
Commit 2f10d49

authored
Two Rust rules (#35)
1 parent deb96b1 commit 2f10d49

6 files changed

+526
-0
lines changed
Lines changed: 124 additions & 0 deletions
@@ -0,0 +1,124 @@
1+
id: postgres-empty-password-rust
2+
language: rust
3+
severity: warning
4+
message: >-
5+
The application uses an empty credential. This can lead to unauthorized
6+
access by either an internal or external malicious actor. It is
7+
recommended to rotate the secret and retrieve them from a secure secret
8+
vault or Hardware Security Module (HSM), alternatively environment
9+
variables can be used if allowed by your company policy.
10+
note: >-
11+
[CWE-287] Improper Authentication.
12+
[REFERENCES]
13+
- https://docs.rs/postgres/latest/postgres/
14+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
15+
utils:
16+
MATCH_PATTERN_WITH_INSTANCE:
17+
kind: call_expression
18+
all:
19+
- has:
20+
stopBy: neighbor
21+
kind: field_expression
22+
all:
23+
- has:
24+
stopBy: neighbor
25+
kind: call_expression
26+
all:
27+
- has:
28+
stopBy: neighbor
29+
kind: field_expression
30+
all:
31+
- has:
32+
stopBy: end
33+
kind: call_expression
34+
all:
35+
- has:
36+
stopBy: neighbor
37+
kind: field_expression
38+
all:
39+
- has:
40+
stopBy: neighbor
41+
kind: identifier
42+
pattern: $C
43+
- has:
44+
stopBy: neighbor
45+
kind: arguments
46+
- has:
47+
stopBy: neighbor
48+
kind: field_identifier
49+
- has:
50+
stopBy: neighbor
51+
kind: arguments
52+
- has:
53+
stopBy: neighbor
54+
kind: field_identifier
55+
regex: "^password$"
56+
- has:
57+
stopBy: neighbor
58+
kind: arguments
59+
regex: \(\s*\"\"\s*\)
60+
- inside:
61+
stopBy: end
62+
kind: expression_statement
63+
follows:
64+
stopBy: end
65+
kind: let_declaration
66+
all:
67+
- has:
68+
stopBy: neighbor
69+
kind: identifier
70+
pattern: $C
71+
- has:
72+
stopBy: neighbor
73+
kind: call_expression
74+
pattern: postgres::Config::new()
75+
76+
MATCH_PATTERN_DIRECTLY:
77+
kind: call_expression
78+
all:
79+
- has:
80+
stopBy: neighbor
81+
kind: field_expression
82+
all:
83+
- has:
84+
stopBy: neighbor
85+
kind: call_expression
86+
all:
87+
- has:
88+
stopBy: neighbor
89+
kind: field_expression
90+
all:
91+
- has:
92+
stopBy: neighbor
93+
kind: call_expression
94+
all:
95+
- has:
96+
stopBy: neighbor
97+
kind: field_expression
98+
has:
99+
stopBy: neighbor
100+
kind: call_expression
101+
pattern: postgres::Config::new()
102+
- has:
103+
stopBy: neighbor
104+
kind: arguments
105+
- has:
106+
stopBy: neighbor
107+
kind: field_identifier
108+
- has:
109+
stopBy: neighbor
110+
kind: arguments
111+
- has:
112+
stopBy: neighbor
113+
kind: field_identifier
114+
regex: "^password$"
115+
- has:
116+
stopBy: neighbor
117+
kind: arguments
118+
regex: \(\s*\"\"\s*\)
119+
120+
rule:
121+
kind: call_expression
122+
any:
123+
- matches: MATCH_PATTERN_WITH_INSTANCE
124+
- matches: MATCH_PATTERN_DIRECTLY
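Review bot: The `arguments` regex `\(\s*\"\"\s*\)` (file lines 59 and 118, used by both utils) recognises only a double-quoted empty literal, while postgres `Config::password` takes any `AsRef<[u8]>`, so `.password(b"")`, `.password(r"")` and `.password(String::new())` go unreported; the literal forms at least can be covered with `regex: \(\s*(b|r)?\"\"\s*\)`. MATCH_PATTERN_WITH_INSTANCE also appears to require two method calls between the `$C` identifier and `.password(...)`, so a shorter chain such as `config.password("")` may not match, and the `inside: expression_statement` constraint suggests a chain that is bound directly with `let` (rather than written as a statement after the `let`) is missed as well. The snapshot only exercises the host/user/password/port shape, so one test case for each of these variants would settle whether they are covered.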
Lines changed: 138 additions & 0 deletions
@@ -0,0 +1,138 @@
1+
id: secrets-reqwest-hardcoded-auth-rust
2+
language: rust
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. It is
8+
recommended to rotate the secret and retrieve them from a secure secret
9+
vault or Hardware Security Module (HSM), alternatively environment
10+
variables can be used if allowed by your company policy.
11+
note: >-
12+
[CWE-798] Use of Hard-coded Credentials.
13+
[REFERENCES]
14+
- https://docs.rs/reqwest/latest/reqwest/
15+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
16+
utils:
17+
MATCH_PATTERN_ONE:
18+
kind: call_expression
19+
all:
20+
- has:
21+
stopBy: neighbor
22+
kind: field_expression
23+
all:
24+
- has:
25+
stopBy: neighbor
26+
kind: call_expression
27+
has:
28+
stopBy: neighbor
29+
kind: field_expression
30+
all:
31+
- has:
32+
stopBy: neighbor
33+
kind: identifier
34+
pattern: $C
35+
- has:
36+
stopBy: neighbor
37+
kind: field_identifier
38+
regex: "^bearer_auth|basic_auth$"
39+
- has:
40+
stopBy: neighbor
41+
kind: arguments
42+
all:
43+
- has:
44+
stopBy: neighbor
45+
kind: string_literal
46+
has:
47+
stopBy: neighbor
48+
kind: string_content
49+
- has:
50+
stopBy: neighbor
51+
kind: call_expression
52+
all:
53+
- has:
54+
stopBy: neighbor
55+
kind: identifier
56+
regex: "^Some$"
57+
- has:
58+
stopBy: neighbor
59+
kind: arguments
60+
has:
61+
stopBy: neighbor
62+
kind: string_literal
63+
has:
64+
stopBy: neighbor
65+
kind: string_content
66+
67+
- inside:
68+
stopBy: end
69+
kind: let_declaration
70+
follows:
71+
stopBy: end
72+
kind: let_declaration
73+
all:
74+
- has:
75+
stopBy: neighbor
76+
kind: identifier
77+
pattern: $C
78+
- has:
79+
stopBy: neighbor
80+
kind: call_expression
81+
pattern: reqwest::Client::new($$$)
82+
83+
MATCH_PATTERN_TWO:
84+
kind: call_expression
85+
all:
86+
- has:
87+
stopBy: neighbor
88+
kind: field_expression
89+
all:
90+
- has:
91+
stopBy: neighbor
92+
kind: call_expression
93+
has:
94+
stopBy: neighbor
95+
kind: field_expression
96+
all:
97+
- has:
98+
stopBy: neighbor
99+
kind: identifier
100+
pattern: $C
101+
- has:
102+
stopBy: neighbor
103+
kind: field_identifier
104+
regex: "^bearer_auth|basic_auth$"
105+
- inside:
106+
stopBy: end
107+
kind: let_declaration
108+
follows:
109+
stopBy: end
110+
kind: let_declaration
111+
all:
112+
- has:
113+
stopBy: neighbor
114+
kind: identifier
115+
pattern: $C
116+
- has:
117+
stopBy: neighbor
118+
kind: call_expression
119+
pattern: reqwest::Client::new($$$)
120+
- has:
121+
stopBy: neighbor
122+
kind: arguments
123+
all:
124+
- has:
125+
stopBy: neighbor
126+
kind: string_literal
127+
has:
128+
stopBy: neighbor
129+
kind: string_content
130+
- not:
131+
has:
132+
kind: call_expression
133+
134+
rule:
135+
kind: call_expression
136+
any:
137+
- matches: MATCH_PATTERN_ONE
138+
- matches: MATCH_PATTERN_TWO
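Review bot: The field_identifier regex `"^bearer_auth|basic_auth$"` (file lines 38 and 104) anchors only the first alternative at the start and the second at the end, so it also accepts method names such as `bearer_auth_token` or `custom_basic_auth`; write it as `regex: "^(bearer_auth|basic_auth)$"`. MATCH_PATTERN_ONE appears to require a string_literal as a direct child of the arguments alongside the `Some(...)` call, so `basic_auth(user, Some("..."))` with a variable user name and a literal password would not be reported, whereas MATCH_PATTERN_TWO reports `basic_auth("admin", None)` where only the user name is literal — worth a test case each to confirm which is intended. Both utils also require the call to sit inside a `let_declaration` that follows the `reqwest::Client::new` binding, which probably leaves a bare statement such as `client.get(url).bearer_auth("...").send()` unreported.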
Lines changed: 101 additions & 0 deletions
@@ -0,0 +1,101 @@
1+
id: postgres-empty-password-rust
2+
snapshots:
3+
? |
4+
fn test1() {
5+
let mut config = postgres::Config::new();
6+
config
7+
.host(std::env::var("HOST").expect("set HOST"))
8+
.user(std::env::var("USER").expect("set USER"))
9+
.password("")
10+
.port(std::env::var("PORT").expect("set PORT"));
11+
let (client, connection) = config.connect(NoTls);
12+
Ok(())
13+
}
14+
: labels:
15+
- source: |-
16+
config
17+
.host(std::env::var("HOST").expect("set HOST"))
18+
.user(std::env::var("USER").expect("set USER"))
19+
.password("")
20+
style: primary
21+
start: 55
22+
end: 171
23+
- source: config
24+
style: secondary
25+
start: 55
26+
end: 61
27+
- source: |-
28+
config
29+
.host
30+
style: secondary
31+
start: 55
32+
end: 67
33+
- source: (std::env::var("HOST").expect("set HOST"))
34+
style: secondary
35+
start: 67
36+
end: 109
37+
- source: |-
38+
config
39+
.host(std::env::var("HOST").expect("set HOST"))
40+
style: secondary
41+
start: 55
42+
end: 109
43+
- source: user
44+
style: secondary
45+
start: 111
46+
end: 115
47+
- source: |-
48+
config
49+
.host(std::env::var("HOST").expect("set HOST"))
50+
.user
51+
style: secondary
52+
start: 55
53+
end: 115
54+
- source: (std::env::var("USER").expect("set USER"))
55+
style: secondary
56+
start: 115
57+
end: 157
58+
- source: |-
59+
config
60+
.host(std::env::var("HOST").expect("set HOST"))
61+
.user(std::env::var("USER").expect("set USER"))
62+
style: secondary
63+
start: 55
64+
end: 157
65+
- source: password
66+
style: secondary
67+
start: 159
68+
end: 167
69+
- source: |-
70+
config
71+
.host(std::env::var("HOST").expect("set HOST"))
72+
.user(std::env::var("USER").expect("set USER"))
73+
.password
74+
style: secondary
75+
start: 55
76+
end: 167
77+
- source: ("")
78+
style: secondary
79+
start: 167
80+
end: 171
81+
- source: config
82+
style: secondary
83+
start: 21
84+
end: 27
85+
- source: postgres::Config::new()
86+
style: secondary
87+
start: 30
88+
end: 53
89+
- source: let mut config = postgres::Config::new();
90+
style: secondary
91+
start: 13
92+
end: 54
93+
- source: |-
94+
config
95+
.host(std::env::var("HOST").expect("set HOST"))
96+
.user(std::env::var("USER").expect("set USER"))
97+
.password("")
98+
.port(std::env::var("PORT").expect("set PORT"));
99+
style: secondary
100+
start: 55
101+
end: 220
