Commit 4371f5c

author Sakshis committed
python-tormysql-hardcoded-secret-python
1 parent 6090ccf commit 4371f5c

3 files changed

+274
-0
lines changed
Lines changed: 152 additions & 0 deletions
@@ -0,0 +1,152 @@
1+
id: python-tormysql-hardcoded-secret-python
2+
language: python
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide crede ntials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798]: Use of Hard-coded Credentials
12+
[OWASP A07:2021]: Identification and Authentication Failures
13+
[REFERENCES]
14+
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
15+
utils:
16+
match_expression_statement:
17+
kind: expression_statement
18+
has:
19+
stopBy: end
20+
kind: call
21+
all:
22+
- has:
23+
stopBy: end
24+
kind: attribute
25+
field: function
26+
all:
27+
- has:
28+
stopBy: end
29+
kind: identifier
30+
field: object
31+
regex: "^tormysql$"
32+
- has:
33+
stopBy: end
34+
kind: identifier
35+
field: attribute
36+
regex: "^ConnectionPool$"
37+
- has:
38+
stopBy: end
39+
kind: argument_list
40+
field: arguments
41+
has:
42+
stopBy: end
43+
kind: keyword_argument
44+
all:
45+
- has:
46+
stopBy: end
47+
kind: identifier
48+
field: name
49+
regex: ^(password|passwd)$
50+
- has:
51+
kind: string
52+
all:
53+
- has:
54+
kind: string_start
55+
- has:
56+
kind: string_content
57+
- has:
58+
kind: string_end
59+
match_expression_statement_with_identifier:
60+
kind: expression_statement
61+
has:
62+
stopBy: end
63+
kind: call
64+
all:
65+
- has:
66+
stopBy: end
67+
kind: attribute
68+
field: function
69+
all:
70+
- has:
71+
stopBy: end
72+
kind: identifier
73+
field: object
74+
regex: "^tormysql$"
75+
- has:
76+
stopBy: end
77+
kind: identifier
78+
field: attribute
79+
regex: "^ConnectionPool$"
80+
- has:
81+
stopBy: end
82+
kind: argument_list
83+
field: arguments
84+
has:
85+
stopBy: end
86+
kind: keyword_argument
87+
all:
88+
- has:
89+
stopBy: end
90+
kind: identifier
91+
field: name
92+
regex: "^password$"
93+
- has:
94+
stopBy: end
95+
kind: identifier
96+
field: value
97+
pattern: $PASS
98+
follows:
99+
stopBy: end
100+
kind: expression_statement
101+
has:
102+
stopBy: end
103+
kind: assignment
104+
all:
105+
- has:
106+
kind: identifier
107+
pattern: $PASS
108+
- has:
109+
kind: string
110+
match_call_with_return:
111+
kind: call
112+
all:
113+
- has:
114+
kind: attribute
115+
field: function
116+
all:
117+
- has:
118+
kind: identifier
119+
field: object
120+
regex: "^tormysql$"
121+
- has:
122+
kind: identifier
123+
field: attribute
124+
regex: "^ConnectionPool$"
125+
- has:
126+
kind: argument_list
127+
field: arguments
128+
has:
129+
kind: keyword_argument
130+
all:
131+
- has:
132+
kind: identifier
133+
field: name
134+
regex: "^password$"
135+
- has:
136+
kind: string
137+
field: value
138+
all:
139+
- has:
140+
kind: string_start
141+
- has:
142+
kind: string_content
143+
- has:
144+
kind: string_end
145+
inside:
146+
stopBy: end
147+
kind: return_statement
148+
rule:
149+
any:
150+
- matches: match_expression_statement
151+
- matches: match_expression_statement_with_identifier
152+
- matches: match_call_with_return
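Review bot: the `passwd` alias is accepted only in `match_expression_statement` (`regex: ^(password|passwd)$`), while `match_expression_statement_with_identifier` and `match_call_with_return` use `regex: "^password$"`, so `passwd=SOME_CONSTANT` and `return tormysql.ConnectionPool(passwd="...")` are not reported even though the literal `passwd="..."` statement form is; use the same `^(password|passwd)$` regex in all three utils. The `message` text also contains a stray space in `crede ntials` that will be printed verbatim in every finding. Minor: `follows: stopBy: end` in the identifier variant accepts any earlier sibling statement that assigns a string literal to `$PASS`, so a later reassignment of the same name from `os.getenv` before the `ConnectionPool` call will still be flagged; that is an acceptable false positive for this rule, but a comment saying so would help the next maintainer.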
Lines changed: 109 additions & 0 deletions
@@ -0,0 +1,109 @@
1+
id: python-tormysql-hardcoded-secret-python
2+
snapshots:
3+
? |
4+
HARDCODED_PASSWORD = "123secure"
5+
conn4 = tormysql.ConnectionPool(password=HARDCODED_PASSWORD)
6+
: labels:
7+
- source: conn4 = tormysql.ConnectionPool(password=HARDCODED_PASSWORD)
8+
style: primary
9+
start: 33
10+
end: 93
11+
- source: tormysql
12+
style: secondary
13+
start: 41
14+
end: 49
15+
- source: ConnectionPool
16+
style: secondary
17+
start: 50
18+
end: 64
19+
- source: tormysql.ConnectionPool
20+
style: secondary
21+
start: 41
22+
end: 64
23+
- source: password
24+
style: secondary
25+
start: 65
26+
end: 73
27+
- source: HARDCODED_PASSWORD
28+
style: secondary
29+
start: 74
30+
end: 92
31+
- source: password=HARDCODED_PASSWORD
32+
style: secondary
33+
start: 65
34+
end: 92
35+
- source: (password=HARDCODED_PASSWORD)
36+
style: secondary
37+
start: 64
38+
end: 93
39+
- source: tormysql.ConnectionPool(password=HARDCODED_PASSWORD)
40+
style: secondary
41+
start: 41
42+
end: 93
43+
- source: HARDCODED_PASSWORD
44+
style: secondary
45+
start: 0
46+
end: 18
47+
- source: '"123secure"'
48+
style: secondary
49+
start: 21
50+
end: 32
51+
- source: HARDCODED_PASSWORD = "123secure"
52+
style: secondary
53+
start: 0
54+
end: 32
55+
- source: HARDCODED_PASSWORD = "123secure"
56+
style: secondary
57+
start: 0
58+
end: 32
59+
? |
60+
conn1 = tormysql.ConnectionPool(password="hardcoded_password")
61+
: labels:
62+
- source: conn1 = tormysql.ConnectionPool(password="hardcoded_password")
63+
style: primary
64+
start: 0
65+
end: 62
66+
- source: tormysql
67+
style: secondary
68+
start: 8
69+
end: 16
70+
- source: ConnectionPool
71+
style: secondary
72+
start: 17
73+
end: 31
74+
- source: tormysql.ConnectionPool
75+
style: secondary
76+
start: 8
77+
end: 31
78+
- source: password
79+
style: secondary
80+
start: 32
81+
end: 40
82+
- source: '"'
83+
style: secondary
84+
start: 41
85+
end: 42
86+
- source: hardcoded_password
87+
style: secondary
88+
start: 42
89+
end: 60
90+
- source: '"'
91+
style: secondary
92+
start: 60
93+
end: 61
94+
- source: '"hardcoded_password"'
95+
style: secondary
96+
start: 41
97+
end: 61
98+
- source: password="hardcoded_password"
99+
style: secondary
100+
start: 32
101+
end: 61
102+
- source: (password="hardcoded_password")
103+
style: secondary
104+
start: 31
105+
end: 62
106+
- source: tormysql.ConnectionPool(password="hardcoded_password")
107+
style: secondary
108+
start: 8
109+
end: 62
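Review bot: the snapshot file records only the two `invalid` cases from the test file, so `match_call_with_return` (the `return tormysql.ConnectionPool(password="...")` form) has no snapshot and its labels are never checked; add a return-form case to the tests and regenerate the snapshots. Also, the secondary label `HARDCODED_PASSWORD = "123secure"` with `start: 0` / `end: 32` appears twice in the first snapshot; this is most likely the `expression_statement` matched by `follows` and the `assignment` inside it both reporting the same span, which is harmless but worth knowing when reading the output.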
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
id: python-tormysql-hardcoded-secret-python
2+
valid:
3+
- |
4+
conn9 = tormysql.ConnectionPool(passwd="")
5+
- |
6+
SECURE_CONFIG = {"password": os.getenv("SECURE_DB_PASSWORD")}
7+
conn11 = tormysql.ConnectionPool(password=SECURE_CONFIG["password"])
8+
invalid:
9+
- |
10+
conn1 = tormysql.ConnectionPool(password="hardcoded_password")
11+
- |
12+
HARDCODED_PASSWORD = "123secure"
13+
conn4 = tormysql.ConnectionPool(password=HARDCODED_PASSWORD)
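Review bot: the `invalid` list exercises only the literal and the constant-identifier forms; there is no case for `return tormysql.ConnectionPool(password="...")` (the `match_call_with_return` util) and none for the `passwd=` spelling, so the third util and the alias handling are untested. Suggest adding an invalid case `def f():` / `    return tormysql.ConnectionPool(password="hardcoded")`, an invalid case `conn = tormysql.ConnectionPool(passwd="hardcoded")`, and a valid case `tormysql.ConnectionPool(password=os.environ["DB_PASSWORD"])`. Note that `passwd=""` passes as valid only because an empty string literal has no `string_content` child, which the rule requires; a comment stating that intent would stop someone from "fixing" it later.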
