Commit 43ae909

Author: Sakshis
Commit message: python-mysqlclient-empty-password-python
1 parent 2467d76 commit 43ae909

File tree: 3 files changed, +597 -0 lines changed

Lines changed: 214 additions & 0 deletions
@@ -0,0 +1,214 @@
1+
id: python-mysqlclient-empty-password-python
2+
language: python
3+
severity: warning
4+
message: >-
5+
The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).
6+
note: >-
7+
[CWE-287]: Improper Authentication
8+
[A07:2021]: Identification and Authentication Failures
9+
[REFERENCES]
10+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
11+
12+
rule:
13+
kind: call
14+
any:
15+
- all:
16+
- has:
17+
nthChild: 1
18+
kind: attribute
19+
pattern: MySQLdb.$CONNECT
20+
- has:
21+
kind: argument_list
22+
nthChild: 2
23+
has:
24+
any:
25+
- kind: keyword_argument
26+
all:
27+
- has:
28+
kind: identifier
29+
field: name
30+
nthChild: 1
31+
regex: ^passwd$
32+
- has:
33+
kind: string
34+
field: value
35+
nthChild: 2
36+
all:
37+
- has:
38+
kind: string_start
39+
nthChild: 1
40+
- has:
41+
kind: string_end
42+
nthChild: 2
43+
- kind: string
44+
nthChild: 3
45+
all:
46+
- has:
47+
kind: string_start
48+
nthChild: 1
49+
- has:
50+
kind: string_end
51+
nthChild: 2
52+
- all:
53+
- has:
54+
nthChild: 1
55+
kind: attribute
56+
pattern: $MYSQL_ALIAS.$CONNECT
57+
inside:
58+
stopBy: end
59+
follows:
60+
stopBy: end
61+
kind: import_statement
62+
has:
63+
kind: aliased_import
64+
all:
65+
- has:
66+
kind: dotted_name
67+
regex: MySQLdb
68+
- has:
69+
kind: identifier
70+
pattern: $MYSQL_ALIAS
71+
- has:
72+
kind: argument_list
73+
nthChild: 2
74+
has:
75+
any:
76+
- kind: keyword_argument
77+
all:
78+
- has:
79+
kind: identifier
80+
field: name
81+
nthChild: 1
82+
regex: ^passwd$
83+
- has:
84+
kind: string
85+
field: value
86+
nthChild: 2
87+
all:
88+
- has:
89+
kind: string_start
90+
nthChild: 1
91+
- has:
92+
kind: string_end
93+
nthChild: 2
94+
- kind: string
95+
nthChild: 3
96+
all:
97+
- has:
98+
kind: string_start
99+
nthChild: 1
100+
- has:
101+
kind: string_end
102+
nthChild: 2
103+
- all:
104+
- has:
105+
nthChild: 1
106+
kind: attribute
107+
any:
108+
- pattern: MySQLdb._mysql.$CONNECT
109+
- pattern: _mysql.$CONNECT
110+
inside:
111+
stopBy: end
112+
follows:
113+
stopBy: end
114+
kind: import_from_statement
115+
all:
116+
- has:
117+
kind: dotted_name
118+
field: module_name
119+
regex: ^MySQLdb$
120+
- has:
121+
kind: dotted_name
122+
field: name
123+
regex: ^_mysql$
124+
- has:
125+
kind: argument_list
126+
nthChild: 2
127+
has:
128+
any:
129+
- kind: keyword_argument
130+
all:
131+
- has:
132+
kind: identifier
133+
field: name
134+
nthChild: 1
135+
regex: ^passwd$
136+
- has:
137+
kind: string
138+
field: value
139+
nthChild: 2
140+
all:
141+
- has:
142+
kind: string_start
143+
nthChild: 1
144+
- has:
145+
kind: string_end
146+
nthChild: 2
147+
- kind: string
148+
nthChild: 3
149+
all:
150+
- has:
151+
kind: string_start
152+
nthChild: 1
153+
- has:
154+
kind: string_end
155+
nthChild: 2
156+
- all:
157+
- has:
158+
nthChild: 1
159+
kind: attribute
160+
pattern: $MYSQL_FROM_ALIAS.$CONNECT
161+
inside:
162+
stopBy: end
163+
follows:
164+
stopBy: end
165+
kind: import_from_statement
166+
all:
167+
- has:
168+
kind: dotted_name
169+
field: module_name
170+
regex: ^MySQLdb$
171+
nthChild: 1
172+
- has:
173+
kind: aliased_import
174+
all:
175+
- has:
176+
kind: dotted_name
177+
field: name
178+
regex: ^_mysql$
179+
- has:
180+
kind: identifier
181+
field: alias
182+
pattern: $MYSQL_FROM_ALIAS
183+
- has:
184+
kind: argument_list
185+
nthChild: 2
186+
has:
187+
any:
188+
- kind: keyword_argument
189+
all:
190+
- has:
191+
kind: identifier
192+
field: name
193+
nthChild: 1
194+
regex: ^passwd$
195+
- has:
196+
kind: string
197+
field: value
198+
nthChild: 2
199+
all:
200+
- has:
201+
kind: string_start
202+
nthChild: 1
203+
- has:
204+
kind: string_end
205+
nthChild: 2
206+
- kind: string
207+
nthChild: 3
208+
all:
209+
- has:
210+
kind: string_start
211+
nthChild: 1
212+
- has:
213+
kind: string_end
214+
nthChild: 2
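Review bot: the password-argument matcher (the four `regex: ^passwd$` checks on the `keyword_argument` name in every branch of the top-level `any`) misses the `password=` spelling, which mysqlclient accepts as an alias of `passwd`, so `MySQLdb.connect(host="db", user="app", password="")` is not flagged; change each to `regex: ^(passwd|password)$`. Two smaller points in the same hunk: `$CONNECT` is left unconstrained in all four `attribute` patterns, so any `MySQLdb.<anything>(..., passwd="")` matches; add a child constraint such as `has: { field: attribute, regex: ^(connect|Connect|Connection)$ }`, those being the three names mysqlclient exports for the connection factory. And the `regex: MySQLdb` on the `dotted_name` under `aliased_import` in the second branch is unanchored, unlike the `^MySQLdb$` used in the third and fourth branches, so `import MySQLdbCompat as m` would satisfy it; anchor it. Lastly, the keyword/positional empty-string sub-rule under `argument_list` is copied verbatim four times; hoisting it into a `utils` entry and referencing it with `matches` keeps the four copies from drifting when the `password` fix above is applied.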
