Commit 51a2d30

author: Sakshis (committed)
python-pg8000-hardcoded-secret-python
1 parent 5eaa74e, commit 51a2d30

4 files changed

+825
-0
lines changed

Lines changed: 251 additions & 0 deletions
@@ -0,0 +1,251 @@
1+
id: python-pg8000-hardcoded-secret-python
2+
severity: warning
3+
language: python
4+
message: >-
5+
The application creates a database connection with an empty password.
6+
This can lead to unauthorized access by either an internal or external
7+
malicious actor. To prevent this vulnerability, enforce authentication
8+
when connecting to a database by using environment variables to securely
9+
provide credentials or retrieving them from a secure vault or HSM
10+
(Hardware Security Module).
11+
note: >-
12+
[CWE-287] Improper Authentication.
13+
[REFERENCES]
14+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
15+
utils:
16+
pg8000.dbapi.connect(..., password="...",...):
17+
# pg8000.dbapi.connect(..., password="...",...)
18+
kind: call
19+
all:
20+
- has:
21+
stopBy: neighbor
22+
pattern: $DB
23+
regex: ^pg8000.dbapi.connect|pg8000.native.Connection$
24+
- has:
25+
stopBy: neighbor
26+
kind: argument_list
27+
has:
28+
stopBy: end
29+
kind: keyword_argument
30+
all:
31+
- has:
32+
stopBy: neighbor
33+
kind: identifier
34+
regex: ^password$
35+
- has:
36+
stopBy: neighbor
37+
kind: string
38+
has:
39+
stopBy: neighbor
40+
kind: string_content
41+
pg8000.dbapi.connect(..., password=$VAR,...):
42+
# pg8000.dbapi.connect(..., password=$VAR,...)_with_instance
43+
kind: call
44+
all:
45+
- has:
46+
stopBy: neighbor
47+
pattern: $DB
48+
regex: ^pg8000.dbapi.connect|pg8000.native.Connection$
49+
- has:
50+
stopBy: neighbor
51+
kind: argument_list
52+
has:
53+
stopBy: end
54+
kind: keyword_argument
55+
all:
56+
- has:
57+
stopBy: neighbor
58+
kind: identifier
59+
regex: ^password|passwd$
60+
- has:
61+
stopBy: neighbor
62+
kind: identifier
63+
pattern: $R
64+
nthChild: 2
65+
- inside:
66+
stopBy: end
67+
kind: expression_statement
68+
follows:
69+
stopBy: end
70+
kind: expression_statement
71+
has:
72+
stopBy: neighbor
73+
kind: assignment
74+
all:
75+
- has:
76+
stopBy: neighbor
77+
kind: identifier
78+
pattern: $R
79+
- has:
80+
stopBy: neighbor
81+
kind: string
82+
has:
83+
stopBy: neighbor
84+
kind: string_content
85+
connect(..., password="...",...):
86+
# connect(..., password="...",...)
87+
kind: call
88+
all:
89+
- has:
90+
stopBy: neighbor
91+
pattern: $DB
92+
regex: ^connect$
93+
- has:
94+
stopBy: neighbor
95+
kind: argument_list
96+
has:
97+
stopBy: end
98+
kind: keyword_argument
99+
all:
100+
- has:
101+
stopBy: neighbor
102+
kind: identifier
103+
regex: ^password$
104+
- has:
105+
stopBy: neighbor
106+
kind: string
107+
has:
108+
stopBy: neighbor
109+
kind: string_content
110+
- inside:
111+
stopBy: end
112+
kind: module
113+
any:
114+
- has:
115+
stopBy: end
116+
kind: import_from_statement
117+
any:
118+
- pattern: from pg8000.dbapi import connect
119+
- pattern: from pg8000.native import connect
120+
connect(..., password=$VAR,...):
121+
# connect(..., password=$VAR,...)
122+
kind: call
123+
all:
124+
- has:
125+
stopBy: neighbor
126+
pattern: $DB
127+
regex: ^connect$
128+
- has:
129+
stopBy: neighbor
130+
kind: argument_list
131+
has:
132+
stopBy: end
133+
kind: keyword_argument
134+
all:
135+
- has:
136+
stopBy: neighbor
137+
kind: identifier
138+
regex: ^password$
139+
- has:
140+
stopBy: neighbor
141+
kind: identifier
142+
pattern: $Z
143+
nthChild: 2
144+
- inside:
145+
stopBy: end
146+
kind: module
147+
has:
148+
stopBy: end
149+
kind: import_from_statement
150+
any:
151+
- pattern: from pg8000.dbapi import connect
152+
- pattern: from pg8000.native import connect
153+
- inside:
154+
stopBy: end
155+
kind: expression_statement
156+
follows:
157+
stopBy: end
158+
kind: expression_statement
159+
has:
160+
stopBy: neighbor
161+
kind: assignment
162+
all:
163+
- has:
164+
stopBy: neighbor
165+
kind: identifier
166+
pattern: $Z
167+
- has:
168+
stopBy: neighbor
169+
kind: string
170+
has:
171+
stopBy: neighbor
172+
kind: string_content
173+
$$$.connect(..., password=$VAR,...):
174+
# $$$.connect(..., password=$VAR,...)
175+
kind: call
176+
all:
177+
- has:
178+
stopBy: neighbor
179+
kind: attribute
180+
all:
181+
- has:
182+
stopBy: neighbor
183+
kind: identifier
184+
pattern: $PG
185+
nthChild: 1
186+
- has:
187+
stopBy: neighbor
188+
kind: identifier
189+
regex: ^Connection$
190+
- has:
191+
stopBy: neighbor
192+
kind: argument_list
193+
has:
194+
stopBy: end
195+
kind: keyword_argument
196+
all:
197+
- has:
198+
stopBy: neighbor
199+
kind: identifier
200+
regex: ^password$
201+
- has:
202+
stopBy: neighbor
203+
kind: identifier
204+
pattern: $A
205+
nthChild: 2
206+
- inside:
207+
stopBy: end
208+
kind: module
209+
has:
210+
stopBy: end
211+
kind: import_statement
212+
has:
213+
stopBy: neighbor
214+
kind: aliased_import
215+
all:
216+
- has:
217+
stopBy: neighbor
218+
kind: dotted_name
219+
regex: ^pg8000.native$
220+
- has:
221+
stopBy: neighbor
222+
kind: identifier
223+
pattern: $PG
224+
- inside:
225+
stopBy: end
226+
kind: expression_statement
227+
follows:
228+
stopBy: end
229+
kind: expression_statement
230+
has:
231+
stopBy: neighbor
232+
kind: assignment
233+
all:
234+
- has:
235+
stopBy: neighbor
236+
kind: identifier
237+
pattern: $A
238+
- has:
239+
stopBy: neighbor
240+
kind: string
241+
has:
242+
stopBy: neighbor
243+
kind: string_content
244+
rule:
245+
kind: call
246+
any:
247+
- matches: pg8000.dbapi.connect(..., password="...",...)
248+
- matches: pg8000.dbapi.connect(..., password=$VAR,...)
249+
- matches: connect(..., password="...",...)
250+
- matches: connect(..., password=$VAR,...)
251+
- matches: $$$.connect(..., password=$VAR,...)
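Review bot: the `message` says the connection is created "with an empty password", but the rule only fires on a non-empty literal: every string branch requires `kind: string` with a `string_content` child, and an empty `""` has no `string_content` node, so `connect(password="")` is not matched while `connect(password="hunter2")` is. Either reword the message to say a password is hard-coded in source (the id already says hardcoded-secret) and cite CWE-798 (Use of Hard-coded Credentials) rather than CWE-287, or add an explicit empty-string case if empty passwords are also meant to be flagged. Second, the alternation in `regex: ^pg8000.dbapi.connect|pg8000.native.Connection$` binds looser than the anchors, so the left alternative is only start-anchored and the right one only end-anchored, and the unescaped dots match any character; `^(pg8000\.dbapi\.connect|pg8000\.native\.Connection)$` is what is intended. The same precedence problem is in `regex: ^password|passwd$` in the second util, which would also accept any keyword starting with `password`, and it makes that util inconsistent with the other four, which accept only `^password$`. Third, the last util is named `$$$.connect(..., password=$VAR,...)` but its body matches `$PG.Connection(...)` under `import pg8000.native as $PG` (`regex: ^Connection$`); rename it, and note there is no literal-string counterpart for that aliased form, so an aliased `Connection(..., password="x")` is only caught when the password was first assigned to a variable in a preceding statement. Finally, only `keyword_argument` is inspected in every branch, so a password passed positionally would never be flagged.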
