
Commit 5298896

author
Sakshis
committed
python-urllib3-hardcoded-secret-python
1 parent 2f95a8e commit 5298896

3 files changed

+363
-0
lines changed

Lines changed: 106 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,106 @@
1+
id: python-urllib3-hardcoded-secret-python
2+
severity: warning
3+
language: python
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide credentials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798] Use of Hard-coded Credentials.
12+
[REFERENCES]
13+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
14+
utils:
15+
urllib3.util.make_headers(...,basic_auth="...",...):
16+
# urllib3.util.make_headers(...,basic_auth="...",...)
17+
kind: call
18+
all:
19+
- has:
20+
stopBy: neighbor
21+
kind: attribute
22+
regex: 'urllib3.util.make_headers|urllib3.make_headers|requests.packages.urllib3.make_headers|requests.packages.urllib3.util.make_headers'
23+
- has:
24+
stopBy: neighbor
25+
kind: argument_list
26+
has:
27+
stopBy: end
28+
kind: keyword_argument
29+
all:
30+
- has:
31+
stopBy: neighbor
32+
kind: identifier
33+
regex: '^basic_auth|proxy_basic_auth$'
34+
- has:
35+
stopBy: neighbor
36+
kind: string
37+
has:
38+
stopBy: neighbor
39+
kind: string_content
40+
urllib3.util.make_headers(...,basic_auth="...",...)_with_instance:
41+
# urllib3.util.make_headers(...,basic_auth="...",...)_with_instance
42+
kind: call
43+
all:
44+
- has:
45+
stopBy: neighbor
46+
kind: attribute
47+
regex: 'urllib3.util.make_headers|urllib3.make_headers|requests.packages.urllib3.make_headers|requests.packages.urllib3.util.make_headers'
48+
- has:
49+
stopBy: neighbor
50+
kind: argument_list
51+
has:
52+
stopBy: end
53+
kind: keyword_argument
54+
all:
55+
- has:
56+
stopBy: neighbor
57+
kind: identifier
58+
regex: '^basic_auth|proxy_basic_auth$'
59+
- has:
60+
stopBy: end
61+
kind: identifier
62+
pattern: $PASS
63+
nthChild: 2
64+
- inside:
65+
stopBy: end
66+
kind: expression_statement
67+
follows:
68+
stopBy: end
69+
kind: expression_statement
70+
has:
71+
stopBy: neighbor
72+
kind: assignment
73+
all:
74+
- has:
75+
stopBy: neighbor
76+
kind: identifier
77+
pattern: $PASS
78+
- has:
79+
stopBy: neighbor
80+
kind: string
81+
has:
82+
stopBy: neighbor
83+
kind: string_content
84+
- inside:
85+
stopBy: end
86+
kind: expression_statement
87+
not:
88+
follows:
89+
stopBy: end
90+
kind: expression_statement
91+
has:
92+
stopBy: neighbor
93+
kind: assignment
94+
all:
95+
- has:
96+
stopBy: neighbor
97+
kind: identifier
98+
pattern: $PASS
99+
- has:
100+
stopBy: neighbor
101+
kind: subscript
102+
rule:
103+
kind: call
104+
any:
105+
- matches: urllib3.util.make_headers(...,basic_auth="...",...)
106+
- matches: urllib3.util.make_headers(...,basic_auth="...",...)_with_instance
Lines changed: 238 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,238 @@
1+
id: python-urllib3-hardcoded-secret-python
2+
snapshots:
3+
? |
4+
auth_str = 'user:123'
5+
headers = requests.packages.urllib3.make_headers(basic_auth=auth_str)
6+
: labels:
7+
- source: requests.packages.urllib3.make_headers(basic_auth=auth_str)
8+
style: primary
9+
start: 32
10+
end: 91
11+
- source: requests.packages.urllib3.make_headers
12+
style: secondary
13+
start: 32
14+
end: 70
15+
- source: basic_auth
16+
style: secondary
17+
start: 71
18+
end: 81
19+
- source: auth_str
20+
style: secondary
21+
start: 82
22+
end: 90
23+
- source: basic_auth=auth_str
24+
style: secondary
25+
start: 71
26+
end: 90
27+
- source: (basic_auth=auth_str)
28+
style: secondary
29+
start: 70
30+
end: 91
31+
- source: auth_str
32+
style: secondary
33+
start: 0
34+
end: 8
35+
- source: user:123
36+
style: secondary
37+
start: 12
38+
end: 20
39+
- source: '''user:123'''
40+
style: secondary
41+
start: 11
42+
end: 21
43+
- source: auth_str = 'user:123'
44+
style: secondary
45+
start: 0
46+
end: 21
47+
- source: auth_str = 'user:123'
48+
style: secondary
49+
start: 0
50+
end: 21
51+
- source: headers = requests.packages.urllib3.make_headers(basic_auth=auth_str)
52+
style: secondary
53+
start: 22
54+
end: 91
55+
- source: headers = requests.packages.urllib3.make_headers(basic_auth=auth_str)
56+
style: secondary
57+
start: 22
58+
end: 91
59+
? |
60+
headers = requests.packages.urllib3.util.make_headers(basic_auth='pass')
61+
: labels:
62+
- source: requests.packages.urllib3.util.make_headers(basic_auth='pass')
63+
style: primary
64+
start: 10
65+
end: 72
66+
- source: requests.packages.urllib3.util.make_headers
67+
style: secondary
68+
start: 10
69+
end: 53
70+
- source: basic_auth
71+
style: secondary
72+
start: 54
73+
end: 64
74+
- source: pass
75+
style: secondary
76+
start: 66
77+
end: 70
78+
- source: '''pass'''
79+
style: secondary
80+
start: 65
81+
end: 71
82+
- source: basic_auth='pass'
83+
style: secondary
84+
start: 54
85+
end: 71
86+
- source: (basic_auth='pass')
87+
style: secondary
88+
start: 53
89+
end: 72
90+
? |
91+
password = '123'
92+
headers = urllib3.util.make_headers(proxy_basic_auth=user + ':' + password)
93+
: labels:
94+
- source: urllib3.util.make_headers(proxy_basic_auth=user + ':' + password)
95+
style: primary
96+
start: 27
97+
end: 92
98+
- source: urllib3.util.make_headers
99+
style: secondary
100+
start: 27
101+
end: 52
102+
- source: proxy_basic_auth
103+
style: secondary
104+
start: 53
105+
end: 69
106+
- source: password
107+
style: secondary
108+
start: 83
109+
end: 91
110+
- source: proxy_basic_auth=user + ':' + password
111+
style: secondary
112+
start: 53
113+
end: 91
114+
- source: (proxy_basic_auth=user + ':' + password)
115+
style: secondary
116+
start: 52
117+
end: 92
118+
- source: password
119+
style: secondary
120+
start: 0
121+
end: 8
122+
- source: '123'
123+
style: secondary
124+
start: 12
125+
end: 15
126+
- source: '''123'''
127+
style: secondary
128+
start: 11
129+
end: 16
130+
- source: password = '123'
131+
style: secondary
132+
start: 0
133+
end: 16
134+
- source: password = '123'
135+
style: secondary
136+
start: 0
137+
end: 16
138+
- source: headers = urllib3.util.make_headers(proxy_basic_auth=user + ':' + password)
139+
style: secondary
140+
start: 17
141+
end: 92
142+
- source: headers = urllib3.util.make_headers(proxy_basic_auth=user + ':' + password)
143+
style: secondary
144+
start: 17
145+
end: 92
146+
? |
147+
urllib3.make_headers(basic_auth="user:123")
148+
: labels:
149+
- source: urllib3.make_headers(basic_auth="user:123")
150+
style: primary
151+
start: 0
152+
end: 43
153+
- source: urllib3.make_headers
154+
style: secondary
155+
start: 0
156+
end: 20
157+
- source: basic_auth
158+
style: secondary
159+
start: 21
160+
end: 31
161+
- source: user:123
162+
style: secondary
163+
start: 33
164+
end: 41
165+
- source: '"user:123"'
166+
style: secondary
167+
start: 32
168+
end: 42
169+
- source: basic_auth="user:123"
170+
style: secondary
171+
start: 21
172+
end: 42
173+
- source: (basic_auth="user:123")
174+
style: secondary
175+
start: 20
176+
end: 43
177+
? |
178+
urllib3.util.make_headers(basic_auth="user:123")
179+
: labels:
180+
- source: urllib3.util.make_headers(basic_auth="user:123")
181+
style: primary
182+
start: 0
183+
end: 48
184+
- source: urllib3.util.make_headers
185+
style: secondary
186+
start: 0
187+
end: 25
188+
- source: basic_auth
189+
style: secondary
190+
start: 26
191+
end: 36
192+
- source: user:123
193+
style: secondary
194+
start: 38
195+
end: 46
196+
- source: '"user:123"'
197+
style: secondary
198+
start: 37
199+
end: 47
200+
- source: basic_auth="user:123"
201+
style: secondary
202+
start: 26
203+
end: 47
204+
- source: (basic_auth="user:123")
205+
style: secondary
206+
start: 25
207+
end: 48
208+
? |
209+
urllib3.util.make_headers(proxy_basic_auth="user:123")
210+
: labels:
211+
- source: urllib3.util.make_headers(proxy_basic_auth="user:123")
212+
style: primary
213+
start: 0
214+
end: 54
215+
- source: urllib3.util.make_headers
216+
style: secondary
217+
start: 0
218+
end: 25
219+
- source: proxy_basic_auth
220+
style: secondary
221+
start: 26
222+
end: 42
223+
- source: user:123
224+
style: secondary
225+
start: 44
226+
end: 52
227+
- source: '"user:123"'
228+
style: secondary
229+
start: 43
230+
end: 53
231+
- source: proxy_basic_auth="user:123"
232+
style: secondary
233+
start: 26
234+
end: 53
235+
- source: (proxy_basic_auth="user:123")
236+
style: secondary
237+
start: 25
238+
end: 54
Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
id: python-urllib3-hardcoded-secret-python
2+
valid:
3+
- |
4+
urllib3.util.make_headers(basic_auth=user:123)
5+
invalid:
6+
- |
7+
urllib3.util.make_headers(basic_auth="user:123")
8+
- |
9+
urllib3.util.make_headers(proxy_basic_auth="user:123")
10+
- |
11+
urllib3.make_headers(basic_auth="user:123")
12+
- |
13+
headers = requests.packages.urllib3.util.make_headers(basic_auth='pass')
14+
- |
15+
password = '123'
16+
headers = urllib3.util.make_headers(proxy_basic_auth=user + ':' + password)
17+
- |
18+
auth_str = 'user:123'
19+
headers = requests.packages.urllib3.make_headers(basic_auth=auth_str)
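Review bot: The only `valid` case, `urllib3.util.make_headers(basic_auth=user:123)`, is not syntactically valid Python (a bare `user:123` cannot be a keyword-argument value), so it passes only because the parser emits an error node and the rule's negative path is never actually exercised. Replace it with real negatives such as `urllib3.util.make_headers(basic_auth=os.environ["BASIC_AUTH"])` and the two-line `auth = os.environ["BASIC_AUTH"]` / `urllib3.util.make_headers(basic_auth=auth)`. Also add a `valid` case where a hard-coded default is overwritten from a subscript before the call (`password = '123'` then `password = os.environ['PROXY_AUTH']`), since the rule's `not: follows ... kind: subscript` branch exists to suppress exactly that shape but nothing here confirms it does. A concatenated literal such as `make_headers(basic_auth="user:" + "123")` is matched by neither util as written; listing it under `valid` with a comment would at least document that gap rather than leave it implicit.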
