
Commit 5f5bb55

ESS-ENN gatsby003 authored and committed
Add security rules for deprecated mktemp and empty password in Python (#70)
* avoid-mktemp-python
* Code for the rule
* Removing rule - python-ldap3-empty-password
* python-ldap3-empty-password
1 parent 13660fd commit 5f5bb55

File tree

6 files changed: +206 -0 lines changed

Lines changed: 74 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -0,0 +1,74 @@
1+
id: avoid-mktemp-python
2+
language: python
3+
severity: warning
4+
message: >-
5+
The function `mktemp` is deprecated. When using this function, it is
6+
possible for an attacker to modify the created file before the filename is
7+
returned. Use `NamedTemporaryFile()` instead and pass it the
8+
`delete=False` parameter.
9+
note: >-
10+
[CWE-377]: Insecure Temporary File
11+
[OWASP A01:2021]: Broken Access Control
12+
[REFERENCES]
13+
https://docs.python.org/3/library/tempfile.html#tempfile.mktemp
14+
https://owasp.org/Top10/A01_2021-Broken_Access_Control
15+
utils:
16+
match_call:
17+
kind: call
18+
all:
19+
- has:
20+
stopBy: end
21+
kind: attribute
22+
field: function
23+
all:
24+
- has:
25+
stopBy: end
26+
kind: identifier
27+
field: object
28+
regex: "^tempfile$"
29+
- has:
30+
stopBy: end
31+
kind: identifier
32+
field: attribute
33+
regex: "^mktemp$"
34+
- has:
35+
stopBy: end
36+
kind: argument_list
37+
field: arguments
38+
match_second_call:
39+
kind: call
40+
all:
41+
- has:
42+
stopBy: end
43+
kind: identifier
44+
field: function
45+
regex: "^mktemp$"
46+
- has:
47+
stopBy: end
48+
kind: argument_list
49+
field: arguments
50+
inside:
51+
stopBy: end
52+
kind: expression_statement
53+
follows:
54+
stopBy: end
55+
kind: import_from_statement
56+
all:
57+
- has:
58+
kind: dotted_name
59+
field: module_name
60+
has:
61+
kind: identifier
62+
regex: "^tempfile$"
63+
- has:
64+
stopBy: end
65+
kind: dotted_name
66+
field: name
67+
has:
68+
stopBy: end
69+
kind: identifier
70+
regex: "^mktemp$"
71+
rule:
72+
any:
73+
- matches: match_call
74+
- matches: match_second_call
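Review bot: the `match_second_call` util only fires when the `mktemp()` call sits in an `expression_statement` that is a later sibling of the `from tempfile import mktemp` statement (`inside: ... kind: expression_statement` combined with `follows: ... kind: import_from_statement`), so a call inside a function body whose import is at module level, a `return mktemp()`, and aliased imports (`from tempfile import mktemp as mk`, `import tempfile as tf`) are all missed, while `match_call` requires the literal `tempfile.` prefix. Consider anchoring the bare-call util on the presence of the import anywhere in the enclosing `module` (an `inside: kind: module` with a `has` for the import) instead of sibling order, and note the alias gap in the rule. The message should also name `tempfile.mkstemp()`, which is the replacement the referenced Python docs give for the deprecated `mktemp()`, and the `delete=False` advice needs the caveat that the file must then be used through the returned file object or descriptor: reopening it by name after `NamedTemporaryFile()` returns reintroduces the very race the rule warns about.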
Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
id: python-ldap3-empty-password
2+
language: python
3+
severity: warning
4+
message: >-
5+
The application creates a database connection with an empty password.
6+
This can lead to unauthorized access by either an internal or external
7+
malicious actor. To prevent this vulnerability, enforce authentication
8+
when connecting to a database by using environment variables to securely
9+
provide credentials or retrieving them from a secure vault or HSM
10+
(Hardware Security Module).
11+
note: >-
12+
[CWE-287]: Improper Authentication
13+
[OWASP A07:2021]: Identification and Authentication Failures
14+
[REFERENCES]
15+
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
16+
utils:
17+
match_empty_password:
18+
kind: call
19+
all:
20+
- has:
21+
stopBy: end
22+
kind: attribute
23+
- has:
24+
stopBy: end
25+
kind: argument_list
26+
all:
27+
- has:
28+
stopBy: end
29+
kind: keyword_argument
30+
all:
31+
- has:
32+
stopBy: end
33+
kind: identifier
34+
regex: '^password$'
35+
- has:
36+
stopBy: neighbor
37+
kind: string
38+
not:
39+
has:
40+
stopBy: neighbor
41+
kind: string_content
42+
rule:
43+
any:
44+
- matches: match_empty_password
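Review bot: the message talks about a "database connection", but ldap3 is an LDAP client, and the finding is a bind with an empty password, which an LDAP server may treat as an unauthenticated (anonymous) bind rather than a failed login; the text should say so instead of "database". The `match_empty_password` util also never checks for `ldap3` or `Connection`: it matches any call that contains an `attribute` node anywhere (`has: stopBy: end, kind: attribute`) together with a `password=""` keyword, so `foo(obj.attr, password="")` is reported under this rule id, while `Connection(server, user, password="")` after `from ldap3 import Connection`, a positional empty string (`ldap3.Connection(server, "cn=admin", "")`), and `password=None` are not. Pin the `attribute` to `field: function` with `object` matching `^ldap3$` and `attribute` matching `^Connection$`, add a second util for the imported name as the mktemp rule does, and consider the positional form. Minor: the `identifier` check inside the `keyword_argument` uses `stopBy: end`, so a keyword whose value merely mentions `password` also satisfies it; `field: name` makes it exact.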
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
id: avoid-mktemp-python
2+
snapshots:
3+
? |
4+
from tempfile import mktemp
5+
ff = mktemp()
6+
: labels:
7+
- source: mktemp()
8+
style: primary
9+
start: 33
10+
end: 41
11+
- source: mktemp
12+
style: secondary
13+
start: 33
14+
end: 39
15+
- source: ()
16+
style: secondary
17+
start: 39
18+
end: 41
19+
- source: tempfile
20+
style: secondary
21+
start: 5
22+
end: 13
23+
- source: tempfile
24+
style: secondary
25+
start: 5
26+
end: 13
27+
- source: mktemp
28+
style: secondary
29+
start: 21
30+
end: 27
31+
- source: mktemp
32+
style: secondary
33+
start: 21
34+
end: 27
35+
- source: from tempfile import mktemp
36+
style: secondary
37+
start: 0
38+
end: 27
39+
- source: ff = mktemp()
40+
style: secondary
41+
start: 28
42+
end: 41
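Review bot: the snapshot records only the `from tempfile import mktemp` form, so the `match_call` branch (`tempfile.mktemp()`) has no stored labels at all; add a second snapshot for that form so a regression in either util shows up in review rather than only in the `any` result.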
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
id: python-ldap3-empty-password
2+
snapshots:
3+
? |
4+
ldap3.Connection(password="")
5+
: labels:
6+
- source: ldap3.Connection(password="")
7+
style: primary
8+
start: 0
9+
end: 29
10+
- source: ldap3.Connection
11+
style: secondary
12+
start: 0
13+
end: 16
14+
- source: password
15+
style: secondary
16+
start: 17
17+
end: 25
18+
- source: '""'
19+
style: secondary
20+
start: 26
21+
end: 28
22+
- source: password=""
23+
style: secondary
24+
start: 17
25+
end: 28
26+
- source: (password="")
27+
style: secondary
28+
start: 16
29+
end: 29
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
id: avoid-mktemp-python
2+
valid:
3+
- |
4+
5+
invalid:
6+
- |
7+
from tempfile import mktemp
8+
ff = mktemp()
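Review bot: the `valid` list is a single empty document (`- |` with nothing under it), so the rule is never exercised against code that must not match. Add the recommended replacements as valid cases (`tempfile.mkstemp()`, `tempfile.NamedTemporaryFile()`, and a bare `mktemp()` with no `tempfile` import), and add `tempfile.mktemp()` plus a call inside a function body with the import at module level as `invalid` cases; the latter documents the sibling requirement of the `follows`-based util with a test instead of leaving it implicit.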
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
id: python-ldap3-empty-password
2+
valid:
3+
- |
4+
ldap3.Connection(password=a)
5+
ldap3.Connection(password=os.env['SECRET'])
6+
ldap3.Connection(password=os.getenv('SECRET'))
7+
invalid:
8+
- |
9+
ldap3.Connection(password="")
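Review bot: `os.env['SECRET']` on the second valid line is not a real attribute (the mapping is `os.environ`); the case still passes because the rule only inspects the string literal, but fixtures should be correct Python so they remain usable as documentation of the rule. Also add `from ldap3 import Connection` followed by `Connection(server, user, password="")` and a positional empty string (`ldap3.Connection(server, user, "")`) as cases: today both sit in `valid`, which makes the rule's blind spots explicit, and they move to `invalid` once the pattern is widened.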
