
Commit 5fdbbde

author
Sakshis
committed
ruby-excon-hardcoded-secret-ruby
1 parent d3972fa commit 5fdbbde

3 files changed: +450 -0 lines changed

Lines changed: 244 additions & 0 deletions
@@ -0,0 +1,244 @@
1+
id: ruby-excon-hardcoded-secret-ruby
2+
language: ruby
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide credentials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798] Use of Hard-coded Credentials.
12+
[REFERENCES]
13+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
14+
utils:
15+
Excon.new(..., :password => "...", ...):
16+
# Excon.new(..., :password => "...", ...)
17+
kind: call
18+
all:
19+
- has:
20+
stopBy: neighbor
21+
kind: constant
22+
regex: ^Excon$
23+
- has:
24+
stopBy: neighbor
25+
regex: ^.$
26+
- has:
27+
stopBy: neighbor
28+
kind: identifier
29+
regex: ^new$
30+
- has:
31+
stopBy: neighbor
32+
kind: argument_list
33+
has:
34+
stopBy: end
35+
kind: pair
36+
all:
37+
- has:
38+
stopBy: neighbor
39+
kind: simple_symbol
40+
regex: ^:password$
41+
- has:
42+
stopBy: neighbor
43+
kind: string
44+
has:
45+
stopBy: neighbor
46+
kind: string_content
47+
- inside:
48+
stopBy: end
49+
kind: program
50+
has:
51+
stopBy: end
52+
kind: call
53+
pattern: require 'excon'
54+
Excon.new(..., :password => "...", ...)_with_instance:
55+
# Excon.new(..., :password => "...", ...)
56+
kind: call
57+
all:
58+
- has:
59+
stopBy: neighbor
60+
kind: constant
61+
regex: ^Excon$
62+
- has:
63+
stopBy: neighbor
64+
regex: ^.$
65+
- has:
66+
stopBy: neighbor
67+
kind: identifier
68+
regex: ^new$
69+
- has:
70+
stopBy: neighbor
71+
kind: argument_list
72+
has:
73+
stopBy: end
74+
kind: pair
75+
all:
76+
- has:
77+
stopBy: neighbor
78+
kind: simple_symbol
79+
regex: ^:password$
80+
- has:
81+
stopBy: neighbor
82+
kind: identifier
83+
pattern: $PSWD
84+
- inside:
85+
stopBy: end
86+
kind: assignment
87+
follows:
88+
stopBy: end
89+
kind: assignment
90+
all:
91+
- has:
92+
stopBy: neighbor
93+
kind: identifier
94+
pattern: $PSWD
95+
- has:
96+
stopBy: neighbor
97+
kind: string
98+
has:
99+
stopBy: neighbor
100+
kind: string_content
101+
- inside:
102+
stopBy: end
103+
kind: program
104+
has:
105+
stopBy: end
106+
kind: call
107+
pattern: require 'excon'
108+
Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...):
109+
# Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)
110+
kind: call
111+
all:
112+
- has:
113+
stopBy: neighbor
114+
kind: constant
115+
regex: ^Excon$
116+
- has:
117+
stopBy: neighbor
118+
regex: ^.$
119+
- has:
120+
stopBy: neighbor
121+
kind: identifier
122+
regex: ^new$
123+
- has:
124+
stopBy: neighbor
125+
kind: argument_list
126+
has:
127+
stopBy: end
128+
kind: pair
129+
all:
130+
- has:
131+
stopBy: neighbor
132+
kind: simple_symbol
133+
regex: ^:password$
134+
- has:
135+
stopBy: neighbor
136+
kind: call
137+
all:
138+
- has:
139+
stopBy: neighbor
140+
kind: scope_resolution
141+
regex: ^Excon::Utils$
142+
- has:
143+
stopBy: neighbor
144+
regex: ^.$
145+
- has:
146+
stopBy: neighbor
147+
kind: identifier
148+
regex: ^escape_uri$
149+
- has:
150+
stopBy: neighbor
151+
kind: argument_list
152+
has:
153+
stopBy: neighbor
154+
kind: string
155+
has:
156+
stopBy: neighbor
157+
kind: string_content
158+
- inside:
159+
stopBy: end
160+
kind: program
161+
has:
162+
stopBy: end
163+
kind: call
164+
pattern: require 'excon'
165+
Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)_with_instance:
166+
# Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)
167+
kind: call
168+
all:
169+
- has:
170+
stopBy: neighbor
171+
kind: constant
172+
regex: ^Excon$
173+
- has:
174+
stopBy: neighbor
175+
regex: ^.$
176+
- has:
177+
stopBy: neighbor
178+
kind: identifier
179+
regex: ^new$
180+
- has:
181+
stopBy: neighbor
182+
kind: argument_list
183+
has:
184+
stopBy: end
185+
kind: pair
186+
all:
187+
- has:
188+
stopBy: neighbor
189+
kind: simple_symbol
190+
regex: ^:password$
191+
- has:
192+
stopBy: neighbor
193+
kind: call
194+
all:
195+
- has:
196+
stopBy: neighbor
197+
kind: scope_resolution
198+
regex: ^Excon::Utils$
199+
- has:
200+
stopBy: neighbor
201+
regex: ^.$
202+
- has:
203+
stopBy: neighbor
204+
kind: identifier
205+
regex: ^escape_uri$
206+
- has:
207+
stopBy: neighbor
208+
kind: argument_list
209+
has:
210+
stopBy: neighbor
211+
kind: identifier
212+
pattern: $PASS
213+
- inside:
214+
stopBy: end
215+
kind: program
216+
has:
217+
stopBy: end
218+
kind: call
219+
pattern: require 'excon'
220+
- inside:
221+
stopBy: end
222+
kind: assignment
223+
follows:
224+
stopBy: end
225+
kind: assignment
226+
all:
227+
- has:
228+
stopBy: neighbor
229+
kind: identifier
230+
pattern: $PASS
231+
- has:
232+
stopBy: neighbor
233+
kind: string
234+
has:
235+
stopBy: neighbor
236+
kind: string_content
237+
238+
rule:
239+
kind: call
240+
any:
241+
- matches: Excon.new(..., :password => "...", ...)
242+
- matches: Excon.new(..., :password => "...", ...)_with_instance
243+
- matches: Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)
244+
- matches: Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)_with_instance
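Review bot: the `pair` matcher in all four utils only accepts the hash-rocket key form (`kind: simple_symbol` with `regex: ^:password$`), so the equally common label form `Excon.new(password: "...")`, which tree-sitter-ruby parses as a `pair` whose key is a `hash_key_symbol`, is never flagged; consider replacing that `has` with an `any:` over `kind: simple_symbol` / `regex: ^:password$` and `kind: hash_key_symbol` / `regex: ^password$` so both spellings are caught. Two smaller points: the `_with_instance` utils require the `Excon.new` call to sit `inside: kind: assignment`, so a bare `Excon.new(..., :password => pswd)` statement (or one passed directly as an argument) with `pswd = "..."` assigned above it is missed, and the `require 'excon'` check is a literal pattern, so a test case with `require "excon"` is worth adding to confirm double-quoted requires are recognized rather than silently skipping those files. Style-wise, `regex: ^.$` for the call operator matches any single character and would read more clearly as `^\.$`.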
