
Commit 6c13bff

ESS-ENN and Sakshis authored
Add security rules and YAML configs for detecting hard-coded secrets (#149)
* removed missing-secure-java
* httponly-false-csharp
* use-of-md5-digest-utils-java
* removing use-of-md5-digest-utils and httponly-false-csharp
* ruby-excon-hardcoded-secret-ruby
* ruby-octokit-hardcoded-secret-ruby

---------

Co-authored-by: Sakshis <sakshil@abc.com>
1 parent 6fa741b commit 6c13bff

8 files changed: +949 -0 lines changed
Lines changed: 242 additions & 0 deletions
@@ -0,0 +1,242 @@
1+
id: ruby-excon-hardcoded-secret-ruby
2+
language: ruby
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide credentials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798] Use of Hard-coded Credentials.
12+
[REFERENCES]
13+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
14+
15+
ast-grep-essentials: true
16+
17+
utils:
18+
Excon.new(..., :password => "...", ...):
19+
# Excon.new(..., :password => "...", ...)
20+
kind: call
21+
all:
22+
- has:
23+
stopBy: neighbor
24+
kind: constant
25+
regex: ^Excon$
26+
- has:
27+
stopBy: neighbor
28+
regex: ^.$
29+
- has:
30+
stopBy: neighbor
31+
kind: identifier
32+
regex: ^new$
33+
- has:
34+
stopBy: neighbor
35+
kind: argument_list
36+
has:
37+
stopBy: neighbor
38+
kind: pair
39+
all:
40+
- has:
41+
stopBy: neighbor
42+
kind: simple_symbol
43+
regex: ^:password$
44+
- has:
45+
stopBy: neighbor
46+
kind: string
47+
48+
- any:
49+
- inside:
50+
stopBy: end
51+
follows:
52+
stopBy: end
53+
kind: call
54+
pattern: require 'excon'
55+
- follows:
56+
stopBy: end
57+
kind: call
58+
pattern: require 'excon'
59+
60+
Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...):
61+
# Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)
62+
kind: call
63+
all:
64+
- has:
65+
stopBy: neighbor
66+
kind: constant
67+
regex: ^Excon$
68+
- has:
69+
stopBy: neighbor
70+
regex: ^.$
71+
- has:
72+
stopBy: neighbor
73+
kind: identifier
74+
regex: ^new$
75+
- has:
76+
stopBy: neighbor
77+
kind: argument_list
78+
has:
79+
stopBy: neighbor
80+
kind: pair
81+
all:
82+
- has:
83+
stopBy: neighbor
84+
kind: simple_symbol
85+
regex: ^:password$
86+
- has:
87+
stopBy: neighbor
88+
kind: call
89+
all:
90+
- has:
91+
stopBy: neighbor
92+
kind: scope_resolution
93+
regex: ^Excon::Utils$
94+
- has:
95+
stopBy: neighbor
96+
regex: ^.$
97+
- has:
98+
stopBy: neighbor
99+
kind: identifier
100+
regex: ^escape_uri$
101+
- has:
102+
stopBy: neighbor
103+
kind: argument_list
104+
has:
105+
stopBy: neighbor
106+
kind: string
107+
- any:
108+
- inside:
109+
stopBy: end
110+
follows:
111+
stopBy: end
112+
kind: call
113+
pattern: require 'excon'
114+
- follows:
115+
stopBy: end
116+
kind: call
117+
pattern: require 'excon'
118+
119+
Excon.new(..., :password => "...", ...)_instance:
120+
# Excon.new(..., :password => "...", ...)
121+
kind: call
122+
all:
123+
- has:
124+
stopBy: neighbor
125+
kind: constant
126+
regex: ^Excon$
127+
- has:
128+
stopBy: neighbor
129+
regex: ^.$
130+
- has:
131+
stopBy: neighbor
132+
kind: identifier
133+
regex: ^new$
134+
- has:
135+
stopBy: neighbor
136+
kind: argument_list
137+
has:
138+
stopBy: neighbor
139+
kind: pair
140+
all:
141+
- has:
142+
stopBy: neighbor
143+
kind: simple_symbol
144+
regex: ^:password$
145+
- has:
146+
stopBy: neighbor
147+
kind: identifier
148+
pattern: $VAR
149+
- any:
150+
- inside:
151+
stopBy: end
152+
follows:
153+
stopBy: end
154+
kind: call
155+
pattern: require 'excon'
156+
- follows:
157+
stopBy: end
158+
kind: call
159+
pattern: require 'excon'
160+
- any:
161+
- inside:
162+
stopBy: end
163+
follows:
164+
stopBy: end
165+
kind: assignment
166+
all:
167+
- has:
168+
kind: identifier
169+
pattern: $VAR
170+
- has:
171+
kind: string
172+
173+
174+
Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)_instance:
175+
# Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)
176+
kind: call
177+
all:
178+
- has:
179+
stopBy: neighbor
180+
kind: constant
181+
regex: ^Excon$
182+
- has:
183+
stopBy: neighbor
184+
regex: ^.$
185+
- has:
186+
stopBy: neighbor
187+
kind: identifier
188+
regex: ^new$
189+
- has:
190+
stopBy: neighbor
191+
kind: argument_list
192+
has:
193+
stopBy: neighbor
194+
kind: pair
195+
all:
196+
- has:
197+
stopBy: neighbor
198+
kind: simple_symbol
199+
regex: ^:password$
200+
- has:
201+
kind: identifier
202+
pattern: $VAR
203+
- any:
204+
- inside:
205+
stopBy: end
206+
follows:
207+
stopBy: end
208+
kind: assignment
209+
pattern: $VAR = Excon::Utils.escape_uri('$$$')
210+
- follows:
211+
stopBy: end
212+
kind: assignment
213+
pattern: $VAR = Excon::Utils.escape_uri('$$$')
214+
- any:
215+
- inside:
216+
stopBy: end
217+
follows:
218+
stopBy: end
219+
kind: call
220+
pattern: require 'excon'
221+
- follows:
222+
stopBy: end
223+
kind: call
224+
pattern: require 'excon'
225+
226+
rule:
227+
kind: call
228+
any:
229+
- matches: Excon.new(..., :password => "...", ...)
230+
- matches: Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)
231+
232+
- matches: Excon.new(..., :password => "...", ...)_instance
233+
- matches: Excon.new(..., :password => Excon::Utils.escape_uri("..."), ...)_instance
234+
all:
235+
- not:
236+
has:
237+
stopBy: end
238+
kind: ERROR
239+
- not:
240+
inside:
241+
stopBy: end
242+
kind: ERROR
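Review bot: In the `Excon.new(..., :password => "...", ...)_instance` util, the secret-assignment check at new-file lines 160-171 has only the `inside` / `follows` branch, while every other `any:` in this file (lines 48-58, 107-117, 149-159, 203-213) pairs that branch with a direct `follows:` one; a bare `Excon.new(:password => pw)` statement at the same scope as an earlier `pw = "..."` is therefore never reported, because the call's only ancestor is the program node, which follows nothing. Add the missing sibling branch, e.g. `- follows:` / `stopBy: end` / `kind: assignment` with the same `all:` body as lines 166-171, or factor the assignment match into its own util so both `_instance` utils share it. Please also confirm that the pattern `$VAR = Excon::Utils.escape_uri('$$$')` at lines 209 and 213 matches a double-quoted argument as well; if quote style matters to the tree-sitter pattern, the structural `kind: call` / `kind: string` form already used at lines 88-106 is the safer choice.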
Lines changed: 132 additions & 0 deletions
@@ -0,0 +1,132 @@
1+
id: ruby-octokit-hardcoded-secret-ruby
2+
language: ruby
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide credentials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798] Use of Hard-coded Credentials.
12+
[REFERENCES]
13+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
14+
15+
ast-grep-essentials: true
16+
17+
utils:
18+
Octokit::Client.new(password:""):
19+
# Octokit::Client.new(..., password: "", ...)
20+
kind: call
21+
all:
22+
- has:
23+
stopBy: neighbor
24+
kind: scope_resolution
25+
regex: ^Octokit::Client$
26+
- has:
27+
stopBy: neighbor
28+
regex: ^.$
29+
- has:
30+
stopBy: neighbor
31+
kind: identifier
32+
regex: ^new$
33+
- has:
34+
stopBy: neighbor
35+
kind: argument_list
36+
has:
37+
stopBy: neighbor
38+
kind: pair
39+
all:
40+
- has:
41+
stopBy: neighbor
42+
any:
43+
- kind: simple_symbol
44+
regex: ^:password$|^:access_token$|^:client_secret$
45+
- kind: hash_key_symbol
46+
regex: ^password$|^access_token$|^client_secret$
47+
- has:
48+
stopBy: neighbor
49+
kind: string
50+
- any:
51+
- inside:
52+
stopBy: end
53+
follows:
54+
stopBy: end
55+
kind: call
56+
pattern: require 'octokit'
57+
- follows:
58+
stopBy: end
59+
kind: call
60+
pattern: require 'octokit'
61+
Octokit::Client.new(password:"")_Instance:
62+
kind: call
63+
all:
64+
- has:
65+
stopBy: neighbor
66+
kind: scope_resolution
67+
regex: ^Octokit::Client$
68+
- has:
69+
stopBy: neighbor
70+
regex: ^.$
71+
- has:
72+
stopBy: neighbor
73+
kind: identifier
74+
regex: ^new$
75+
- has:
76+
stopBy: neighbor
77+
kind: argument_list
78+
has:
79+
stopBy: neighbor
80+
kind: pair
81+
all:
82+
- has:
83+
stopBy: neighbor
84+
any:
85+
- kind: simple_symbol
86+
regex: ^:password$|^:access_token$|^:client_secret$
87+
- kind: hash_key_symbol
88+
regex: ^password$|^access_token$|^client_secret$
89+
- has:
90+
stopBy: neighbor
91+
kind: identifier
92+
pattern: $SECRET
93+
- any:
94+
- inside:
95+
stopBy: end
96+
follows:
97+
stopBy: end
98+
kind: call
99+
pattern: require 'octokit'
100+
- follows:
101+
stopBy: end
102+
kind: call
103+
pattern: require 'octokit'
104+
- any:
105+
- follows:
106+
stopBy: end
107+
kind: assignment
108+
pattern: $SECRET = $PASS
109+
- inside:
110+
stopBy: end
111+
follows:
112+
stopBy: end
113+
kind: assignment
114+
pattern: $SECRET = $PASS
115+
rule:
116+
kind: call
117+
any:
118+
- matches: Octokit::Client.new(password:"")
119+
- matches: Octokit::Client.new(password:"")_Instance
120+
all:
121+
- not:
122+
has:
123+
stopBy: end
124+
kind: ERROR
125+
- not:
126+
inside:
127+
stopBy: end
128+
kind: ERROR
129+
130+
constraints:
131+
PASS:
132+
kind: string
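Review bot: The `has:` / `kind: string` leaf at new-file lines 47-49 and the `PASS:` / `kind: string` constraint at lines 130-132 also match interpolated strings, so `Octokit::Client.new(access_token: "#{ENV['GITHUB_TOKEN']}")` is reported as a hard-coded secret although nothing secret is stored in source. Tighten both to a string with no `interpolation` child (e.g. add `not:` / `has:` / `kind: interpolation` next to `kind: string`) and add such a case to the rule's test file as a non-match; the Excon rule in this commit has the same gap. Minor: the util names and the comment at line 19 mention only `password`, while the regexes at lines 44 and 46 also cover `access_token` and `client_secret`, so a neutral util name would read better.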
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
id: insecure-binaryformatter-deserialization-csharp
2+
snapshots:
3+
? "using System.Runtime.Serialization.Formatters.Binary; \nnamespace InsecureDeserialization\n{\n public class InsecureBinaryFormatterDeserialization\n {\n public void BinaryFormatterDeserialization(string json)\n {\n try\n {\n BinaryFormatter binaryFormatter = new BinaryFormatter();\n\n MemoryStream memoryStream = new MemoryStream(Encoding.UTF8.GetBytes(json));\n binaryFormatter.Deserialize(memoryStream);\n memoryStream.Close();\n }\n catch (Exception e)\n {\n Console.WriteLine(e);\n }\n }\n}\n}\n"
4+
: labels:
5+
- source: new BinaryFormatter()
6+
style: primary
7+
start: 281
8+
end: 302
9+
- source: using System.Runtime.Serialization.Formatters.Binary;
10+
style: secondary
11+
start: 0
12+
end: 53
13+
- source: using System.Runtime.Serialization.Formatters.Binary;
14+
style: secondary
15+
start: 0
16+
end: 53
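Review bot: The two `secondary` labels at new-file lines 9-12 and 13-16 are identical (same `source`, `start: 0`, `end: 53`), which means the rule behind this snapshot reports the `using` directive twice; duplicate labels usually come from two relational branches (a direct `follows` and an `inside` / `follows`) both matching the same node, so either restructure the rule so the directive is captured once or regenerate the snapshot after the fix. Separately, the commit message lists the added and removed rules but does not mention `insecure-binaryformatter-deserialization-csharp`; please add this snapshot to the message or move it to its own commit.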
