Commit 8379413

author
Sakshis
committed
python-mariadb-password-empty-python
1 parent b3b4cd2 commit 8379413

3 files changed

+385
-0
lines changed

Lines changed: 203 additions & 0 deletions
@@ -0,0 +1,203 @@
1+
id: python-mariadb-hardcoded-secret-python
2+
language: python
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide credentials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798]: Use of Hard-coded Credentials
12+
[OWASP A07:2021]: Identification and Authentication Failures
13+
[REFERENCES]
14+
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
15+
16+
ast-grep-essentials: true
17+
18+
utils:
19+
define_string:
20+
kind: string
21+
all:
22+
- has:
23+
kind: string_start
24+
nthChild: 1
25+
- has:
26+
kind: string_content
27+
nthChild: 2
28+
- has:
29+
kind: string_end
30+
nthChild: 3
31+
32+
define_password:
33+
any:
34+
- matches: define_string
35+
- kind: identifier
36+
pattern: $PWD_IDENTIFIER
37+
inside:
38+
stopBy: end
39+
follows:
40+
stopBy: end
41+
kind: expression_statement
42+
has:
43+
stopBy: end
44+
kind: assignment
45+
nthChild: 1
46+
all:
47+
- has:
48+
nthChild: 1
49+
kind: identifier
50+
field: left
51+
pattern: $PWD_IDENTIFIER
52+
- has:
53+
nthChild: 2
54+
matches: define_string
55+
56+
rule:
57+
any:
58+
- kind: call
59+
any:
60+
- kind: call
61+
has:
62+
kind: identifier
63+
regex: ^connect$
64+
precedes:
65+
kind: argument_list
66+
has:
67+
stopBy: end
68+
kind: keyword_argument
69+
all:
70+
- has:
71+
nthChild: 1
72+
kind: identifier
73+
regex: ^(password|passwd)$
74+
- has:
75+
nthChild: 2
76+
matches: define_password
77+
inside:
78+
stopBy: end
79+
follows:
80+
stopBy: end
81+
kind: import_from_statement
82+
all:
83+
- has:
84+
nthChild: 1
85+
kind: dotted_name
86+
field: module_name
87+
regex: ^mariadb$
88+
precedes:
89+
stopBy: end
90+
kind: dotted_name
91+
regex: ^connect$
92+
93+
- kind: call
94+
any:
95+
- kind: call
96+
has:
97+
kind: identifier
98+
pattern: $SASL_ALIAS
99+
precedes:
100+
kind: argument_list
101+
has:
102+
stopBy: end
103+
kind: keyword_argument
104+
all:
105+
- has:
106+
nthChild: 1
107+
kind: identifier
108+
regex: ^(password|passwd)$
109+
- has:
110+
nthChild: 2
111+
matches: define_password
112+
inside:
113+
stopBy: end
114+
follows:
115+
stopBy: end
116+
kind: import_from_statement
117+
all:
118+
- has:
119+
nthChild: 1
120+
kind: dotted_name
121+
field: module_name
122+
regex: ^mariadb$
123+
precedes:
124+
stopBy: end
125+
kind: aliased_import
126+
all:
127+
- has:
128+
kind: dotted_name
129+
nthChild: 1
130+
regex: ^connect$
131+
- has:
132+
kind: identifier
133+
field: alias
134+
nthChild: 2
135+
pattern: $SASL_ALIAS
136+
- kind: call
137+
any:
138+
- kind: call
139+
has:
140+
kind: attribute
141+
regex: ^mariadb.connect$
142+
precedes:
143+
kind: argument_list
144+
has:
145+
stopBy: end
146+
kind: keyword_argument
147+
all:
148+
- has:
149+
nthChild: 1
150+
kind: identifier
151+
regex: ^(password|passwd)$
152+
- has:
153+
nthChild: 2
154+
matches: define_password
155+
- kind: call
156+
any:
157+
- kind: call
158+
has:
159+
kind: attribute
160+
all:
161+
- has:
162+
nthChild: 1
163+
kind: identifier
164+
field: object
165+
pattern: $MARIADB_ALIAS
166+
- has:
167+
nthChild: 2
168+
kind: identifier
169+
field: attribute
170+
regex: ^connect$
171+
# regex: ^mariadb.connect$
172+
precedes:
173+
kind: argument_list
174+
has:
175+
stopBy: end
176+
kind: keyword_argument
177+
all:
178+
- has:
179+
nthChild: 1
180+
kind: identifier
181+
regex: ^(password|passwd)$
182+
- has:
183+
nthChild: 2
184+
matches: define_password
185+
inside:
186+
stopBy: end
187+
follows:
188+
stopBy: end
189+
kind: import_statement
190+
has:
191+
nthChild: 1
192+
kind: aliased_import
193+
all:
194+
- has:
195+
nthChild: 1
196+
kind: dotted_name
197+
field: name
198+
regex: ^mariadb$
199+
- has:
200+
nthChild: 2
201+
kind: identifier
202+
field: alias
203+
pattern: $MARIADB_ALIAS
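Review bot: the rule id `python-mariadb-hardcoded-secret-python` at the top of this hunk does not match the commit message `python-mariadb-password-empty-python`, and because `define_string` requires a `string_content` child an empty `""` password can never match this rule, so either the commit message or the committed rule is the wrong one. Two smaller points in the same hunk: the metavariable `$SASL_ALIAS` in the `from mariadb import connect as ...` branch has nothing to do with what it binds (the alias of `connect`) and should be renamed, e.g. `$CONNECT_ALIAS`; and the commented-out line `# regex: ^mariadb.connect$` under the `$MARIADB_ALIAS` attribute branch is dead text that should be removed. In the third branch, `regex: ^mariadb.connect$` leaves the dot unescaped; `^mariadb\.connect$` is what is meant.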
Lines changed: 169 additions & 0 deletions
@@ -0,0 +1,169 @@
1+
id: python-mariadb-hardcoded-secret-python
2+
snapshots:
3+
? |
4+
PASSWORD1 = "test"
5+
conn = mariadb.connect(password=PASSWORD1)
6+
: labels:
7+
- source: mariadb.connect(password=PASSWORD1)
8+
style: primary
9+
start: 26
10+
end: 61
11+
- source: password
12+
style: secondary
13+
start: 42
14+
end: 50
15+
- source: PASSWORD1
16+
style: secondary
17+
start: 0
18+
end: 9
19+
- source: '"'
20+
style: secondary
21+
start: 12
22+
end: 13
23+
- source: test
24+
style: secondary
25+
start: 13
26+
end: 17
27+
- source: '"'
28+
style: secondary
29+
start: 17
30+
end: 18
31+
- source: '"test"'
32+
style: secondary
33+
start: 12
34+
end: 18
35+
- source: PASSWORD1 = "test"
36+
style: secondary
37+
start: 0
38+
end: 18
39+
- source: PASSWORD1 = "test"
40+
style: secondary
41+
start: 0
42+
end: 18
43+
- source: PASSWORD1 = "test"
44+
style: secondary
45+
start: 0
46+
end: 18
47+
- source: PASSWORD1
48+
style: secondary
49+
start: 51
50+
end: 60
51+
- source: password=PASSWORD1
52+
style: secondary
53+
start: 42
54+
end: 60
55+
- source: (password=PASSWORD1)
56+
style: secondary
57+
start: 41
58+
end: 61
59+
- source: mariadb.connect
60+
style: secondary
61+
start: 26
62+
end: 41
63+
? |
64+
conn = mariadb.connect(password="test")
65+
: labels:
66+
- source: mariadb.connect(password="test")
67+
style: primary
68+
start: 7
69+
end: 39
70+
- source: password
71+
style: secondary
72+
start: 23
73+
end: 31
74+
- source: '"'
75+
style: secondary
76+
start: 32
77+
end: 33
78+
- source: test
79+
style: secondary
80+
start: 33
81+
end: 37
82+
- source: '"'
83+
style: secondary
84+
start: 37
85+
end: 38
86+
- source: '"test"'
87+
style: secondary
88+
start: 32
89+
end: 38
90+
- source: password="test"
91+
style: secondary
92+
start: 23
93+
end: 38
94+
- source: (password="test")
95+
style: secondary
96+
start: 22
97+
end: 39
98+
- source: mariadb.connect
99+
style: secondary
100+
start: 7
101+
end: 22
102+
? |
103+
import mariadb as mrdbl123
104+
mrdbl123.connect(host="this.is.my.host",user="root",passwd="test",database="aaa")
105+
: labels:
106+
- source: mrdbl123.connect(host="this.is.my.host",user="root",passwd="test",database="aaa")
107+
style: primary
108+
start: 27
109+
end: 108
110+
- source: mrdbl123
111+
style: secondary
112+
start: 27
113+
end: 35
114+
- source: connect
115+
style: secondary
116+
start: 36
117+
end: 43
118+
- source: passwd
119+
style: secondary
120+
start: 79
121+
end: 85
122+
- source: '"'
123+
style: secondary
124+
start: 86
125+
end: 87
126+
- source: test
127+
style: secondary
128+
start: 87
129+
end: 91
130+
- source: '"'
131+
style: secondary
132+
start: 91
133+
end: 92
134+
- source: '"test"'
135+
style: secondary
136+
start: 86
137+
end: 92
138+
- source: passwd="test"
139+
style: secondary
140+
start: 79
141+
end: 92
142+
- source: (host="this.is.my.host",user="root",passwd="test",database="aaa")
143+
style: secondary
144+
start: 43
145+
end: 108
146+
- source: mrdbl123.connect
147+
style: secondary
148+
start: 27
149+
end: 43
150+
- source: mariadb
151+
style: secondary
152+
start: 7
153+
end: 14
154+
- source: mrdbl123
155+
style: secondary
156+
start: 18
157+
end: 26
158+
- source: mariadb as mrdbl123
159+
style: secondary
160+
start: 7
161+
end: 26
162+
- source: import mariadb as mrdbl123
163+
style: secondary
164+
start: 0
165+
end: 26
166+
- source: import mariadb as mrdbl123
167+
style: secondary
168+
start: 0
169+
end: 26
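Review bot: the label lists in this snapshot contain repeated identical entries (`PASSWORD1 = "test"` with `start: 0` / `end: 18` three times, `import mariadb as mrdbl123` twice), which come from the rule's nested `inside`/`follows` relations rather than from a defect, but it means this file must be regenerated with `ast-grep test --update-all` after every rule change instead of being edited by hand. All three recorded cases use the `mariadb.connect` attribute form (directly or through `import mariadb as mrdbl123`); there is no snapshot for the `from mariadb import connect` forms the rule also targets.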
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
id: python-mariadb-hardcoded-secret-python
2+
valid:
3+
- |
4+
mysql_db1 = MySQLDatabe('my_app', user='app', password=os.env['pass'], host='10.1.0.8', port=3306)
5+
invalid:
6+
- |
7+
PASSWORD1 = "test"
8+
conn = mariadb.connect(password=PASSWORD1)
9+
- |
10+
conn = mariadb.connect(password="test")
11+
- |
12+
import mariadb as mrdbl123
13+
mrdbl123.connect(host="this.is.my.host",user="root",passwd="test",database="aaa")
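Review bot: the only `valid` case, `mysql_db1 = MySQLDatabe('my_app', user='app', password=os.env['pass'], ...)`, never calls `mariadb.connect`, so it would pass even if the rule were completely broken; it also misspells the class name and uses `os.env` where Python has `os.environ`. Replace it with cases that reach the matched call but take the secret from the environment, e.g. `conn = mariadb.connect(password=os.environ["DB_PASSWORD"])` and `from mariadb import connect` followed by `connect(password=os.environ["DB_PASSWORD"])`. The `invalid` list also lacks the `from mariadb import connect` and `from mariadb import connect as c` forms that the first two branches of the rule target, so those branches are currently untested.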
