File tree 3 files changed +333
-0
lines changed 3 files changed +333
-0
lines changed Original file line number Diff line number Diff line change 1+ id : ruby-mysql2-empty-password-ruby
2+ language : ruby
3+ severity : warning
4+ message : >-
5+ The application creates a database connection with an empty password.
6+ This can lead to unauthorized access by either an internal or external
7+ malicious actor. To prevent this vulnerability, enforce authentication
8+ when connecting to a database by using environment variables to securely
9+ provide credentials or retrieving them from a secure vault or HSM
10+ (Hardware Security Module).
11+ note : >-
12+ [CWE-287]: Improper Authentication
13+ [OWASP A07:2021]: Identification and Authentication Failures
14+ [REFERENCES]
15+ https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
16+
17+ ast-grep-essentials : true
18+
19+ utils :
20+ match_Mysql2:Client :
21+ kind : call
22+ all :
23+ - has :
24+ kind : scope_resolution
25+ all :
26+ - has :
27+ kind : constant
28+ field : scope
29+ regex : " ^Mysql2$"
30+ - has :
31+ kind : constant
32+ field : name
33+ regex : " ^Client$"
34+ - has :
35+ kind : identifier
36+ regex : " ^new$"
37+ - has :
38+ kind : argument_list
39+ has :
40+ kind : pair
41+ all :
42+ - has :
43+ stopBy : end
44+ kind : hash_key_symbol
45+ regex : " ^password$"
46+ - has :
47+ kind : string
48+ not :
49+ has :
50+ kind : string_content
51+ inside :
52+ stopBy : end
53+ follows :
54+ stopBy : end
55+ kind : call
56+ all :
57+ - has :
58+ kind : identifier
59+ regex : " ^require$"
60+ - has :
61+ kind : argument_list
62+ has :
63+ kind : string
64+ has :
65+ kind : string_content
66+ regex : " ^mysql2$"
67+ match_Mysql2:Client_with_identifier :
68+ kind : call
69+ all :
70+ - has :
71+ kind : scope_resolution
72+ all :
73+ - has :
74+ kind : constant
75+ field : scope
76+ regex : " ^Mysql2$"
77+ - has :
78+ kind : constant
79+ field : name
80+ regex : " ^Client$"
81+ - has :
82+ kind : identifier
83+ regex : " ^new$"
84+ - has :
85+ kind : argument_list
86+ has :
87+ kind : pair
88+ all :
89+ - has :
90+ stopBy : end
91+ kind : hash_key_symbol
92+ regex : " ^password$"
93+ - has :
94+ kind : identifier
95+ pattern : $A
96+ inside :
97+ stopBy : end
98+ follows :
99+ stopBy : end
100+ kind : assignment
101+ all :
102+ - has :
103+ kind : identifier
104+ pattern : $A
105+ - has :
106+ kind : string
107+ not :
108+ has :
109+ kind : string_content
110+ follows :
111+ stopBy : end
112+ kind : call
113+ all :
114+ - has :
115+ kind : identifier
116+ regex : " ^require$"
117+ - has :
118+ kind : argument_list
119+ has :
120+ kind : string
121+ has :
122+ kind : string_content
123+ regex : " ^mysql2$"
124+ match_Mysql2:Client_with_identifier2 :
125+ kind : call
126+ all :
127+ - has :
128+ kind : scope_resolution
129+ all :
130+ - has :
131+ kind : constant
132+ field : scope
133+ regex : " ^Mysql2$"
134+ - has :
135+ kind : constant
136+ field : name
137+ regex : " ^Client$"
138+ - has :
139+ kind : identifier
140+ regex : " ^new$"
141+ - has :
142+ kind : argument_list
143+ has :
144+ kind : pair
145+ all :
146+ - has :
147+ kind : hash_key_symbol
148+ regex : " ^password$"
149+ - has :
150+ kind : identifier
151+ pattern : $R
152+ follows :
153+ stopBy : end
154+ kind : assignment
155+ all :
156+ - has :
157+ kind : identifier
158+ pattern : $R
159+ - has :
160+ kind : string
161+ not :
162+ has :
163+ kind : string_content
164+ inside :
165+ stopBy : end
166+ kind : singleton_method
167+ inside :
168+ stopBy : end
169+ follows :
170+ stopBy : end
171+ kind : call
172+ all :
173+ - has :
174+ kind : identifier
175+ regex : " ^require$"
176+ - has :
177+ kind : argument_list
178+ has :
179+ kind : string
180+ has :
181+ kind : string_content
182+ regex : " ^mysql2$"
183+ match_Mysql2_new :
184+ kind : call
185+ all :
186+ - has :
187+ kind : scope_resolution
188+ all :
189+ - has :
190+ kind : constant
191+ field : scope
192+ regex : " ^Mysql2$"
193+ - has :
194+ kind : constant
195+ field : name
196+ regex : " ^Client$"
197+ - has :
198+ kind : identifier
199+ regex : " ^new$"
200+ - has :
201+ kind : argument_list
202+ has :
203+ kind : pair
204+ all :
205+ - has :
206+ stopBy : end
207+ kind : hash_key_symbol
208+ regex : " ^password$"
209+ - has :
210+ kind : string
211+ not :
212+ has :
213+ kind : string_content
214+ follows :
215+ stopBy : end
216+ kind : call
217+ all :
218+ - has :
219+ kind : identifier
220+ regex : " ^require$"
221+ - has :
222+ kind : argument_list
223+ has :
224+ kind : string
225+ has :
226+ kind : string_content
227+ regex : " ^mysql2$"
228+ rule :
229+ any :
230+ - matches : match_Mysql2:Client
231+ - matches : match_Mysql2:Client_with_identifier
232+ - matches : match_Mysql2:Client_with_identifier2
233+ - matches : match_Mysql2_new
234+
Original file line number Diff line number Diff line change 1+ id : ruby-mysql2-empty-password-ruby
2+ snapshots :
3+ ? |
4+ $LOAD_PATH.unshift 'lib'
5+ require 'mysql2'
6+ require 'timeout'
7+ pw = ""
8+ conn1 = Mysql2::Client.new(host : " localhost" , username: "root", password: pw)
9+ : labels :
10+ - source : ' Mysql2::Client.new(host: "localhost", username: "root", password: pw)'
11+ style : primary
12+ start : 76
13+ end : 145
14+ - source : Mysql2
15+ style : secondary
16+ start : 76
17+ end : 82
18+ - source : Client
19+ style : secondary
20+ start : 84
21+ end : 90
22+ - source : Mysql2::Client
23+ style : secondary
24+ start : 76
25+ end : 90
26+ - source : new
27+ style : secondary
28+ start : 91
29+ end : 94
30+ - source : password
31+ style : secondary
32+ start : 132
33+ end : 140
34+ - source : pw
35+ style : secondary
36+ start : 142
37+ end : 144
38+ - source : ' password: pw'
39+ style : secondary
40+ start : 132
41+ end : 144
42+ - source : ' (host: "localhost", username: "root", password: pw)'
43+ style : secondary
44+ start : 94
45+ end : 145
46+ - source : pw
47+ style : secondary
48+ start : 60
49+ end : 62
50+ - source : ' ""'
51+ style : secondary
52+ start : 65
53+ end : 67
54+ - source : require
55+ style : secondary
56+ start : 25
57+ end : 32
58+ - source : mysql2
59+ style : secondary
60+ start : 34
61+ end : 40
62+ - source : ' '' mysql2'' '
63+ style : secondary
64+ start : 33
65+ end : 41
66+ - source : ' '' mysql2'' '
67+ style : secondary
68+ start : 33
69+ end : 41
70+ - source : require 'mysql2'
71+ style : secondary
72+ start : 25
73+ end : 41
74+ - source : pw = ""
75+ style : secondary
76+ start : 60
77+ end : 67
78+ - source : pw = ""
79+ style : secondary
80+ start : 60
81+ end : 67
Original file line number Diff line number Diff line change 1+ id : ruby-mysql2-empty-password-ruby
2+ valid :
3+ - |
4+ conn_ok1 = Mysql2::Client.new(host: "localhost", username: "root")
5+ |
6+ conn_ok3 = Mysql2::Client.new(host: "localhost", username: "root", password: ENV['PASS'])
7+ invalid :
8+ - |
9+ $LOAD_PATH.unshift 'lib'
10+ require 'mysql2'
11+ require 'timeout'
12+ Mysql2::Client.new(host: "localhost", username: "root", password: "").query("SELECT sleep(#{overhead}) as result")
13+ |
14+ $LOAD_PATH.unshift 'lib'
15+ require 'mysql2'
16+ require 'timeout'
17+ pw = ""
18+ conn1 = Mysql2::Client.new(host: "localhost", username: "root", password: pw)
You can’t perform that action at this time.
0 commit comments