Add Peewee ORM security rules for empty passwords and hard-coded secrets (#140)

ESS-ENN · Sakshis · web-flow · commit 991fa004d627 · 2025-01-29T14:57:08.000+05:30
* removed missing-secure-java

* httponly-false-csharp

* use-of-md5-digest-utils-java

* removing use-of-md5-digest-utils and httponly-false-csharp

* python-peewee-pg-empty-password-python

* python-peewee-pg-hardcoded-secret-python

---------

Co-authored-by: Sakshis &lt;sakshil@abc.com&gt;
diff --git a/rules/python/security/python-peewee-pg-empty-password-python.yml b/rules/python/security/python-peewee-pg-empty-password-python.yml
@@ -0,0 +1,56 @@
+id: python-peewee-pg-empty-password-python
+severity: warning
+language: python
+message: >-
+      The application creates a database connection with an empty password.
+      This can lead to unauthorized access by either an internal or external
+      malicious actor. To prevent this vulnerability, enforce authentication
+      when connecting to a database by using environment variables to securely
+      provide credentials or retrieving them from a secure vault or HSM
+      (Hardware Security Module).
+note: >-
+  [CWE-287] Improper Authentication.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  $DB(..., password="...",...):
+    # $DB(..., password="...",...)
+    kind: call
+    all:
+    - has:
+        stopBy: neighbor
+        pattern: $DB
+        regex: ^PostgresqlDatabase$|6peewee.PostgresqlDatabase$|^PostgresqlExtDatabase|playhouse.postgres_ext.PostgresqlExtDatabase$|^PooledPostgresqlDatabase$|^playhouse.pool.PooledPostgresqlDatabase$|^CockroachDatabase$|^playhouse.cockroachdb.CockroachDatabase$|^PooledCockroachDatabase$|^playhouse.cockroachdb.PooledCockroachDatabase$
+    - has:
+        stopBy: neighbor
+        kind: argument_list
+        has:
+          stopBy: neighbor
+          kind: keyword_argument
+          all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: ^password$|^passwd$
+            - has:
+                stopBy: neighbor
+                kind: string
+                not:
+                  has:
+                   stopBy: neighbor
+                   kind: string_content
+rule:
+  kind: call
+  matches: $DB(..., password="...",...)
+  all:
+    - not:
+        has:
+          stopBy: end
+          kind: ERROR
+    - not:
+        inside:
+          stopBy: end
+          kind: ERROR
diff --git a/rules/python/security/python-peewee-pg-hardcoded-secret-python.yml b/rules/python/security/python-peewee-pg-hardcoded-secret-python.yml
@@ -0,0 +1,55 @@
+id: python-peewee-pg-hardcoded-secret-python
+severity: warning
+language: python
+message: >-
+      A secret is hard-coded in the application. Secrets stored in source
+      code, such as credentials, identifiers, and other types of sensitive data,
+      can be leaked and used by internal or external malicious actors. Use
+      environment variables to securely provide credentials and other secrets or
+      retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798] Use of Hard-coded Credentials.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  $DB(..., password="...",...):
+    # $DB(..., password="...",...)
+    kind: call
+    all:
+    - has:
+        stopBy: neighbor
+        pattern: $DB
+        regex: ^PostgresqlDatabase$|6peewee.PostgresqlDatabase$|^PostgresqlExtDatabase|playhouse.postgres_ext.PostgresqlExtDatabase$|^PooledPostgresqlDatabase$|^playhouse.pool.PooledPostgresqlDatabase$|^CockroachDatabase$|^playhouse.cockroachdb.CockroachDatabase$|^PooledCockroachDatabase$|^playhouse.cockroachdb.PooledCockroachDatabase$
+    - has:
+        stopBy: neighbor
+        kind: argument_list
+        has:
+          stopBy: neighbor
+          kind: keyword_argument
+          all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: ^password$|^passwd$
+            - has:
+                stopBy: neighbor
+                kind: string
+                has:
+                   stopBy: neighbor
+                   kind: string_content
+rule:
+  kind: call
+  matches: $DB(..., password="...",...)
+  all:
+    - not:
+        has:
+          stopBy: end
+          kind: ERROR
+    - not:
+        inside:
+          stopBy: end
+          kind: ERROR
+
diff --git a/tests/__snapshots__/python-peewee-pg-empty-password-python-snapshot.yml b/tests/__snapshots__/python-peewee-pg-empty-password-python-snapshot.yml
@@ -0,0 +1,29 @@
+id: python-peewee-pg-empty-password-python
+snapshots:
+  ? |
+    pg_db1 = PostgresqlDatabase('my_app', user='postgres', password='', host='10.1.0.9', port=5432)
+  : labels:
+    - source: PostgresqlDatabase('my_app', user='postgres', password='', host='10.1.0.9', port=5432)
+      style: primary
+      start: 9
+      end: 95
+    - source: PostgresqlDatabase
+      style: secondary
+      start: 9
+      end: 27
+    - source: password
+      style: secondary
+      start: 55
+      end: 63
+    - source: ''''''
+      style: secondary
+      start: 64
+      end: 66
+    - source: password=''
+      style: secondary
+      start: 55
+      end: 66
+    - source: ('my_app', user='postgres', password='', host='10.1.0.9', port=5432)
+      style: secondary
+      start: 27
+      end: 95
diff --git a/tests/__snapshots__/python-peewee-pg-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-peewee-pg-hardcoded-secret-python-snapshot.yml
@@ -0,0 +1,33 @@
+id: python-peewee-pg-hardcoded-secret-python
+snapshots:
+  ? |
+    pg_db1 = PostgresqlDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432)
+  : labels:
+    - source: PostgresqlDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432)
+      style: primary
+      start: 9
+      end: 103
+    - source: PostgresqlDatabase
+      style: secondary
+      start: 9
+      end: 27
+    - source: password
+      style: secondary
+      start: 55
+      end: 63
+    - source: password
+      style: secondary
+      start: 65
+      end: 73
+    - source: '''password'''
+      style: secondary
+      start: 64
+      end: 74
+    - source: password='password'
+      style: secondary
+      start: 55
+      end: 74
+    - source: ('my_app', user='postgres', password='password', host='10.1.0.9', port=5432)
+      style: secondary
+      start: 27
+      end: 103
diff --git a/tests/python/python-peewee-pg-empty-password-python-test.yml b/tests/python/python-peewee-pg-empty-password-python-test.yml
@@ -0,0 +1,8 @@
+id: python-peewee-pg-empty-password-python
+valid:
+  - |
+    mysql_db1 = MySQLDatabe('my_app', user='app', password=os.env['db_password'], host='10.1.0.8', port=3306)
+invalid:
+  - |
+    pg_db1 = PostgresqlDatabase('my_app', user='postgres', password='', host='10.1.0.9', port=5432)
+  
diff --git a/tests/python/python-peewee-pg-hardcoded-secret-python-test.yml b/tests/python/python-peewee-pg-hardcoded-secret-python-test.yml
@@ -0,0 +1,8 @@
+id: python-peewee-pg-hardcoded-secret-python
+valid:
+  - |
+    mysql_db1 = MySQLDatabe('my_app', user='app', password=os.env['db_password'], host='10.1.0.8', port=3306)
+invalid:
+  - |
+    pg_db1 = PostgresqlDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432)
+  
