Commit 9cbba3f
ESS-ENNSakshis and Sakshis authored

Add Python MySQL client security analysis rules and tests (#181)

* removed missing-secure-java
* httponly-false-csharp
* use-of-md5-digest-utils-java
* removing use-of-md5-digest-utils and httponly-false-csharp
* python-mysqlclient-empty-password-python
* python-mysqlclient-hardcoded-secret-python

---------

Co-authored-by: Sakshis <sakshil@abc.com>

1 parent 620d83c commit 9cbba3f

6 files changed: +1047 -0 lines changed

Lines changed (this file): 201 additions & 0 deletions
@@ -0,0 +1,201 @@
1+
id: python-mysqlclient-empty-password-python
2+
language: python
3+
severity: warning
4+
message: >-
5+
The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).
6+
note: >-
7+
[CWE-287]: Improper Authentication
8+
[A07:2021]: Identification and Authentication Failures
9+
[REFERENCES]
10+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
11+
12+
ast-grep-essentials: true
13+
14+
utils:
15+
define_string:
16+
kind: string
17+
all:
18+
- has:
19+
kind: string_start
20+
nthChild: 1
21+
- has:
22+
kind: string_end
23+
nthChild: 2
24+
- not:
25+
has:
26+
kind: string_content
27+
28+
define_password:
29+
any:
30+
- matches: define_string
31+
- kind: identifier
32+
pattern: $PWD_IDENTIFIER
33+
inside:
34+
stopBy: end
35+
follows:
36+
stopBy: end
37+
kind: expression_statement
38+
has:
39+
stopBy: end
40+
kind: assignment
41+
nthChild: 1
42+
all:
43+
- has:
44+
nthChild: 1
45+
kind: identifier
46+
field: left
47+
pattern: $PWD_IDENTIFIER
48+
- has:
49+
nthChild: 2
50+
matches: define_string
51+
52+
keyword_argument_passwd:
53+
kind: keyword_argument
54+
all:
55+
- has:
56+
nthChild: 1
57+
kind: identifier
58+
field: name
59+
regex: ^(passwd)$
60+
- has:
61+
nthChild: 2
62+
matches: define_password
63+
64+
argument_list_util:
65+
kind: argument_list
66+
any:
67+
- has:
68+
matches: keyword_argument_passwd
69+
- all:
70+
- has:
71+
nthChild:
72+
position: 3
73+
ofRule:
74+
not:
75+
kind: comment
76+
matches: define_password
77+
- not:
78+
has:
79+
matches: keyword_argument_passwd
80+
rule:
81+
any:
82+
# MySQLdb.$CONNECT
83+
- kind: call
84+
any:
85+
- kind: call
86+
has:
87+
nthChild: 1
88+
kind: attribute
89+
all:
90+
- has:
91+
nthChild: 1
92+
kind: identifier
93+
field: object
94+
regex: ^MySQLdb$
95+
- has:
96+
nthChild: 2
97+
kind: identifier
98+
field: attribute
99+
pattern: $CONNECT
100+
precedes:
101+
matches: argument_list_util
102+
103+
# MySQLdb._mysql.$CONNECT
104+
- kind: call
105+
any:
106+
- kind: call
107+
has:
108+
nthChild: 1
109+
kind: attribute
110+
all:
111+
- has:
112+
nthChild: 1
113+
regex: ^MySQLdb._mysql$
114+
- has:
115+
nthChild: 2
116+
kind: identifier
117+
field: attribute
118+
pattern: $CONNECT
119+
precedes:
120+
matches: argument_list_util
121+
- kind: call
122+
any:
123+
- kind: call
124+
has:
125+
nthChild: 1
126+
kind: attribute
127+
all:
128+
- has:
129+
nthChild: 1
130+
kind: identifier
131+
field: object
132+
regex: ^_mysql$
133+
- has:
134+
nthChild: 2
135+
kind: identifier
136+
field: attribute
137+
pattern: $CONNECT
138+
precedes:
139+
matches: argument_list_util
140+
inside:
141+
stopBy: end
142+
follows:
143+
stopBy: end
144+
kind: import_from_statement
145+
has:
146+
nthChild: 1
147+
kind: dotted_name
148+
field: module_name
149+
regex: ^MySQLdb$
150+
precedes:
151+
stopBy: end
152+
kind: dotted_name
153+
regex: ^(_mysql)$
154+
155+
- kind: call
156+
any:
157+
- kind: call
158+
has:
159+
nthChild: 1
160+
kind: attribute
161+
all:
162+
- has:
163+
nthChild: 1
164+
kind: identifier
165+
field: object
166+
pattern: $MYSQL_ALIAS
167+
- has:
168+
nthChild: 2
169+
kind: identifier
170+
field: attribute
171+
pattern: $CONNECT
172+
precedes:
173+
matches: argument_list_util
174+
inside:
175+
stopBy: end
176+
follows:
177+
stopBy: end
178+
kind: import_from_statement
179+
has:
180+
nthChild: 1
181+
kind: dotted_name
182+
field: module_name
183+
regex: ^MySQLdb$
184+
precedes:
185+
stopBy: end
186+
kind: aliased_import
187+
all:
188+
- has:
189+
nthChild: 1
190+
kind: dotted_name
191+
field: name
192+
regex: ^_mysql$
193+
- has:
194+
nthChild: 2
195+
kind: identifier
196+
field: alias
197+
pattern: $MYSQL_ALIAS
198+
# constraints:
199+
# CONNECT:
200+
# regex: ^(Connect|connect|Connection|connection)$
201+
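Review bot: the `constraints:` block at the end of the hunk (`# CONNECT:` / `# regex: ^(Connect|connect|Connection|connection)$`) is commented out, so `$CONNECT` is unconstrained and the rule fires on any `MySQLdb.<name>(...)`, `_mysql.<name>(...)` or `$MYSQL_ALIAS.<name>(...)` call whose `passwd=` keyword or third positional argument is an empty string, not only on the connection constructors the `message` describes. Either re-enable the constraint (the `# MySQLdb.$CONNECT` comments above each branch suggest that was the intent) or state in the rule why it is disabled. Two smaller points: `regex: ^MySQLdb._mysql$` leaves the dot unescaped and should be `^MySQLdb\._mysql$`, and the identifier branch of `define_password` only recognises a variable whose earlier assignment is an empty string literal, so a test file with one positive case per call form (`MySQLdb.connect`, `_mysql.connect`, aliased import) plus a negative case with a non-empty `passwd` would pin down the intended coverage.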
