Add security rules for detecting hardcoded tokens and empty passwords (#143)

ESS-ENN · Sakshis · web-flow · commit a26f887b2c5d · 2025-01-29T14:57:34.000+05:30
* removed missing-secure-java

* httponly-false-csharp

* use-of-md5-digest-utils-java

* removing use-of-md5-digest-utils and httponly-false-csharp

* python-elasticsearch-hardcoded-bearer-auth-python

* python-requests-empty-password-python

* Testing

* Testing 2

* Added invalid test case to python-requests-empty-password-python test file

---------

Co-authored-by: Sakshis &lt;sakshil@abc.com&gt;
diff --git a/rules/python/security/python-elasticsearch-hardcoded-bearer-auth-python.yml b/rules/python/security/python-elasticsearch-hardcoded-bearer-auth-python.yml
@@ -0,0 +1,71 @@
+id: python-elasticsearch-hardcoded-bearer-auth-python
+severity: warning
+language: python
+message: >-
+      A secret is hard-coded in the application. Secrets stored in source
+      code, such as credentials, identifiers, and other types of sensitive data,
+      can be leaked and used by internal or external malicious actors. Use
+      environment variables to securely provide credentials and other secrets or
+      retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798] Use of Hard-coded Credentials.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  elasticsearch.Elasticsearch(..., bearer_auth="...",...):
+    # elasticsearch.Elasticsearch(..., bearer_auth="...",...)
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: attribute
+          regex: ^elasticsearch.Elasticsearch$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          all:
+          - has:
+             stopBy: end
+             kind: keyword_argument
+             all:
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+                  regex: ^bearer_auth$
+              - has:
+                  stopBy: neighbor
+                  kind: string
+                  has:
+                    stopBy: end
+                    kind: string_content
+          - not:
+             has:
+              stopBy: end
+              kind: keyword_argument
+              all:
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+                  regex: ^bearer_auth$
+              - has:
+                  stopBy: neighbor
+                  kind: string
+                  not:
+                    has:
+                     stopBy: end
+                     kind: string_content
+rule:
+  kind: call
+  matches: elasticsearch.Elasticsearch(..., bearer_auth="...",...)
+  not:
+    all:
+      - has:
+          stopBy: end
+          kind: ERROR
+      - inside:
+          stopBy: end
+          kind: ERROR
+
diff --git a/rules/python/security/python-requests-empty-password-python.yml b/rules/python/security/python-requests-empty-password-python.yml
@@ -0,0 +1,56 @@
+id: python-requests-empty-password-python
+severity: warning
+language: python
+message: >-
+      The application creates a database connection with an empty password.
+      This can lead to unauthorized access by either an internal or external
+      malicious actor. To prevent this vulnerability, enforce authentication
+      when connecting to a database by using environment variables to securely
+      provide credentials or retrieving them from a secure vault or HSM
+      (Hardware Security Module).
+note: >-
+  [CWE-287] Improper Authentication.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  requests.auth.HTTPBasicAuth($USER,"",...):
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: attribute
+          regex: ^requests.auth.HTTPBasicAuth$|^requests.auth.HTTPDigestAuth$|^requests.auth.HTTPProxyAuth$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+                stopBy: neighbor
+                kind: string
+                nthChild: 2
+                not:
+                  has:
+                    stopBy: end
+                    kind: string_content
+      # - not:
+      #     inside:
+      #       stopBy: end
+      #       kind: argument_list
+      #       follows:
+      #         stopBy: end
+      #         kind: attribute
+      #         regex: ^requests.auth.HTTPBasicAuth$|^requests.auth.HTTPDigestAuth$|^requests.auth.HTTPProxyAuth$
+rule:
+  kind: call  
+  matches: requests.auth.HTTPBasicAuth($USER,"",...)
+  not:
+    all:
+      - has:
+          stopBy: end
+          kind: ERROR
+      - inside:
+          stopBy: end
+          kind: ERROR
+
diff --git a/tests/__snapshots__/python-elasticsearch-hardcoded-bearer-auth-python-snapshot.yml b/tests/__snapshots__/python-elasticsearch-hardcoded-bearer-auth-python-snapshot.yml
@@ -0,0 +1,44 @@
+id: python-elasticsearch-hardcoded-bearer-auth-python
+snapshots:
+  ? |
+    es = elasticsearch.Elasticsearch(
+      "https://localhost:9200",
+      bearer_auth="token-value"
+    )
+  : labels:
+    - source: |-
+        elasticsearch.Elasticsearch(
+          "https://localhost:9200",
+          bearer_auth="token-value"
+        )
+      style: primary
+      start: 5
+      end: 91
+    - source: elasticsearch.Elasticsearch
+      style: secondary
+      start: 5
+      end: 32
+    - source: bearer_auth
+      style: secondary
+      start: 64
+      end: 75
+    - source: token-value
+      style: secondary
+      start: 77
+      end: 88
+    - source: '"token-value"'
+      style: secondary
+      start: 76
+      end: 89
+    - source: bearer_auth="token-value"
+      style: secondary
+      start: 64
+      end: 89
+    - source: |-
+        (
+          "https://localhost:9200",
+          bearer_auth="token-value"
+        )
+      style: secondary
+      start: 32
+      end: 91
diff --git a/tests/__snapshots__/python-requests-empty-password-python-snapshot.yml b/tests/__snapshots__/python-requests-empty-password-python-snapshot.yml
@@ -0,0 +1,20 @@
+id: python-requests-empty-password-python
+snapshots:
+  requests.get('https://httpbin.org/basic-auth/user/pass', auth=requests.auth.HTTPBasicAuth('user', '')):
+    labels:
+    - source: requests.auth.HTTPBasicAuth('user', '')
+      style: primary
+      start: 62
+      end: 101
+    - source: requests.auth.HTTPBasicAuth
+      style: secondary
+      start: 62
+      end: 89
+    - source: ''''''
+      style: secondary
+      start: 98
+      end: 100
+    - source: ('user', '')
+      style: secondary
+      start: 89
+      end: 101
diff --git a/tests/python/python-elasticsearch-hardcoded-bearer-auth-python-test.yml b/tests/python/python-elasticsearch-hardcoded-bearer-auth-python-test.yml
@@ -0,0 +1,15 @@
+id: python-elasticsearch-hardcoded-bearer-auth-python
+valid:
+  - |
+    es = elasticsearch.Elasticsearch(
+      "https://localhost:9200",
+      bearer_auth=os.env["token-value"]
+    )
+    
+invalid:
+  - |
+    es = elasticsearch.Elasticsearch(
+      "https://localhost:9200",
+      bearer_auth="token-value"
+    )
+
diff --git a/tests/python/python-requests-empty-password-python-test.yml b/tests/python/python-requests-empty-password-python-test.yml
@@ -0,0 +1,9 @@
+id: python-requests-empty-password-python
+valid:
+  - |
+    requests.get('https://httpbin.org/basic-auth/user/pass', auth=requests.auth.HTTPBasicAuth('user', os.getenv('pass'))
+invalid:
+  - |
+    requests.get('https://httpbin.org/basic-auth/user/pass', auth=requests.auth.HTTPBasicAuth('user', ''))  
+  - |
+    requests.get('https://httpbin.org/basic-auth/user/pass', auth=requests.auth.HTTPBasicAuth('username', ''))      
