
Commit ad3a53a

committed
secrets-reqwest-hardcoded-auth-rust
1 parent 2f95a8e commit ad3a53a


3 files changed

+349
-0
lines changed

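--- /dev/null
+++ b/RULE_FILE_PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,142 @@
+id: secrets-reqwest-hardcoded-auth-rust
+language: rust
+severity: warning
+message: >-
+A secret is hard-coded in the application. Secrets stored in source
+code, such as credentials, identifiers, and other types of sensitive data,
+can be leaked and used by internal or external malicious actors. It is
+recommended to rotate the secret and retrieve them from a secure secret
+vault or Hardware Security Module (HSM), alternatively environment
+variables can be used if allowed by your company policy.
+note: >-
+[CWE-798] Use of Hard-coded Credentials.
+[REFERENCES]
+- https://docs.rs/reqwest/latest/reqwest/
+- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+utils:
+MATCH_PATTERN_ONE:
+kind: call_expression
+all:
+- has:
+stopBy: neighbor
+kind: field_expression
+all:
+- has:
+stopBy: neighbor
+kind: call_expression
+has:
+stopBy: neighbor
+kind: field_expression
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+pattern: $C
+- has:
+stopBy: neighbor
+kind: field_identifier
+regex: '^basic_auth$'
+- has:
+stopBy: neighbor
+kind: arguments
+all:
+- has:
+stopBy: neighbor
+kind: string_literal
+has:
+stopBy: neighbor
+kind: string_content
+- has:
+stopBy: neighbor
+kind: call_expression
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+regex: '^Some$'
+- has:
+stopBy: neighbor
+kind: arguments
+has:
+stopBy: neighbor
+kind: string_literal
+has:
+stopBy: neighbor
+kind: string_content
+
+
+- inside:
+stopBy: end
+kind: let_declaration
+follows:
+stopBy: end
+kind: let_declaration
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+pattern: $C
+- has:
+stopBy: neighbor
+kind: call_expression
+pattern: reqwest::Client::new($$$)
+
+MATCH_PATTERN_TWO:
+kind: call_expression
+all:
+- has:
+stopBy: neighbor
+kind: field_expression
+all:
+- has:
+stopBy: neighbor
+kind: call_expression
+has:
+stopBy: neighbor
+kind: field_expression
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+pattern: $C
+- has:
+stopBy: neighbor
+kind: field_identifier
+regex: '^bearer_auth|basic_auth$'
+- inside:
+stopBy: end
+kind: let_declaration
+follows:
+stopBy: end
+kind: let_declaration
+all:
+- has:
+stopBy: neighbor
+kind: identifier
+pattern: $C
+- has:
+stopBy: neighbor
+kind: call_expression
+pattern: reqwest::Client::new($$$)
+- has:
+stopBy: neighbor
+kind: arguments
+all:
+- has:
+stopBy: neighbor
+kind: string_literal
+has:
+stopBy: neighbor
+kind: string_content
+- not:
+has:
+kind: call_expression
+
+
+rule:
+kind: call_expression
+any:
+- matches: MATCH_PATTERN_ONE
+- matches: MATCH_PATTERN_TWO
+
+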
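Review bot: The `regex: '^bearer_auth|basic_auth$'` in MATCH_PATTERN_TWO anchors each alternative separately, so it also accepts any field name that merely starts with `bearer_auth` or ends with `basic_auth` (a helper called `my_basic_auth`, for instance); group the alternation: `regex: '^(bearer_auth|basic_auth)$'`. The two patterns also leave a gap for `basic_auth(user, Some("literal"))`: MATCH_PATTERN_ONE requires a string literal both as the username and inside `Some(...)`, while MATCH_PATTERN_TWO rejects any `arguments` node that contains a call_expression, so a literal password paired with a variable username is never reported, whereas `basic_auth("admin", None)` (a literal and no call) is. The `inside: let_declaration ... follows: ... pattern: reqwest::Client::new($$$)` constraints further mean a builder chain used as a bare statement, or a client obtained from `Client::builder()` or a function parameter, is out of scope; that limitation belongs in the rule's `note`. Indentation was not preserved in the rendered page, so the nesting of the `- inside:` entries under each util's outer `all` cannot be verified from here.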
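--- /dev/null
+++ b/SNAPSHOT_FILE_PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,164 @@
+id: secrets-reqwest-hardcoded-auth-rust
+snapshots:
+? |
+async fn test1() -> Result<(), reqwest::Error> {
+let client = reqwest::Client::new();
+let resp = client.delete("http://httpbin.org/delete")
+.basic_auth("admin", Some("hardcoded-password"))
+.send()
+.await?;
+println!("body = {:?}", resp);
+Ok(())
+}
+: labels:
+- source: |-
+client.delete("http://httpbin.org/delete")
+.basic_auth("admin", Some("hardcoded-password"))
+style: primary
+start: 97
+end: 188
+- source: client
+style: secondary
+start: 97
+end: 103
+- source: client.delete
+style: secondary
+start: 97
+end: 110
+- source: client.delete("http://httpbin.org/delete")
+style: secondary
+start: 97
+end: 139
+- source: basic_auth
+style: secondary
+start: 141
+end: 151
+- source: |-
+client.delete("http://httpbin.org/delete")
+.basic_auth
+style: secondary
+start: 97
+end: 151
+- source: admin
+style: secondary
+start: 153
+end: 158
+- source: '"admin"'
+style: secondary
+start: 152
+end: 159
+- source: Some
+style: secondary
+start: 161
+end: 165
+- source: hardcoded-password
+style: secondary
+start: 167
+end: 185
+- source: '"hardcoded-password"'
+style: secondary
+start: 166
+end: 186
+- source: ("hardcoded-password")
+style: secondary
+start: 165
+end: 187
+- source: Some("hardcoded-password")
+style: secondary
+start: 161
+end: 187
+- source: ("admin", Some("hardcoded-password"))
+style: secondary
+start: 151
+end: 188
+- source: client
+style: secondary
+start: 53
+end: 59
+- source: reqwest::Client::new()
+style: secondary
+start: 62
+end: 84
+- source: let client = reqwest::Client::new();
+style: secondary
+start: 49
+end: 85
+- source: |-
+let resp = client.delete("http://httpbin.org/delete")
+.basic_auth("admin", Some("hardcoded-password"))
+.send()
+.await?;
+style: secondary
+start: 86
+end: 205
+? |
+async fn test2() -> Result<(), reqwest::Error> {
+let client = reqwest::Client::new();
+let resp = client.put("http://httpbin.org/delete")
+.bearer_auth("hardcoded-token")
+.send()
+.await?;
+println!("body = {:?}", resp);
+Ok(())
+}
+: labels:
+- source: |-
+client.put("http://httpbin.org/delete")
+.bearer_auth("hardcoded-token")
+style: primary
+start: 97
+end: 168
+- source: client
+style: secondary
+start: 97
+end: 103
+- source: client.put
+style: secondary
+start: 97
+end: 107
+- source: client.put("http://httpbin.org/delete")
+style: secondary
+start: 97
+end: 136
+- source: bearer_auth
+style: secondary
+start: 138
+end: 149
+- source: |-
+client.put("http://httpbin.org/delete")
+.bearer_auth
+style: secondary
+start: 97
+end: 149
+- source: client
+style: secondary
+start: 53
+end: 59
+- source: reqwest::Client::new()
+style: secondary
+start: 62
+end: 84
+- source: let client = reqwest::Client::new();
+style: secondary
+start: 49
+end: 85
+- source: |-
+let resp = client.put("http://httpbin.org/delete")
+.bearer_auth("hardcoded-token")
+.send()
+.await?;
+style: secondary
+start: 86
+end: 185
+- source: hardcoded-token
+style: secondary
+start: 151
+end: 166
+- source: '"hardcoded-token"'
+style: secondary
+start: 150
+end: 167
+- source: ("hardcoded-token")
+style: secondary
+start: 149
+end: 168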
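--- /dev/null
+++ b/TEST_FILE_PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,43 @@
+id: secrets-reqwest-hardcoded-auth-rust
+valid:
+- |
+async fn test1(pass: &str) -> Result<(), reqwest::Error> {
+let client = reqwest::Client::new();
+let resp = client.delete("http://httpbin.org/delete")
+.basic_auth("admin", Some(pass))
+.send()
+.await?;
+println!("body = {:?}", resp);
+Ok(())
+}
+- |
+async fn test3() -> Result<(), reqwest::Error> {
+let client = reqwest::Client::new();
+let resp = client.post("http://httpbin.org/post")
+.bearer_auth("user", Some("hardcoded-password-123"))
+.send()
+.await?;
+println!("body = {:?}", resp);
+Ok(())
+}
+invalid:
+- |
+async fn test1() -> Result<(), reqwest::Error> {
+let client = reqwest::Client::new();
+let resp = client.delete("http://httpbin.org/delete")
+.basic_auth("admin", Some("hardcoded-password"))
+.send()
+.await?;
+println!("body = {:?}", resp);
+Ok(())
+}
+- |
+async fn test2() -> Result<(), reqwest::Error> {
+let client = reqwest::Client::new();
+let resp = client.put("http://httpbin.org/delete")
+.bearer_auth("hardcoded-token")
+.send()
+.await?;
+println!("body = {:?}", resp);
+Ok(())
+}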
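Review bot: The second `valid` case (`test3`) calls `.bearer_auth("user", Some("hardcoded-password-123"))`, a two-argument form that reqwest's `RequestBuilder::bearer_auth` does not have, and it asserts that a literal secret wrapped in `Some(...)` is acceptable; it passes only because MATCH_PATTERN_TWO drops any call whose arguments contain a call_expression, so the test currently locks in a rule gap rather than a real negative. Replace it with a realistic non-finding such as `.bearer_auth(token)` where `token` comes from `std::env::var`, and add an `invalid` case for `.basic_auth(user, Some("hardcoded-password"))`; that case would fail against the rule as written, which makes the variable-username/literal-password gap visible in the suite. The snapshot file will need regenerating after the change.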
