Commit b231b4a

ESS-ENNSakshis and Sakshis authored
Add YAML security rules and tests for ldap3 and MariaDB (#179)
* python-ldap3-empty-password-python
* python-ldap3-hardcoded-secret-python
* python-mariadb-hardcoded-secret-python
* python-mariadb-password-empty-python

---------

Co-authored-by: Sakshis <sakshil@abc.com>
1 parent 69d9cf0 commit b231b4a

12 files changed: +1208 -0 lines changed
Lines changed: 99 additions & 0 deletions
@@ -0,0 +1,99 @@
1+
id: python-ldap3-empty-password-python
2+
severity: warning
3+
language: python
4+
message: >-
5+
The application creates a database connection with an empty password.
6+
This can lead to unauthorized access by either an internal or external
7+
malicious actor. To prevent this vulnerability, enforce authentication
8+
when connecting to a database by using environment variables to securely
9+
provide credentials or retrieving them from a secure vault or HSM
10+
(Hardware Security Module).
11+
note: >-
12+
[CWE-287] Improper Authentication.
13+
[REFERENCES]
14+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
15+
16+
ast-grep-essentials: true
17+
18+
utils:
19+
ldap3.Connection(..., password="",...)_INSTANCE:
20+
kind: call
21+
all:
22+
- has:
23+
stopBy: neighbor
24+
kind: attribute
25+
regex: ^ldap3.Connection$
26+
- has:
27+
stopBy: neighbor
28+
kind: argument_list
29+
has:
30+
stopBy: neighbor
31+
kind: keyword_argument
32+
all:
33+
- has:
34+
stopBy: neighbor
35+
kind: identifier
36+
regex: ^password$
37+
nthChild: 1
38+
- has:
39+
stopBy: neighbor
40+
kind: identifier
41+
pattern: $INST
42+
nthChild: 2
43+
- inside:
44+
stopBy: end
45+
follows:
46+
stopBy: end
47+
kind: expression_statement
48+
has:
49+
kind: assignment
50+
all:
51+
- has:
52+
kind: identifier
53+
pattern: $INST
54+
nthChild: 1
55+
- has:
56+
kind: string
57+
not:
58+
has:
59+
kind: string_content
60+
61+
ldap3.Connection(..., password="",...):
62+
kind: call
63+
all:
64+
- has:
65+
stopBy: neighbor
66+
kind: attribute
67+
regex: ^ldap3.Connection$
68+
- has:
69+
stopBy: neighbor
70+
kind: argument_list
71+
has:
72+
stopBy: neighbor
73+
kind: keyword_argument
74+
all:
75+
- has:
76+
stopBy: neighbor
77+
kind: identifier
78+
regex: ^password$
79+
- has:
80+
stopBy: neighbor
81+
kind: string
82+
not:
83+
has:
84+
stopBy: end
85+
kind: string_content
86+
87+
rule:
88+
kind: call
89+
any:
90+
- matches: ldap3.Connection(..., password="",...)_INSTANCE
91+
- matches: ldap3.Connection(..., password="",...)
92+
not:
93+
all:
94+
- has:
95+
stopBy: end
96+
kind: ERROR
97+
- inside:
98+
stopBy: end
99+
kind: ERROR
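Review bot: both utils in this rule only descend into `keyword_argument` children of the `argument_list`, so a password handed to `ldap3.Connection(...)` positionally rather than as `password=` is never examined and an empty positional value goes unreported; consider a second branch over positional arguments and a test case for it. The closing guard `not: all: [has ERROR, inside ERROR]` suppresses a match only when the call both contains an `ERROR` node and sits inside one; if the intent is to skip any call touched by a parse error, `any` is the combinator that does that. The `_INSTANCE` variant resolves `$INST` with `follows: stopBy: end` to any earlier `$INST = ""` in an enclosing scope, so a later reassignment to a non-empty value before the call still triggers; worth noting as a known false positive. In `regex: ^ldap3.Connection$` the dot is unescaped and should be `ldap3\.Connection`. Lastly, the `message` describes a "database connection" while ldap3 is an LDAP client, so "LDAP connection" (or "bind") would be the accurate wording.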
Lines changed: 153 additions & 0 deletions
@@ -0,0 +1,153 @@
1+
id: python-ldap3-hardcoded-secret-python
2+
language: python
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide credentials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798]: Use of Hard-coded Credentials
12+
[OWASP A07:2021]: Identification and Authentication Failures
13+
[REFERENCES]
14+
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
15+
16+
ast-grep-essentials: true
17+
18+
utils:
19+
define_string:
20+
kind: string
21+
all:
22+
- has:
23+
kind: string_start
24+
nthChild: 1
25+
- has:
26+
kind: string_content
27+
nthChild: 2
28+
- has:
29+
kind: string_end
30+
nthChild: 3
31+
32+
define_password:
33+
any:
34+
- matches: define_string
35+
- kind: identifier
36+
pattern: $PWD_IDENTIFIER
37+
inside:
38+
stopBy: end
39+
follows:
40+
stopBy: end
41+
kind: expression_statement
42+
has:
43+
stopBy: end
44+
kind: assignment
45+
nthChild: 1
46+
all:
47+
- has:
48+
nthChild: 1
49+
kind: identifier
50+
field: left
51+
pattern: $PWD_IDENTIFIER
52+
- has:
53+
nthChild: 2
54+
matches: define_string
55+
56+
rule:
57+
any:
58+
- kind: call
59+
any:
60+
- kind: call
61+
has:
62+
kind: identifier
63+
regex: ^Connection$
64+
precedes:
65+
kind: argument_list
66+
has:
67+
stopBy: end
68+
kind: keyword_argument
69+
all:
70+
- has:
71+
nthChild: 1
72+
kind: identifier
73+
regex: ^password$
74+
- has:
75+
nthChild: 2
76+
matches: define_password
77+
inside:
78+
stopBy: end
79+
follows:
80+
stopBy: end
81+
kind: import_from_statement
82+
all:
83+
- has:
84+
nthChild: 1
85+
kind: dotted_name
86+
field: module_name
87+
regex: ^ldap3$
88+
precedes:
89+
stopBy: end
90+
kind: dotted_name
91+
regex: ^Connection$
92+
- kind: call
93+
any:
94+
- kind: call
95+
has:
96+
kind: identifier
97+
pattern: $SASL_ALIAS
98+
precedes:
99+
kind: argument_list
100+
has:
101+
stopBy: end
102+
kind: keyword_argument
103+
all:
104+
- has:
105+
nthChild: 1
106+
kind: identifier
107+
regex: ^password$
108+
- has:
109+
nthChild: 2
110+
matches: define_password
111+
inside:
112+
stopBy: end
113+
follows:
114+
stopBy: end
115+
kind: import_from_statement
116+
all:
117+
- has:
118+
nthChild: 1
119+
kind: dotted_name
120+
field: module_name
121+
regex: ^ldap3$
122+
precedes:
123+
stopBy: end
124+
kind: aliased_import
125+
all:
126+
- has:
127+
kind: dotted_name
128+
nthChild: 1
129+
regex: ^Connection$
130+
- has:
131+
kind: identifier
132+
field: alias
133+
nthChild: 2
134+
pattern: $SASL_ALIAS
135+
- kind: call
136+
any:
137+
- kind: call
138+
has:
139+
kind: attribute
140+
regex: ^ldap3.Connection$
141+
precedes:
142+
kind: argument_list
143+
has:
144+
stopBy: end
145+
kind: keyword_argument
146+
all:
147+
- has:
148+
nthChild: 1
149+
kind: identifier
150+
regex: ^password$
151+
- has:
152+
nthChild: 2
153+
matches: define_password
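Review bot: this rule has no `not: all: [has ERROR, inside ERROR]` guard, unlike the empty-password rule added in the same commit, so the two behave differently on files with parse errors; add the same guard (and, as there, `any` rather than `all` if the goal is to skip any call touched by an error). As in the first rule, all three branches look only at `keyword_argument` children, so a literal password passed positionally is not reported. The identifier branch of `define_password` resolves `$PWD_IDENTIFIER` via `inside: stopBy: end` / `follows: stopBy: end` to any earlier string-literal assignment in any enclosing scope, regardless of later reassignment, which should be documented as a known false-positive source. The dot in `regex: ^ldap3.Connection$` is unescaped. Minor: the `note` block here lists the reference as a bare URL and carries an OWASP A07 line, while the sibling rule uses a `-` bullet and has no OWASP line; align the two.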
