1+ id : tokio-postgres-empty-password-rust
2+ language : rust
3+ severity : warning
4+ message : >-
5+ The application uses an empty credential. This can lead to unauthorized
6+ access by either an internal or external malicious actor. It is
7+ recommended to rotate the secret and retrieve them from a secure secret
8+ vault or Hardware Security Module (HSM), alternatively environment
9+ variables can be used if allowed by your company policy.
10+ note : >-
11+ [CWE-287] Improper Authentication.
12+ [REFERENCES]
13+ - https://docs.rs/tokio-postgres/latest/tokio_postgres/
14+ - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
15+ utils :
16+ MATCH_PATTERN_WITH_INSTANCE :
17+ kind : call_expression
18+ all :
19+ - has :
20+ stopBy : neighbor
21+ kind : field_expression
22+ all :
23+ - has :
24+ stopBy : neighbor
25+ kind : call_expression
26+ all :
27+ - has :
28+ stopBy : neighbor
29+ kind : field_expression
30+ all :
31+ - has :
32+ stopBy : end
33+ kind : call_expression
34+ all :
35+ - has :
36+ stopBy : neighbor
37+ kind : field_expression
38+ all :
39+ - has :
40+ stopBy : neighbor
41+ kind : identifier
42+ pattern : $C
43+ - has :
44+ stopBy : neighbor
45+ kind : arguments
46+ - has :
47+ stopBy : neighbor
48+ kind : field_identifier
49+ - has :
50+ stopBy : neighbor
51+ kind : arguments
52+ - has :
53+ stopBy : neighbor
54+ kind : field_identifier
55+ regex : " ^password$"
56+ - has :
57+ stopBy : neighbor
58+ kind : arguments
59+ has :
60+ stopBy : neighbor
61+ kind : string_literal
62+ not :
63+ has :
64+ stopBy : neighbor
65+ kind : string_content
66+ - inside :
67+ stopBy : end
68+ kind : expression_statement
69+ follows :
70+ stopBy : end
71+ kind : let_declaration
72+ all :
73+ - has :
74+ stopBy : neighbor
75+ kind : identifier
76+ pattern : $C
77+ - has :
78+ stopBy : neighbor
79+ kind : call_expression
80+ pattern : tokio_postgres::Config::new()
81+
82+ MATCH_PASSWORD_DIRECTLY :
83+ kind : call_expression
84+ all :
85+ - has :
86+ stopBy : neighbor
87+ kind : field_expression
88+ all :
89+ - has :
90+ stopBy : neighbor
91+ kind : call_expression
92+ all :
93+ - has :
94+ stopBy : neighbor
95+ kind : field_expression
96+ all :
97+ - has :
98+ stopBy : neighbor
99+ kind : call_expression
100+ all :
101+ - has :
102+ stopBy : neighbor
103+ kind : field_expression
104+ has :
105+ stopBy : neighbor
106+ kind : call_expression
107+ pattern : tokio_postgres::Config::new()
108+ - has :
109+ stopBy : neighbor
110+ kind : arguments
111+ - has :
112+ stopBy : neighbor
113+ kind : field_identifier
114+ - has :
115+ stopBy : neighbor
116+ kind : arguments
117+ - has :
118+ stopBy : neighbor
119+ kind : field_identifier
120+ regex : ' ^password$'
121+ - has :
122+ stopBy : end
123+ kind : arguments
124+ has :
125+ stopBy : end
126+ kind : string_literal
127+ not :
128+ has :
129+ stopBy : neighbor
130+ kind : string_content
131+
132+ MATCH_PATTERN_PASSWORD_WITH_ITS_INSTANCE :
133+ kind : call_expression
134+ all :
135+ - has :
136+ stopBy : neighbor
137+ kind : field_expression
138+ all :
139+ - has :
140+ stopBy : neighbor
141+ kind : call_expression
142+ all :
143+ - has :
144+ stopBy : neighbor
145+ kind : field_expression
146+ all :
147+ - has :
148+ stopBy : neighbor
149+ kind : call_expression
150+ all :
151+ - has :
152+ stopBy : neighbor
153+ kind : field_expression
154+ has :
155+ stopBy : neighbor
156+ kind : call_expression
157+ pattern : tokio_postgres::Config::new()
158+ - has :
159+ stopBy : neighbor
160+ kind : arguments
161+ - has :
162+ stopBy : neighbor
163+ kind : field_identifier
164+ - has :
165+ stopBy : neighbor
166+ kind : arguments
167+ - has :
168+ stopBy : neighbor
169+ kind : field_identifier
170+ regex : ' ^password$'
171+ - has :
172+ stopBy : neighbor
173+ kind : arguments
174+ has :
175+ stopBy : neighbor
176+ kind : identifier
177+ pattern : $E
178+ - inside :
179+ stopBy : end
180+ kind : let_declaration
181+ follows :
182+ stopby : end
183+ kind : expression_statement
184+ has :
185+ stopBy : neighbor
186+ kind : assignment_expression
187+ all :
188+ - has :
189+ stopBy : end
190+ kind : identifier
191+ pattern : $E
192+ - has :
193+ stopBy : end
194+ kind : string_literal
195+ not :
196+ has :
197+ stopBy : end
198+ kind : string_content
199+
200+ MATCH_PATTERN_WITH_INSTANCE_&_PASSWORD_WITH_ITS_INSTANCE :
201+ kind : call_expression
202+ all :
203+ - has :
204+ stopBy : neighbor
205+ kind : field_expression
206+ all :
207+ - has :
208+ stopBy : neighbor
209+ kind : call_expression
210+ all :
211+ - has :
212+ stopBy : neighbor
213+ kind : field_expression
214+ all :
215+ - has :
216+ stopBy : end
217+ kind : call_expression
218+ all :
219+ - has :
220+ stopBy : neighbor
221+ kind : field_expression
222+ all :
223+ - has :
224+ stopBy : neighbor
225+ kind : identifier
226+ pattern : $C
227+ - has :
228+ stopBy : neighbor
229+ kind : arguments
230+ - has :
231+ stopBy : neighbor
232+ kind : field_identifier
233+ - has :
234+ stopBy : neighbor
235+ kind : arguments
236+ - has :
237+ stopBy : neighbor
238+ kind : field_identifier
239+ regex : " ^password$"
240+ - has :
241+ stopBy : neighbor
242+ kind : arguments
243+ has :
244+ stopBy : neighbor
245+ kind : identifier
246+ pattern : $Z
247+ - inside :
248+ stopBy : end
249+ kind : expression_statement
250+ follows :
251+ stopBy : end
252+ kind : let_declaration
253+ all :
254+ - has :
255+ stopBy : neighbor
256+ kind : identifier
257+ pattern : $C
258+ - has :
259+ stopBy : neighbor
260+ kind : call_expression
261+ pattern : tokio_postgres::Config::new()
262+ - inside :
263+ stopBy : end
264+ kind : block
265+ has :
266+ stopBy : end
267+ kind : expression_statement
268+ has :
269+ stopBy : neighbor
270+ kind : assignment_expression
271+ all :
272+ - has :
273+ stopBy : neighbor
274+ kind : identifier
275+ pattern : $Z
276+ - has :
277+ stopBy : neighbor
278+ kind : string_literal
279+ not :
280+ has :
281+ stopBy : neighbor
282+ kind : string_content
283+
284+ rule :
285+ kind : call_expression
286+ any :
287+ - matches : MATCH_PATTERN_WITH_INSTANCE
288+ - matches : MATCH_PASSWORD_DIRECTLY
289+ - matches : MATCH_PATTERN_PASSWORD_WITH_ITS_INSTANCE
290+ - matches : MATCH_PATTERN_WITH_INSTANCE_&_PASSWORD_WITH_ITS_INSTANCE
0 commit comments