
Commit c2a58ce

committed
hardcoded-secret-rsa-passphrase-ruby
1 parent bc2b9aa commit c2a58ce


3 files changed

+304
-0
lines changed

Lines changed: 232 additions & 0 deletions
@@ -0,0 +1,232 @@
1+
id: hardcoded-secret-rsa-passphrase-ruby
2+
language: ruby
3+
severity: warning
4+
message: >-
5+
Found the use of an hardcoded passphrase for RSA. The passphrase can be
6+
easily discovered, and therefore should not be stored in source-code. It
7+
is recommended to remove the passphrase from source-code, and use system
8+
environment variables or a restricted configuration file.
9+
note: >-
10+
[CWE-798]: Use of Hard-coded Credentials
11+
[OWASP A07:2021]: Identification and Authentication Failures
12+
[REFERENCES]
13+
https://cwe.mitre.org/data/definitions/522.html
14+
15+
ast-grep-essentials: true
16+
17+
utils:
18+
OpenSSL::PKey::RSA.new(..., '...'):
19+
kind: call
20+
all:
21+
- has:
22+
stopBy: neighbor
23+
kind: scope_resolution
24+
regex: ^OpenSSL::PKey::RSA$
25+
- has:
26+
stopBy: neighbor
27+
regex: ^.$
28+
- has:
29+
stopBy: neighbor
30+
kind: identifier
31+
regex: ^new$
32+
- has:
33+
stopBy: neighbor
34+
kind: argument_list
35+
all:
36+
- has:
37+
stopBy: neighbor
38+
kind: string
39+
nthChild: 2
40+
has:
41+
stopBy: neighbor
42+
kind: string_content
43+
44+
OpenSSL::PKey::RSA.new(...).to_pem(..., '...'):
45+
kind: call
46+
all:
47+
- has:
48+
stopBy: neighbor
49+
kind: call
50+
pattern: OpenSSL::PKey::RSA.new($$$)
51+
- has:
52+
stopBy: neighbor
53+
regex: ^.$
54+
- has:
55+
stopBy: neighbor
56+
kind: identifier
57+
regex: ^to_pem|export$
58+
- has:
59+
stopBy: neighbor
60+
kind: argument_list
61+
has:
62+
stopBy: neighbor
63+
kind: string
64+
nthChild:
65+
position: 2
66+
ofRule:
67+
not:
68+
kind: comment
69+
not:
70+
precedes:
71+
stopBy: end
72+
nthChild: 3
73+
74+
OpenSSL::PKey::RSA.new(..., '...')_with_instance:
75+
kind: call
76+
all:
77+
- has:
78+
stopBy: neighbor
79+
kind: scope_resolution
80+
regex: ^OpenSSL::PKey::RSA$
81+
- has:
82+
stopBy: neighbor
83+
regex: ^.$
84+
- has:
85+
stopBy: neighbor
86+
kind: identifier
87+
regex: ^new$
88+
- has:
89+
stopBy: neighbor
90+
kind: argument_list
91+
all:
92+
- has:
93+
stopBy: neighbor
94+
pattern: $SECRET
95+
nthChild: 2
96+
97+
- inside:
98+
stopBy: end
99+
kind: class
100+
has:
101+
stopBy: end
102+
kind: assignment
103+
pattern: $SECRET = '$SECRET_VALUE'
104+
105+
OpenSSL::PKey::RSA.new(...).to_pem(..., '...')_with_instance:
106+
kind: call
107+
all:
108+
- has:
109+
stopBy: neighbor
110+
kind: call
111+
pattern: OpenSSL::PKey::RSA.new($$$)
112+
- has:
113+
stopBy: neighbor
114+
regex: ^.$
115+
- has:
116+
stopBy: neighbor
117+
kind: identifier
118+
regex: ^to_pem|export$
119+
- has:
120+
stopBy: neighbor
121+
kind: argument_list
122+
all:
123+
- has:
124+
stopBy: neighbor
125+
pattern: $SECRET
126+
nthChild: 2
127+
128+
- inside:
129+
stopBy: end
130+
kind: class
131+
has:
132+
stopBy: end
133+
kind: assignment
134+
pattern: $SECRET = '$SECRET_VALUE'
135+
136+
$OPENSSL.export(...,'...'):
137+
kind: call
138+
all:
139+
- has:
140+
stopBy: neighbor
141+
pattern: $OPENSSL
142+
- has:
143+
stopBy: neighbor
144+
regex: ^.$
145+
- has:
146+
stopBy: neighbor
147+
kind: identifier
148+
regex: ^export|to_pem$
149+
- has:
150+
stopBy: neighbor
151+
kind: argument_list
152+
all:
153+
- has:
154+
stopBy: neighbor
155+
kind: string
156+
nthChild: 2
157+
has:
158+
stopBy: neighbor
159+
kind: string_content
160+
161+
- inside:
162+
stopBy: end
163+
kind: class
164+
has:
165+
stopBy: end
166+
kind: assignment
167+
pattern: $OPENSSL = OpenSSL::PKey::RSA.new
168+
169+
$OPENSSL.to_pem(...,$ASSIGN):
170+
kind: call
171+
all:
172+
- has:
173+
stopBy: neighbor
174+
pattern: $OPENSSL
175+
- has:
176+
stopBy: neighbor
177+
regex: ^.$
178+
- has:
179+
stopBy: neighbor
180+
kind: identifier
181+
regex: ^export|to_pem$
182+
- has:
183+
stopBy: neighbor
184+
kind: argument_list
185+
all:
186+
- has:
187+
stopBy: neighbor
188+
pattern: $SECRET
189+
nthChild: 2
190+
- inside:
191+
stopBy: end
192+
kind: class
193+
all:
194+
- has:
195+
stopBy: end
196+
kind: assignment
197+
pattern: $OPENSSL = OpenSSL::PKey::RSA.new
198+
- has:
199+
stopBy: end
200+
kind: assignment
201+
pattern: $SECRET = '$SECRET_STRING'
202+
203+
match_call:
204+
kind: call
205+
all:
206+
- has:
207+
stopBy: end
208+
kind: identifier
209+
field: receiver
210+
- has:
211+
stopBy: end
212+
kind: identifier
213+
field: method
214+
- has:
215+
stopBy: end
216+
kind: argument_list
217+
field: arguments
218+
all:
219+
- has:
220+
kind: call
221+
- has:
222+
kind: string
223+
rule:
224+
kind: call
225+
any:
226+
- matches: OpenSSL::PKey::RSA.new(..., '...')
227+
- matches: OpenSSL::PKey::RSA.new(...).to_pem(..., '...')
228+
- matches: OpenSSL::PKey::RSA.new(..., '...')_with_instance
229+
- matches: OpenSSL::PKey::RSA.new(...).to_pem(..., '...')_with_instance
230+
- matches: $OPENSSL.export(...,'...')
231+
- matches: $OPENSSL.to_pem(...,$ASSIGN)
232+
- matches: match_call
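Review bot: The `regex: ^to_pem|export$` in both `.to_pem(..., '...')` utils (and its `^export|to_pem$` mirror in the two `$OPENSSL.*` utils) is an ungrouped alternation, so it accepts any method identifier that merely starts with `to_pem` or ends with `export`; the intent is `regex: ^(to_pem|export)$`. The `match_call` util carries no OpenSSL constraint at all — any `recv.meth(some_call(...), 'literal')` with an identifier receiver satisfies it — so the last `any:` branch of `rule:` will report unrelated calls as hardcoded RSA passphrases; it should either be dropped or have its receiver tied to an `OpenSSL::PKey::RSA.new` assignment the way the `$OPENSSL` utils do. The four class-scoped utils (`_with_instance` and `$OPENSSL.*`) only fire when the secret assignment sits `inside: kind: class`, so the same pattern at module or top level is silently missed; worth stating in a comment or widening the `inside:` rule. The `note:` names CWE-798 but the reference URL points at `definitions/522.html` (CWE-522, a different weakness); the link should be `https://cwe.mitre.org/data/definitions/798.html`, and the `message:` text "an hardcoded" should read "a hardcoded".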
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
id: hardcoded-secret-rsa-passphrase-ruby
2+
snapshots:
3+
? |
4+
module Test
5+
require 'openssl'
6+
class Test
7+
$pass = 'super secret'
8+
def initialize(key = nil, iv = nil)
9+
@pass1 = 'my secure pass phrase goes here'
10+
@keypem = 'foo.pem'
11+
OpenSSL::PKey::RSA.new(1024).to_pem(cipher, "secret")
12+
bad
13+
bad1
14+
bad2
15+
bad3
16+
ok
17+
end
18+
: labels:
19+
- source: OpenSSL::PKey::RSA.new(1024).to_pem(cipher, "secret")
20+
style: primary
21+
start: 173
22+
end: 226
23+
- source: OpenSSL::PKey::RSA.new(1024)
24+
style: secondary
25+
start: 173
26+
end: 201
27+
- source: .
28+
style: secondary
29+
start: 201
30+
end: 202
31+
- source: to_pem
32+
style: secondary
33+
start: 202
34+
end: 208
35+
- source: '"secret"'
36+
style: secondary
37+
start: 217
38+
end: 225
39+
- source: (cipher, "secret")
40+
style: secondary
41+
start: 208
42+
end: 226
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
id: hardcoded-secret-rsa-passphrase-ruby
2+
valid:
3+
- |
4+
def ok1
5+
key_data = 'real-key-data'
6+
key = OpenSSL::PKey::RSA.new(key_data, ENV['SECRET_PASSPHRASE'])
7+
end
8+
end
9+
- |
10+
def nested_ok1
11+
rsa_key = OpenSSL::PKey::RSA.new(4096)
12+
pem = rsa_key.to_pem(OpenSSL::Cipher.new('AES-256-CBC'), ENV['SECURE_KEY'])
13+
end
14+
end
15+
invalid:
16+
- |
17+
module Test
18+
require 'openssl'
19+
class Test
20+
$pass = 'super secret'
21+
def initialize(key = nil, iv = nil)
22+
@pass1 = 'my secure pass phrase goes here'
23+
@keypem = 'foo.pem'
24+
OpenSSL::PKey::RSA.new(1024).to_pem(cipher, "secret")
25+
bad
26+
bad1
27+
bad2
28+
bad3
29+
ok
30+
end
