
Commit cd70510

authored
Two python rules (#33)
1 parent fc491b0 commit cd70510

6 files changed

+288
-0
lines changed
Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,37 @@
1+
id: avoid-mktemp-python
2+
language: python
3+
severity: warning
4+
message: >-
5+
The function `mktemp` is deprecated. When using this function, it is
6+
possible for an attacker to modify the created file before the filename is
7+
returned. Use `NamedTemporaryFile()` instead and pass it the
8+
`delete=False` parameter.
9+
note: >-
10+
[CWE-377]: Insecure Temporary File
11+
[OWASP A01:2021]: Broken Access Control
12+
[REFERENCES]
13+
https://docs.python.org/3/library/tempfile.html#tempfile.mktemp
14+
https://owasp.org/Top10/A01_2021-Broken_Access_Control
15+
utils:
16+
match_mktemp:
17+
kind: call
18+
has:
19+
kind: identifier
20+
pattern: $R
21+
inside:
22+
stopBy: end
23+
kind: expression_statement
24+
follows:
25+
stopBy: end
26+
kind: import_from_statement
27+
has:
28+
stopBy: end
29+
kind: dotted_name
30+
field: name
31+
has:
32+
stopBy: end
33+
kind: identifier
34+
pattern: $R
35+
rule:
36+
all:
37+
- matches: match_mktemp
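Review bot: The `match_mktemp` util never checks that the bound name is `mktemp` or that it came from `tempfile`: the identifier at line 20 and the import-side identifier at line 34 only share `pattern: $R`, so any call to any name brought in by any `from X import Y` (for instance `from os import getcwd` followed by `getcwd()`) is reported under this message. Anchor the binding by giving the call-side identifier `pattern: $R` together with `regex: ^mktemp$`, and add a sibling `has` on the `import_from_statement` for `kind: dotted_name`, `field: module_name`, `regex: ^tempfile$`, mirroring the module check the couchbase rule in this commit already does. The call-side `has` is a direct-child match, so `import tempfile` followed by `tempfile.mktemp()` appears not to be seen at all; a second util for the attribute form would close that gap. In the message, `mkstemp()` is the closer drop-in when the caller only needs a path, and is worth naming alongside `NamedTemporaryFile(delete=False)`.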
Lines changed: 72 additions & 0 deletions
@@ -0,0 +1,72 @@
1+
id: python-couchbase-empty-password-python
2+
language: python
3+
severity: warning
4+
message: >-
5+
The application creates a database connection with an empty password.
6+
This can lead to unauthorized access by either an internal or external
7+
malicious actor. To prevent this vulnerability, enforce authentication
8+
when connecting to a database by using environment variables to securely
9+
provide credentials or retrieving them from a secure vault or HSM
10+
(Hardware Security Module).
11+
note: >-
12+
[CWE-287]: Improper Authentication
13+
[OWASP A07:2021]: Identification and Authentication Failures
14+
[REFERENCES]
15+
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
16+
utils:
17+
match_passwordauthenticator:
18+
kind: call
19+
all:
20+
- has:
21+
kind: identifier
22+
pattern: $R
23+
- has:
24+
stopBy: neighbor
25+
kind: argument_list
26+
all:
27+
- has:
28+
stopBy: neighbor
29+
kind: string
30+
has:
31+
stopBy: neighbor
32+
kind: string_content
33+
- has:
34+
stopBy: neighbor
35+
kind: string
36+
not:
37+
has:
38+
stopBy: neighbor
39+
kind: string_content
40+
41+
inside:
42+
stopBy: end
43+
kind: expression_statement
44+
follows:
45+
stopBy: end
46+
kind: import_from_statement
47+
all:
48+
- has:
49+
stopBy: end
50+
kind: dotted_name
51+
field: module_name
52+
all:
53+
- has:
54+
stopBy: end
55+
kind: identifier
56+
regex: couchbase_core
57+
- has:
58+
stopBy: end
59+
kind: identifier
60+
regex: cluster
61+
- has:
62+
stopBy: end
63+
kind: dotted_name
64+
field: name
65+
has:
66+
stopBy: end
67+
kind: identifier
68+
pattern: $R
69+
regex: PasswordAuthenticator
70+
rule:
71+
all:
72+
- matches: match_passwordauthenticator
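Review bot: The `argument_list` matcher at lines 24–39 requires two positional string literals, one non-empty and one empty, so `PasswordAuthenticator(user, '')` and `PasswordAuthenticator('username', password='')` are not reported even though the empty password literal is exactly what the rule is about. Drop the first `has` (the non-empty string is only the username and need not be a literal) and keep the empty-string `has`, and consider a second branch that looks inside a `kind: keyword_argument` child so the keyword form is covered too. Because the two `has` clauses are unordered, `PasswordAuthenticator('', 'secret')` also matches and is then described as an empty password. The import check at lines 49–60 only accepts `couchbase_core.cluster`; if the newer `couchbase.auth` import location is in scope for this corpus, an alternation such as `regex: ^(couchbase|couchbase_core)$` would keep the rule from going silent on newer SDK code.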
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
id: avoid-mktemp-python
2+
snapshots:
3+
? |
4+
from tempfile import mktemp
5+
ff = mktemp()
6+
: labels:
7+
- source: mktemp()
8+
style: primary
9+
start: 33
10+
end: 41
11+
- source: mktemp
12+
style: secondary
13+
start: 21
14+
end: 27
15+
- source: mktemp
16+
style: secondary
17+
start: 21
18+
end: 27
19+
- source: from tempfile import mktemp
20+
style: secondary
21+
start: 0
22+
end: 27
23+
- source: ff = mktemp()
24+
style: secondary
25+
start: 28
26+
end: 41
27+
- source: mktemp
28+
style: secondary
29+
start: 33
30+
end: 39
Lines changed: 118 additions & 0 deletions
@@ -0,0 +1,118 @@
1+
id: python-couchbase-empty-password-python
2+
snapshots:
3+
? |
4+
import os
5+
from couchbase.cluster import Cluster, ClusterOptions
6+
from couchbase_core.cluster import PasswordAuthenticator
7+
PasswordAuthenticator('username', '')
8+
: labels:
9+
- source: PasswordAuthenticator('username', '')
10+
style: primary
11+
start: 121
12+
end: 158
13+
- source: PasswordAuthenticator
14+
style: secondary
15+
start: 121
16+
end: 142
17+
- source: username
18+
style: secondary
19+
start: 144
20+
end: 152
21+
- source: '''username'''
22+
style: secondary
23+
start: 143
24+
end: 153
25+
- source: ''''''
26+
style: secondary
27+
start: 155
28+
end: 157
29+
- source: ('username', '')
30+
style: secondary
31+
start: 142
32+
end: 158
33+
- source: couchbase_core
34+
style: secondary
35+
start: 69
36+
end: 83
37+
- source: cluster
38+
style: secondary
39+
start: 84
40+
end: 91
41+
- source: couchbase_core.cluster
42+
style: secondary
43+
start: 69
44+
end: 91
45+
- source: PasswordAuthenticator
46+
style: secondary
47+
start: 99
48+
end: 120
49+
- source: PasswordAuthenticator
50+
style: secondary
51+
start: 99
52+
end: 120
53+
- source: from couchbase_core.cluster import PasswordAuthenticator
54+
style: secondary
55+
start: 64
56+
end: 120
57+
- source: PasswordAuthenticator('username', '')
58+
style: secondary
59+
start: 121
60+
end: 158
61+
? |
62+
import os
63+
from couchbase.cluster import Cluster, ClusterOptions
64+
from couchbase_core.cluster import PasswordAuthenticator
65+
cluster = Cluster('couchbase://localhost', ClusterOptions(PasswordAuthenticator('username', '')))
66+
: labels:
67+
- source: PasswordAuthenticator('username', '')
68+
style: primary
69+
start: 179
70+
end: 216
71+
- source: PasswordAuthenticator
72+
style: secondary
73+
start: 179
74+
end: 200
75+
- source: username
76+
style: secondary
77+
start: 202
78+
end: 210
79+
- source: '''username'''
80+
style: secondary
81+
start: 201
82+
end: 211
83+
- source: ''''''
84+
style: secondary
85+
start: 213
86+
end: 215
87+
- source: ('username', '')
88+
style: secondary
89+
start: 200
90+
end: 216
91+
- source: couchbase_core
92+
style: secondary
93+
start: 69
94+
end: 83
95+
- source: cluster
96+
style: secondary
97+
start: 84
98+
end: 91
99+
- source: couchbase_core.cluster
100+
style: secondary
101+
start: 69
102+
end: 91
103+
- source: PasswordAuthenticator
104+
style: secondary
105+
start: 99
106+
end: 120
107+
- source: PasswordAuthenticator
108+
style: secondary
109+
start: 99
110+
end: 120
111+
- source: from couchbase_core.cluster import PasswordAuthenticator
112+
style: secondary
113+
start: 64
114+
end: 120
115+
- source: cluster = Cluster('couchbase://localhost', ClusterOptions(PasswordAuthenticator('username', '')))
116+
style: secondary
117+
start: 121
118+
end: 218
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
id: avoid-mktemp-python
2+
valid:
3+
- |
4+
5+
invalid:
6+
- |
7+
from tempfile import mktemp
8+
ff = mktemp()
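Review bot: The only `valid` fixture at lines 3–4 is an empty snippet, so the test cannot catch the rule reporting something it should not. Add a real negative case that exercises the same import shape, e.g. `from tempfile import mkstemp` followed by `fd, path = mkstemp()`; with the rule as written in this commit that snippet is flagged, which is what the test should surface. A second `invalid` case for `import tempfile` / `tempfile.mktemp()` would likewise document whether the attribute form is meant to be in scope.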
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
id: python-couchbase-empty-password-python
2+
valid:
3+
- |
4+
import os
5+
from couchbase.cluster import Cluster, ClusterOptions
6+
from couchbase_core.cluster import PasswordAuthenticator
7+
PasswordAuthenticator('username', os.env['pass'])
8+
- |
9+
import os
10+
from couchbase.cluster import Cluster, ClusterOptions
11+
from couchbase_core.cluster import PasswordAuthenticator
12+
PasswordAuthenticator('username', os.getenv(''))
13+
invalid:
14+
- |
15+
import os
16+
from couchbase.cluster import Cluster, ClusterOptions
17+
from couchbase_core.cluster import PasswordAuthenticator
18+
cluster = Cluster('couchbase://localhost', ClusterOptions(PasswordAuthenticator('username', '')))
19+
- |
20+
import os
21+
from couchbase.cluster import Cluster, ClusterOptions
22+
from couchbase_core.cluster import PasswordAuthenticator
23+
PasswordAuthenticator('username', '')
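Review bot: Both `invalid` fixtures at lines 18 and 23 pass the credentials as two positional string literals, so the keyword form and a non-literal username are untested; add `PasswordAuthenticator('username', password='')` and `PasswordAuthenticator(user, '')` as further `invalid` entries, noting that the rule in this commit appears not to match either until its argument matcher is widened. The first `valid` fixture at line 7 uses `os.env['pass']`, which is not an attribute `os` provides; `os.environ['pass']` keeps the fixture realistic without changing what the rule sees.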
