Commit d684810

author
Sakshis
committed
secrets-reqwest-hardcoded-auth-rust
1 parent 81dae56 commit d684810

File tree

3 files changed

+456
-0
lines changed

Lines changed: 302 additions & 0 deletions
@@ -0,0 +1,302 @@
1+
id: secrets-reqwest-hardcoded-auth-rust
2+
language: rust
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. It is
8+
recommended to rotate the secret and retrieve them from a secure secret
9+
vault or Hardware Security Module (HSM), alternatively environment
10+
variables can be used if allowed by your company polic
11+
note: >-
12+
[CWE-798]: Use of Hard-coded Credentials
13+
[REFERENCES]
14+
- https://docs.rs/reqwest/latest/reqwest/
15+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
16+
ast-grep-essentials: true
17+
utils:
18+
MATCH_PATTERN_ONE.basic_auth:
19+
kind: call_expression
20+
all:
21+
- has:
22+
stopBy: neighbor
23+
kind: field_expression
24+
all:
25+
- has:
26+
stopBy: end
27+
kind: identifier
28+
pattern: $C
29+
- has:
30+
stopBy: neighbor
31+
kind: field_identifier
32+
regex: ^basic_auth$
33+
- has:
34+
stopBy: end
35+
kind: arguments
36+
not:
37+
has:
38+
nthChild:
39+
position: 3
40+
ofRule:
41+
not:
42+
kind: line_comment
43+
has:
44+
stopBy: neighbor
45+
kind: call_expression
46+
nthChild:
47+
position: 2
48+
ofRule:
49+
not:
50+
kind: line_comment
51+
all:
52+
- has:
53+
stopBy: neighbor
54+
kind: identifier
55+
regex: ^Some$
56+
- has:
57+
stopBy: neighbor
58+
kind: arguments
59+
has:
60+
stopBy: neighbor
61+
kind: string_literal
62+
has:
63+
kind: string_content
64+
- inside:
65+
stopBy: end
66+
all:
67+
- follows:
68+
stopBy: end
69+
kind: let_declaration
70+
all:
71+
- has:
72+
stopBy: neighbor
73+
kind: identifier
74+
pattern: $C
75+
- has:
76+
stopBy: neighbor
77+
kind: call_expression
78+
pattern: reqwest::Client::new($$$)
79+
# - inside:
80+
# stopBy: end
81+
# kind: block
82+
83+
84+
MATCH_PATTERN_TWO.bearer_auth:
85+
kind: call_expression
86+
all:
87+
- has:
88+
stopBy: neighbor
89+
kind: field_expression
90+
all:
91+
- has:
92+
stopBy: end
93+
kind: identifier
94+
pattern: $C
95+
- has:
96+
stopBy: neighbor
97+
kind: field_identifier
98+
regex: ^bearer_auth$
99+
- inside:
100+
stopBy: end
101+
follows:
102+
stopBy: end
103+
kind: let_declaration
104+
all:
105+
- has:
106+
stopBy: neighbor
107+
kind: identifier
108+
pattern: $C
109+
- has:
110+
stopBy: neighbor
111+
kind: call_expression
112+
pattern: reqwest::Client::new($$$)
113+
- has:
114+
stopBy: neighbor
115+
kind: arguments
116+
has:
117+
stopBy: neighbor
118+
kind: string_literal
119+
nthChild:
120+
position: 1
121+
ofRule:
122+
not:
123+
kind: line_comment
124+
has:
125+
stopBy: neighbor
126+
kind: string_content
127+
not:
128+
has:
129+
nthChild: 2
130+
- not:
131+
has:
132+
stopBy: end
133+
kind: call_expression
134+
all:
135+
- has:
136+
stopBy: neighbor
137+
kind: identifier
138+
regex: ^Some$
139+
- has:
140+
stopBy: neighbor
141+
kind: arguments
142+
has:
143+
stopBy: neighbor
144+
kind: identifier
145+
146+
MATCH_PATTERN_ONE.basic_auth_Instance:
147+
kind: call_expression
148+
all:
149+
- has:
150+
stopBy: neighbor
151+
kind: field_expression
152+
all:
153+
- has:
154+
stopBy: end
155+
kind: identifier
156+
pattern: $C
157+
- has:
158+
stopBy: neighbor
159+
kind: field_identifier
160+
regex: ^basic_auth$
161+
- has:
162+
stopBy: end
163+
kind: arguments
164+
not:
165+
has:
166+
nthChild:
167+
position: 3
168+
ofRule:
169+
not:
170+
kind: line_comment
171+
has:
172+
stopBy: neighbor
173+
kind: call_expression
174+
nthChild:
175+
position: 2
176+
ofRule:
177+
not:
178+
kind: line_comment
179+
all:
180+
- has:
181+
stopBy: neighbor
182+
kind: identifier
183+
regex: ^Some$
184+
- has:
185+
stopBy: neighbor
186+
kind: arguments
187+
has:
188+
stopBy: neighbor
189+
kind: identifier
190+
pattern: $PASSWORD
191+
- inside:
192+
stopBy: end
193+
all:
194+
- follows:
195+
stopBy: end
196+
kind: let_declaration
197+
all:
198+
- has:
199+
stopBy: neighbor
200+
kind: identifier
201+
pattern: $C
202+
- has:
203+
stopBy: neighbor
204+
kind: call_expression
205+
pattern: reqwest::Client::new($$$)
206+
- follows:
207+
stopBy: end
208+
kind: let_declaration
209+
all:
210+
- has:
211+
kind: identifier
212+
pattern: $PASSWORD
213+
nthChild:
214+
position: 1
215+
ofRule:
216+
not:
217+
kind: line_comment
218+
- has:
219+
kind: string_literal
220+
has:
221+
kind: string_content
222+
- inside:
223+
stopBy: end
224+
kind: block
225+
226+
MATCH_PATTERN_TWO.bearer_auth_Instance:
227+
kind: call_expression
228+
all:
229+
- has:
230+
stopBy: neighbor
231+
kind: field_expression
232+
all:
233+
- has:
234+
stopBy: end
235+
kind: identifier
236+
pattern: $C
237+
- has:
238+
stopBy: neighbor
239+
kind: field_identifier
240+
regex: ^bearer_auth$
241+
- inside:
242+
stopBy: end
243+
all:
244+
- follows:
245+
stopBy: end
246+
kind: let_declaration
247+
all:
248+
- has:
249+
stopBy: neighbor
250+
kind: identifier
251+
pattern: $C
252+
- has:
253+
stopBy: neighbor
254+
kind: call_expression
255+
pattern: reqwest::Client::new($$$)
256+
- follows:
257+
stopBy: end
258+
kind: let_declaration
259+
all:
260+
- has:
261+
kind: identifier
262+
pattern: $PASSWORD
263+
nthChild: 1
264+
- has:
265+
kind: string_literal
266+
has:
267+
kind: string_content
268+
- inside:
269+
stopBy: end
270+
kind: block
271+
- has:
272+
stopBy: end
273+
kind: arguments
274+
has:
275+
stopBy: neighbor
276+
kind: identifier
277+
pattern: $PASS
278+
nthChild:
279+
position: 1
280+
ofRule:
281+
not:
282+
kind: line_comment
283+
not:
284+
has:
285+
nthChild: 2
286+
287+
288+
rule:
289+
kind: call_expression
290+
any:
291+
- matches: MATCH_PATTERN_ONE.basic_auth
292+
- matches: MATCH_PATTERN_TWO.bearer_auth
293+
- matches: MATCH_PATTERN_ONE.basic_auth_Instance
294+
- matches: MATCH_PATTERN_TWO.bearer_auth_Instance
295+
not:
296+
all:
297+
- has:
298+
stopBy: end
299+
kind: ERROR
300+
- inside:
301+
stopBy: end
302+
kind: ERROR
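Review bot: In `MATCH_PATTERN_TWO.bearer_auth_Instance` the metavariable bound in the preceding `let_declaration` is `$PASSWORD` (`pattern: $PASSWORD` under `kind: identifier`), but the `arguments` check on the `bearer_auth` call looks for `pattern: $PASS`. ast-grep never unifies two differently named metavariables, so this utility flags `$C.bearer_auth(x)` for any identifier `x` whenever some earlier `let` in the block binds a string literal, instead of requiring that `x` itself is the hard-coded binding; `MATCH_PATTERN_ONE.basic_auth_Instance` does this correctly by using `$PASSWORD` in both places, so rename `$PASS` to `$PASSWORD`. Three smaller points in the same file: the `message` text is cut off mid-word at `company polic` and should end `company policy.`; the commented-out `# - inside:` / `# stopBy: end` / `# kind: block` lines left in `MATCH_PATTERN_ONE.basic_auth` should be either removed or restored, since the two `_Instance` utilities do enforce `inside: kind: block` and the asymmetry looks unintended; and the child-position constraints are written two ways (bare `nthChild: 2` versus `nthChild: position: N` with `ofRule: not: kind: line_comment`), so a leading `// comment` inside the argument list is skipped in some branches and counted in others; pick one form throughout.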
