python-psycopg2-empty-password-python

Sakshis · Sakshis · commit d7e75313e1a7 · 2024-12-11T06:55:05.000Z
diff --git a/rules/python/security/python-psycopg2-empty-password-python.yml b/rules/python/security/python-psycopg2-empty-password-python.yml
@@ -0,0 +1,89 @@
+id: python-psycopg2-empty-password-python
+severity: warning
+language: python
+message: >-
+      The application creates a database connection with an empty password.
+      This can lead to unauthorized access by either an internal or external
+      malicious actor. To prevent this vulnerability, enforce authentication
+      when connecting to a database by using environment variables to securely
+      provide credentials or retrieving them from a secure vault or HSM
+      (Hardware Security Module).
+note: >-
+  [CWE-287] Improper Authentication.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+  psycopg2.connect(..., password="",...):
+   kind: call
+   all:
+     - has:
+         stopBy: neighbor
+         kind: attribute
+         regex: ^psycopg2.connect$
+     - has:
+         stopBy: neighbor
+         kind: argument_list
+         has:
+           stopBy: end
+           kind: keyword_argument
+           all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: ^password$
+            - has:
+                stopBy: neighbor
+                kind: string
+                not:
+                 has:
+                  stopBy: neighbor
+                  kind: string_content
+  psycopg2.connect(..., password=$VAR,...)_with_instance:
+   kind: call
+   all:
+     - has:
+         stopBy: neighbor
+         kind: attribute
+         regex: ^psycopg2.connect$
+     - has:
+         stopBy: neighbor
+         kind: argument_list
+         has:
+           stopBy: end
+           kind: keyword_argument
+           all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: ^password$
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                pattern: $PSWD
+                nthChild: 2
+     - inside:
+         stopBy: end
+         kind: expression_statement
+         follows:
+          stopBy: end
+          kind: expression_statement
+          has:
+            stopBy: neighbor
+            kind: assignment
+            all:
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+                  pattern: $PSWD
+              - has:
+                  stopBy: neighbor
+                  kind: string
+                  not:
+                    has:
+                      stopBy: neighbor
+                      kind: string_content
+rule:
+  kind: call
+  any:
+    - matches: psycopg2.connect(..., password="",...)
+    - matches: psycopg2.connect(..., password=$VAR,...)_with_instance
diff --git a/tests/__snapshots__/python-psycopg2-empty-password-python-snapshot.yml b/tests/__snapshots__/python-psycopg2-empty-password-python-snapshot.yml
@@ -0,0 +1,77 @@
+id: python-psycopg2-empty-password-python
+snapshots:
+  ? |
+    PASSWORD = ""
+    psycopg2.connect(password=PASSWORD)
+  : labels:
+    - source: psycopg2.connect(password=PASSWORD)
+      style: primary
+      start: 14
+      end: 49
+    - source: psycopg2.connect
+      style: secondary
+      start: 14
+      end: 30
+    - source: password
+      style: secondary
+      start: 31
+      end: 39
+    - source: PASSWORD
+      style: secondary
+      start: 40
+      end: 48
+    - source: password=PASSWORD
+      style: secondary
+      start: 31
+      end: 48
+    - source: (password=PASSWORD)
+      style: secondary
+      start: 30
+      end: 49
+    - source: PASSWORD
+      style: secondary
+      start: 0
+      end: 8
+    - source: '""'
+      style: secondary
+      start: 11
+      end: 13
+    - source: PASSWORD = ""
+      style: secondary
+      start: 0
+      end: 13
+    - source: PASSWORD = ""
+      style: secondary
+      start: 0
+      end: 13
+    - source: psycopg2.connect(password=PASSWORD)
+      style: secondary
+      start: 14
+      end: 49
+  ? |
+    psycopg2.connect(password="")
+  : labels:
+    - source: psycopg2.connect(password="")
+      style: primary
+      start: 0
+      end: 29
+    - source: psycopg2.connect
+      style: secondary
+      start: 0
+      end: 16
+    - source: password
+      style: secondary
+      start: 17
+      end: 25
+    - source: '""'
+      style: secondary
+      start: 26
+      end: 28
+    - source: password=""
+      style: secondary
+      start: 17
+      end: 28
+    - source: (password="")
+      style: secondary
+      start: 16
+      end: 29
diff --git a/tests/python/python-psycopg2-empty-password-python-test.yml b/tests/python/python-psycopg2-empty-password-python-test.yml
@@ -0,0 +1,10 @@
+id: python-psycopg2-empty-password-python
+valid:
+  - |
+    psycopg2.connect(password="password")
+invalid:
+  - |
+    psycopg2.connect(password="")
+  - |
+    PASSWORD = ""
+    psycopg2.connect(password=PASSWORD)
