
Commit deb96b1

authored
Two Rust rules (#36)
1 parent c752f2e commit deb96b1

6 files changed

+505
-0
lines changed
Lines changed: 124 additions & 0 deletions
@@ -0,0 +1,124 @@
1+
id: tokio-postgres-empty-password-rust
2+
language: rust
3+
severity: warning
4+
message: >-
5+
The application uses an empty credential. This can lead to unauthorized
6+
access by either an internal or external malicious actor. It is
7+
recommended to rotate the secret and retrieve them from a secure secret
8+
vault or Hardware Security Module (HSM), alternatively environment
9+
variables can be used if allowed by your company policy.
10+
note: >-
11+
[CWE-287] Improper Authentication.
12+
[REFERENCES]
13+
- https://docs.rs/tokio-postgres/latest/tokio_postgres/
14+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
15+
utils:
16+
MATCH_PATTERN_WITH_INSTANCE:
17+
kind: call_expression
18+
all:
19+
- has:
20+
stopBy: neighbor
21+
kind: field_expression
22+
all:
23+
- has:
24+
stopBy: neighbor
25+
kind: call_expression
26+
all:
27+
- has:
28+
stopBy: neighbor
29+
kind: field_expression
30+
all:
31+
- has:
32+
stopBy: end
33+
kind: call_expression
34+
all:
35+
- has:
36+
stopBy: neighbor
37+
kind: field_expression
38+
all:
39+
- has:
40+
stopBy: neighbor
41+
kind: identifier
42+
pattern: $C
43+
- has:
44+
stopBy: neighbor
45+
kind: arguments
46+
- has:
47+
stopBy: neighbor
48+
kind: field_identifier
49+
- has:
50+
stopBy: neighbor
51+
kind: arguments
52+
- has:
53+
stopBy: neighbor
54+
kind: field_identifier
55+
regex: "^password$"
56+
- has:
57+
stopBy: neighbor
58+
kind: arguments
59+
regex: \(\s*\"\"\s*\)
60+
- inside:
61+
stopBy: end
62+
kind: expression_statement
63+
follows:
64+
stopBy: end
65+
kind: let_declaration
66+
all:
67+
- has:
68+
stopBy: neighbor
69+
kind: identifier
70+
pattern: $C
71+
- has:
72+
stopBy: neighbor
73+
kind: call_expression
74+
pattern: tokio_postgres::Config::new()
75+
76+
MATCH_PATTERN_DIRECTLY:
77+
kind: call_expression
78+
all:
79+
- has:
80+
stopBy: neighbor
81+
kind: field_expression
82+
all:
83+
- has:
84+
stopBy: neighbor
85+
kind: call_expression
86+
all:
87+
- has:
88+
stopBy: neighbor
89+
kind: field_expression
90+
all:
91+
- has:
92+
stopBy: neighbor
93+
kind: call_expression
94+
all:
95+
- has:
96+
stopBy: neighbor
97+
kind: field_expression
98+
has:
99+
stopBy: neighbor
100+
kind: call_expression
101+
pattern: tokio_postgres::Config::new()
102+
- has:
103+
stopBy: neighbor
104+
kind: arguments
105+
- has:
106+
stopBy: neighbor
107+
kind: field_identifier
108+
- has:
109+
stopBy: neighbor
110+
kind: arguments
111+
- has:
112+
stopBy: neighbor
113+
kind: field_identifier
114+
regex: "^password$"
115+
- has:
116+
stopBy: neighbor
117+
kind: arguments
118+
regex: \(\s*\"\"\s*\)
119+
120+
rule:
121+
kind: call_expression
122+
any:
123+
- matches: MATCH_PATTERN_WITH_INSTANCE
124+
- matches: MATCH_PATTERN_DIRECTLY
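Review bot: The terminal `arguments` match, `regex: \(\s*\"\"\s*\)`, only recognises a literal `""` token, so an empty credential passed as `b""`, `String::new()` or `"".to_string()` passes this rule silently even though `Config::password` accepts any `AsRef<[u8]>` per the linked docs; if those spellings are meant to be in scope, matching the `arguments` node structurally (a `string_literal` with no `string_content`, plus the obvious constructor calls) would be more robust than a regex on the source text. The two utils are roughly sixty lines of nested `has:` with no description of the shape they accept, which makes the `stopBy: end` at the inner `call_expression` and the `follows: let_declaration` anchor hard to audit; a header comment such as `# $C.<builder>(..)…password("") where $C was bound by let $C = tokio_postgres::Config::new();` on MATCH_PATTERN_WITH_INSTANCE, and `# tokio_postgres::Config::new().<builder>(..)…password("")` on MATCH_PATTERN_DIRECTLY, would cover it; the same applies to the identical utils in the hardcoded-password rule below. The structure also appears to require at least two builder calls before `.password`, which is the only depth the snapshot exercises — if `config.password("")` as the first call in a chain is expected to fire, that case is worth adding to the test file.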
Lines changed: 135 additions & 0 deletions
@@ -0,0 +1,135 @@
1+
id: tokio-postgres-hardcoded-password-rust
2+
language: rust
3+
severity: warning
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. It is
8+
recommended to rotate the secret and retrieve them from a secure secret
9+
vault or Hardware Security Module (HSM), alternatively environment
10+
variables can be used if allowed by your company policy.
11+
note: >-
12+
[CWE-798] Use of Hard-coded Credentials.
13+
[REFERENCES]
14+
- https://docs.rs/tokio-postgres/latest/tokio_postgres/
15+
- https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
16+
utils:
17+
MATCH_PATTERN_WITH_INSTANCE:
18+
kind: call_expression
19+
all:
20+
- has:
21+
stopBy: neighbor
22+
kind: field_expression
23+
all:
24+
- has:
25+
stopBy: neighbor
26+
kind: call_expression
27+
all:
28+
- has:
29+
stopBy: neighbor
30+
kind: field_expression
31+
all:
32+
- has:
33+
stopBy: end
34+
kind: call_expression
35+
all:
36+
- has:
37+
stopBy: neighbor
38+
kind: field_expression
39+
all:
40+
- has:
41+
stopBy: neighbor
42+
kind: identifier
43+
pattern: $C
44+
- has:
45+
stopBy: neighbor
46+
kind: arguments
47+
- has:
48+
stopBy: neighbor
49+
kind: field_identifier
50+
- has:
51+
stopBy: neighbor
52+
kind: arguments
53+
- has:
54+
stopBy: neighbor
55+
kind: field_identifier
56+
regex: "^password$"
57+
- has:
58+
stopBy: neighbor
59+
kind: arguments
60+
has:
61+
stopBy: neighbor
62+
kind: string_literal
63+
has:
64+
stopBy: neighbor
65+
kind: string_content
66+
- inside:
67+
stopBy: end
68+
kind: expression_statement
69+
follows:
70+
stopBy: end
71+
kind: let_declaration
72+
all:
73+
- has:
74+
stopBy: neighbor
75+
kind: identifier
76+
pattern: $C
77+
- has:
78+
stopBy: neighbor
79+
kind: call_expression
80+
pattern: tokio_postgres::Config::new()
81+
82+
MATCH_PATTERN_DIRECTLY:
83+
kind: call_expression
84+
all:
85+
- has:
86+
stopBy: neighbor
87+
kind: field_expression
88+
all:
89+
- has:
90+
stopBy: neighbor
91+
kind: call_expression
92+
all:
93+
- has:
94+
stopBy: neighbor
95+
kind: field_expression
96+
all:
97+
- has:
98+
stopBy: neighbor
99+
kind: call_expression
100+
all:
101+
- has:
102+
stopBy: neighbor
103+
kind: field_expression
104+
has:
105+
stopBy: neighbor
106+
kind: call_expression
107+
pattern: tokio_postgres::Config::new()
108+
- has:
109+
stopBy: neighbor
110+
kind: arguments
111+
- has:
112+
stopBy: neighbor
113+
kind: field_identifier
114+
- has:
115+
stopBy: neighbor
116+
kind: arguments
117+
- has:
118+
stopBy: neighbor
119+
kind: field_identifier
120+
regex: "^password$"
121+
- has:
122+
stopBy: neighbor
123+
kind: arguments
124+
has:
125+
stopBy: neighbor
126+
kind: string_literal
127+
has:
128+
stopBy: neighbor
129+
kind: string_content
130+
131+
rule:
132+
kind: call_expression
133+
any:
134+
- matches: MATCH_PATTERN_WITH_INSTANCE
135+
- matches: MATCH_PATTERN_DIRECTLY
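Review bot: The terminal match at the end of both utils, `kind: arguments` → `has: string_literal` → `has: string_content`, is tied to one literal kind; in tree-sitter-rust raw strings (`r"…"`) are, as far as I recall, a separate `raw_string_literal` node, and byte strings (`b"…"`) are a valid `Config::password` argument as well, so a hard-coded secret in either form would not be reported — worth confirming against the grammar and adding those kinds to the `has:` (an `any:` over the literal kinds) if they are parsed separately. The `has: string_content` requirement deliberately excludes `""`, which is left to the sibling empty-password rule; that division of labour is not stated anywhere and would be a one-line comment, e.g. `# Non-empty literal only; "" is reported by tokio-postgres-empty-password-rust`. Only the empty-password rule's snapshot is visible on this page; if the hardcoded-password rule ships without one, a snapshot covering the chained and the direct `tokio_postgres::Config::new()` forms would pin both utils.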
Lines changed: 100 additions & 0 deletions
@@ -0,0 +1,100 @@
1+
id: tokio-postgres-empty-password-rust
2+
snapshots:
3+
? |
4+
async fn test1() -> Result<(), anyhow::Error> {
5+
let mut config = tokio_postgres::Config::new();
6+
config
7+
.host(std::env::var("HOST").expect("set HOST"))
8+
.user(std::env::var("USER").expect("set USER"))
9+
.password("")
10+
.port(std::env::var("PORT").expect("set PORT"));
11+
Ok(())
12+
}
13+
: labels:
14+
- source: |-
15+
config
16+
.host(std::env::var("HOST").expect("set HOST"))
17+
.user(std::env::var("USER").expect("set USER"))
18+
.password("")
19+
style: primary
20+
start: 96
21+
end: 212
22+
- source: config
23+
style: secondary
24+
start: 96
25+
end: 102
26+
- source: |-
27+
config
28+
.host
29+
style: secondary
30+
start: 96
31+
end: 108
32+
- source: (std::env::var("HOST").expect("set HOST"))
33+
style: secondary
34+
start: 108
35+
end: 150
36+
- source: |-
37+
config
38+
.host(std::env::var("HOST").expect("set HOST"))
39+
style: secondary
40+
start: 96
41+
end: 150
42+
- source: user
43+
style: secondary
44+
start: 152
45+
end: 156
46+
- source: |-
47+
config
48+
.host(std::env::var("HOST").expect("set HOST"))
49+
.user
50+
style: secondary
51+
start: 96
52+
end: 156
53+
- source: (std::env::var("USER").expect("set USER"))
54+
style: secondary
55+
start: 156
56+
end: 198
57+
- source: |-
58+
config
59+
.host(std::env::var("HOST").expect("set HOST"))
60+
.user(std::env::var("USER").expect("set USER"))
61+
style: secondary
62+
start: 96
63+
end: 198
64+
- source: password
65+
style: secondary
66+
start: 200
67+
end: 208
68+
- source: |-
69+
config
70+
.host(std::env::var("HOST").expect("set HOST"))
71+
.user(std::env::var("USER").expect("set USER"))
72+
.password
73+
style: secondary
74+
start: 96
75+
end: 208
76+
- source: ("")
77+
style: secondary
78+
start: 208
79+
end: 212
80+
- source: config
81+
style: secondary
82+
start: 56
83+
end: 62
84+
- source: tokio_postgres::Config::new()
85+
style: secondary
86+
start: 65
87+
end: 94
88+
- source: let mut config = tokio_postgres::Config::new();
89+
style: secondary
90+
start: 48
91+
end: 95
92+
- source: |-
93+
config
94+
.host(std::env::var("HOST").expect("set HOST"))
95+
.user(std::env::var("USER").expect("set USER"))
96+
.password("")
97+
.port(std::env::var("PORT").expect("set PORT"));
98+
style: secondary
99+
start: 96
100+
end: 261
