
Commit df66482

committed
ruby-octokit-hardcoded-secret-ruby
1 parent 0601dad commit df66482


3 files changed

+389
-0
lines changed

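--- /dev/null
+++ b/<rule-file-path>
@@ -0,0 +1,132 @@
+id: ruby-octokit-hardcoded-secret-ruby
+language: ruby
+severity: warning
+message: >-
+A secret is hard-coded in the application. Secrets stored in source
+code, such as credentials, identifiers, and other types of sensitive data,
+can be leaked and used by internal or external malicious actors. Use
+environment variables to securely provide credentials and other secrets or
+retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+[CWE-798] Use of Hard-coded Credentials.
+[REFERENCES]
+- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+Octokit::Client.new(password:""):
+# Octokit::Client.new(..., password: "", ...)
+kind: call
+all:
+- has:
+stopBy: neighbor
+kind: scope_resolution
+regex: ^Octokit::Client$
+- has:
+stopBy: neighbor
+regex: ^.$
+- has:
+stopBy: neighbor
+kind: identifier
+regex: ^new$
+- has:
+stopBy: neighbor
+kind: argument_list
+has:
+stopBy: neighbor
+kind: pair
+all:
+- has:
+stopBy: neighbor
+any:
+- kind: simple_symbol
+regex: ^:password$|^:access_token$|^:client_secret$
+- kind: hash_key_symbol
+regex: ^password$|^access_token$|^client_secret$
+- has:
+stopBy: neighbor
+kind: string
+- any:
+- inside:
+stopBy: end
+follows:
+stopBy: end
+kind: call
+pattern: require 'octokit'
+- follows:
+stopBy: end
+kind: call
+pattern: require 'octokit'
+Octokit::Client.new(password:"")_Instance:
+kind: call
+all:
+- has:
+stopBy: neighbor
+kind: scope_resolution
+regex: ^Octokit::Client$
+- has:
+stopBy: neighbor
+regex: ^.$
+- has:
+stopBy: neighbor
+kind: identifier
+regex: ^new$
+- has:
+stopBy: neighbor
+kind: argument_list
+has:
+stopBy: neighbor
+kind: pair
+all:
+- has:
+stopBy: neighbor
+any:
+- kind: simple_symbol
+regex: ^:password$|^:access_token$|^:client_secret$
+- kind: hash_key_symbol
+regex: ^password$|^access_token$|^client_secret$
+- has:
+stopBy: neighbor
+kind: identifier
+pattern: $SECRET
+- any:
+- inside:
+stopBy: end
+follows:
+stopBy: end
+kind: call
+pattern: require 'octokit'
+- follows:
+stopBy: end
+kind: call
+pattern: require 'octokit'
+- any:
+- follows:
+stopBy: end
+kind: assignment
+pattern: $SECRET = $PASS
+- inside:
+stopBy: end
+follows:
+stopBy: end
+kind: assignment
+pattern: $SECRET = $PASS
+rule:
+kind: call
+any:
+- matches: Octokit::Client.new(password:"")
+- matches: Octokit::Client.new(password:"")_Instance
+all:
+- not:
+has:
+stopBy: end
+kind: ERROR
+- not:
+inside:
+stopBy: end
+kind: ERROR
+
+constraints:
+PASS:
+kind: string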
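Review bot: The value check at rule line 49 (`kind: string`) and the `PASS` constraint at line 132 accept any tree-sitter `string` node, so an interpolated value such as `access_token: "#{ENV['GITHUB_TOKEN']}"` is reported as a hard-coded secret although no literal credential is present in the source. Narrowing both places to plain literals, i.e. adding `not: { has: { kind: interpolation } }` alongside each `kind: string`, would drop that false positive without affecting any of the snapshot cases, which all use plain literals. The key alternation at lines 44/46 (and again at 86/88) also omits `bearer_token`, which `Octokit::Client.new` accepts for GitHub App JWT authentication; if that credential is in scope for this rule it is a one-word addition to each regex. The page shows the file with its YAML indentation flattened, so line references are by file line number only.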
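--- /dev/null
+++ b/<snapshot-file-path>
@@ -0,0 +1,232 @@
+id: ruby-octokit-hardcoded-secret-ruby
+snapshots:
+? |
+require 'octokit'
+Octokit::Client.new(access_token: "<your 40 char token>", per_page: 100)
+: labels:
+- source: 'Octokit::Client.new(access_token: "<your 40 char token>", per_page: 100)'
+style: primary
+start: 18
+end: 90
+- source: Octokit::Client
+style: secondary
+start: 18
+end: 33
+- source: .
+style: secondary
+start: 33
+end: 34
+- source: new
+style: secondary
+start: 34
+end: 37
+- source: access_token
+style: secondary
+start: 38
+end: 50
+- source: '"<your 40 char token>"'
+style: secondary
+start: 52
+end: 74
+- source: 'access_token: "<your 40 char token>"'
+style: secondary
+start: 38
+end: 74
+- source: '(access_token: "<your 40 char token>", per_page: 100)'
+style: secondary
+start: 37
+end: 90
+- source: require 'octokit'
+style: secondary
+start: 0
+end: 17
+? |
+require 'octokit'
+client = Octokit::Client.new \
+:client_id => "<your 20 char id>",
+:client_secret => "<your 40 char secret>"
+: labels:
+- source: |-
+Octokit::Client.new \
+:client_id => "<your 20 char id>",
+:client_secret => "<your 40 char secret>"
+style: primary
+start: 27
+end: 129
+- source: Octokit::Client
+style: secondary
+start: 27
+end: 42
+- source: .
+style: secondary
+start: 42
+end: 43
+- source: new
+style: secondary
+start: 43
+end: 46
+- source: :client_secret
+style: secondary
+start: 88
+end: 102
+- source: '"<your 40 char secret>"'
+style: secondary
+start: 106
+end: 129
+- source: :client_secret => "<your 40 char secret>"
+style: secondary
+start: 88
+end: 129
+- source: |-
+:client_id => "<your 20 char id>",
+:client_secret => "<your 40 char secret>"
+style: secondary
+start: 49
+end: 129
+- source: require 'octokit'
+style: secondary
+start: 0
+end: 17
+- source: require 'octokit'
+style: secondary
+start: 0
+end: 17
+? |
+require 'octokit'
+client = Octokit::Client.new \
+:login => 'defunkt',
+:password => 'c0d3b4ssssss!'
+: labels:
+- source: |-
+Octokit::Client.new \
+:login => 'defunkt',
+:password => 'c0d3b4ssssss!'
+style: primary
+start: 27
+end: 101
+- source: Octokit::Client
+style: secondary
+start: 27
+end: 42
+- source: .
+style: secondary
+start: 42
+end: 43
+- source: new
+style: secondary
+start: 43
+end: 46
+- source: :password
+style: secondary
+start: 73
+end: 82
+- source: '''c0d3b4ssssss!'''
+style: secondary
+start: 86
+end: 101
+- source: :password => 'c0d3b4ssssss!'
+style: secondary
+start: 73
+end: 101
+- source: |-
+:login => 'defunkt',
+:password => 'c0d3b4ssssss!'
+style: secondary
+start: 49
+end: 101
+- source: require 'octokit'
+style: secondary
+start: 0
+end: 17
+- source: require 'octokit'
+style: secondary
+start: 0
+end: 17
+? |
+require 'octokit'
+client = Octokit::Client.new(:access_token => "<your 40 char token>")
+: labels:
+- source: Octokit::Client.new(:access_token => "<your 40 char token>")
+style: primary
+start: 27
+end: 87
+- source: Octokit::Client
+style: secondary
+start: 27
+end: 42
+- source: .
+style: secondary
+start: 42
+end: 43
+- source: new
+style: secondary
+start: 43
+end: 46
+- source: :access_token
+style: secondary
+start: 47
+end: 60
+- source: '"<your 40 char token>"'
+style: secondary
+start: 64
+end: 86
+- source: :access_token => "<your 40 char token>"
+style: secondary
+start: 47
+end: 86
+- source: (:access_token => "<your 40 char token>")
+style: secondary
+start: 46
+end: 87
+- source: require 'octokit'
+style: secondary
+start: 0
+end: 17
+- source: require 'octokit'
+style: secondary
+start: 0
+end: 17
+? |
+require 'octokit'
+client = Octokit::Client.new(:login => 'defunkt', :password => 'c0d3b4ssssss!')
+: labels:
+- source: Octokit::Client.new(:login => 'defunkt', :password => 'c0d3b4ssssss!')
+style: primary
+start: 27
+end: 97
+- source: Octokit::Client
+style: secondary
+start: 27
+end: 42
+- source: .
+style: secondary
+start: 42
+end: 43
+- source: new
+style: secondary
+start: 43
+end: 46
+- source: :password
+style: secondary
+start: 68
+end: 77
+- source: '''c0d3b4ssssss!'''
+style: secondary
+start: 81
+end: 96
+- source: :password => 'c0d3b4ssssss!'
+style: secondary
+start: 68
+end: 96
+- source: (:login => 'defunkt', :password => 'c0d3b4ssssss!')
+style: secondary
+start: 46
+end: 97
+- source: require 'octokit'
+style: secondary
+start: 0
+end: 17
+- source: require 'octokit'
+style: secondary
+start: 0
+end: 17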
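--- /dev/null
+++ b/<test-file-path>
@@ -0,0 +1,25 @@
+id: ruby-octokit-hardcoded-secret-ruby
+valid:
+- |
+require 'octokit'
+Octokit::Client.new(access_token: token, per_page: 100)
+invalid:
+- |
+require 'octokit'
+Octokit::Client.new(access_token: "<your 40 char token>", per_page: 100)
+- |
+require 'octokit'
+client = Octokit::Client.new \
+:client_id => "<your 20 char id>",
+:client_secret => "<your 40 char secret>"
+- |
+require 'octokit'
+client = Octokit::Client.new \
+:login => 'defunkt',
+:password => 'c0d3b4ssssss!'
+- |
+require 'octokit'
+client = Octokit::Client.new(:login => 'defunkt', :password => 'c0d3b4ssssss!')
+- |
+require 'octokit'
+client = Octokit::Client.new(:access_token => "<your 40 char token>")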
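Review bot: The `Octokit::Client.new(password:"")_Instance` branch of the rule — a literal assigned to a local and then passed by identifier via `$SECRET = $PASS` — has no `invalid:` case in this file, and the snapshot file in the same commit accordingly contains no entry for it, so a regression in that branch would go unnoticed. The `valid:` list has a single entry and never covers the case where the local is assigned from a non-literal such as an environment lookup, which is exactly the pattern the rule's message recommends and which the `PASS: kind: string` constraint is meant to exclude. One case on each side would pin the `_Instance` util; the examples below are constructed and reuse the page's placeholder token value.
```yaml
valid:
  # … unchanged: existing valid case …
  - |
    require 'octokit'
    token = ENV['GITHUB_TOKEN']
    client = Octokit::Client.new(access_token: token)
invalid:
  # … unchanged: existing five invalid cases …
  - |
    require 'octokit'
    token = "<your 40 char token>"
    client = Octokit::Client.new(access_token: token)
```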
