Commit e637b6a

author
Sakshis
committed
python-mysql-empty-password-python
1 parent 2f95a8e commit e637b6a

3 files changed: +208 −0 lines changed

3 files changed

+208
-0
lines changed
Lines changed: 88 additions & 0 deletions
@@ -0,0 +1,88 @@
1+
id: python-mysql-empty-password-python
2+
language: python
3+
severity: warning
4+
message: >-
5+
The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).
6+
note: >-
7+
[CWE-287]: Improper Authentication
8+
[A07:2021]: Identification and Authentication Failures
9+
[REFERENCES]
10+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
11+
12+
rule:
13+
any:
14+
- kind: call
15+
has:
16+
kind: attribute
17+
field: function
18+
regex: ^mysql.connector.connect$
19+
precedes:
20+
kind: argument_list
21+
has:
22+
kind: keyword_argument
23+
all:
24+
- has:
25+
kind: identifier
26+
nthChild: 1
27+
regex: ^(password|passwd)$
28+
- has:
29+
kind: string
30+
nthChild: 2
31+
all:
32+
- has:
33+
kind: string_start
34+
nthChild: 1
35+
- has:
36+
kind: string_end
37+
nthChild: 2
38+
inside:
39+
stopBy: end
40+
follows:
41+
stopBy: end
42+
kind: import_statement
43+
has:
44+
kind: dotted_name
45+
nthChild: 1
46+
regex: ^mysql.connector$
47+
- kind: call
48+
has:
49+
kind: attribute
50+
field: function
51+
pattern: $CONNECTOR_ALIAS.connect
52+
precedes:
53+
kind: argument_list
54+
has:
55+
kind: keyword_argument
56+
all:
57+
- has:
58+
kind: identifier
59+
nthChild: 1
60+
regex: ^(password|passwd)$
61+
- has:
62+
kind: string
63+
nthChild: 2
64+
all:
65+
- has:
66+
kind: string_start
67+
nthChild: 1
68+
- has:
69+
kind: string_end
70+
nthChild: 2
71+
inside:
72+
stopBy: end
73+
follows:
74+
stopBy: end
75+
kind: import_statement
76+
has:
77+
kind: aliased_import
78+
nthChild: 1
79+
all:
80+
- has:
81+
kind: dotted_name
82+
nthChild: 1
83+
regex: ^mysql.connector$
84+
- has:
85+
kind: identifier
86+
field: alias
87+
nthChild: 2
88+
pattern: $CONNECTOR_ALIAS
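Review bot: the `regex` values in this rule (`^mysql.connector.connect$` and the two occurrences of `^mysql.connector$`) leave the dots unescaped, so `.` matches any character and a module spelled, say, `mysql_connector` would satisfy the anchor; write them as `^mysql\.connector\.connect$` and `^mysql\.connector$` so only the real package name matches. Two coverage gaps are also worth a comment in the rule or a dedicated test: both branches require a `keyword_argument` named `password`/`passwd`, so an empty password passed positionally to `connect(...)` is not reported, and the `follows` / `import_statement` constraints only recognise `import mysql.connector` and `import mysql.connector as ALIAS`, so a `from mysql import connector` import form never reaches the `call` check. The nested `string` check (`string_start` as child 1, `string_end` as child 2) does correctly restrict the match to an empty literal, which keeps false positives on non-empty literals out.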
Lines changed: 107 additions & 0 deletions
@@ -0,0 +1,107 @@
1+
id: python-mysql-empty-password-python
2+
snapshots:
3+
? |
4+
import mysql.connector
5+
conn = mysql.connector.connect(username="abcz", passwd="")
6+
: labels:
7+
- source: mysql.connector.connect(username="abcz", passwd="")
8+
style: primary
9+
start: 30
10+
end: 81
11+
- source: mysql.connector
12+
style: secondary
13+
start: 7
14+
end: 22
15+
- source: import mysql.connector
16+
style: secondary
17+
start: 0
18+
end: 22
19+
- source: import mysql.connector
20+
style: secondary
21+
start: 0
22+
end: 22
23+
- source: passwd
24+
style: secondary
25+
start: 71
26+
end: 77
27+
- source: '"'
28+
style: secondary
29+
start: 78
30+
end: 79
31+
- source: '"'
32+
style: secondary
33+
start: 79
34+
end: 80
35+
- source: '""'
36+
style: secondary
37+
start: 78
38+
end: 80
39+
- source: passwd=""
40+
style: secondary
41+
start: 71
42+
end: 80
43+
- source: (username="abcz", passwd="")
44+
style: secondary
45+
start: 53
46+
end: 81
47+
- source: mysql.connector.connect
48+
style: secondary
49+
start: 30
50+
end: 53
51+
? |
52+
import mysql.connector as mysql123
53+
def my_function():
54+
mysql123.connect(host="localhost",user="root",passwd="",database="aaa")
55+
: labels:
56+
- source: mysql123.connect(host="localhost",user="root",passwd="",database="aaa")
57+
style: primary
58+
start: 56
59+
end: 127
60+
- source: mysql.connector
61+
style: secondary
62+
start: 7
63+
end: 22
64+
- source: mysql123
65+
style: secondary
66+
start: 26
67+
end: 34
68+
- source: mysql.connector as mysql123
69+
style: secondary
70+
start: 7
71+
end: 34
72+
- source: import mysql.connector as mysql123
73+
style: secondary
74+
start: 0
75+
end: 34
76+
- source: import mysql.connector as mysql123
77+
style: secondary
78+
start: 0
79+
end: 34
80+
- source: passwd
81+
style: secondary
82+
start: 102
83+
end: 108
84+
- source: '"'
85+
style: secondary
86+
start: 109
87+
end: 110
88+
- source: '"'
89+
style: secondary
90+
start: 110
91+
end: 111
92+
- source: '""'
93+
style: secondary
94+
start: 109
95+
end: 111
96+
- source: passwd=""
97+
style: secondary
98+
start: 102
99+
end: 111
100+
- source: (host="localhost",user="root",passwd="",database="aaa")
101+
style: secondary
102+
start: 72
103+
end: 127
104+
- source: mysql123.connect
105+
style: secondary
106+
start: 56
107+
end: 72
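Review bot: each snapshot records the same secondary label twice (`- source: import mysql.connector` with `start: 0`, `end: 22` appears back-to-back in the first snapshot, and `- source: import mysql.connector as mysql123` with `start: 0`, `end: 34` in the second). The duplicate most likely comes from the `inside: stopBy: end` and `follows: stopBy: end` clauses both reporting the import statement as a match node; regenerate the snapshot after tightening the rule, or at least confirm the duplication is expected, so the highlight set stays minimal and a future diff of this file is readable.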
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
id: python-mysql-empty-password-python
2+
valid:
3+
- |
4+
import mysql.connector
5+
conn = mysql.connector.connect(username="abcz", passwd="abc")
6+
invalid:
7+
- |
8+
import mysql.connector
9+
conn = mysql.connector.connect(username="abcz", passwd="")
10+
- |
11+
import mysql.connector as mysql123
12+
def my_function():
13+
mysql123.connect(host="localhost",user="root",passwd="",database="aaa")
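Review bot: `valid:` holds a single case, so the aliased-import branch of the rule is never exercised on a non-matching input and the remediation the rule message recommends is never shown to pass. Add a valid case with `import mysql.connector as mysql123` and a non-empty `passwd`, and one that takes the secret from the environment, for example `passwd=os.environ["DB_PASSWORD"]` (with `import os`), to confirm the rule does not fire on a non-literal value. Since the identifier regex accepts both names, an `invalid:` case spelled `password=""` would also pin that alternative down.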