
Commit e773b57

author
Sakshis
committed
ruby-octokit-hardcoded-secret-ruby
1 parent 5fdbbde commit e773b57


3 files changed

+398
-0
lines changed

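--- /dev/null
+++ b/<rule-file-path-not-shown-on-page>
@@ -0,0 +1,103 @@
+id: ruby-octokit-hardcoded-secret-ruby
+language: ruby
+severity: warning
+message: >-
+A secret is hard-coded in the application. Secrets stored in source
+code, such as credentials, identifiers, and other types of sensitive data,
+can be leaked and used by internal or external malicious actors. Use
+environment variables to securely provide credentials and other secrets or
+retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+[CWE-798] Use of Hard-coded Credentials.
+[REFERENCES]
+- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+Octokit::Client.new(password:""):
+# Octokit::Client.new(..., password: "", ...)
+kind: call
+all:
+- has:
+stopBy: neighbor
+kind: scope_resolution
+regex: ^Octokit::Client$
+- has:
+stopBy: neighbor
+regex: ^.$
+- has:
+stopBy: neighbor
+kind: identifier
+regex: ^new$
+- has:
+stopBy: neighbor
+kind: argument_list
+has:
+stopBy: end
+kind: pair
+all:
+- has:
+stopBy: neighbor
+regex: ^:password|:access_token|:client_secret|password|access_token|client_secret$
+- has:
+stopBy: neighbor
+kind: string
+has:
+stopBy: neighbor
+kind: string_content
+- inside:
+stopBy: end
+kind: program
+has:
+stopBy: end
+kind: call
+pattern: require 'octokit'
+Octokit::Client.new(password:"")with_instance:
+# Octokit::Client.new(..., password: "", ...)
+kind: assignment
+all:
+- has:
+stopBy: end
+kind: call
+all:
+- has:
+stopBy: neighbor
+kind: scope_resolution
+regex: ^Octokit::Client$
+- has:
+stopBy: neighbor
+regex: ^.$
+- has:
+stopBy: neighbor
+kind: identifier
+regex: ^new$
+- has:
+stopBy: neighbor
+kind: argument_list
+has:
+stopBy: end
+kind: pair
+all:
+- has:
+stopBy: neighbor
+regex: ^:password|:access_token|:client_secret|password|access_token|client_secret$
+- has:
+stopBy: neighbor
+kind: identifier
+nthChild: 2
+pattern: $PASS
+- follows:
+stopBy: end
+kind: assignment
+pattern: $PASS = '$$$'
+- inside:
+stopBy: end
+kind: program
+has:
+stopBy: end
+kind: call
+pattern: require 'octokit'
+rule:
+any:
+- kind: call
+matches: Octokit::Client.new(password:"")
+- kind: assignment
+matches: Octokit::Client.new(password:"")with_instance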
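Review bot: The key regex in the `pair` match of the first utility, `^:password|:access_token|:client_secret|password|access_token|client_secret$`, anchors only its first and last alternatives, so the middle ones match anywhere inside a key and names such as `password_confirmation` or `old_access_token` get flagged; the same regex is repeated in the `with_instance` utility. Grouping the alternation keeps the anchors on every name: `regex: ^:?(password|access_token|client_secret)$`. The `with_instance` branch also hinges on `pattern: $PASS = '$$$'` matching the earlier assignment, and whether that pattern matches a double-quoted literal as well as a single-quoted one is worth confirming, since the snapshot file in this commit exercises only literals passed inline to `Octokit::Client.new`. Note too that `has: kind: string_content` under `kind: string` will match a string that mixes literal text with interpolation, which may be an acceptable false positive but deserves a comment such as `# also matches "literal#{expr}" strings`.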
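--- /dev/null
+++ b/<snapshot-file-path-not-shown-on-page>
@@ -0,0 +1,270 @@
+id: ruby-octokit-hardcoded-secret-ruby
+snapshots:
+? |
+require 'octokit'
+Octokit::Client.new(access_token: "<your 40 char token>", per_page: 100)
+: labels:
+- source: 'Octokit::Client.new(access_token: "<your 40 char token>", per_page: 100)'
+style: primary
+start: 18
+end: 90
+- source: Octokit::Client
+style: secondary
+start: 18
+end: 33
+- source: .
+style: secondary
+start: 33
+end: 34
+- source: new
+style: secondary
+start: 34
+end: 37
+- source: access_token
+style: secondary
+start: 38
+end: 50
+- source: <your 40 char token>
+style: secondary
+start: 53
+end: 73
+- source: '"<your 40 char token>"'
+style: secondary
+start: 52
+end: 74
+- source: 'access_token: "<your 40 char token>"'
+style: secondary
+start: 38
+end: 74
+- source: '(access_token: "<your 40 char token>", per_page: 100)'
+style: secondary
+start: 37
+end: 90
+- source: require 'octokit'
+style: secondary
+start: 0
+end: 17
+- source: |
+require 'octokit'
+Octokit::Client.new(access_token: "<your 40 char token>", per_page: 100)
+style: secondary
+start: 0
+end: 91
+? |
+require 'octokit'
+client = Octokit::Client.new \
+:client_id => "<your 20 char id>",
+:client_secret => "<your 40 char secret>"
+: labels:
+- source: |-
+Octokit::Client.new \
+:client_id => "<your 20 char id>",
+:client_secret => "<your 40 char secret>"
+style: primary
+start: 27
+end: 129
+- source: Octokit::Client
+style: secondary
+start: 27
+end: 42
+- source: .
+style: secondary
+start: 42
+end: 43
+- source: new
+style: secondary
+start: 43
+end: 46
+- source: :client_secret
+style: secondary
+start: 88
+end: 102
+- source: <your 40 char secret>
+style: secondary
+start: 107
+end: 128
+- source: '"<your 40 char secret>"'
+style: secondary
+start: 106
+end: 129
+- source: :client_secret => "<your 40 char secret>"
+style: secondary
+start: 88
+end: 129
+- source: |-
+:client_id => "<your 20 char id>",
+:client_secret => "<your 40 char secret>"
+style: secondary
+start: 49
+end: 129
+- source: require 'octokit'
+style: secondary
+start: 0
+end: 17
+- source: |
+require 'octokit'
+client = Octokit::Client.new \
+:client_id => "<your 20 char id>",
+:client_secret => "<your 40 char secret>"
+style: secondary
+start: 0
+end: 130
+? |
+require 'octokit'
+client = Octokit::Client.new \
+:login => 'defunkt',
+:password => 'c0d3b4ssssss!'
+: labels:
+- source: |-
+Octokit::Client.new \
+:login => 'defunkt',
+:password => 'c0d3b4ssssss!'
+style: primary
+start: 27
+end: 101
+- source: Octokit::Client
+style: secondary
+start: 27
+end: 42
+- source: .
+style: secondary
+start: 42
+end: 43
+- source: new
+style: secondary
+start: 43
+end: 46
+- source: :password
+style: secondary
+start: 73
+end: 82
+- source: c0d3b4ssssss!
+style: secondary
+start: 87
+end: 100
+- source: '''c0d3b4ssssss!'''
+style: secondary
+start: 86
+end: 101
+- source: :password => 'c0d3b4ssssss!'
+style: secondary
+start: 73
+end: 101
+- source: |-
+:login => 'defunkt',
+:password => 'c0d3b4ssssss!'
+style: secondary
+start: 49
+end: 101
+- source: require 'octokit'
+style: secondary
+start: 0
+end: 17
+- source: |
+require 'octokit'
+client = Octokit::Client.new \
+:login => 'defunkt',
+:password => 'c0d3b4ssssss!'
+style: secondary
+start: 0
+end: 102
+? |
+require 'octokit'
+client = Octokit::Client.new(:access_token => "<your 40 char token>")
+: labels:
+- source: Octokit::Client.new(:access_token => "<your 40 char token>")
+style: primary
+start: 27
+end: 87
+- source: Octokit::Client
+style: secondary
+start: 27
+end: 42
+- source: .
+style: secondary
+start: 42
+end: 43
+- source: new
+style: secondary
+start: 43
+end: 46
+- source: :access_token
+style: secondary
+start: 47
+end: 60
+- source: <your 40 char token>
+style: secondary
+start: 65
+end: 85
+- source: '"<your 40 char token>"'
+style: secondary
+start: 64
+end: 86
+- source: :access_token => "<your 40 char token>"
+style: secondary
+start: 47
+end: 86
+- source: (:access_token => "<your 40 char token>")
+style: secondary
+start: 46
+end: 87
+- source: require 'octokit'
+style: secondary
+start: 0
+end: 17
+- source: |
+require 'octokit'
+client = Octokit::Client.new(:access_token => "<your 40 char token>")
+style: secondary
+start: 0
+end: 88
+? |
+require 'octokit'
+client = Octokit::Client.new(:login => 'defunkt', :password => 'c0d3b4ssssss!')
+: labels:
+- source: Octokit::Client.new(:login => 'defunkt', :password => 'c0d3b4ssssss!')
+style: primary
+start: 27
+end: 97
+- source: Octokit::Client
+style: secondary
+start: 27
+end: 42
+- source: .
+style: secondary
+start: 42
+end: 43
+- source: new
+style: secondary
+start: 43
+end: 46
+- source: :password
+style: secondary
+start: 68
+end: 77
+- source: c0d3b4ssssss!
+style: secondary
+start: 82
+end: 95
+- source: '''c0d3b4ssssss!'''
+style: secondary
+start: 81
+end: 96
+- source: :password => 'c0d3b4ssssss!'
+style: secondary
+start: 68
+end: 96
+- source: (:login => 'defunkt', :password => 'c0d3b4ssssss!')
+style: secondary
+start: 46
+end: 97
+- source: require 'octokit'
+style: secondary
+start: 0
+end: 17
+- source: |
+require 'octokit'
+client = Octokit::Client.new(:login => 'defunkt', :password => 'c0d3b4ssssss!')
+style: secondary
+start: 0
+end: 98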
