
Commit fe79543

author
Sakshis
committed
hardcoded-secret-in-credentials-java
1 parent 9e70ab5 commit fe79543


3 files changed

+295
-0
lines changed
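--- /dev/null
+++ b/PLACEHOLDER_RULE_FILE_PATH
@@ -0,0 +1,197 @@
+id: hardcoded-secret-in-credentials-java
+language: java
+severity: warning
+message: >-
+A secret is hard-coded in the application. Secrets stored in source
+code, such as credentials, identifiers, and other types of sensitive data,
+can be leaked and used by internal or external malicious actors. Use
+environment variables to securely provide credentials and other secrets or
+retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+[CWE-798]: Use of Hard-coded Credentials
+[OWASP A07:2021]: Identification and Authentication Failures
+[REFERENCES]
+- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+match_local_variable_declaration_with_username:
+kind: local_variable_declaration
+all:
+- has:
+stopBy: end
+kind: type_identifier
+field: type
+- has:
+stopBy: end
+kind: variable_declarator
+field: declarator
+has:
+stopBy: end
+kind: identifier
+field: name
+- has:
+stopBy: end
+kind: method_invocation
+all:
+- has:
+stopBy: end
+kind: identifier
+field: object
+regex: "^Credentials$"
+- has:
+stopBy: end
+kind: identifier
+field: name
+regex: "^basic$"
+- has:
+stopBy: end
+kind: argument_list
+field: arguments
+all:
+- has:
+stopBy: end
+kind: identifier
+pattern: $USERNAME
+- has:
+kind: string_literal
+pattern: $STRING
+inside:
+stopBy: end
+kind: method_declaration
+follows:
+stopBy: end
+kind: field_declaration
+all:
+- has:
+stopBy: end
+kind: modifiers
+- has:
+stopBy: end
+kind: type_identifier
+field: type
+- has:
+stopBy: end
+kind: variable_declarator
+field: declarator
+all:
+- has:
+stopBy: end
+kind: identifier
+field: name
+pattern: $USERNAME
+- has:
+stopBy: end
+kind: string_literal
+field: value
+match_local_variable_declaration_with_instance:
+kind: local_variable_declaration
+all:
+- has:
+stopBy: end
+kind: type_identifier
+field: type
+- has:
+stopBy: end
+kind: variable_declarator
+field: declarator
+all:
+- has:
+stopBy: end
+kind: identifier
+field: name
+- has:
+stopBy: end
+kind: method_invocation
+all:
+- has:
+stopBy: end
+kind: identifier
+field: object
+regex: "^Credentials$"
+- has:
+stopBy: end
+kind: identifier
+field: name
+regex: "^basic$"
+- has:
+stopBy: end
+kind: argument_list
+all:
+- has:
+stopBy: end
+kind: identifier
+pattern: $USERNAME
+nthChild: 1
+- has:
+stopBy: end
+kind: identifier
+pattern: $PASS
+nthChild: 2
+- not:
+has:
+stopBy: end
+kind: identifier
+nthChild: 3
+- all:
+- inside:
+stopBy: end
+kind: method_declaration
+follows:
+stopBy: end
+kind: field_declaration
+all:
+- has:
+stopBy: end
+kind: modifiers
+- has:
+stopBy: end
+kind: type_identifier
+- has:
+stopBy: end
+kind: variable_declarator
+field: declarator
+all:
+- has:
+stopBy: end
+kind: identifier
+field: name
+pattern: $PASS
+- has:
+stopBy: end
+kind: string_literal
+field: value
+pattern: $STRING
+- inside:
+stopBy: end
+kind: method_declaration
+follows:
+stopBy: end
+kind: field_declaration
+all:
+- has:
+stopBy: end
+kind: modifiers
+- has:
+stopBy: end
+kind: type_identifier
+- has:
+stopBy: end
+kind: variable_declarator
+field: declarator
+all:
+- has:
+stopBy: end
+kind: identifier
+field: name
+pattern: $USERNAME
+- has:
+stopBy: end
+kind: string_literal
+field: value
+rule:
+any:
+- matches: match_local_variable_declaration_with_username
+- matches: match_local_variable_declaration_with_instance
+constraints:
+STRING:
+not:
+regex: ^""$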
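Review bot: Both utils are rooted at `local_variable_declaration` and, through the `follows: kind: field_declaration` branch, require the username argument of `Credentials.basic` to be an identifier whose field in the same class is initialised with a string literal, so the most direct forms of CWE-798 are not reported: `Credentials.basic("admin", "asdf")` with two literals, a username that comes from configuration or a method parameter, and an inline call such as `.header("Authorization", Credentials.basic(user, "asdf"))` that is never assigned to a local. The secret is the password argument; whether the username happens to be a literal should not gate the finding. A third util rooted at `method_invocation` that only requires a `string_literal` as the second argument (still subject to the existing `STRING` constraint) would cover these cases without changing the two matchers already here, at the cost of a smaller primary label and a regenerated snapshot. `nthChild` below is used the same way the second util uses it, counting named children of `argument_list`.
```yaml
utils:
  # … unchanged: match_local_variable_declaration_with_username, match_local_variable_declaration_with_instance …
  match_credentials_basic_with_literal_password:
    kind: method_invocation
    all:
      - has:
          kind: identifier
          field: object
          regex: "^Credentials$"
      - has:
          kind: identifier
          field: name
          regex: "^basic$"
      - has:
          kind: argument_list
          field: arguments
          has:
            kind: string_literal
            nthChild: 2
            pattern: $STRING
rule:
  any:
    - matches: match_local_variable_declaration_with_username
    - matches: match_local_variable_declaration_with_instance
    - matches: match_credentials_basic_with_literal_password
# … unchanged: constraints …
```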
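--- /dev/null
+++ b/PLACEHOLDER_SNAPSHOT_FILE_PATH
@@ -0,0 +1,83 @@
+id: hardcoded-secret-in-credentials-java
+snapshots:
+? |
+import okhttp3.Request;
+import okhttp3.RequestBody;
+import okhttp3.Credentials;
+public class OkhttpSecretBasicAuth {
+private String username = "wowee";
+private String password = "hi";
+private String empty = "";
+public void run() {
+String credential = Credentials.basic(username, "asdf");
+: labels:
+- source: String credential = Credentials.basic(username, "asdf");
+style: primary
+start: 231
+end: 287
+- source: String
+style: secondary
+start: 231
+end: 237
+- source: credential
+style: secondary
+start: 238
+end: 248
+- source: credential = Credentials.basic(username, "asdf")
+style: secondary
+start: 238
+end: 286
+- source: Credentials
+style: secondary
+start: 251
+end: 262
+- source: basic
+style: secondary
+start: 263
+end: 268
+- source: username
+style: secondary
+start: 269
+end: 277
+- source: '"asdf"'
+style: secondary
+start: 279
+end: 285
+- source: (username, "asdf")
+style: secondary
+start: 268
+end: 286
+- source: Credentials.basic(username, "asdf")
+style: secondary
+start: 251
+end: 286
+- source: private
+style: secondary
+start: 117
+end: 124
+- source: String
+style: secondary
+start: 125
+end: 131
+- source: username
+style: secondary
+start: 132
+end: 140
+- source: '"wowee"'
+style: secondary
+start: 143
+end: 150
+- source: username = "wowee"
+style: secondary
+start: 132
+end: 150
+- source: private String username = "wowee";
+style: secondary
+start: 117
+end: 151
+- source: |-
+public void run() {
+String credential = Credentials.basic(username, "asdf");
+style: secondary
+start: 211
+end: 287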
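--- /dev/null
+++ b/PLACEHOLDER_TEST_FILE_PATH
@@ -0,0 +1,15 @@
+id: hardcoded-secret-in-credentials-java
+valid:
+- |
+String credential = Credentials.basic(username, System.getenv("PASSWORD"));
+invalid:
+- |
+import okhttp3.Request;
+import okhttp3.RequestBody;
+import okhttp3.Credentials;
+public class OkhttpSecretBasicAuth {
+private String username = "wowee";
+private String password = "hi";
+private String empty = "";
+public void run() {
+String credential = Credentials.basic(username, "asdf");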
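Review bot: The single `invalid` case is the snapshot snippet and only exercises `match_local_variable_declaration_with_username`; `match_local_variable_declaration_with_instance`, the branch where both arguments are identifiers backed by literal fields, has no case at all, so a regression there would still pass the suite. Add a second invalid case with the same class body whose last line is `String credential = Credentials.basic(username, password);`, and a valid case that uses the already declared `empty` field, `String credential = Credentials.basic(username, empty);`, so the `^""$` constraint is actually checked. The lone valid case is a bare statement with no enclosing class or field, so it appears to pass for lack of any `follows` match rather than because a non-literal password is recognised; a valid case inside the same class with `private String password = System.getenv("PASSWORD");` would pin the intended behaviour. The invalid snippet also leaves `run()` and the class unclosed, so the match depends on the parser's error recovery — closing both braces removes that dependency at no cost.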
