Skip to content

Add Java rules for detecting hardcoded secrets in System.setProperty and OkHttp #175

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Mar 12, 2025
Merged

Add Java rules for detecting hardcoded secrets in System.setProperty and OkHttp #175

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e3d6bae
system-setproperty-hardcoded-secret-java
Mar 11, 2025
6902686
hardcoded-secret-in-credentials-java
Mar 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
292 changes: 292 additions & 0 deletions rules/java/security/hardcoded-secret-in-credentials-java.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,292 @@
id: hardcoded-secret-in-credentials-java
severity: warning
language: java
message: >-
A secret is hard-coded in the application. Secrets stored in source
code, such as credentials, identifiers, and other types of sensitive data,
can be leaked and used by internal or external malicious actors. Use
environment variables to securely provide credentials and other secrets or
retrieve them from a secure vault or Hardware Security Module (HSM).
note: >-
[CWE-798] Use of Hard-coded Credentials.
[REFERENCES]
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html

ast-grep-essentials: true
utils:
Credentials.basic($USERNAME, "..."):
kind: method_invocation
all:
- has:
kind: identifier
nthChild: 1
regex: ^Credentials$
- has:
kind: identifier
nthChild: 2
regex: ^basic$
- has:
kind: argument_list
all:
- not:
has:
nthChild:
position: 3
ofRule:
not:
kind: line_comment
- has:
kind: string_literal
nthChild:
position: 2
ofRule:
not:
kind: line_comment
has:
kind: string_fragment
- inside:
stopBy: end
follows:
stopBy: end
kind: import_declaration
any:
- pattern: import okhttp3.Credentials.*;
- pattern: import okhttp3.*;

Credentials.basic($USERNAME, "...")_with_Instance:
kind: method_invocation
all:
- has:
kind: identifier
nthChild: 1
regex: ^Credentials$
- has:
kind: identifier
nthChild: 2
regex: ^basic$
- has:
kind: argument_list
all:
- not:
has:
nthChild:
position: 3
ofRule:
not:
kind: line_comment
- has:
kind: identifier
pattern: $PASSWORD
nthChild:
position: 2
ofRule:
not:
kind: line_comment
- inside:
stopBy: end
follows:
stopBy: end
kind: import_declaration
any:
- pattern: import okhttp3.Credentials.*;
- pattern: import okhttp3.*;
- inside:
stopBy: end
follows:
stopBy: end
any:
- kind: field_declaration
has:
kind: variable_declarator
all:
- has:
kind: identifier
pattern: $PASSWORD
- has:
kind: string_literal
has:
kind: string_fragment

basic($USERNAME, "..."):
kind: method_invocation
all:
- has:
kind: identifier
nthChild: 1
regex: ^basic$
- has:
kind: argument_list
all:
- not:
has:
nthChild:
position: 3
ofRule:
not:
kind: line_comment
- has:
kind: string_literal
nthChild:
position: 2
ofRule:
not:
kind: line_comment
has:
kind: string_fragment
- inside:
stopBy: end
follows:
stopBy: end
kind: import_declaration
any:
- pattern: import okhttp3.Credentials.*;

basic($USERNAME, "...")_with_Instance:
kind: method_invocation
all:
- has:
kind: identifier
nthChild: 1
regex: ^basic$
- has:
kind: argument_list
all:
- not:
has:
nthChild:
position: 3
ofRule:
not:
kind: line_comment
- has:
kind: identifier
pattern: $PASSWORD
nthChild:
position: 2
ofRule:
not:
kind: line_comment
- inside:
stopBy: end
follows:
stopBy: end
kind: import_declaration
any:
- pattern: import okhttp3.Credentials.*;

okhttp3.Credentials.basic($USERNAME, "..."):
kind: method_invocation
all:
- has:
kind: field_access
all:
- has:
kind: identifier
nthChild: 1
regex: ^okhttp3$
- has:
kind: identifier
nthChild: 2
regex: ^Credentials$
- has:
kind: identifier
nthChild: 2
regex: ^basic$
- has:
kind: argument_list
all:
- not:
has:
nthChild:
position: 3
ofRule:
not:
kind: line_comment
- has:
kind: string_literal
nthChild:
position: 2
ofRule:
not:
kind: line_comment
has:
kind: string_fragment
- inside:
stopBy: end
follows:
stopBy: end
kind: import_declaration
any:
- pattern: import okhttp3.Credentials.*;
- pattern: import okhttp3.Credentials;

okhttp3.Credentials.basic($USERNAME, "...")_with_Instance:
kind: method_invocation
all:
- has:
kind: field_access
all:
- has:
kind: identifier
nthChild: 1
regex: ^okhttp3$
- has:
kind: identifier
nthChild: 2
regex: ^Credentials$
- has:
kind: identifier
nthChild: 2
regex: ^basic$
- has:
kind: argument_list
all:
- not:
has:
nthChild:
position: 3
ofRule:
not:
kind: line_comment
- has:
kind: identifier
pattern: $PASSWORD
nthChild:
position: 2
ofRule:
not:
kind: line_comment
- inside:
stopBy: end
follows:
stopBy: end
kind: import_declaration
any:
- pattern: import okhttp3.Credentials.*;
- pattern: import okhttp3.Credentials;
- inside:
stopBy: end
follows:
stopBy: end
any:
- kind: field_declaration
has:
kind: variable_declarator
all:
- has:
kind: identifier
pattern: $PASSWORD
- has:
kind: string_literal
has:
kind: string_fragment

rule:
any:
- matches: Credentials.basic($USERNAME, "...")
- matches: Credentials.basic($USERNAME, "...")_with_Instance
- matches: basic($USERNAME, "...")
- matches: basic($USERNAME, "...")_with_Instance
- matches: okhttp3.Credentials.basic($USERNAME, "...")
- matches: okhttp3.Credentials.basic($USERNAME, "...")_with_Instance

Loading