From bb7b8e1ad0e345862980a163b688f4554ebc1df8 Mon Sep 17 00:00:00 2001 From: Sakshis Date: Mon, 16 Dec 2024 13:09:06 +0000 Subject: [PATCH 1/8] removed missing-secure-java --- rules/java/security/missing-secure-java.yml | 70 ------------------- .../missing-secure-java-snapshot.yml | 32 --------- tests/java/missing-secure-java-test.yml | 15 ---- 3 files changed, 117 deletions(-) delete mode 100644 rules/java/security/missing-secure-java.yml delete mode 100644 tests/__snapshots__/missing-secure-java-snapshot.yml delete mode 100644 tests/java/missing-secure-java-test.yml diff --git a/rules/java/security/missing-secure-java.yml b/rules/java/security/missing-secure-java.yml deleted file mode 100644 index 755e6660..00000000 --- a/rules/java/security/missing-secure-java.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -id: missing-secure-java -language: java -severity: warning -message: >- - Detected a cookie where the `Secure` flag is either missing or - disabled. The `Secure` cookie flag instructs the browser to forbid sending - the cookie over an insecure HTTP request. Set the `Secure` flag to `true` - so the cookie will only be sent over HTTPS. -note: >- - [CWE-614]: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute - [OWASP A05:2021]: Security Misconfiguration - [REFERENCES] - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration -utils: - match_without_httponly: - kind: argument_list - has: - kind: object_creation_expression - inside: - stopBy: end - kind: method_invocation - - match_cookie_last: - kind: argument_list - has: - kind: method_invocation - has: - kind: argument_list - has: - kind: string_literal - - match_instance: - kind: local_variable_declaration - has: - stopBy: end - kind: identifier - follows: - stopBy: end - kind: variable_declarator - - match_identifier_with_simplecookie: - kind: identifier - inside: - stopBy: end - kind: local_variable_declaration - all: - - has: - stopBy: end - kind: type_identifier - regex: '^SimpleCookie$|^Cookie$' - - has: - stopBy: neighbor - kind: variable_declarator - all: - - has: - stopBy: neighbor - kind: identifier - - has: - stopBy: neighbor - kind: object_creation_expression - - not: - precedes: - stopBy: neighbor - kind: expression_statement -rule: - any: - - matches: match_instance - - matches: match_without_httponly - - matches: match_cookie_last - - matches: match_identifier_with_simplecookie diff --git a/tests/__snapshots__/missing-secure-java-snapshot.yml b/tests/__snapshots__/missing-secure-java-snapshot.yml deleted file mode 100644 index 3931463b..00000000 --- a/tests/__snapshots__/missing-secure-java-snapshot.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -id: missing-secure-java -snapshots: - ? | - SimpleCookie s = new SimpleCookie("foo", "bar"); - .orElse( new NettyCookie( "foo", "bar" ) ); - Cookie z = new NettyCookie("foo", "bar"); - return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); - : labels: - - source: s - style: primary - start: 13 - end: 14 - - source: SimpleCookie - style: secondary - start: 0 - end: 12 - - source: s - style: secondary - start: 13 - end: 14 - - source: new SimpleCookie("foo", "bar") - style: secondary - start: 17 - end: 47 - - source: s = new SimpleCookie("foo", "bar") - style: secondary - start: 13 - end: 47 - - source: SimpleCookie s = new SimpleCookie("foo", "bar"); - style: secondary - start: 0 - end: 48 diff --git a/tests/java/missing-secure-java-test.yml b/tests/java/missing-secure-java-test.yml deleted file mode 100644 index 507f951f..00000000 --- a/tests/java/missing-secure-java-test.yml +++ /dev/null @@ -1,15 +0,0 @@ -id: missing-secure-java -valid: - - | - Cookie c1 = getCookieSomewhere(); - return HttpResponse.ok().cookie(Cookie.of("foo", "bar").secure(true)); - Cookie cookie = request.getCookies().findCookie( "foobar" ) - Cookie c = new NettyCookie("foo", "bar"); - c.secure(true); - NettyCookie r = new NettyCookie("foo", "bar").secure(true); -invalid: - - | - SimpleCookie s = new SimpleCookie("foo", "bar"); - .orElse( new NettyCookie( "foo", "bar" ) ); - Cookie z = new NettyCookie("foo", "bar"); - return HttpResponse.ok().cookie(Cookie.of("zzz", "ddd")); From 12bb3aab8d57915cd459d2e2ac04c42dfb2dca48 Mon Sep 17 00:00:00 2001 From: ESS ENN Date: Wed, 22 Jan 2025 18:58:13 +0530 Subject: [PATCH 2/8] httponly-false-csharp --- rules/csharp/security/httponly-false-csharp | 48 +++++++++++++++++++++ tests/csharp/httponly-false-csharp-test.yml | 9 ++++ 2 files changed, 57 insertions(+) create mode 100644 rules/csharp/security/httponly-false-csharp create mode 100644 tests/csharp/httponly-false-csharp-test.yml 
diff --git a/rules/csharp/security/httponly-false-csharp b/rules/csharp/security/httponly-false-csharp new file mode 100644 index 00000000..af939938 --- /dev/null +++ b/rules/csharp/security/httponly-false-csharp @@ -0,0 +1,48 @@ +id: httponly-false-csharp +language: csharp +severity: warning +message: >- + "Detected a cookie where the `HttpOnly` flag is either missing or + disabled. The `HttpOnly` cookie flag instructs the browser to forbid + client-side JavaScript to read the cookie. If JavaScript interaction is + required, you can ignore this finding. However, set the `HttpOnly` flag to + `true` in all other cases. If this wasn't intentional, it's recommended to + set the HttpOnly flag to true so the cookie will not be accessible through + client-side scripts or to use the Cookie Policy Middleware to globally set + the HttpOnly flag. You can then use the CookieOptions class when + instantiating the cookie, which inherits these settings and will require + future developers to have to explicitly override them on a case-by-case + basis if needed. This approach ensures cookies are secure by default." +note: >- + [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag" + [REFERENCES] + - https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware + - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions + - https://owasp.org/Top10/A05_2021-Security_Misconfiguration + + +ast-grep-essentials: true + +rule: + kind: boolean_literal + pattern: $LITERAL + follows: + regex: ^=$ + follows: + kind: member_access_expression + inside: + kind: assignment_expression + all: + - has: + kind: member_access_expression + nthChild: 1 + regex: \.Cookie$ + - has: + kind: identifier + nthChild: 2 + regex: ^HttpOnly$ + +constraints: + LITERAL: + regex: ^false$ + 
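Review bot: The new rule is created as `rules/csharp/security/httponly-false-csharp` with no `.yml` extension (see the `diff --git` and `+++ b/` headers), unlike every other rule in this series such as `rules/java/security/use-of-md5-digest-utils-java.yml`; if the rule loader only picks up `*.yml`/`*.yaml`, this rule is silently never applied even though its test file exists, so the file should be renamed to `httponly-false-csharp.yml`. The `note` line `[CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag"` carries a stray closing quote, and the whole `message` is wrapped in literal double quotes inside a `>-` folded scalar, so those quotes are emitted as part of the finding text; I'd write `[CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag` and drop the quotes around the message. The `regex: \.Cookie$` on the first member access means a direct `cookieOptions.HttpOnly = false` assignment is out of scope by design, which deserves a one-line comment in the rule since nothing else records that decision. Note that this file is deleted again in PATCH 4/8 of the same series.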
diff --git a/tests/csharp/httponly-false-csharp-test.yml b/tests/csharp/httponly-false-csharp-test.yml new file mode 100644 index 00000000..e29a7eab --- /dev/null +++ b/tests/csharp/httponly-false-csharp-test.yml @@ -0,0 +1,9 @@ +id: httponly-false-csharp +valid: + - | + myHttpOnlyCookie.HttpOnly = true; + - | + options.Cookie.HttpOnly = true; +invalid: + - | + options.Cookie.HttpOnly = false; From 2c5ea88476cdca70b993026ce65cb1435e602119 Mon Sep 17 00:00:00 2001 From: ESS ENN Date: Wed, 22 Jan 2025 19:00:33 +0530 Subject: [PATCH 3/8] use-of-md5-digest-utils-java --- .../security/use-of-md5-digest-utils-java.yml | 42 +++++++++++++++++++ .../use-of-md5-digest-utils-java-snapshot.yml | 29 +++++++++++++ .../use-of-md5-digest-utils-java-test.yml | 7 ++++ 3 files changed, 78 insertions(+) create mode 100644 rules/java/security/use-of-md5-digest-utils-java.yml create mode 100644 tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml create mode 100644 tests/java/use-of-md5-digest-utils-java-test.yml diff --git a/rules/java/security/use-of-md5-digest-utils-java.yml b/rules/java/security/use-of-md5-digest-utils-java.yml new file mode 100644 index 00000000..553bac8a --- /dev/null +++ b/rules/java/security/use-of-md5-digest-utils-java.yml 
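Review bot: The `valid` list has `myHttpOnlyCookie.HttpOnly = true;` but no `myHttpOnlyCookie.HttpOnly = false;` case, so the test never pins whether non-`.Cookie` receivers are meant to be ignored by the `\.Cookie$` constraint in the rule. Add `myHttpOnlyCookie.HttpOnly = false;` under `valid` if the current narrow scope is intended, or under `invalid` if the regex is to be relaxed. No snapshot file accompanies this test, unlike the Java rules in the series.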
@@ -0,0 +1,42 @@ +id: use-of-md5-digest-utils-java +language: java +severity: warning +message: >- + 'Detected MD5 hash algorithm which is considered insecure. MD5 is not + collision resistant and is therefore not suitable as a cryptographic + signature. Use HMAC instead.' +note: >- + [CWE-328] Use of Weak Hash + [REFERENCES] + - https://owasp.org/Top10/A02_2021-Cryptographic_Failures + +ast-grep-essentials: true + +rule: + kind: identifier + regex: ^getMd5Digest$ + nthChild: 2 + precedes: + nthChild: 3 + kind: argument_list + not: + has: + nthChild: 1 + inside: + kind: method_invocation + nthChild: 1 + inside: + kind: method_invocation + all: + - has: + kind: identifier + nthChild: 2 + regex: ^digest$ + - has: + kind: argument_list + nthChild: 3 + - not: + has: + stopBy: end + kind: ERROR + diff --git a/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml b/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml new file mode 100644 index 00000000..2e74b70e --- /dev/null +++ b/tests/__snapshots__/use-of-md5-digest-utils-java-snapshot.yml @@ -0,0 +1,29 @@ +id: use-of-md5-digest-utils-java +snapshots: + ? | + byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); + : labels: + - source: getMd5Digest + style: primary + start: 31 + end: 43 + - source: digest + style: secondary + start: 46 + end: 52 + - source: (password.getBytes()) + style: secondary + start: 52 + end: 73 + - source: DigestUtils.getMd5Digest().digest(password.getBytes()) + style: secondary + start: 19 + end: 73 + - source: DigestUtils.getMd5Digest() + style: secondary + start: 19 + end: 45 + - source: () + style: secondary + start: 43 + end: 45 diff --git a/tests/java/use-of-md5-digest-utils-java-test.yml b/tests/java/use-of-md5-digest-utils-java-test.yml new file mode 100644 index 00000000..769a4b52 --- /dev/null +++ b/tests/java/use-of-md5-digest-utils-java-test.yml 
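Review bot: The remediation in `message` — `Use HMAC instead.` — is the wrong fix for a weak-hash finding: an HMAC is a keyed MAC, not a replacement for a message digest, and the rule's own `valid` test uses `DigestUtils.getSha512Digest()`; I'd change the last sentence to `Use a SHA-2 family digest such as SHA-256 or SHA-512 instead.` The message is also wrapped in literal single quotes inside the `>-` scalar, so they appear in the reported text. The rule only fires when `getMd5Digest()` is immediately chained into `.digest(...)` (the `inside: kind: method_invocation` with `regex: ^digest$`), so `MessageDigest md = DigestUtils.getMd5Digest();` with a later `md.digest(...)` is not reported; if that is deliberate, a comment in the rule should say so, otherwise the `digest` requirement should be dropped. This file is removed again in PATCH 4/8.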
@@ -0,0 +1,7 @@ +id: use-of-md5-digest-utils-java +valid: + - | + byte[] hashValue = DigestUtils.getSha512Digest().digest(password.getBytes()); +invalid: + - | + byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); From d3067f11ba31741fd738392f2d2efb1702116dcf Mon Sep 17 00:00:00 2001 From: ESS ENN Date: Wed, 22 Jan 2025 19:05:33 +0530 Subject: [PATCH 4/8] removing use-of-md5-digest-utils and httponly-false-csharp --- rules/csharp/security/httponly-false-csharp | 48 ------------------- .../security/use-of-md5-digest-utils-java.yml | 42 ---------------- tests/csharp/httponly-false-csharp-test.yml | 9 ---- .../use-of-md5-digest-utils-java-test.yml | 7 --- 4 files changed, 106 deletions(-) delete mode 100644 rules/csharp/security/httponly-false-csharp delete mode 100644 rules/java/security/use-of-md5-digest-utils-java.yml delete mode 100644 tests/csharp/httponly-false-csharp-test.yml delete mode 100644 tests/java/use-of-md5-digest-utils-java-test.yml diff --git a/rules/csharp/security/httponly-false-csharp b/rules/csharp/security/httponly-false-csharp deleted file mode 100644 index af939938..00000000 --- a/rules/csharp/security/httponly-false-csharp +++ /dev/null 
@@ -1,48 +0,0 @@ -id: httponly-false-csharp -language: csharp -severity: warning -message: >- - "Detected a cookie where the `HttpOnly` flag is either missing or - disabled. The `HttpOnly` cookie flag instructs the browser to forbid - client-side JavaScript to read the cookie. If JavaScript interaction is - required, you can ignore this finding. However, set the `HttpOnly` flag to - `true` in all other cases. If this wasn't intentional, it's recommended to - set the HttpOnly flag to true so the cookie will not be accessible through - client-side scripts or to use the Cookie Policy Middleware to globally set - the HttpOnly flag. You can then use the CookieOptions class when - instantiating the cookie, which inherits these settings and will require - future developers to have to explicitly override them on a case-by-case - basis if needed. This approach ensures cookies are secure by default." -note: >- - [CWE-1004] Sensitive Cookie Without 'HttpOnly' Flag" - [REFERENCES] - - https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware - - https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions - - https://owasp.org/Top10/A05_2021-Security_Misconfiguration - - -ast-grep-essentials: true - -rule: - kind: boolean_literal - pattern: $LITERAL - follows: - regex: ^=$ - follows: - kind: member_access_expression - inside: - kind: assignment_expression - all: - - has: - kind: member_access_expression - nthChild: 1 - regex: \.Cookie$ - - has: - kind: identifier - nthChild: 2 - regex: ^HttpOnly$ - -constraints: - LITERAL: - regex: ^false$ - diff --git a/rules/java/security/use-of-md5-digest-utils-java.yml b/rules/java/security/use-of-md5-digest-utils-java.yml deleted file mode 100644 index 553bac8a..00000000 --- a/rules/java/security/use-of-md5-digest-utils-java.yml +++ /dev/null 
@@ -1,42 +0,0 @@ -id: use-of-md5-digest-utils-java -language: java -severity: warning -message: >- - 'Detected MD5 hash algorithm which is considered insecure. MD5 is not - collision resistant and is therefore not suitable as a cryptographic - signature. Use HMAC instead.' -note: >- - [CWE-328] Use of Weak Hash - [REFERENCES] - - https://owasp.org/Top10/A02_2021-Cryptographic_Failures - -ast-grep-essentials: true - -rule: - kind: identifier - regex: ^getMd5Digest$ - nthChild: 2 - precedes: - nthChild: 3 - kind: argument_list - not: - has: - nthChild: 1 - inside: - kind: method_invocation - nthChild: 1 - inside: - kind: method_invocation - all: - - has: - kind: identifier - nthChild: 2 - regex: ^digest$ - - has: - kind: argument_list - nthChild: 3 - - not: - has: - stopBy: end - kind: ERROR - diff --git a/tests/csharp/httponly-false-csharp-test.yml b/tests/csharp/httponly-false-csharp-test.yml deleted file mode 100644 index e29a7eab..00000000 --- a/tests/csharp/httponly-false-csharp-test.yml +++ /dev/null @@ -1,9 +0,0 @@ -id: httponly-false-csharp -valid: - - | - myHttpOnlyCookie.HttpOnly = true; - - | - options.Cookie.HttpOnly = true; -invalid: - - | - options.Cookie.HttpOnly = false; diff --git a/tests/java/use-of-md5-digest-utils-java-test.yml b/tests/java/use-of-md5-digest-utils-java-test.yml deleted file mode 100644 index 769a4b52..00000000 --- a/tests/java/use-of-md5-digest-utils-java-test.yml +++ /dev/null @@ -1,7 +0,0 @@ -id: use-of-md5-digest-utils-java -valid: - - | - byte[] hashValue = DigestUtils.getSha512Digest().digest(password.getBytes()); -invalid: - - | - byte[] hashValue = DigestUtils.getMd5Digest().digest(password.getBytes()); From 45d0e9f7c0b2699946e67424547122b6ee1e5279 Mon Sep 17 00:00:00 2001 
From: ESS-ENN Date: Thu, 27 Mar 2025 19:11:52 +0530 Subject: [PATCH 5/8] scrypt-hardcoded-secret-swift --- .../scrypt-hardcoded-secret-swift.yml | 417 ++++++++++++++++++ ...scrypt-hardcoded-secret-swift-snapshot.yml | 2 + .../scrypt-hardcoded-secret-swift-test.yml | 10 + 3 files changed, 429 insertions(+) create mode 100644 rules/swift/security/scrypt-hardcoded-secret-swift.yml create mode 100644 tests/__snapshots__/scrypt-hardcoded-secret-swift-snapshot.yml create mode 100644 tests/swift/scrypt-hardcoded-secret-swift-test.yml diff --git a/rules/swift/security/scrypt-hardcoded-secret-swift.yml b/rules/swift/security/scrypt-hardcoded-secret-swift.yml new file mode 100644 index 00000000..942442f1 --- /dev/null +++ b/rules/swift/security/scrypt-hardcoded-secret-swift.yml 
@@ -0,0 +1,417 @@ +id: scrypt-hardcoded-secret-swift +language: swift +severity: warning +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [OWASP A07:2021]:Identification and Authentication Failures + [CWE-798]: Use of Hard-coded Credentials + [REFERENCES] + https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + +ast-grep-essentials: true + +utils: + match_pattern_Scrypt_expression_with_instance: + kind: call_expression + all: + - not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^Scrypt$ + - not: + inside: + kind: function_declaration + - not: + follows: + stopBy: end + kind: throw_keyword + - not: + inside: + stopBy: end + kind: throw_keyword + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Scrypt$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + kind: simple_identifier + nthChild: 2 + pattern: $R + - not: + inside: + stopBy: neighbor + kind: try_expression + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: property_declaration + all: + - has: + kind: pattern + has: + kind: simple_identifier + pattern: $R + - has: + stopBy: neighbor + kind: call_expression + pattern: Array($SECRET.utf8) + - follows: + stopBy: end + kind: property_declaration + all: + - has: + stopBy: end + kind: pattern + has: + kind: simple_identifier + pattern: $R + - has: + stopBy: neighbor + kind: call_expression + pattern: Array($SECRET.utf8) + + 
match_pattern_try_expression_with_instance: + kind: try_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^Scrypt$ + all: + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Scrypt$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + kind: simple_identifier + nthChild: 2 + pattern: $R + - any: + - inside: + stopBy: end + kind: property_declaration + follows: + stopBy: end + kind: property_declaration + all: + - has: + kind: pattern + has: + kind: simple_identifier + pattern: $R + - has: + kind: call_expression + pattern: Array($SECRET.utf8) + - follows: + stopBy: end + kind: property_declaration + all: + - has: + kind: pattern + has: + kind: simple_identifier + pattern: $R + - has: + kind: call_expression + pattern: Array($SECRET.utf8) + + match_pattern_Scrypt_expression_directly: + kind: call_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^Scrypt$ + all: + - not: + inside: + kind: function_declaration + - not: + follows: + stopBy: end + kind: throw_keyword + - not: + inside: + stopBy: end + kind: throw_keyword + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Scrypt$" + - has: + stopBy: neighbor + kind: call_suffix + all: + - has: + stopBy: neighbor + kind: value_arguments + has: + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - not: + inside: + stopBy: end + kind: try_expression + + match_pattern_try_expression_directly: + kind: try_expression + not: + inside: + stopBy: end + kind: 
call_expression + has: + kind: simple_identifier + regex: ^Scrypt$ + has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Scrypt$" + - has: + stopBy: neighbor + kind: call_suffix + all: + - has: + stopBy: neighbor + kind: value_arguments + has: + kind: value_argument + all: + - has: + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + + match_pattern_Scrypt_expression_with_utf8: + kind: call_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^Scrypt$ + all: + - not: + inside: + kind: function_declaration + - not: + follows: + stopBy: end + kind: throw_keyword + - not: + inside: + stopBy: end + kind: throw_keyword + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Scrypt$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Array$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + has: + stopBy: neighbor + kind: navigation_expression + all: + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - has: + stopBy: neighbor + kind: navigation_suffix + has: + stopBy: neighbor + kind: simple_identifier + regex: "^utf8$" + - not: + inside: + stopBy: end + kind: try_expression + + match_pattern_try_expression_with_utf8: + kind: try_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^Scrypt$ + has: + stopBy: neighbor + 
kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Scrypt$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Array$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: neighbor + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + has: + stopBy: neighbor + kind: navigation_expression + all: + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - has: + stopBy: neighbor + kind: navigation_suffix + has: + stopBy: neighbor + kind: simple_identifier + regex: "^utf8$" + +rule: + any: + - kind: try_expression + any: + - matches: match_pattern_try_expression_directly + - matches: match_pattern_try_expression_with_instance + - matches: match_pattern_try_expression_with_utf8 + - kind: call_expression + any: + - matches: match_pattern_Scrypt_expression_directly + - matches: match_pattern_Scrypt_expression_with_instance + - matches: match_pattern_Scrypt_expression_with_utf8 +constraints: + SECRET: + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + field: text diff --git a/tests/__snapshots__/scrypt-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/scrypt-hardcoded-secret-swift-snapshot.yml new file mode 100644 index 00000000..d5fc76ad --- /dev/null +++ b/tests/__snapshots__/scrypt-hardcoded-secret-swift-snapshot.yml @@ -0,0 +1,2 @@ +id: scrypt-hardcoded-secret-swift +snapshots: {} diff --git a/tests/swift/scrypt-hardcoded-secret-swift-test.yml b/tests/swift/scrypt-hardcoded-secret-swift-test.yml new file mode 100644 index 00000000..c8be624d --- /dev/null +++ b/tests/swift/scrypt-hardcoded-secret-swift-test.yml 
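Review bot: The three `call_expression` utils each carry `- not: inside: kind: function_declaration` without a `stopBy`, which in ast-grep presumably tests only the immediate parent; if the intent was to skip calls anywhere inside a function that would exclude exactly where most secrets are used, and the pkcs5 rule in PATCH 6/8 has no such exclusion and tests `func main()` bodies as `invalid`. The same utils also have `not: follows: stopBy: end kind: throw_keyword` and `not: inside: stopBy: end kind: throw_keyword`, whose purpose is not visible from the rule; I'd either delete these clauses or add a comment above each stating the case it is meant to suppress. The `try_expression` utils have none of these exclusions, so the two halves of `rule.any` treat the same `Scrypt(password: …)` call differently depending only on whether `try` is present. Also, `[OWASP A07:2021]:Identification` in `note` is missing the space after the colon that the other rules use.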
@@ -0,0 +1,10 @@ +id: scrypt-hardcoded-secret-swift +valid: + - | + try Scrypt(password: config, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() +invalid: + - | + let ishan: Array = Array("s33krit".utf8) + let key = try Scrypt(password: ishan, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + - | + try Scrypt(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() From 924123fd6c6631a85dfe1ccdbfc20be9ef9a0186 Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Thu, 27 Mar 2025 19:13:42 +0530 Subject: [PATCH 6/8] pkcs5-hardcoded-secret-swift --- .../security/pkcs5-hardcoded-secret-swift.yml | 242 ++++++++++++++++++ .../pkcs5-hardcoded-secret-swift-test.yml | 38 +++ 2 files changed, 280 insertions(+) create mode 100644 rules/swift/security/pkcs5-hardcoded-secret-swift.yml create mode 100644 tests/swift/pkcs5-hardcoded-secret-swift-test.yml diff --git a/rules/swift/security/pkcs5-hardcoded-secret-swift.yml b/rules/swift/security/pkcs5-hardcoded-secret-swift.yml new file mode 100644 index 00000000..faeafb4a --- /dev/null +++ b/rules/swift/security/pkcs5-hardcoded-secret-swift.yml 
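Review bot: The `valid` list has only `try Scrypt(password: config, …)` with `config` unbound, so nothing pins the negative side of the `with_instance` utils: a binding such as `let key = Array(ProcessInfo.processInfo.environment["PW"]!.utf8)` followed by `try Scrypt(password: key, …)` belongs under `valid` to show that the `SECRET` constraint (`kind: line_string_literal`) actually rejects non-literal sources. The same gap exists in `tests/swift/pkcs5-hardcoded-secret-swift-test.yml` in PATCH 6/8. The snapshot added alongside is `snapshots: {}`, so the match spans of the two `invalid` cases are not pinned either, unlike the Java MD5 snapshot earlier in the series; it looks like it was not regenerated after the tests were written.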
@@ -0,0 +1,242 @@ +id: pkcs5-hardcoded-secret-swift +language: swift +severity: warning +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798]: Use of Hard-coded Credentials + [REFERENCES] + https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + +ast-grep-essentials: true + +utils: + tryPKCS5.$FUNC(password:""): + kind: try_expression + has: + stopBy: end + kind: call_expression + all: + - has: + kind: navigation_expression + all: + - has: + kind: simple_identifier + regex: ^PKCS5$ + - has: + kind: navigation_suffix + - has: + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + kind: simple_identifier + regex: ^password$ + - has: + kind: line_string_literal + has: + kind: line_str_text + + PKCS5.$FUNC(password:""): + kind: call_expression + all: + - not: + inside: + stopBy: end + kind: try_expression + - has: + kind: navigation_expression + all: + - has: + kind: simple_identifier + regex: ^PKCS5$ + - has: + kind: navigation_suffix + - has: + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + kind: simple_identifier + regex: ^password$ + - has: + kind: line_string_literal + has: + kind: line_str_text + + tryPKCS5.$FUNC(password:Array("...".utf8)): + kind: try_expression + has: + stopBy: end + kind: call_expression + all: + - has: + kind: navigation_expression + all: + - has: + kind: simple_identifier + regex: ^PKCS5$ + - has: + kind: navigation_suffix + - has: + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: 
value_argument + all: + - has: + kind: simple_identifier + regex: ^password$ + - has: + kind: call_expression + pattern: Array("$PASS".utf8) + + PKCS5.$FUNC(password:Array("...".utf8)): + kind: call_expression + all: + - not: + inside: + stopBy: end + kind: try_expression + - has: + kind: navigation_expression + all: + - has: + kind: simple_identifier + regex: ^PKCS5$ + - has: + kind: navigation_suffix + - has: + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + kind: simple_identifier + regex: ^password$ + - has: + kind: call_expression + pattern: Array("$PASS".utf8) + + tryPKCS5.$FUNC(password:"")_with_Instance: + kind: try_expression + has: + stopBy: end + kind: call_expression + all: + - has: + kind: navigation_expression + all: + - has: + kind: simple_identifier + regex: ^PKCS5$ + - has: + kind: navigation_suffix + - has: + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + kind: simple_identifier + regex: ^password$ + nthChild: 1 + - has: + kind: simple_identifier + nthChild: 2 + pattern: $PSWD + - inside: + stopBy: end + follows: + stopBy: end + kind: property_declaration + all: + - has: + kind: pattern + has: + kind: simple_identifier + pattern: $PSWD + - has: + kind: call_expression + pattern: Array("$PASS".utf8) + + PKCS5.$FUNC(password:"")_with_Instance: + kind: call_expression + all: + - not: + inside: + stopBy: end + kind: try_expression + - has: + kind: navigation_expression + all: + - has: + kind: simple_identifier + regex: ^PKCS5$ + - has: + kind: navigation_suffix + - has: + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + kind: simple_identifier + regex: ^password$ + nthChild: 1 + - has: + kind: simple_identifier + nthChild: 2 + pattern: $PSWD + - inside: + stopBy: end + follows: + stopBy: end + kind: property_declaration + 
all: + - has: + kind: pattern + has: + kind: simple_identifier + pattern: $PSWD + - has: + kind: call_expression + pattern: Array("$PASS".utf8) + +rule: + any: + - matches: tryPKCS5.$FUNC(password:"") + - matches: PKCS5.$FUNC(password:"") + - matches: tryPKCS5.$FUNC(password:Array("...".utf8)) + - matches: PKCS5.$FUNC(password:Array("...".utf8)) + - matches: tryPKCS5.$FUNC(password:"")_with_Instance + - matches: PKCS5.$FUNC(password:"")_with_Instance diff --git a/tests/swift/pkcs5-hardcoded-secret-swift-test.yml b/tests/swift/pkcs5-hardcoded-secret-swift-test.yml new file mode 100644 index 00000000..72dd3bd1 --- /dev/null +++ b/tests/swift/pkcs5-hardcoded-secret-swift-test.yml @@ -0,0 +1,38 @@ +id: pkcs5-hardcoded-secret-swift +valid: + - | + PKCS5.PBKDF2(password: password1, salt: salt, iterations: 4096, variant: .sha256).calculate() +invalid: + - | + let password: Array = Array("s33krit".utf8) + try PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate() + - | + PKCS5.PBKDF2(password: "123", salt: salt, iterations: 4096, variant: .sha256).calculate() + - | + import Foundation + import CryptoSwift + func main() { + do { + let password = Array("s33krit".utf8) + let salt: Array = Array("nacllcan".utf8) + try PKCS5.h(password: password) + } catch { + print("Error: \(error)") + } + } + main() + - | + import Foundation + import CryptoSwift + func main() { + do { + let password = Array("s33krit".utf8) + let salt: Array = Array("nacllcan".utf8) + PKCS5.PBKDF2(password: password, salt: salt, iterations: 4096, variant: .sha256).calculate() + } catch { + print("Error: \(error)") + } + } + main() + - | + try PKCS5.ggg(password: "123", salt: salt, iterations: 4096, variant: .sha256).calculate() From 43658e4214dae6ede5357e38466dfaaf5f457fbb Mon Sep 17 00:00:00 2001 
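Review bot: The util names — `tryPKCS5.$FUNC(password:"")`, `PKCS5.$FUNC(password:Array("...".utf8))`, `…_with_Instance` — embed `$`, parentheses and quotes in YAML keys and read like patterns, but `$FUNC` is not a metavariable anywhere in the rule; the scrypt rule in PATCH 5/8 uses plain `match_pattern_*` identifiers. I'd rename them to e.g. `match_try_pkcs5_literal_password`, `match_pkcs5_literal_password`, `match_try_pkcs5_utf8_literal`, `match_pkcs5_utf8_literal`, `match_try_pkcs5_bound_password`, `match_pkcs5_bound_password` and update the six `matches:` entries in `rule.any`, which are the only other references in this hunk. The rule also matches the literal with `pattern: Array("$PASS".utf8)` (metavariable inside the quotes, no `constraints`), whereas the scrypt rule uses `Array($SECRET.utf8)` plus a `SECRET` constraint of `kind: line_string_literal`; both are exercised by their tests, but the two rules should use one mechanism so they stay in step. The `note` here lacks the `[OWASP A07:2021]` line the scrypt rule carries.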
From: ESS-ENN Date: Thu, 27 Mar 2025 19:15:14 +0530 Subject: [PATCH 7/8] hkdf-hardcoded-secret-swift --- .../security/hdkf-hardcoded-secret-swift.yml | 416 ++++++++++++++++++ .../hkdf-hardcoded-secret-swift-snapshot.yml | 175 ++++++++ .../pkcs5-hardcoded-secret-swift-snapshot.yml | 2 + .../hdkf-hardcoded-secret-swift-test.yml | 11 + 4 files changed, 604 insertions(+) create mode 100644 rules/swift/security/hdkf-hardcoded-secret-swift.yml create mode 100644 tests/__snapshots__/hkdf-hardcoded-secret-swift-snapshot.yml create mode 100644 tests/__snapshots__/pkcs5-hardcoded-secret-swift-snapshot.yml create mode 100644 tests/swift/hdkf-hardcoded-secret-swift-test.yml diff --git a/rules/swift/security/hdkf-hardcoded-secret-swift.yml b/rules/swift/security/hdkf-hardcoded-secret-swift.yml new file mode 100644 index 00000000..989fb1de --- /dev/null +++ b/rules/swift/security/hdkf-hardcoded-secret-swift.yml 
@@ -0,0 +1,416 @@ +id: hkdf-hardcoded-secret-swift +severity: warning +language: swift +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + +ast-grep-essentials: true + +utils: + match_pattern_HKDF_expression_with_instance: + kind: call_expression + all: + - not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^HKDF$ + - not: + inside: + kind: function_declaration + - not: + follows: + stopBy: end + kind: throw_keyword + - not: + inside: + stopBy: end + kind: throw_keyword + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^HKDF$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + kind: simple_identifier + nthChild: 2 + pattern: $R + - not: + inside: + stopBy: neighbor + kind: try_expression + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: property_declaration + all: + - has: + kind: pattern + has: + kind: simple_identifier + pattern: $R + - has: + stopBy: neighbor + kind: call_expression + pattern: Array($SECRET.utf8) + - follows: + stopBy: end + kind: property_declaration + all: + - has: + stopBy: end + kind: pattern + has: + kind: simple_identifier + pattern: $R + - has: + stopBy: neighbor + kind: call_expression + pattern: Array($SECRET.utf8) + + match_pattern_try_expression_with_instance: + kind: try_expression + not: 
+ inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^HKDF$ + all: + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^HKDF$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + kind: simple_identifier + nthChild: 2 + pattern: $R + - any: + - inside: + stopBy: end + kind: property_declaration + follows: + stopBy: end + kind: property_declaration + all: + - has: + kind: pattern + has: + kind: simple_identifier + pattern: $R + - has: + kind: call_expression + pattern: Array($SECRET.utf8) + - follows: + stopBy: end + kind: property_declaration + all: + - has: + kind: pattern + has: + kind: simple_identifier + pattern: $R + - has: + kind: call_expression + pattern: Array($SECRET.utf8) + + match_pattern_HKDF_expression_directly: + kind: call_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^HKDF$ + all: + - not: + inside: + kind: function_declaration + - not: + follows: + stopBy: end + kind: throw_keyword + - not: + inside: + stopBy: end + kind: throw_keyword + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^HKDF$" + - has: + stopBy: neighbor + kind: call_suffix + all: + - has: + stopBy: end + kind: value_arguments + has: + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - not: + inside: + stopBy: end + kind: try_expression + + match_pattern_try_expression_directly: + kind: try_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^HKDF$ + has: + stopBy: neighbor + kind: 
call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^HKDF$" + - has: + stopBy: neighbor + kind: call_suffix + all: + - has: + stopBy: end + kind: value_arguments + has: + kind: value_argument + all: + - has: + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + + match_pattern_HKDF_expression_with_utf8: + kind: call_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^HKDF$ + all: + - not: + inside: + kind: function_declaration + - not: + follows: + stopBy: end + kind: throw_keyword + - not: + inside: + stopBy: end + kind: throw_keyword + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^HKDF$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Array$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + has: + stopBy: neighbor + kind: navigation_expression + all: + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - has: + stopBy: neighbor + kind: navigation_suffix + has: + stopBy: neighbor + kind: simple_identifier + regex: "^utf8$" + - not: + inside: + stopBy: end + kind: try_expression + + match_pattern_try_expression_with_utf8: + kind: try_expression + not: + inside: + stopBy: end + kind: call_expression + has: + kind: simple_identifier + regex: ^HKDF$ + has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^HKDF$" + - has: + stopBy: neighbor + 
kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: end + kind: value_argument + all: + - has: + stopBy: end + kind: simple_identifier + regex: "^password$" + nthChild: 1 + - has: + stopBy: neighbor + kind: call_expression + all: + - has: + stopBy: neighbor + kind: simple_identifier + regex: "^Array$" + - has: + stopBy: neighbor + kind: call_suffix + has: + stopBy: end + kind: value_arguments + has: + stopBy: neighbor + kind: value_argument + has: + stopBy: neighbor + kind: navigation_expression + all: + - has: + stopBy: neighbor + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + - has: + stopBy: neighbor + kind: navigation_suffix + has: + stopBy: neighbor + kind: simple_identifier + regex: "^utf8$" + +rule: + any: + - kind: try_expression + any: + - matches: match_pattern_try_expression_directly + - matches: match_pattern_try_expression_with_instance + - matches: match_pattern_try_expression_with_utf8 + - kind: call_expression + any: + - matches: match_pattern_HKDF_expression_directly + - matches: match_pattern_HKDF_expression_with_instance + - matches: match_pattern_HKDF_expression_with_utf8 +constraints: + SECRET: + kind: line_string_literal + has: + stopBy: neighbor + kind: line_str_text + field: text diff --git a/tests/__snapshots__/hkdf-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/hkdf-hardcoded-secret-swift-snapshot.yml new file mode 100644 index 00000000..412e99fc --- /dev/null +++ b/tests/__snapshots__/hkdf-hardcoded-secret-swift-snapshot.yml 
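Review bot: The rule declares `id: hkdf-hardcoded-secret-swift` but is added as `rules/swift/security/hdkf-hardcoded-secret-swift.yml`, and the test file carries the same `hdkf` transposition while the snapshot is named `hkdf-…`; rename both files to `hkdf-hardcoded-secret-swift.yml` and `hkdf-hardcoded-secret-swift-test.yml` so the rule can be found by its id like its neighbours. Separately, every literal check in this file — the `*_directly` and `*_with_utf8` utils and the `SECRET` constraint — accepts only `kind: line_string_literal`, so input keying material written as a multi-line `"""…"""` literal (presumably a distinct node kind in the Swift grammar) is not reported; widening the constraint to `any: [{kind: line_string_literal}, {kind: multi_line_string_literal}]` and the two direct utils likewise would close that gap if the kind name checks out. The six utils also repeat the same `HKDF` / `password:` argument matcher; a shared util referenced via `matches:` would keep future edits in one place.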
@@ -0,0 +1,175 @@ +id: hkdf-hardcoded-secret-swift +snapshots: + ? | + HKDF(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + : labels: + - source: 'HKDF(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: primary + start: 0 + end: 66 + - source: HKDF + style: secondary + start: 0 + end: 4 + - source: password + style: secondary + start: 5 + end: 13 + - source: '123' + style: secondary + start: 16 + end: 19 + - source: '"123"' + style: secondary + start: 15 + end: 20 + - source: 'password: "123"' + style: secondary + start: 5 + end: 20 + - source: '(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 4 + end: 66 + - source: '(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 4 + end: 66 + ? | + HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + : labels: + - source: 'HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: primary + start: 0 + end: 80 + - source: HKDF + style: secondary + start: 0 + end: 4 + - source: password + style: secondary + start: 5 + end: 13 + - source: Array + style: secondary + start: 15 + end: 20 + - source: hello + style: secondary + start: 22 + end: 27 + - source: '"hello"' + style: secondary + start: 21 + end: 28 + - source: utf8 + style: secondary + start: 29 + end: 33 + - source: .utf8 + style: secondary + start: 28 + end: 33 + - source: '"hello".utf8' + style: secondary + start: 21 + end: 33 + - source: '"hello".utf8' + style: secondary + start: 21 + end: 33 + - source: ("hello".utf8) + style: secondary + start: 20 + end: 34 + - source: ("hello".utf8) + style: secondary + start: 20 + end: 34 + - source: Array("hello".utf8) + style: secondary + start: 15 + end: 34 + - source: 'password: Array("hello".utf8)' + style: secondary + start: 5 + end: 34 + - source: '(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 
1)' + style: secondary + start: 4 + end: 80 + - source: '(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 4 + end: 80 + ? | + try HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + : labels: + - source: 'try HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: primary + start: 0 + end: 84 + - source: HKDF + style: secondary + start: 4 + end: 8 + - source: password + style: secondary + start: 9 + end: 17 + - source: Array + style: secondary + start: 19 + end: 24 + - source: hello + style: secondary + start: 26 + end: 31 + - source: '"hello"' + style: secondary + start: 25 + end: 32 + - source: utf8 + style: secondary + start: 33 + end: 37 + - source: .utf8 + style: secondary + start: 32 + end: 37 + - source: '"hello".utf8' + style: secondary + start: 25 + end: 37 + - source: '"hello".utf8' + style: secondary + start: 25 + end: 37 + - source: ("hello".utf8) + style: secondary + start: 24 + end: 38 + - source: ("hello".utf8) + style: secondary + start: 24 + end: 38 + - source: Array("hello".utf8) + style: secondary + start: 19 + end: 38 + - source: 'password: Array("hello".utf8)' + style: secondary + start: 9 + end: 38 + - source: '(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 8 + end: 84 + - source: '(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 8 + end: 84 + - source: 'HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1)' + style: secondary + start: 4 + end: 84 diff --git a/tests/__snapshots__/pkcs5-hardcoded-secret-swift-snapshot.yml b/tests/__snapshots__/pkcs5-hardcoded-secret-swift-snapshot.yml new file mode 100644 index 00000000..e366644b --- /dev/null +++ b/tests/__snapshots__/pkcs5-hardcoded-secret-swift-snapshot.yml 
@@ -0,0 +1,2 @@ +id: pkcs5-hardcoded-secret-swift +snapshots: {} diff --git a/tests/swift/hdkf-hardcoded-secret-swift-test.yml b/tests/swift/hdkf-hardcoded-secret-swift-test.yml new file mode 100644 index 00000000..f62690a9 --- /dev/null +++ b/tests/swift/hdkf-hardcoded-secret-swift-test.yml @@ -0,0 +1,11 @@ +id: hkdf-hardcoded-secret-swift +valid: + - | + let key = try HKDF(password: password, salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() +invalid: + - | + HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + - | + try HKDF(password: Array("hello".utf8), salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() + - | + HKDF(password: "123", salt: salt, dkLen: 64, N: 16384, r: 8, p: 1).calculate() From 8a39ca37bd6387365b105bd83dffbbc97c05da5e Mon Sep 17 00:00:00 2001 From: ESS-ENN Date: Thu, 27 Mar 2025 19:16:27 +0530 Subject: [PATCH 8/8] Removed python-neo4j extra files --- ... python-neo4j-hardcoded-secret-python.yml} | 0 ...-hardcoded-secret-auth-python-snapshot.yml | 276 ------------------ 2 files changed, 276 deletions(-) rename rules/python/security/{python-neo4j-hardcoded-secret-auth-python.yml => python-neo4j-hardcoded-secret-python.yml} (100%) delete mode 100644 tests/__snapshots__/python-neo4j-hardcoded-secret-auth-python-snapshot.yml diff --git a/rules/python/security/python-neo4j-hardcoded-secret-auth-python.yml b/rules/python/security/python-neo4j-hardcoded-secret-python.yml similarity index 100% rename from rules/python/security/python-neo4j-hardcoded-secret-auth-python.yml rename to rules/python/security/python-neo4j-hardcoded-secret-python.yml diff --git a/tests/__snapshots__/python-neo4j-hardcoded-secret-auth-python-snapshot.yml b/tests/__snapshots__/python-neo4j-hardcoded-secret-auth-python-snapshot.yml deleted file mode 100644 index 110188d4..00000000 --- a/tests/__snapshots__/python-neo4j-hardcoded-secret-auth-python-snapshot.yml +++ /dev/null 
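Review bot: Three of the six utils in the rule have no `invalid` case here: `match_pattern_try_expression_directly` (`try HKDF(password: "123", …)`) and the two `_with_instance` utils (a preceding `let password = Array("hello".utf8)` followed by `HKDF(password: password, …)`) are never exercised, so a regression in them would pass CI; add `try HKDF(password: "123", salt: salt).calculate()` and the two-line case `let password = Array("hello".utf8)` / `let key = try HKDF(password: password, salt: salt).calculate()` to `invalid`. The argument list used in every case (`dkLen:`, `N:`, `r:`, `p:`) reads like a scrypt signature rather than HKDF's and looks copied from another rule's fixtures; the rule only keys on `HKDF` and `password:` so the cases still match, but fixtures in the real call shape would document what is being protected. A `valid` case with a non-literal byte array, e.g. `HKDF(password: Array(pw.utf8), salt: salt).calculate()`, would also pin that the `Array(….utf8)` matcher ignores non-literal sources.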
@@ -1,276 +0,0 @@ -id: python-neo4j-hardcoded-secret-python -snapshots: - ? | - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - password = "NEO4J_PASSWORD" - driver = AsyncGraphDatabase.driver(url, auth=basic_auth(username, password)) - : labels: - - source: basic_auth(username, password) - style: primary - start: 157 - end: 187 - - source: password - style: secondary - start: 83 - end: 91 - - source: '"' - style: secondary - start: 94 - end: 95 - - source: NEO4J_PASSWORD - style: secondary - start: 95 - end: 109 - - source: '"' - style: secondary - start: 109 - end: 110 - - source: '"NEO4J_PASSWORD"' - style: secondary - start: 94 - end: 110 - - source: password = "NEO4J_PASSWORD" - style: secondary - start: 83 - end: 110 - - source: password = "NEO4J_PASSWORD" - style: secondary - start: 83 - end: 110 - - source: password = "NEO4J_PASSWORD" - style: secondary - start: 83 - end: 110 - - source: password - style: secondary - start: 178 - end: 186 - - source: (username, password) - style: secondary - start: 167 - end: 187 - - source: basic_auth - style: secondary - start: 157 - end: 167 - - source: basic_auth - style: secondary - start: 20 - end: 30 - - source: neo4j - style: secondary - start: 5 - end: 10 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - ? 
| - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - driver = AsyncGraphDatabase.driver(url, auth=basic_auth(username, "NEO4J_PASSWORD")) - : labels: - - source: basic_auth(username, "NEO4J_PASSWORD") - style: primary - start: 127 - end: 165 - - source: '"' - style: secondary - start: 148 - end: 149 - - source: NEO4J_PASSWORD - style: secondary - start: 149 - end: 163 - - source: '"' - style: secondary - start: 163 - end: 164 - - source: '"NEO4J_PASSWORD"' - style: secondary - start: 148 - end: 164 - - source: (username, "NEO4J_PASSWORD") - style: secondary - start: 137 - end: 165 - - source: basic_auth - style: secondary - start: 127 - end: 137 - - source: basic_auth - style: secondary - start: 20 - end: 30 - - source: neo4j - style: secondary - start: 5 - end: 10 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - ? 
|- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - driver = GraphDatabase.driver(uri, auth=bearer_auth("token")) - : labels: - - source: bearer_auth("token") - style: primary - start: 122 - end: 142 - - source: '"' - style: secondary - start: 134 - end: 135 - - source: token - style: secondary - start: 135 - end: 140 - - source: '"' - style: secondary - start: 140 - end: 141 - - source: '"token"' - style: secondary - start: 134 - end: 141 - - source: ("token") - style: secondary - start: 133 - end: 142 - - source: bearer_auth - style: secondary - start: 122 - end: 133 - - source: bearer_auth - style: secondary - start: 47 - end: 58 - - source: neo4j - style: secondary - start: 5 - end: 10 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - ? 
"from neo4j import (\nbasic_auth,\nkerberos_auth,\nbearer_auth,\nAsyncGraphDatabase,\n)\nuri = \"neo4j://example.com:7687\" \ndriver = GraphDatabase.driver(uri, auth=kerberos_auth(\"token\"))\n" - : labels: - - source: kerberos_auth("token") - style: primary - start: 156 - end: 178 - - source: '"' - style: secondary - start: 170 - end: 171 - - source: token - style: secondary - start: 171 - end: 176 - - source: '"' - style: secondary - start: 176 - end: 177 - - source: '"token"' - style: secondary - start: 170 - end: 177 - - source: ("token") - style: secondary - start: 169 - end: 178 - - source: kerberos_auth - style: secondary - start: 156 - end: 169 - - source: kerberos_auth - style: secondary - start: 32 - end: 45 - - source: neo4j - style: secondary - start: 5 - end: 10 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81 - - source: |- - from neo4j import ( - basic_auth, - kerberos_auth, - bearer_auth, - AsyncGraphDatabase, - ) - style: secondary - start: 0 - end: 81