diff --git a/rules/javascript/security/node-sequelize-empty-password-argument-javascript.yml b/rules/javascript/security/node-sequelize-empty-password-argument-javascript.yml
deleted file mode 100644
index eaabe687..00000000
--- a/rules/javascript/security/node-sequelize-empty-password-argument-javascript.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-id: node-sequelize-empty-password-argument-javascript
-language: javascript
-severity: warning
-message: >-
- The application creates a database connection with an empty password.
- This can lead to unauthorized access by either an internal or external
- malicious actor. To prevent this vulnerability, enforce authentication
- when connecting to a database by using environment variables to securely
- provide credentials or retrieving them from a secure vault or HSM
- (Hardware Security Module).
-note: >-
- [CWE-287] Improper Authentication.
- [REFERENCES]
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
-utils:
- MATCH_BLANK_PASSWORD:
- kind: string
- pattern: $Q
- inside:
- stopBy: end
- kind: lexical_declaration
- all:
- - has:
- stopBy: end
- kind: new_expression
- all:
- - has:
- stopBy: end
- kind: identifier
- pattern: $E
- - has:
- stopBy: end
- kind: arguments
- nthChild: 2
- has:
- stopBy: end
- kind: string
- nthChild: 3
- pattern: $Q
- not:
- has:
- stopBy: end
- kind: string_fragment
- - any:
- - follows:
- stopBy: end
- kind: lexical_declaration
- has:
- stopBy: end
- kind: variable_declarator
- has:
- stopBy: end
- kind: identifier
- pattern: $E
- - follows:
- stopBy: end
- kind: import_statement
- has:
- stopBy: end
- kind: import_clause
- has:
- stopBy: end
- kind: identifier
- pattern: $E
- - follows:
- stopBy: end
- kind: import_statement
- has:
- stopBy: end
- kind: import_clause
- has:
- stopBy: end
- kind: identifier
- pattern: $E
-
-rule:
- kind: string
- matches: MATCH_BLANK_PASSWORD
diff --git a/rules/python/security/python-cassandra-empty-password-python.yml b/rules/python/security/python-cassandra-empty-password-python.yml
deleted file mode 100644
index 060ce96d..00000000
--- a/rules/python/security/python-cassandra-empty-password-python.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-id: python-cassandra-empty-password-python
-language: python
-severity: warning
-message: >-
- The application creates a database connection with an empty password.
- This can lead to unauthorized access by either an internal or external
- malicious actor. To prevent this vulnerability, enforce authentication
- when connecting to a database by using environment variables to securely
- provide credentials or retrieving them from a secure vault or HSM
- (Hardware Security Module).
-note: >-
- [CWE-287]: Improper Authentication
- [REFERENCES]
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
-
-utils:
- from_imported_module:
- any:
- - pattern: PlainTextAuthProvider($USER, $QUOTES)
- - pattern: PlainTextAuthProvider($USER, $QUOTES, $$$)
- - pattern: PlainTextAuthProvider($$$, password=$QUOTES)
- - pattern: PlainTextAuthProvider($$$, password=$QUOTES, $$$)
- - pattern: SaslAuthProvider($$$, password=$QUOTES)
- - pattern: SaslAuthProvider($$$, password=$QUOTES, $$$)
- - pattern: PlainTextAuthProvider(username='user', password='')
-
- inside_module_with_import_statement:
- inside:
- stopBy: end
- kind: module
- has:
- kind: import_from_statement
- pattern: from cassandra.auth import PlainTextAuthProvider
-
-rule:
- any:
- - pattern: cassandra.auth.PlainTextAuthProvider($USER, $QUOTES)
- - pattern: cassandra.auth.PlainTextAuthProvider($USER, $QUOTES, $$$)
- - pattern: cassandra.auth.PlainTextAuthProvider($$$, password=$QUOTES)
- - pattern: cassandra.auth.PlainTextAuthProvider($$$, password=$QUOTES, $$$)
- - pattern: cassandra.auth.SaslAuthProvider($$$, password=$QUOTES)
- - pattern: cassandra.auth.SaslAuthProvider($$$, password=$QUOTES, $$$)
- - any:
- - matches: from_imported_module
- follows:
- stopBy: end
- matches: inside_module_with_import_statement
-
-constraints:
- QUOTES:
- regex: (''|""|``)
diff --git a/rules/python/security/python-couchbase-empty-password-python.yml b/rules/python/security/python-couchbase-empty-password-python.yml
deleted file mode 100644
index c5178d17..00000000
--- a/rules/python/security/python-couchbase-empty-password-python.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-id: python-couchbase-empty-password-python
-language: python
-severity: warning
-message: >-
- The application creates a database connection with an empty password.
- This can lead to unauthorized access by either an internal or external
- malicious actor. To prevent this vulnerability, enforce authentication
- when connecting to a database by using environment variables to securely
- provide credentials or retrieving them from a secure vault or HSM
- (Hardware Security Module).
-note: >-
- [CWE-287]: Improper Authentication
- [OWASP A07:2021]: Identification and Authentication Failures
- [REFERENCES]
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
-utils:
- match_passwordauthenticator:
- kind: call
- all:
- - has:
- kind: identifier
- pattern: $R
- - has:
- stopBy: neighbor
- kind: argument_list
- all:
- - any:
- - has:
- stopBy: end
- kind: attribute
- has:
- stopBy: neighbor
- kind: identifier
- - has:
- stopBy: neighbor
- kind: string
- - has:
- stopBy: neighbor
- kind: string
- not:
- has:
- stopBy: neighbor
- kind: string_content
-
- - inside:
- stopBy: end
- kind: module
- has:
- stopBy: end
- kind: import_from_statement
- all:
- - has:
- stopBy: end
- kind: dotted_name
- field: module_name
- all:
- - has:
- stopBy: end
- kind: identifier
- regex: couchbase_core
- - has:
- stopBy: end
- kind: identifier
- regex: cluster
- - has:
- stopBy: end
- kind: dotted_name
- field: name
- has:
- stopBy: end
- kind: identifier
- pattern: $R
- regex: PasswordAuthenticator
-rule:
- all:
- - matches: match_passwordauthenticator
diff --git a/rules/python/security/python-ldap3-empty-password-python.yml b/rules/python/security/python-ldap3-empty-password-python.yml
deleted file mode 100644
index 9d58d450..00000000
--- a/rules/python/security/python-ldap3-empty-password-python.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-id: python-ldap3-empty-password-python
-language: python
-severity: warning
-message: >-
- The application creates a database connection with an empty password.
- This can lead to unauthorized access by either an internal or external
- malicious actor. To prevent this vulnerability, enforce authentication
- when connecting to a database by using environment variables to securely
- provide credentials or retrieving them from a secure vault or HSM
- (Hardware Security Module).
-note: >-
- [OWASP A07:2021]: Identification and Authentication Failures
- [REFERENCES]
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
-utils:
- match_empty_password:
- kind: expression_statement
- all:
- - has:
- stopBy: end
- kind: attribute
- - has:
- stopBy: end
- kind: argument_list
- all:
- - has:
- stopBy: end
- kind: keyword_argument
- all:
- - has:
- stopBy: end
- kind: identifier
- regex: "^password$"
- - has:
- stopBy: neighbor
- kind: string
- not:
- has:
- stopBy: neighbor
- kind: string_content
-rule:
- any:
- - matches: match_empty_password
diff --git a/rules/typescript/security/node-sequelize-empty-password-argument-typescript.yml b/rules/typescript/security/node-sequelize-empty-password-argument-typescript.yml
deleted file mode 100644
index a5eab9dd..00000000
--- a/rules/typescript/security/node-sequelize-empty-password-argument-typescript.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-id: node-sequelize-empty-password-argument-typescript
-language: typescript
-severity: warning
-message: >-
- The application creates a database connection with an empty password.
- This can lead to unauthorized access by either an internal or external
- malicious actor. To prevent this vulnerability, enforce authentication
- when connecting to a database by using environment variables to securely
- provide credentials or retrieving them from a secure vault or HSM
- (Hardware Security Module).
-note: >-
- [CWE-287] Improper Authentication.
- [REFERENCES]
- - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
-utils:
- MATCH_BLANK_PASSWORD:
- kind: string
- pattern: $Q
- inside:
- stopBy: end
- kind: lexical_declaration
- all:
- - has:
- stopBy: end
- kind: new_expression
- all:
- - has:
- stopBy: end
- kind: identifier
- pattern: $E
- - has:
- stopBy: end
- kind: arguments
- nthChild: 2
- has:
- stopBy: end
- kind: string
- nthChild: 3
- pattern: $Q
- not:
- has:
- stopBy: end
- kind: string_fragment
- - any:
- - follows:
- stopBy: end
- kind: lexical_declaration
- has:
- stopBy: end
- kind: variable_declarator
- has:
- stopBy: end
- kind: identifier
- pattern: $E
- - follows:
- stopBy: end
- kind: import_statement
- has:
- stopBy: end
- kind: import_clause
- has:
- stopBy: end
- kind: identifier
- pattern: $E
- - follows:
- stopBy: end
- kind: import_statement
- has:
- stopBy: end
- kind: import_clause
- has:
- stopBy: end
- kind: identifier
- pattern: $E
-
-rule:
- kind: string
- matches: MATCH_BLANK_PASSWORD