Skip to content

Add security rules for ARC4, hard-coded secrets, and passwords in Python and Ruby #71

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Dec 16, 2024
Merged

Add security rules for ARC4, hard-coded secrets, and passwords in Python and Ruby #71

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
f732bc5
openai-hardcoded-secret-python
ESS-ENN Dec 4, 2024
7c10c88
insecure-cipher-algorithm-rc4-python
ESS-ENN Dec 4, 2024
4afc0df
hardcoded-http-auth-in-controller-ruby
ESS-ENN Dec 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
85 changes: 85 additions & 0 deletions rules/python/security/insecure-cipher-algorithm-rc4-python.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
id: insecure-cipher-algorithm-rc4-python
severity: warning
language: python
message: >-
Detected ARC4 cipher algorithm which is considered insecure. This
algorithm is not cryptographically secure and can be reversed easily. Use
secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block
cipher such as AES with a block size of 128 bits. When using a block
cipher, use a modern mode of operation that also provides authentication,
such as GCM.
note: >-
[CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
[REFERENCES]
- https://cwe.mitre.org/data/definitions/326.html
- https://www.pycryptodome.org/src/cipher/cipher
utils:
MATCH_PATTERN_arc4.new:
kind: call
all:
- has:
stopBy: end
kind: attribute
all:
- has:
stopBy: neighbor
kind: identifier
pattern: $X
- has:
stopBy: neighbor
kind: identifier
regex: '^new$'
- has:
stopBy: neighbor
kind: argument_list
has:
stopBy: neighbor
kind: identifier
- inside:
stopBy: end
kind: expression_statement
follows:
stopBy: end
kind: import_from_statement
all:
- has:
stopBy: neighbor
kind: dotted_name
all:
- has:
stopBy: neighbor
kind: identifier
regex: '^Crypto$|^Cryptodome$'
- has:
stopBy: neighbor
kind: identifier
regex: '^Cipher$'
- has:
stopBy: neighbor
kind: aliased_import
all:
- has:
stopBy: neighbor
kind: dotted_name
has:
stopBy: neighbor
kind: identifier
regex: '^ARC4$'
- has:
stopBy: neighbor
kind: identifier
pattern: $X

rule:
kind: call
any:
- matches: MATCH_PATTERN_arc4.new
- pattern: Cryptodome.Cipher.ARC4.new($$$)
- pattern: Crypto.Cipher.ARC4.new($$$)







24 changes: 24 additions & 0 deletions rules/python/security/openai-hardcoded-secret-python.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
id: openai-hardcoded-secret-python
language: python
severity: warning
message: >-
A secret is hard-coded in the application. Secrets stored in source
code, such as credentials, identifiers, and other types of sensitive data,
can be leaked and used by internal or external malicious actors. Use
environment variables to securely provide credentials and other secrets or
retrieve them from a secure vault or Hardware Security Module (HSM).
note: >-
[CWE-798]: Use of Hard-coded Credentials
[OWASP A07:2021]: Identification and Authentication Failures
[REFERENCES]
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
match_api_key:
kind: string_content
regex: \b(sk-[[:alnum:]]{20}T3BlbkFJ[[:alnum:]]{20})\b
inside:
stopBy: end
kind: string
rule:
all:
- matches: match_api_key
59 changes: 59 additions & 0 deletions rules/ruby/security/hardcoded-http-auth-in-controller-ruby.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
id: hardcoded-http-auth-in-controller-ruby
language: ruby
severity: warning
message: >-
Detected hardcoded password used in basic authentication in a
controller class. Including this password in version control could expose
this credential. Consider refactoring to use environment variables or
configuration files
note: >-
[CWE-798] Use of Hard-coded Credentials.
[REFERENCES]
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
MATCH_PASSWORD_STRING:
kind: string
inside:
stopBy: end
kind: pair
all:
- has:
stopBy: neighbor
kind: simple_symbol
regex: '^:password$'
- has:
stopBy: neighbor
kind: string
- inside:
stopBy: neighbor
kind: argument_list
inside:
stopBy: end
kind: call
all:
- has:
stopBy: neighbor
kind: identifier
regex: '^http_basic_authenticate_with$'
- inside:
stopBy: neighbor
kind: body_statement
inside:
stopBy: end
kind: class
all:
- has:
stopBy: neighbor
kind: constant
- has:
stopBy: end
kind: superclass
has:
stopBy: neighbor
kind: constant
regex: '^ApplicationController$'

rule:
kind: string
matches: MATCH_PASSWORD_STRING

62 changes: 62 additions & 0 deletions tests/__snapshots__/hardcoded-http-auth-in-controller-ruby-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
id: hardcoded-http-auth-in-controller-ruby
snapshots:
? |-
class DangerousController < ApplicationController
http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
puts "do more stuff"
end
: labels:
- source: '"secret"'
style: primary
start: 108
end: 116
- source: :password
style: secondary
start: 95
end: 104
- source: '"secret"'
style: secondary
start: 108
end: 116
- source: http_basic_authenticate_with
style: secondary
start: 50
end: 78
- source: DangerousController
style: secondary
start: 6
end: 25
- source: ApplicationController
style: secondary
start: 28
end: 49
- source: < ApplicationController
style: secondary
start: 26
end: 49
- source: |-
class DangerousController < ApplicationController
http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
puts "do more stuff"
end
style: secondary
start: 0
end: 160
- source: |-
http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
puts "do more stuff"
style: secondary
start: 50
end: 156
- source: http_basic_authenticate_with :name => "dhh", :password => "secret", :except => :index
style: secondary
start: 50
end: 135
- source: :name => "dhh", :password => "secret", :except => :index
style: secondary
start: 79
end: 135
- source: :password => "secret"
style: secondary
start: 95
end: 116
157 changes: 157 additions & 0 deletions tests/__snapshots__/insecure-cipher-algorithm-rc4-python-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,157 @@
id: insecure-cipher-algorithm-rc4-python
snapshots:
? |
Crypto.Cipher.ARC4.new()
: labels:
- source: Crypto.Cipher.ARC4.new()
style: primary
start: 0
end: 24
? |
Crypto.Cipher.ARC4.new(adasfdasfs)
: labels:
- source: Crypto.Cipher.ARC4.new(adasfdasfs)
style: primary
start: 0
end: 34
? |
Cryptodome.Cipher.ARC4.new()
: labels:
- source: Cryptodome.Cipher.ARC4.new()
style: primary
start: 0
end: 28
Cryptodome.Cipher.ARC4.new(asdsd):
labels:
- source: Cryptodome.Cipher.ARC4.new(asdsd)
style: primary
start: 0
end: 33
? |
from Crypto.Cipher import ARC4 as pycrypto_arc4
cipher = pycrypto_arc4.new(tempkey)
: labels:
- source: pycrypto_arc4.new(tempkey)
style: primary
start: 57
end: 83
- source: pycrypto_arc4
style: secondary
start: 57
end: 70
- source: new
style: secondary
start: 71
end: 74
- source: pycrypto_arc4.new
style: secondary
start: 57
end: 74
- source: tempkey
style: secondary
start: 75
end: 82
- source: (tempkey)
style: secondary
start: 74
end: 83
- source: Crypto
style: secondary
start: 5
end: 11
- source: Cipher
style: secondary
start: 12
end: 18
- source: Crypto.Cipher
style: secondary
start: 5
end: 18
- source: ARC4
style: secondary
start: 26
end: 30
- source: ARC4
style: secondary
start: 26
end: 30
- source: pycrypto_arc4
style: secondary
start: 34
end: 47
- source: ARC4 as pycrypto_arc4
style: secondary
start: 26
end: 47
- source: from Crypto.Cipher import ARC4 as pycrypto_arc4
style: secondary
start: 0
end: 47
- source: cipher = pycrypto_arc4.new(tempkey)
style: secondary
start: 48
end: 83
? |
from Cryptodome.Cipher import ARC4 as pycryptodomex_arc4
cipher = pycryptodomex_arc4.new(tempkey)
: labels:
- source: pycryptodomex_arc4.new(tempkey)
style: primary
start: 66
end: 97
- source: pycryptodomex_arc4
style: secondary
start: 66
end: 84
- source: new
style: secondary
start: 85
end: 88
- source: pycryptodomex_arc4.new
style: secondary
start: 66
end: 88
- source: tempkey
style: secondary
start: 89
end: 96
- source: (tempkey)
style: secondary
start: 88
end: 97
- source: Cryptodome
style: secondary
start: 5
end: 15
- source: Cipher
style: secondary
start: 16
end: 22
- source: Cryptodome.Cipher
style: secondary
start: 5
end: 22
- source: ARC4
style: secondary
start: 30
end: 34
- source: ARC4
style: secondary
start: 30
end: 34
- source: pycryptodomex_arc4
style: secondary
start: 38
end: 56
- source: ARC4 as pycryptodomex_arc4
style: secondary
start: 30
end: 56
- source: from Cryptodome.Cipher import ARC4 as pycryptodomex_arc4
style: secondary
start: 0
end: 56
- source: cipher = pycryptodomex_arc4.new(tempkey)
style: secondary
start: 57
end: 97
Loading