From ae6f55d144a6a1f186acb83ae61ae1b978e38043 Mon Sep 17 00:00:00 2001
From: Sakshis
Date: Fri, 6 Dec 2024 05:37:42 +0000
Subject: [PATCH 1/3] python-ldap3-hardcoded-secret-python
---
 .../python-ldap3-hardcoded-secret-python.yml | 25 +++++++++++++++++++
 ...ldap3-hardcoded-secret-python-snapshot.yml | 21 ++++++++++++++++
 ...hon-ldap3-hardcoded-secret-python-test.yml | 7 ++++++
 3 files changed, 53 insertions(+)
 create mode 100644 rules/python/security/python-ldap3-hardcoded-secret-python.yml
 create mode 100644 tests/__snapshots__/python-ldap3-hardcoded-secret-python-snapshot.yml
 create mode 100644 tests/python/python-ldap3-hardcoded-secret-python-test.yml
diff --git a/rules/python/security/python-ldap3-hardcoded-secret-python.yml b/rules/python/security/python-ldap3-hardcoded-secret-python.yml
new file mode 100644
index 00000000..f76b9771
--- /dev/null
+++ b/rules/python/security/python-ldap3-hardcoded-secret-python.yml
@@ -0,0 +1,25 @@
+id: python-ldap3-hardcoded-secret-python
+language: python
+severity: warning
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [CWE-798]: Use of Hard-coded Credentials
+ [A07:2021]: Identification and Authentication Failures
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+rule:
+ pattern: ldap3.Connection(password=$STR)
+constraints:
+ STR:
+ kind: string
+ all:
+ - has:
+ nthChild: 1
+ kind: string_start
+ - has:
+ nthChild: 2
+ kind: string_content
+ - has:
+ nthChild: 3
+ kind: string_end
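Review bot: The pattern `ldap3.Connection(password=$STR)` appears to match only a call whose entire argument list is the single keyword `password=...`; as far as I can tell from how ast-grep patterns are matched, a realistic `ldap3.Connection(server, user="...", password="...")` would not be reported, which makes the rule mostly a false-negative generator for the code it is meant to find. The mariadb rules in patches 2 and 3 of this series already use the `kind: call` / `has: kind: keyword_argument` form that tolerates other arguments, and the same structure (or a variadic `$$$` around the keyword, if the engine supports it in this position) would cover it here. The `from ldap3 import Connection` and `import ldap3 as x` spellings are also not handled, whereas the mariadb rules at least cover the alias case. The test in this patch only exercises the single-argument shape, so neither gap is caught by the snapshot.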
diff --git a/tests/__snapshots__/python-ldap3-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-ldap3-hardcoded-secret-python-snapshot.yml
new file mode 100644
index 00000000..192ef6eb
--- /dev/null
+++ b/tests/__snapshots__/python-ldap3-hardcoded-secret-python-snapshot.yml
@@ -0,0 +1,21 @@
+id: python-ldap3-hardcoded-secret-python
+snapshots:
+ ? |
+ ldap3.Connection(password="notreal")
+ : labels:
+ - source: ldap3.Connection(password="notreal")
+ style: primary
+ start: 0
+ end: 36
+ - source: '"'
+ style: secondary
+ start: 26
+ end: 27
+ - source: notreal
+ style: secondary
+ start: 27
+ end: 34
+ - source: '"'
+ style: secondary
+ start: 34
+ end: 35
diff --git a/tests/python/python-ldap3-hardcoded-secret-python-test.yml b/tests/python/python-ldap3-hardcoded-secret-python-test.yml
new file mode 100644
index 00000000..d02349c0
--- /dev/null
+++ b/tests/python/python-ldap3-hardcoded-secret-python-test.yml
@@ -0,0 +1,7 @@
+id: python-ldap3-hardcoded-secret-python
+valid:
+ - |
+ ldap3.Connection(password=os.env['SECRET'])
+invalid:
+ - |
+ ldap3.Connection(password="notreal")
From fa88d3705d5d8e43b3f902f857070409267e932e Mon Sep 17 00:00:00 2001
From: Sakshis
Date: Fri, 6 Dec 2024 05:40:15 +0000
Subject: [PATCH 2/3] python-mariadb-empty-password-python
---
 .../python-mariadb-empty-password-python.yml | 86 +++++++++++++++++++
 ...mariadb-empty-password-python-snapshot.yml | 68 +++++++++++++++
 ...hon-mariadb-empty-password-python-test.yml | 13 +++
 3 files changed, 167 insertions(+)
 create mode 100644 rules/python/security/python-mariadb-empty-password-python.yml
 create mode 100644 tests/__snapshots__/python-mariadb-empty-password-python-snapshot.yml
 create mode 100644 tests/python/python-mariadb-empty-password-python-test.yml
diff --git a/rules/python/security/python-mariadb-empty-password-python.yml b/rules/python/security/python-mariadb-empty-password-python.yml
new file mode 100644
index 00000000..28925abc
--- /dev/null
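Review bot: The `valid` case `ldap3.Connection(password=os.env['SECRET'])` uses `os.env`, which is not a stdlib name (`os.environ` is); since the valid list doubles as the documented safe form, it should show code that actually runs, e.g. `ldap3.Connection(password=os.environ['SECRET'])`. The rule decides on the literal alone, so the case passes either way — this is about the example, not the verdict. A second invalid case that passes a server and user alongside the literal password would also pin down what the rule is expected to catch, which the single-argument fixture here does not.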
+++ b/rules/python/security/python-mariadb-empty-password-python.yml
@@ -0,0 +1,86 @@
+id: python-mariadb-empty-password-python
+language: python
+severity: warning
+message: >-
+ The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).
+note: >-
+ [CWE-287]: Improper Authentication
+ [A07:2021]: Identification and Authentication Failures
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+rule:
+ any:
+ - kind: call
+ has:
+ nthChild: 1
+ kind: attribute
+ regex: ^mariadb.connect$
+ precedes:
+ kind: argument_list
+ has:
+ kind: keyword_argument
+ has:
+ kind: identifier
+ regex: ^(password|passwd)$
+ precedes:
+ stopBy: end
+ kind: string
+ all:
+ - has:
+ kind: string_start
+ nthChild: 1
+ - has:
+ kind: string_end
+ nthChild: 2
+ inside:
+ stopBy: end
+ follows:
+ stopBy: end
+ kind: import_statement
+ has:
+ kind: dotted_name
+ nthChild: 1
+ regex: ^mariadb$
+ - kind: call
+ has:
+ nthChild: 1
+ kind: attribute
+ all:
+ - has:
+ nthChild: 1
+ pattern: $ALAIS
+ - has:
+ nthChild: 2
+ regex: ^connect$
+ precedes:
+ kind: argument_list
+ has:
+ kind: keyword_argument
+ has:
+ kind: identifier
+ regex: ^(password|passwd)$
+ precedes:
+ stopBy: end
+ kind: string
+ all:
+ - has:
+ kind: string_start
+ nthChild: 1
+ - has:
+ kind: string_end
+ nthChild: 2
+ inside:
+ stopBy: end
+ follows:
+ stopBy: end
+ kind: import_statement
+ has:
+ kind: aliased_import
+ all:
+ - has:
+ kind: dotted_name
+ regex: ^mariadb$
+ - has:
+ kind: identifier
+ pattern: $ALAIS
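Review bot: `regex: ^mariadb.connect$` leaves the dot unescaped, so the attribute regex also accepts any character between the two words; `regex: ^mariadb\.connect$` says what is meant. The metavariable `$ALAIS` (both occurrences in the aliased-import branch) is a consistent misspelling, so it works, but `$ALIAS` is what the next reader will search for; the same spelling recurs in the hardcoded-secret rule in patch 3. The rule only matches call sites reached through `import mariadb` or `import mariadb as <alias>`, so a `from mariadb import connect` caller is never reported; that limit is worth stating in the rule, e.g. `# NOTE: only 'import mariadb' / 'import mariadb as <alias>' call sites are matched; 'from mariadb import connect' is not covered.`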
diff --git a/tests/__snapshots__/python-mariadb-empty-password-python-snapshot.yml b/tests/__snapshots__/python-mariadb-empty-password-python-snapshot.yml
new file mode 100644
index 00000000..431d1e93
--- /dev/null
+++ b/tests/__snapshots__/python-mariadb-empty-password-python-snapshot.yml
@@ -0,0 +1,68 @@
+id: python-mariadb-empty-password-python
+snapshots:
+ ? |
+ import mariadb as mrdbl123
+ {
+ mrdbl123.connect(host="this.is.my.host",user="root",passwd="",database="aaa")
+ }
+ : labels:
+ - source: mrdbl123.connect(host="this.is.my.host",user="root",passwd="",database="aaa")
+ style: primary
+ start: 31
+ end: 108
+ - source: mariadb
+ style: secondary
+ start: 7
+ end: 14
+ - source: mrdbl123
+ style: secondary
+ start: 18
+ end: 26
+ - source: mariadb as mrdbl123
+ style: secondary
+ start: 7
+ end: 26
+ - source: import mariadb as mrdbl123
+ style: secondary
+ start: 0
+ end: 26
+ - source: import mariadb as mrdbl123
+ style: secondary
+ start: 0
+ end: 26
+ - source: mrdbl123
+ style: secondary
+ start: 31
+ end: 39
+ - source: connect
+ style: secondary
+ start: 40
+ end: 47
+ - source: '"'
+ style: secondary
+ start: 90
+ end: 91
+ - source: '"'
+ style: secondary
+ start: 91
+ end: 92
+ - source: '""'
+ style: secondary
+ start: 90
+ end: 92
+ - source: passwd
+ style: secondary
+ start: 83
+ end: 89
+ - source: passwd=""
+ style: secondary
+ start: 83
+ end: 92
+ - source: (host="this.is.my.host",user="root",passwd="",database="aaa")
+ style: secondary
+ start: 47
+ end: 108
+ - source: mrdbl123.connect
+ style: secondary
+ start: 31
+ end: 47
diff --git a/tests/python/python-mariadb-empty-password-python-test.yml b/tests/python/python-mariadb-empty-password-python-test.yml
new file mode 100644
index 00000000..0c66360d
--- /dev/null
+++ b/tests/python/python-mariadb-empty-password-python-test.yml
@@ -0,0 +1,13 @@
+id: python-mariadb-empty-password-python
+valid:
+ - |
+ import mariadb as mrdbl123
+ {
+ mrdbl123.connect(host="this.is.my.host",user="root",passwd="password",database="aaa")
+ }
+invalid:
+ - |
+ import mariadb as mrdbl123
+ {
+ mrdbl123.connect(host="this.is.my.host",user="root",passwd="",database="aaa")
+ }
From 39648d4b861dcfcd5a2fa69c29a90b1b1d9b3a81 Mon Sep 17 00:00:00 2001
From: Sakshis
Date: Fri, 6 Dec 2024 07:34:57 +0000
Subject: [PATCH 3/3] python-mariadb-hardcoded-secret-python
---
 ...python-mariadb-hardcoded-secret-python.yml | 94 +++++++++++++++++++
 ...n-mariadb-hardcoded-secret-python-test.yml | 13 +++
 2 files changed, 107 insertions(+)
 create mode 100644 rules/python/security/python-mariadb-hardcoded-secret-python.yml
 create mode 100644 tests/python/python-mariadb-hardcoded-secret-python-test.yml
diff --git a/rules/python/security/python-mariadb-hardcoded-secret-python.yml b/rules/python/security/python-mariadb-hardcoded-secret-python.yml
new file mode 100644
index 00000000..63931164
--- /dev/null
+++ b/rules/python/security/python-mariadb-hardcoded-secret-python.yml
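Review bot: Only the aliased-import branch of the rule is exercised here; the plain `import mariadb` / `mariadb.connect(...)` branch and the `password=` spelling of the keyword have no fixture, so a regression in either would pass the suite. Add an invalid case such as `import mariadb` followed by `mariadb.connect(host="h", user="root", password="")`, plus a valid counterpart with a non-empty value through the plain import. The same gap applies to the hardcoded-secret test in patch 3. The `{ ... }` braces around the call parse as a set display; they are harmless for the matcher but look accidental, and a bare call would read as the intended example.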
@@ -0,0 +1,94 @@
+id: python-mariadb-hardcoded-secret-python
+language: python
+severity: warning
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [CWE-287]: Improper Authentication
+ [A07:2021]: Identification and Authentication Failures
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+rule:
+ any:
+ - kind: call
+ has:
+ nthChild: 1
+ kind: attribute
+ regex: ^mariadb.connect$
+ precedes:
+ kind: argument_list
+ has:
+ kind: keyword_argument
+ has:
+ kind: identifier
+ regex: ^(password|passwd)$
+ precedes:
+ stopBy: end
+ kind: string
+ all:
+ - has:
+ kind: string_start
+ nthChild: 1
+ - has:
+ kind: string_content
+ nthChild: 2
+ - has:
+ kind: string_end
+ nthChild: 3
+ inside:
+ stopBy: end
+ follows:
+ stopBy: end
+ kind: import_statement
+ has:
+ kind: dotted_name
+ nthChild: 1
+ regex: ^mariadb$
+ - kind: call
+ has:
+ nthChild: 1
+ kind: attribute
+ all:
+ - has:
+ nthChild: 1
+ pattern: $ALAIS
+ - has:
+ nthChild: 2
+ regex: ^connect$
+ precedes:
+ kind: argument_list
+ has:
+ stopBy: end
+ kind: keyword_argument
+ all:
+ - has:
+ kind: identifier
+ regex: ^(password|passwd)$
+ nthChild: 1
+ - has:
+ kind: string
+ all:
+ - has:
+ kind: string_start
+ nthChild: 1
+ - has:
+ kind: string_content
+ nthChild: 2
+ - has:
+ kind: string_end
+ nthChild: 3
+ inside:
+ stopBy: end
+ follows:
+ stopBy: end
+ kind: import_statement
+ has:
+ kind: aliased_import
+ all:
+ - has:
+ kind: dotted_name
+ regex: ^mariadb$
+ - has:
+ kind: identifier
+ pattern: $ALAIS
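Review bot: The `note` carries `[CWE-287]: Improper Authentication`, but the message and the match are about a hard-coded secret; the ldap3 rule in patch 1 classifies the same finding as `[CWE-798]: Use of Hard-coded Credentials`, so this line should read `[CWE-798]: Use of Hard-coded Credentials` as well, leaving CWE-287 to the empty-password rule where it fits. The two branches also locate the keyword argument differently — the `mariadb.connect` branch walks `has: identifier ... precedes: string`, the alias branch uses `all:` with `nthChild: 1` on the identifier and a separate `has: kind: string` — which seems to work for both but makes the rule harder to keep in step; one form for both branches would be easier to maintain. Unlike patches 1 and 2, this commit adds no `tests/__snapshots__` file for the rule; if the harness expects one per rule, as the earlier commits suggest, it is missing here.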
diff --git a/tests/python/python-mariadb-hardcoded-secret-python-test.yml b/tests/python/python-mariadb-hardcoded-secret-python-test.yml
new file mode 100644
index 00000000..9cc540ba
--- /dev/null
+++ b/tests/python/python-mariadb-hardcoded-secret-python-test.yml
@@ -0,0 +1,13 @@
+id: python-mariadb-hardcoded-secret-python
+valid:
+ - |
+ import mariadb as mrdbl123
+ {
+ mrdbl123.connect(host="this.is.my.host",user="root",passwd="",database="aaa")
+ }
+invalid:
+ - |
+ import mariadb as mrdbl123
+ {
+ mrdbl123.connect(host="this.is.my.host",user="root",passwd="password",database="aaa")
+ }
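Review bot: The `valid` fixture uses `passwd=""` as the safe example; this rule indeed does not match it, but it is exactly the pattern the empty-password rule in patch 2 flags, so the test file documents an insecure call as the good case. A value that is neither a literal nor empty keeps the case valid for this rule without contradicting the sibling rule, e.g. `mrdbl123.connect(host="this.is.my.host",user="root",passwd=os.environ["DB_PASSWORD"],database="aaa")`, and `passwd=""` then belongs only in the empty-password test's invalid list.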