Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Security Rules for SSL Configuration and Hard-Coded Secrets in Ruby #106

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
+616 −0
Open

Add Security Rules for SSL Configuration and Hard-Coded Secrets in Ruby #106

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
761a16f
ruby-redis-hardcoded-secret-ruby
Dec 11, 2024
65b807d
ruby-faraday-hardcoded-secret-ruby
Dec 11, 2024
91fec18
force-ssl-false-ruby
Dec 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions rules/ruby/security/force-ssl-false-ruby.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
id: force-ssl-false-ruby
language: ruby
severity: warning
ESS-ENN marked this conversation as resolved.
Show resolved Hide resolved
message: >-
Checks for configuration setting of force_ssl to false. Force_ssl
forces usage of HTTPS, which could lead to network interception of
unencrypted application traffic. To fix, set config.force_ssl = true.
note: >-
[CWE-311] Missing Encryption of Sensitive Data.
[REFERENCES]
- https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb
rule:
pattern: config.force_ssl = false
148 changes: 148 additions & 0 deletions rules/ruby/security/ruby-faraday-hardcoded-secret-ruby.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,148 @@
id: ruby-faraday-hardcoded-secret-ruby
language: ruby
severity: warning
message: >-
A secret is hard-coded in the application. Secrets stored in source
code, such as credentials, identifiers, and other types of sensitive data,
can be leaked and used by internal or external malicious actors. Use
environment variables to securely provide credentials and other secrets or
retrieve them from a secure vault or Hardware Security Module (HSM).
note: >-
[CWE-798] Use of Hard-coded Credentials.
[REFERENCES]
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
$X.request :authorization, :basic, $USER, "...":
# $X.request :authorization, :basic, $USER, "..."
kind: call
pattern: $X.request :authorization, :basic, $USER, "$STRING"
all:
- not:
pattern: $X.request :authorization, :basic, $USER, "$STRING", $$$
- inside:
stopBy: end
kind: program
has:
stopBy: end
kind: call
pattern: require "faraday"
$X.request :authorization, :basic, $USER, $PSD:
# $X.request :authorization, :basic, $USER, $PSD
kind: call
pattern: $X.request :authorization, :basic, $USER, $PSD
all:
- not:
pattern: $X.request :authorization, :basic, $USER, $PSD, $$$
- follows:
stopBy: end
kind: assignment
pattern: $PSD = '$PASS'
- inside:
stopBy: end
kind: program
has:
stopBy: end
kind: call
pattern: require "faraday"
$X.request :basic_auth, $USER, "...":
# $X.request :basic_auth, $USER, "..."
kind: call
pattern: $X.request :basic_auth, $USER, "$STRING"
all:
- not:
pattern: $X.request :basic_auth, $USER, "$STRING", $$$
- inside:
stopBy: end
kind: program
has:
stopBy: end
kind: call
pattern: require "faraday"
$X.request :basic_auth, $USER, $PSD:
# $X.request :basic_auth, $USER, $PSD
kind: call
pattern: $X.request :basic_auth, $USER, $PSD
all:
- not:
pattern: $X.request :basic_auth, $USER, $PSD, $$$
- follows:
stopBy: end
kind: assignment
pattern: $PSD = '$STRING'
- inside:
stopBy: end
kind: program
has:
stopBy: end
kind: call
pattern: require "faraday"
$X.request :token_auth, "...":
# $X.request :token_auth, "...", ...
kind: call
pattern: $X.request :token_auth, "$STRING"
inside:
stopBy: end
kind: program
has:
stopBy: end
kind: call
pattern: require "faraday"
$X.request :token_auth, $PSD:
# $X.request :token_auth, $PSD
kind: call
pattern: $X.request :token_auth, $PSD
all:
- follows:
stopBy: end
kind: assignment
pattern: $PSD = '$STRING'
- inside:
stopBy: end
kind: program
has:
stopBy: end
kind: call
pattern: require "faraday"
$X.request :authorization, $BEARER, "...":
# $X.request :authorization, $BEARER, "..."
kind: call
pattern: $X.request :authorization, $BEARER, "$STRING"
all:
- not:
pattern: $X.request :authorization, $BEARER, "$STRING", $$$
- inside:
stopBy: end
kind: program
has:
stopBy: end
kind: call
pattern: require "faraday"
$X.request :authorization, $BEARER, PSD:
# $X.request :authorization, $BEARER, "..."
kind: call
pattern: $X.request :authorization, $BEARER, $PSD
all:
- not:
pattern: $X.request :authorization, $BEARER, $PSD, $$$
- follows:
stopBy: end
kind: assignment
pattern: $PSD = '$PASS'
- inside:
stopBy: end
kind: program
has:
stopBy: end
kind: call
pattern: require "faraday"
rule:
kind: call
any:
- matches: $X.request :authorization, :basic, $USER, "..."
- matches: $X.request :authorization, :basic, $USER, $PSD
- matches: $X.request :basic_auth, $USER, "..."
- matches: $X.request :basic_auth, $USER, $PSD
- matches: $X.request :token_auth, "..."
- matches: $X.request :token_auth, $PSD
- matches: $X.request :authorization, $BEARER, "..."
- matches: $X.request :authorization, $BEARER, PSD
ESS-ENN marked this conversation as resolved.
Show resolved Hide resolved
102 changes: 102 additions & 0 deletions rules/ruby/security/ruby-redis-hardcoded-secret-ruby.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
id: ruby-redis-hardcoded-secret-ruby
language: ruby
severity: warning
message: >-
A secret is hard-coded in the application. Secrets stored in source
code, such as credentials, identifiers, and other types of sensitive data,
can be leaked and used by internal or external malicious actors. Use
environment variables to securely provide credentials and other secrets or
retrieve them from a secure vault or Hardware Security Module (HSM).
note: >-
[CWE-798] Use of Hard-coded Credentials.
[REFERENCES]
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
Redis.new(..., password:"...", ...):
# Redis.new(..., password: "", ...)
kind: call
all:
- has:
stopBy: neighbor
kind: constant
regex: ^Redis$
- has:
stopBy: neighbor
regex: ^.$
- has:
stopBy: neighbor
kind: identifier
regex: ^new$
- has:
stopBy: neighbor
kind: argument_list
has:
stopBy: end
kind: pair
all:
- has:
stopBy: neighbor
kind: hash_key_symbol
regex: ^password$
- has:
stopBy: neighbor
kind: string
has:
stopBy: neighbor
kind: string_content
- inside:
stopBy: end
kind: program
has:
stopBy: end
kind: call
pattern: require "redis"
ESS-ENN marked this conversation as resolved.
Show resolved Hide resolved
Redis.new(..., password:"...", ...)_with_instance:
# Redis.new(..., password: $PASS, ...)
kind: call
all:
- has:
stopBy: neighbor
kind: constant
regex: ^Redis$
- has:
stopBy: neighbor
regex: ^.$
- has:
stopBy: neighbor
kind: identifier
regex: ^new$
- has:
stopBy: neighbor
kind: argument_list
has:
stopBy: end
kind: pair
all:
- has:
stopBy: neighbor
kind: hash_key_symbol
regex: ^password$
- has:
stopBy: neighbor
kind: identifier
pattern: $PASS
- inside:
stopBy: end
kind: assignment
follows:
stopBy: end
kind: assignment
pattern: $PASS = "$PSWD"
- inside:
stopBy: end
kind: program
has:
stopBy: end
kind: call
pattern: require "redis"
rule:
kind: call
any:
- matches: Redis.new(..., password:"...", ...)
- matches: Redis.new(..., password:"...", ...)_with_instance
ESS-ENN marked this conversation as resolved.
Show resolved Hide resolved
11 changes: 11 additions & 0 deletions tests/__snapshots__/force-ssl-false-ruby-snapshot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
id: force-ssl-false-ruby
snapshots:
? |
def bad_ssl
config.force_ssl = false
end
: labels:
- source: config.force_ssl = false
style: primary
start: 12
end: 36
Loading