Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add security rules for tormysql and webrepl libraries in Python applications #112

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Add security rules for tormysql and webrepl libraries in Python applications #112

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
6090ccf
python-tormysql-empty-password-python
Dec 12, 2024
4371f5c
python-tormysql-hardcoded-secret-python
Dec 12, 2024
228f507
python-webrepl-empty-password-python
Dec 12, 2024
89d4332
modified code of python-tormysql-empty-password-python
Dec 12, 2024
df27814
modified code of python-tormysql-hardcoded-secret-python
Dec 12, 2024
bb3a320
modified code of python-webrepl-empty-password-python
Dec 12, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
196 changes: 196 additions & 0 deletions rules/python/security/python-tormysql-empty-password-python.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,196 @@
id: python-tormysql-empty-password-python
language: python
severity: warning
message: >-
The application creates a database connection with an empty password.
This can lead to unauthorized access by either an internal or external
malicious actor. To prevent this vulnerability, enforce authentication
when connecting to a database by using environment variables to securely
provide credentials or retrieving them from a secure vault or HSM
(Hardware Security Module).
note: >-
[CWE-287]: Improper Authentication
[OWASP A07:2021]: Identification and Authentication Failures
[REFERENCES]
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
match_expression_statement:
kind: expression_statement
has:
stopBy: end
kind: call
all:
- has:
stopBy: end
kind: attribute
field: function
all:
- has:
stopBy: end
kind: identifier
field: object
regex: "^tormysql$"
- has:
stopBy: end
kind: identifier
field: attribute
regex: "^ConnectionPool$"
- has:
stopBy: end
kind: argument_list
field: arguments
has:
stopBy: end
kind: keyword_argument
all:
- has:
stopBy: end
kind: identifier
field: name
regex: "^password$"
- has:
kind: string
field: value
match_expression_statement_with_identifier:
kind: expression_statement
has:
stopBy: end
kind: call
all:
- has:
stopBy: end
kind: attribute
field: function
all:
- has:
stopBy: end
kind: identifier
field: object
regex: "^tormysql$"
- has:
stopBy: end
kind: identifier
field: attribute
regex: "^ConnectionPool$"
- has:
stopBy: end
kind: argument_list
field: arguments
has:
stopBy: end
kind: keyword_argument
all:
- has:
kind: identifier
field: name
regex: "^password$"
- has:
kind: identifier
field: value
pattern: $PASS
follows:
stopBy: end
kind: expression_statement
has:
stopBy: end
kind: assignment
all:
- has:
stopBy: end
kind: identifier
pattern: $PASS
- has:
stopBy: end
kind: string
match_direct_expression_with_passwd:
kind: call
all:
- has:
kind: attribute
field: function
all:
- has:
kind: identifier
field: object
regex: "^tormysql$"
- has:
kind: identifier
field: attribute
regex: "^ConnectionPool$"
- has:
kind: argument_list
field: arguments
has:
kind: keyword_argument
all:
- has:
kind: identifier
field: name
regex: ^(passwd|password)$
- has:
kind: string
field: value
all:
- has:
kind: string_start
- has:
kind: string_end
inside:
ESS-ENN marked this conversation as resolved.
Show resolved Hide resolved
stopBy: end
kind: return_statement
inside:
stopBy: end
kind: function_definition
has:
kind: identifier
field: name
match_direct_expression_with_passwd_without_return:
kind: call
all:
- has:
stopBy: end
kind: attribute
field: function
all:
- has:
stopBy: end
kind: identifier
field: object
regex: "^tormysql$"
- has:
stopBy: end
kind: identifier
field: attribute
regex: "^ConnectionPool$"
- has:
stopBy: end
kind: argument_list
field: arguments
has:
stopBy: end
kind: keyword_argument
all:
- has:
kind: identifier
field: name
regex: ^(passwd)$
- has:
kind: string
all:
- has:
kind: string_start
- has:
kind: string_end
inside:
stopBy: end
kind: assignment
inside:
stopBy: end
kind: expression_statement

rule:
any:
- matches: match_expression_statement
- matches: match_expression_statement_with_identifier
- matches: match_direct_expression_with_passwd
- matches: match_direct_expression_with_passwd_without_return
ESS-ENN marked this conversation as resolved.
Show resolved Hide resolved
152 changes: 152 additions & 0 deletions rules/python/security/python-tormysql-hardcoded-secret-python.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,152 @@
id: python-tormysql-hardcoded-secret-python
language: python
severity: warning
message: >-
A secret is hard-coded in the application. Secrets stored in source
code, such as credentials, identifiers, and other types of sensitive data,
can be leaked and used by internal or external malicious actors. Use
environment variables to securely provide crede ntials and other secrets or
retrieve them from a secure vault or Hardware Security Module (HSM).
note: >-
[CWE-798]: Use of Hard-coded Credentials
[OWASP A07:2021]: Identification and Authentication Failures
[REFERENCES]
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
match_expression_statement:
kind: expression_statement
has:
stopBy: end
kind: call
all:
- has:
stopBy: end
kind: attribute
field: function
all:
- has:
stopBy: end
kind: identifier
field: object
regex: "^tormysql$"
- has:
stopBy: end
kind: identifier
field: attribute
regex: "^ConnectionPool$"
- has:
stopBy: end
kind: argument_list
field: arguments
has:
stopBy: end
kind: keyword_argument
all:
- has:
stopBy: end
kind: identifier
field: name
regex: ^(password|passwd)$
- has:
kind: string
all:
- has:
kind: string_start
- has:
kind: string_content
- has:
kind: string_end
ESS-ENN marked this conversation as resolved.
Show resolved Hide resolved
match_expression_statement_with_identifier:
kind: expression_statement
has:
stopBy: end
kind: call
all:
- has:
stopBy: end
kind: attribute
field: function
all:
- has:
stopBy: end
kind: identifier
field: object
regex: "^tormysql$"
- has:
stopBy: end
kind: identifier
field: attribute
regex: "^ConnectionPool$"
- has:
stopBy: end
kind: argument_list
field: arguments
has:
stopBy: end
kind: keyword_argument
all:
- has:
stopBy: end
kind: identifier
field: name
regex: "^password$"
- has:
stopBy: end
kind: identifier
field: value
pattern: $PASS
follows:
stopBy: end
kind: expression_statement
has:
stopBy: end
kind: assignment
all:
- has:
kind: identifier
pattern: $PASS
- has:
kind: string
match_call_with_return:
kind: call
all:
- has:
kind: attribute
field: function
all:
- has:
kind: identifier
field: object
regex: "^tormysql$"
- has:
kind: identifier
field: attribute
regex: "^ConnectionPool$"
- has:
kind: argument_list
field: arguments
has:
kind: keyword_argument
all:
- has:
kind: identifier
field: name
regex: "^password$"
- has:
kind: string
field: value
all:
- has:
kind: string_start
- has:
kind: string_content
- has:
kind: string_end
inside:
stopBy: end
kind: return_statement
rule:
any:
- matches: match_expression_statement
- matches: match_expression_statement_with_identifier
- matches: match_call_with_return
Loading