Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add security rules for pymongo and pymssql to detect empty passwords and secrets #97

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
+1,239 −0
Open

Add security rules for pymongo and pymssql to detect empty passwords and secrets #97

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
680e2c5
python-pymongo-empty-password-python
Dec 7, 2024
bc5a34c
python-pymongo-hardcoded-secret-python
Dec 7, 2024
4d5f3ca
python-pymssql-empty-password-python
Dec 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
136 changes: 136 additions & 0 deletions rules/python/security/python-pymongo-empty-password-python.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,136 @@
id: python-pymongo-empty-password-python
language: python
severity: warning
message: >-
The application creates a database connection with an empty password.
This can lead to unauthorized access by either an internal or external
malicious actor. To prevent this vulnerability, enforce authentication
when connecting to a database by using environment variables to securely
provide credentials or retrieving them from a secure vault or HSM
(Hardware Security Module).
note: >-
[CWE-287]: Improper Authentication
[OWASP A07:2021]: Identification and Authentication Failures
[REFERENCES]
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
match_call:
kind: expression_statement
all:
- has:
kind: call
all:
- has:
kind: identifier
field: function
regex: "^MongoClient$"
- has:
kind: argument_list
all:
- has:
kind: keyword_argument
has:
kind: identifier
all:
- not:
precedes:
stopBy: end
kind: subscript
- not:
precedes:
stopBy: end
kind: call
- has:
stopBy: end
kind: string
follows:
stopBy: end
kind: import_from_statement
all:
- has:
stopBy: end
kind: dotted_name
field: module_name
has:
stopBy: end
kind: identifier
regex: "^pymongo$"
- has:
stopBy: end
kind: dotted_name
field: name
has:
stopBy: end
kind: identifier
regex: "^MongoClient$"
match_call_with_string:
kind: expression_statement
all:
- has:
kind: call
all:
- has:
kind: identifier
field: function
regex: "^MongoClient$"
- has:
kind: argument_list
has:
stopBy: end
kind: keyword_argument
all:
- has:
stopBy: end
kind: identifier
field: name
regex: "^password$"
- has:
stopBy: end
kind: identifier
field: value
pattern: $T
- follows:
stopBy: end
kind: expression_statement
all:
- has:
stopBy: end
kind: assignment
has:
stopBy: end
kind: identifier
pattern: $T
- has:
stopBy: end
kind: string
all:
- has:
stopBy: end
kind: string_start
- has:
stopBy: end
kind: string_end
follows:
stopBy: end
kind: import_from_statement
all:
- has:
stopBy: end
kind: dotted_name
field: module_name
has:
stopBy: end
kind: identifier
regex: "^pymongo$"
- has:
stopBy: end
kind: dotted_name
field: name
has:
stopBy: end
kind: identifier
regex: "^MongoClient$"
rule:
any:
- matches: match_call
- matches: match_call_with_string
232 changes: 232 additions & 0 deletions rules/python/security/python-pymongo-hardcoded-secret-python.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,232 @@
id: python-pymongo-hardcoded-secret-python
language: python
severity: warning
message: >-
A secret is hard-coded in the application. Secrets stored in source
code, such as credentials, identifiers, and other types of sensitive data,
can be leaked and used by internal or external malicious actors. Use
environment variables to securely provide credentials and other secrets or
retrieve them from a secure vault or Hardware Security Module (HSM).
note: >-
[CWE-798]: Use of Hard-coded Credentials
[OWASP A07:2021]: Identification and Authentication Failures
[REFERENCES]
https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
match_call:
kind: expression_statement
all:
- has:
kind: call
all:
- has:
kind: identifier
field: function
regex: "^MongoClient$"
- has:
kind: argument_list
all:
- has:
kind: keyword_argument
has:
kind: identifier
all:
- not:
precedes:
stopBy: end
kind: subscript
- not:
precedes:
stopBy: end
kind: call
- has:
stopBy: end
kind: string
follows:
stopBy: end
kind: import_from_statement
all:
- has:
stopBy: end
kind: dotted_name
field: module_name
has:
stopBy: end
kind: identifier
regex: "^pymongo$"
- has:
stopBy: end
kind: dotted_name
field: name
has:
stopBy: end
kind: identifier
regex: "^MongoClient$"
match_call_with_string:
kind: expression_statement
all:
- has:
kind: call
all:
- has:
kind: identifier
field: function
regex: "^MongoClient$"
- has:
kind: argument_list
has:
stopBy: end
kind: keyword_argument
all:
- has:
stopBy: end
kind: identifier
field: name
regex: "^password$"
- has:
stopBy: end
kind: identifier
field: value
pattern: $T
- follows:
stopBy: end
kind: expression_statement
all:
- has:
stopBy: end
kind: assignment
has:
stopBy: end
kind: identifier
pattern: $T
- has:
stopBy: end
kind: string
all:
- has:
stopBy: end
kind: string_start
- has:
stopBy: end
kind: string_end
follows:
stopBy: end
kind: import_from_statement
all:
- has:
stopBy: end
kind: dotted_name
field: module_name
has:
stopBy: end
kind: identifier
regex: "^pymongo$"
- has:
stopBy: end
kind: dotted_name
field: name
has:
stopBy: end
kind: identifier
regex: "^MongoClient$"
match_call_with_pymongo:
kind: expression_statement
all:
- has:
kind: call
all:
- has:
kind: attribute
field: function
all:
- has:
stopBy: end
kind: identifier
field: object
regex: "^pymongo$"
- has:
stopBy: end
kind: identifier
field: attribute
regex: "^MongoClient$"
- has:
kind: argument_list
all:
- has:
kind: keyword_argument
has:
kind: identifier
all:
- not:
precedes:
stopBy: end
kind: subscript
- not:
precedes:
stopBy: end
kind: call
- has:
stopBy: end
kind: string
match_call_pymongo_string:
kind: expression_statement
all:
- has:
kind: call
all:
- has:
kind: attribute
field: function
all:
- has:
kind: identifier
field: object
regex: "^pymongo$"
- has:
kind: identifier
field: attribute
regex: "^MongoClient$"
- has:
kind: argument_list
has:
stopBy: end
kind: keyword_argument
all:
- has:
stopBy: end
kind: identifier
field: name
regex: "^password$"
- has:
stopBy: end
kind: identifier
field: value
pattern: $T
- follows:
stopBy: end
kind: expression_statement
all:
- has:
stopBy: end
kind: assignment
has:
stopBy: end
kind: identifier
pattern: $T
- has:
stopBy: end
kind: string
all:
- has:
stopBy: end
kind: string_start
- has:
stopBy: end
kind: string_end

ESS-ENN marked this conversation as resolved.
Show resolved Hide resolved
rule:
any:
- matches: match_call
- matches: match_call_with_string
- matches: match_call_with_pymongo
- matches: match_call_pymongo_string
Loading