diff --git a/rules/python/security/python-peewee-pg-empty-password-python.yml b/rules/python/security/python-peewee-pg-empty-password-python.yml
new file mode 100644
index 00000000..c71ae1c6
--- /dev/null
+++ b/rules/python/security/python-peewee-pg-empty-password-python.yml
@@ -0,0 +1,56 @@
+id: python-peewee-pg-empty-password-python
+severity: warning
+language: python
+message: >-
+ The application creates a database connection with an empty password.
+ This can lead to unauthorized access by either an internal or external
+ malicious actor. To prevent this vulnerability, enforce authentication
+ when connecting to a database by using environment variables to securely
+ provide credentials or retrieving them from a secure vault or HSM
+ (Hardware Security Module).
+note: >-
+ [CWE-287] Improper Authentication.
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+ $DB(..., password="...",...):
+ # $DB(..., password="...",...)
+ kind: call
+ all:
+ - has:
+ stopBy: neighbor
+ pattern: $DB
+ regex: ^PostgresqlDatabase$|6peewee.PostgresqlDatabase$|^PostgresqlExtDatabase|playhouse.postgres_ext.PostgresqlExtDatabase$|^PooledPostgresqlDatabase$|^playhouse.pool.PooledPostgresqlDatabase$|^CockroachDatabase$|^playhouse.cockroachdb.CockroachDatabase$|^PooledCockroachDatabase$|^playhouse.cockroachdb.PooledCockroachDatabase$
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: neighbor
+ kind: keyword_argument
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: ^password$|^passwd$
+ - has:
+ stopBy: neighbor
+ kind: string
+ not:
+ has:
+ stopBy: neighbor
+ kind: string_content
+rule:
+ kind: call
+ matches: $DB(..., password="...",...)
+ all:
+ - not:
+ has:
+ stopBy: end
+ kind: ERROR
+ - not:
+ inside:
+ stopBy: end
+ kind: ERROR
\ No newline at end of file
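Review bot: The alternative `6peewee.PostgresqlDatabase$` in the `regex` under `pattern: $DB` looks like a typo for `^peewee.PostgresqlDatabase$`; as written it only matches a callee whose text literally begins with the digit 6, so a module-qualified `peewee.PostgresqlDatabase(...)` opened with an empty password is never reported. Anchoring in the same regex is also inconsistent: `^PostgresqlExtDatabase` has no closing `$` and `playhouse.postgres_ext.PostgresqlExtDatabase$` has no leading `^`, unlike every other alternative, and the dots are unescaped so they match any character. I would change those three alternatives to `^peewee.PostgresqlDatabase$`, `^PostgresqlExtDatabase$` and `^playhouse.postgres_ext.PostgresqlExtDatabase$` (writing the dots as `\.` if the matching is meant to be literal). The identical regex is copied in rules/python/security/python-peewee-pg-hardcoded-secret-python.yml and needs the same fix.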
diff --git a/rules/python/security/python-peewee-pg-hardcoded-secret-python.yml b/rules/python/security/python-peewee-pg-hardcoded-secret-python.yml
new file mode 100644
index 00000000..7d0d77e1
--- /dev/null
+++ b/rules/python/security/python-peewee-pg-hardcoded-secret-python.yml
@@ -0,0 +1,55 @@
+id: python-peewee-pg-hardcoded-secret-python
+severity: warning
+language: python
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. Use
+ environment variables to securely provide credentials and other secrets or
+ retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [CWE-798] Use of Hard-coded Credentials.
+ [REFERENCES]
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+ $DB(..., password="...",...):
+ # $DB(..., password="...",...)
+ kind: call
+ all:
+ - has:
+ stopBy: neighbor
+ pattern: $DB
+ regex: ^PostgresqlDatabase$|6peewee.PostgresqlDatabase$|^PostgresqlExtDatabase|playhouse.postgres_ext.PostgresqlExtDatabase$|^PooledPostgresqlDatabase$|^playhouse.pool.PooledPostgresqlDatabase$|^CockroachDatabase$|^playhouse.cockroachdb.CockroachDatabase$|^PooledCockroachDatabase$|^playhouse.cockroachdb.PooledCockroachDatabase$
+ - has:
+ stopBy: neighbor
+ kind: argument_list
+ has:
+ stopBy: neighbor
+ kind: keyword_argument
+ all:
+ - has:
+ stopBy: neighbor
+ kind: identifier
+ regex: ^password$|^passwd$
+ - has:
+ stopBy: neighbor
+ kind: string
+ has:
+ stopBy: neighbor
+ kind: string_content
+rule:
+ kind: call
+ matches: $DB(..., password="...",...)
+ all:
+ - not:
+ has:
+ stopBy: end
+ kind: ERROR
+ - not:
+ inside:
+ stopBy: end
+ kind: ERROR
+ 
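Review bot: The `has: kind: string_content` check under `kind: string` presumably also fires on an f-string that mixes a literal prefix with an interpolated value, such as `password=f"pw-{os.environ['DB_PASSWORD']}"`, because tree-sitter-python represents the literal segments of an f-string as `string_content` nodes; whether a partially literal password should count as a hard-coded secret is worth deciding explicitly, and if it should not, a sibling `not: has:` entry with `stopBy: neighbor` and `kind: interpolation` under the `kind: string` branch excludes it. Separately, the utility is named `$DB(..., password="...",...)` both here and in the empty-password rule, where it matches the opposite case (a string with no `string_content`), so a descriptive name such as `pg-db-with-nonempty-password-literal` would make each rule's intent readable on its own.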
diff --git a/tests/__snapshots__/python-peewee-pg-empty-password-python-snapshot.yml b/tests/__snapshots__/python-peewee-pg-empty-password-python-snapshot.yml
new file mode 100644
index 00000000..7d674f39
--- /dev/null
+++ b/tests/__snapshots__/python-peewee-pg-empty-password-python-snapshot.yml
@@ -0,0 +1,29 @@
+id: python-peewee-pg-empty-password-python
+snapshots:
+ ? |
+ pg_db1 = PostgresqlDatabase('my_app', user='postgres', password='', host='10.1.0.9', port=5432)
+ : labels:
+ - source: PostgresqlDatabase('my_app', user='postgres', password='', host='10.1.0.9', port=5432)
+ style: primary
+ start: 9
+ end: 95
+ - source: PostgresqlDatabase
+ style: secondary
+ start: 9
+ end: 27
+ - source: password
+ style: secondary
+ start: 55
+ end: 63
+ - source: ''''''
+ style: secondary
+ start: 64
+ end: 66
+ - source: password=''
+ style: secondary
+ start: 55
+ end: 66
+ - source: ('my_app', user='postgres', password='', host='10.1.0.9', port=5432)
+ style: secondary
+ start: 27
+ end: 95
diff --git a/tests/__snapshots__/python-peewee-pg-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-peewee-pg-hardcoded-secret-python-snapshot.yml
new file mode 100644
index 00000000..e1fe3430
--- /dev/null
+++ b/tests/__snapshots__/python-peewee-pg-hardcoded-secret-python-snapshot.yml
@@ -0,0 +1,33 @@
+id: python-peewee-pg-hardcoded-secret-python
+snapshots:
+ ? |
+ pg_db1 = PostgresqlDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432)
+ : labels:
+ - source: PostgresqlDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432)
+ style: primary
+ start: 9
+ end: 103
+ - source: PostgresqlDatabase
+ style: secondary
+ start: 9
+ end: 27
+ - source: password
+ style: secondary
+ start: 55
+ end: 63
+ - source: password
+ style: secondary
+ start: 65
+ end: 73
+ - source: '''password'''
+ style: secondary
+ start: 64
+ end: 74
+ - source: password='password'
+ style: secondary
+ start: 55
+ end: 74
+ - source: ('my_app', user='postgres', password='password', host='10.1.0.9', port=5432)
+ style: secondary
+ start: 27
+ end: 103
diff --git a/tests/python/python-peewee-pg-empty-password-python-test.yml b/tests/python/python-peewee-pg-empty-password-python-test.yml
new file mode 100644
index 00000000..0720a3a7
--- /dev/null
+++ b/tests/python/python-peewee-pg-empty-password-python-test.yml
@@ -0,0 +1,8 @@
+id: python-peewee-pg-empty-password-python
+valid:
+ - |
+ mysql_db1 = MySQLDatabe('my_app', user='app', password=os.env['db_password'], host='10.1.0.8', port=3306)
+invalid:
+ - |
+ pg_db1 = PostgresqlDatabase('my_app', user='postgres', password='', host='10.1.0.9', port=5432)
+ 
\ No newline at end of file
diff --git a/tests/python/python-peewee-pg-hardcoded-secret-python-test.yml b/tests/python/python-peewee-pg-hardcoded-secret-python-test.yml
new file mode 100644
index 00000000..51e051be
--- /dev/null
+++ b/tests/python/python-peewee-pg-hardcoded-secret-python-test.yml
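Review bot: The only `valid` case in tests/python/python-peewee-pg-empty-password-python-test.yml, `mysql_db1 = MySQLDatabe(...)`, does not exercise this rule: `MySQLDatabe` (sic) is not one of the classes in the rule's regex, so the case would pass even if the rule reported every `password=` argument, and `os.env` is not an attribute of `os` (`os.environ` is), which makes the sample misleading as the recommended pattern. A valid case on a PostgreSQL class, e.g. `pg_db2 = PostgresqlDatabase('my_app', user='postgres', password=os.environ['DB_PASSWORD'], host='10.1.0.9', port=5432)`, and an invalid case using the qualified name and the alternate keyword, e.g. `pg_db3 = peewee.PostgresqlDatabase('my_app', passwd='')`, would cover the other regex alternatives; the latter would also have exposed that the rule's `6peewee.PostgresqlDatabase$` alternative does not match a module-qualified callee. The last added line is whitespace only and the file has no trailing newline. The same valid-case issue applies to tests/python/python-peewee-pg-hardcoded-secret-python-test.yml.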
@@ -0,0 +1,8 @@
+id: python-peewee-pg-hardcoded-secret-python
+valid:
+ - |
+ mysql_db1 = MySQLDatabe('my_app', user='app', password=os.env['db_password'], host='10.1.0.8', port=3306)
+invalid:
+ - |
+ pg_db1 = PostgresqlDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432)
+ 
\ No newline at end of file
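Review bot: The `valid` list should also contain the empty-password form, `pg_db2 = PostgresqlDatabase('my_app', user='postgres', password='', host='10.1.0.9', port=5432)`, because the rule's `has: kind: string_content` branch is what separates this rule from python-peewee-pg-empty-password-python and nothing here pins that boundary. Without it, a later edit that drops the `string_content` requirement would make both rules report the same line and this test would still pass. The `MySQLDatabe`/`os.env` valid case shares the problem noted on the empty-password test file.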