From e3d6baee3f5bfef858f9f201222196998d48b190 Mon Sep 17 00:00:00 2001
From: Sakshis
Date: Tue, 11 Mar 2025 12:12:39 +0000
Subject: [PATCH 1/2] system-setproperty-hardcoded-secret-java
---
 ...stem-setproperty-hardcoded-secret-java.yml | 321 ++++++++++++++++++
 ...roperty-hardcoded-secret-java-snapshot.yml | 71 ++++
 ...setproperty-hardcoded-secret-java-test.yml | 9 +
 3 files changed, 401 insertions(+)
 create mode 100644 rules/java/security/system-setproperty-hardcoded-secret-java.yml
 create mode 100644 tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml
 create mode 100644 tests/java/system-setproperty-hardcoded-secret-java-test.yml
diff --git a/rules/java/security/system-setproperty-hardcoded-secret-java.yml b/rules/java/security/system-setproperty-hardcoded-secret-java.yml
new file mode 100644
index 00000000..cbf983fd
--- /dev/null
+++ b/rules/java/security/system-setproperty-hardcoded-secret-java.yml
@@ -0,0 +1,321 @@ +id: system-setproperty-hardcoded-secret-java +severity: warning +language: java +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + +ast-grep-essentials: true +utils: + match_string_literal: + kind: string_fragment + inside: + kind: string_literal + all: + - nthChild: + position: 2 + ofRule: + not: + kind: line_comment + - inside: + kind: argument_list + all: + - not: + has: + nthChild: + position: 3 + ofRule: + not: + kind: line_comment + - has: + kind: string_literal + has: + kind: string_fragment + regex: ^javax.net.ssl.keyStorePassword|javax.net.ssl.trustStorePassword$ + nthChild: + position: 1 + ofRule: + not: + kind: line_comment + - inside: + kind: method_invocation + all: + - has: + kind: identifier + nthChild: 1 + regex: ^System$ + - has: + kind: identifier + nthChild: 2 + regex: ^setProperty$ + + match_string_literal_instance: + kind: identifier + pattern: $PASSWORD + all: + - nthChild: + position: 2 + ofRule: + not: + kind: line_comment + - inside: + kind: argument_list + all: + - not: + has: + nthChild: + position: 3 + ofRule: + not: + kind: line_comment + - has: + kind: string_literal + has: + kind: string_fragment + regex: ^javax.net.ssl.keyStorePassword|javax.net.ssl.trustStorePassword$ + nthChild: + position: 1 + ofRule: + not: + kind: line_comment + - inside: + kind: method_invocation + all: + - has: + kind: identifier + nthChild: 1 + regex: ^System$ + - has: + kind: identifier + nthChild: 2 + regex: ^setProperty$ + - any: + - inside: + stopBy: end + 
follows: + stopBy: end + kind: local_variable_declaration + has: + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $PASSWORD + nthChild: 1 + - has: + kind: string_literal + nthChild: 2 + has: + kind: string_fragment + - follows: + stopBy: end + kind: local_variable_declaration + has: + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $PASSWORD + nthChild: 1 + - has: + kind: string_literal + nthChild: 2 + has: + kind: string_fragment + + + match_string_literal_with_link_instance: + kind: string_fragment + inside: + kind: string_literal + all: + - nthChild: + position: 2 + ofRule: + not: + kind: line_comment + - inside: + kind: argument_list + all: + - not: + has: + nthChild: + position: 3 + ofRule: + not: + kind: line_comment + - has: + kind: identifier + pattern: $LINK + nthChild: + position: 1 + ofRule: + not: + kind: line_comment + - inside: + kind: method_invocation + all: + - has: + kind: identifier + nthChild: 1 + regex: ^System$ + - has: + kind: identifier + nthChild: 2 + regex: ^setProperty$ + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_variable_declaration + has: + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $LINK + nthChild: 1 + - has: + kind: string_literal + nthChild: 2 + has: + kind: string_fragment + regex: ^javax.net.ssl.keyStorePassword|javax.net.ssl.trustStorePassword$ + - follows: + stopBy: end + kind: local_variable_declaration + has: + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $LINK + nthChild: 1 + - has: + kind: string_literal + nthChild: 2 + has: + kind: string_fragment + regex: ^javax.net.ssl.keyStorePassword|javax.net.ssl.trustStorePassword$ + + match_pattern_with_both-links: + kind: identifier + pattern: $PASSWORD + all: + - nthChild: + position: 2 + ofRule: + not: + kind: line_comment + - inside: + kind: argument_list + all: + - not: + has: + nthChild: + position: 3 + ofRule: + not: + kind: line_comment + - 
has: + kind: identifier + pattern: $LINK + nthChild: + position: 1 + ofRule: + not: + kind: line_comment + - inside: + kind: method_invocation + all: + - has: + kind: identifier + nthChild: 1 + regex: ^System$ + - has: + kind: identifier + nthChild: 2 + regex: ^setProperty$ + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_variable_declaration + has: + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $LINK + nthChild: 1 + - has: + kind: string_literal + nthChild: 2 + has: + kind: string_fragment + regex: ^javax.net.ssl.keyStorePassword|javax.net.ssl.trustStorePassword$ + - follows: + stopBy: end + kind: local_variable_declaration + has: + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $LINK + nthChild: 1 + - has: + kind: string_literal + nthChild: 2 + has: + kind: string_fragment + regex: ^javax.net.ssl.keyStorePassword|javax.net.ssl.trustStorePassword$ + - any: + - inside: + stopBy: end + follows: + stopBy: end + kind: local_variable_declaration + has: + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $PASSWORD + nthChild: 1 + - has: + kind: string_literal + nthChild: 2 + has: + kind: string_fragment + - follows: + stopBy: end + kind: local_variable_declaration + has: + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $PASSWORD + nthChild: 1 + - has: + kind: string_literal + nthChild: 2 + has: + kind: string_fragment + +rule: + any: + - matches: match_string_literal + - matches: match_string_literal_instance + - matches: match_string_literal_with_link_instance + - matches: match_pattern_with_both-links diff --git a/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml b/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml new file mode 100644 index 00000000..676d8e10 --- /dev/null +++ b/tests/__snapshots__/system-setproperty-hardcoded-secret-java-snapshot.yml 
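Review bot: The property-name regex repeated in every util of this rule, `^javax.net.ssl.keyStorePassword|javax.net.ssl.trustStorePassword$`, anchors only one alternative each way — `^` binds to the keyStore branch and `$` to the trustStore branch — and the unescaped dots match any character, so a constructed name like `javax.net.ssl.keyStorePasswordX` or `myjavax-net-ssl.trustStorePassword` also passes the filter. Group the alternation and escape the dots, `regex: ^javax\.net\.ssl\.(keyStorePassword|trustStorePassword)$`, in all four utils including the `$LINK` declaration checks. Separately, `match_string_literal_instance` and `match_pattern_with_both-links` resolve `$PASSWORD` only through a preceding `local_variable_declaration`, so a literal held in a field such as `private static final String KS_PW = "...";` and passed as `System.setProperty("javax.net.ssl.keyStorePassword", KS_PW)` is not reported; the sibling `hardcoded-secret-in-credentials-java` rule in this series checks only `field_declaration`, so both rules would gain from accepting either declaration kind.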
@@ -0,0 +1,71 @@ +id: system-setproperty-hardcoded-secret-java +snapshots: + ? | + System.setProperty("javax.net.ssl.keyStorePassword", "password"); + : labels: + - source: password + style: primary + start: 54 + end: 62 + - source: javax.net.ssl.keyStorePassword + style: secondary + start: 20 + end: 50 + - source: '"javax.net.ssl.keyStorePassword"' + style: secondary + start: 19 + end: 51 + - source: System + style: secondary + start: 0 + end: 6 + - source: setProperty + style: secondary + start: 7 + end: 18 + - source: System.setProperty("javax.net.ssl.keyStorePassword", "password") + style: secondary + start: 0 + end: 64 + - source: ("javax.net.ssl.keyStorePassword", "password") + style: secondary + start: 18 + end: 64 + - source: '"password"' + style: secondary + start: 53 + end: 63 + System.setProperty("javax.net.ssl.trustStorePassword", "password");: + labels: + - source: password + style: primary + start: 56 + end: 64 + - source: javax.net.ssl.trustStorePassword + style: secondary + start: 20 + end: 52 + - source: '"javax.net.ssl.trustStorePassword"' + style: secondary + start: 19 + end: 53 + - source: System + style: secondary + start: 0 + end: 6 + - source: setProperty + style: secondary + start: 7 + end: 18 + - source: System.setProperty("javax.net.ssl.trustStorePassword", "password") + style: secondary + start: 0 + end: 66 + - source: ("javax.net.ssl.trustStorePassword", "password") + style: secondary + start: 18 + end: 66 + - source: '"password"' + style: secondary + start: 55 + end: 65 diff --git a/tests/java/system-setproperty-hardcoded-secret-java-test.yml b/tests/java/system-setproperty-hardcoded-secret-java-test.yml new file mode 100644 index 00000000..6c0f416b --- /dev/null +++ b/tests/java/system-setproperty-hardcoded-secret-java-test.yml 
@@ -0,0 +1,9 @@
+id: system-setproperty-hardcoded-secret-java
+valid:
+ - |
+ System.setProperty("javax.net.ssl.keyStorePassword", password);
+invalid:
+ - |
+ System.setProperty("javax.net.ssl.keyStorePassword", "password");
+ - |
+ System.setProperty("javax.net.ssl.trustStorePassword", "password");
\ No newline at end of file
From 69026868cf81dbc7826e7832f27c73b914a0779c Mon Sep 17 00:00:00 2001
From: Sakshis
Date: Tue, 11 Mar 2025 12:18:07 +0000
Subject: [PATCH 2/2] hardcoded-secret-in-credentials-java
---
 .../hardcoded-secret-in-credentials-java.yml | 292 ++++++++++++++++++
 ...ed-secret-in-credentials-java-snapshot.yml | 90 ++++++
 ...dcoded-secret-in-credentials-java-test.yml | 20 ++
 3 files changed, 402 insertions(+)
 create mode 100644 rules/java/security/hardcoded-secret-in-credentials-java.yml
 create mode 100644 tests/__snapshots__/hardcoded-secret-in-credentials-java-snapshot.yml
 create mode 100644 tests/java/hardcoded-secret-in-credentials-java-test.yml
diff --git a/rules/java/security/hardcoded-secret-in-credentials-java.yml b/rules/java/security/hardcoded-secret-in-credentials-java.yml
new file mode 100644
index 00000000..8c2701a4
--- /dev/null
+++ b/rules/java/security/hardcoded-secret-in-credentials-java.yml
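Review bot: The `invalid` fixtures in `tests/java/system-setproperty-hardcoded-secret-java-test.yml` exercise only `match_string_literal`; the three utils that resolve an identifier back to a local string declaration (`match_string_literal_instance`, `match_string_literal_with_link_instance`, `match_pattern_with_both-links`) have no case at all, and the single `valid` case uses an unbound `password`, so a regression in those utils would go unnoticed. Add, inside a method body, an invalid case such as `String pw = "password"; System.setProperty("javax.net.ssl.keyStorePassword", pw);` and a valid one where the identifier is bound to a non-literal, e.g. `String pw = System.getenv("KS_PW"); System.setProperty("javax.net.ssl.keyStorePassword", pw);`, plus a valid case with an unrelated property name like `System.setProperty("user.dir", "x");` to pin the property filter. The snapshot file will need regenerating once cases are added.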
@@ -0,0 +1,292 @@ +id: hardcoded-secret-in-credentials-java +severity: warning +language: java +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + +ast-grep-essentials: true +utils: + Credentials.basic($USERNAME, "..."): + kind: method_invocation + all: + - has: + kind: identifier + nthChild: 1 + regex: ^Credentials$ + - has: + kind: identifier + nthChild: 2 + regex: ^basic$ + - has: + kind: argument_list + all: + - not: + has: + nthChild: + position: 3 + ofRule: + not: + kind: line_comment + - has: + kind: string_literal + nthChild: + position: 2 + ofRule: + not: + kind: line_comment + has: + kind: string_fragment + - inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + any: + - pattern: import okhttp3.Credentials.*; + - pattern: import okhttp3.*; + + Credentials.basic($USERNAME, "...")_with_Instance: + kind: method_invocation + all: + - has: + kind: identifier + nthChild: 1 + regex: ^Credentials$ + - has: + kind: identifier + nthChild: 2 + regex: ^basic$ + - has: + kind: argument_list + all: + - not: + has: + nthChild: + position: 3 + ofRule: + not: + kind: line_comment + - has: + kind: identifier + pattern: $PASSWORD + nthChild: + position: 2 + ofRule: + not: + kind: line_comment + - inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + any: + - pattern: import okhttp3.Credentials.*; + - pattern: import okhttp3.*; + - inside: + stopBy: end + follows: + stopBy: end + any: + - kind: field_declaration + has: + kind: variable_declarator + all: + - 
has: + kind: identifier + pattern: $PASSWORD + - has: + kind: string_literal + has: + kind: string_fragment + + basic($USERNAME, "..."): + kind: method_invocation + all: + - has: + kind: identifier + nthChild: 1 + regex: ^basic$ + - has: + kind: argument_list + all: + - not: + has: + nthChild: + position: 3 + ofRule: + not: + kind: line_comment + - has: + kind: string_literal + nthChild: + position: 2 + ofRule: + not: + kind: line_comment + has: + kind: string_fragment + - inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + any: + - pattern: import okhttp3.Credentials.*; + + basic($USERNAME, "...")_with_Instance: + kind: method_invocation + all: + - has: + kind: identifier + nthChild: 1 + regex: ^basic$ + - has: + kind: argument_list + all: + - not: + has: + nthChild: + position: 3 + ofRule: + not: + kind: line_comment + - has: + kind: identifier + pattern: $PASSWORD + nthChild: + position: 2 + ofRule: + not: + kind: line_comment + - inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + any: + - pattern: import okhttp3.Credentials.*; + + okhttp3.Credentials.basic($USERNAME, "..."): + kind: method_invocation + all: + - has: + kind: field_access + all: + - has: + kind: identifier + nthChild: 1 + regex: ^okhttp3$ + - has: + kind: identifier + nthChild: 2 + regex: ^Credentials$ + - has: + kind: identifier + nthChild: 2 + regex: ^basic$ + - has: + kind: argument_list + all: + - not: + has: + nthChild: + position: 3 + ofRule: + not: + kind: line_comment + - has: + kind: string_literal + nthChild: + position: 2 + ofRule: + not: + kind: line_comment + has: + kind: string_fragment + - inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + any: + - pattern: import okhttp3.Credentials.*; + - pattern: import okhttp3.Credentials; + + okhttp3.Credentials.basic($USERNAME, "...")_with_Instance: + kind: method_invocation + all: + - has: + kind: field_access + all: + - has: + kind: identifier + nthChild: 1 + regex: 
^okhttp3$ + - has: + kind: identifier + nthChild: 2 + regex: ^Credentials$ + - has: + kind: identifier + nthChild: 2 + regex: ^basic$ + - has: + kind: argument_list + all: + - not: + has: + nthChild: + position: 3 + ofRule: + not: + kind: line_comment + - has: + kind: identifier + pattern: $PASSWORD + nthChild: + position: 2 + ofRule: + not: + kind: line_comment + - inside: + stopBy: end + follows: + stopBy: end + kind: import_declaration + any: + - pattern: import okhttp3.Credentials.*; + - pattern: import okhttp3.Credentials; + - inside: + stopBy: end + follows: + stopBy: end + any: + - kind: field_declaration + has: + kind: variable_declarator + all: + - has: + kind: identifier + pattern: $PASSWORD + - has: + kind: string_literal + has: + kind: string_fragment + +rule: + any: + - matches: Credentials.basic($USERNAME, "...") + - matches: Credentials.basic($USERNAME, "...")_with_Instance + - matches: basic($USERNAME, "...") + - matches: basic($USERNAME, "...")_with_Instance + - matches: okhttp3.Credentials.basic($USERNAME, "...") + - matches: okhttp3.Credentials.basic($USERNAME, "...")_with_Instance + diff --git a/tests/__snapshots__/hardcoded-secret-in-credentials-java-snapshot.yml b/tests/__snapshots__/hardcoded-secret-in-credentials-java-snapshot.yml new file mode 100644 index 00000000..780a2eb6 --- /dev/null +++ b/tests/__snapshots__/hardcoded-secret-in-credentials-java-snapshot.yml 
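Review bot: `basic($USERNAME, "...")_with_Instance` is missing the declaration check that its two `_with_Instance` siblings carry, so after `import okhttp3.Credentials.*;` any `basic(user, someIdentifier)` call is reported regardless of where the identifier comes from — including a value read from an environment variable or vault, which is exactly what the rule's message tells users to do. Add the same trailing `inside … follows … field_declaration` clause that `Credentials.basic($USERNAME, "...")_with_Instance` uses, so the identifier must resolve to a string literal (shown below). Two further gaps look worth a look: the `field_declaration` lookups use `follows`, so a password field declared below the method that calls `basic` is presumably not found, and unlike the sibling `system-setproperty-hardcoded-secret-java` rule no `local_variable_declaration` is considered, so `String pw = "..."; Credentials.basic(u, pw);` inside a method is missed. The import spelling that makes an unqualified `basic(...)` call legal in Java is `import static okhttp3.Credentials.*;`, so it is worth confirming with a test that the `import okhttp3.Credentials.*;` pattern matches that form.
```yaml
  basic($USERNAME, "...")_with_Instance:
    kind: method_invocation
    all:
      # … unchanged: identifier, argument_list and import_declaration clauses …
      - inside:
          stopBy: end
          follows:
            stopBy: end
            any:
              - kind: field_declaration
                has:
                  kind: variable_declarator
                  all:
                    - has:
                        kind: identifier
                        pattern: $PASSWORD
                    - has:
                        kind: string_literal
                        has:
                          kind: string_fragment
```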
@@ -0,0 +1,90 @@ +id: hardcoded-secret-in-credentials-java +snapshots: + ? "import okhttp3.*;\npublic class OkhttpSecretBasicAuth {\nprivate String password = \"hi\";\npublic void run() { \nString credential = Credentials.basic(username, password);\n}\n}" + : labels: + - source: Credentials.basic(username, password) + style: primary + start: 128 + end: 165 + - source: Credentials + style: secondary + start: 128 + end: 139 + - source: basic + style: secondary + start: 140 + end: 145 + - source: password + style: secondary + start: 156 + end: 164 + - source: (username, password) + style: secondary + start: 145 + end: 165 + - source: import okhttp3.*; + style: secondary + start: 0 + end: 17 + - source: import okhttp3.*; + style: secondary + start: 0 + end: 17 + - source: password + style: secondary + start: 70 + end: 78 + - source: hi + style: secondary + start: 82 + end: 84 + - source: '"hi"' + style: secondary + start: 81 + end: 85 + - source: password = "hi" + style: secondary + start: 70 + end: 85 + - source: private String password = "hi"; + style: secondary + start: 55 + end: 86 + - source: private String password = "hi"; + style: secondary + start: 55 + end: 86 + ? "import okhttp3.*;\npublic class OkhttpSecretBasicAuth {\npublic void run() { \nString credential = Credentials.basic(username, \"asdf\");\n}\n}\n" + : labels: + - source: Credentials.basic(username, "asdf") + style: primary + start: 96 + end: 131 + - source: Credentials + style: secondary + start: 96 + end: 107 + - source: basic + style: secondary + start: 108 + end: 113 + - source: asdf + style: secondary + start: 125 + end: 129 + - source: '"asdf"' + style: secondary + start: 124 + end: 130 + - source: (username, "asdf") + style: secondary + start: 113 + end: 131 + - source: import okhttp3.*; + style: secondary + start: 0 + end: 17 + - source: import okhttp3.*; + style: secondary + start: 0 + end: 17 
diff --git a/tests/java/hardcoded-secret-in-credentials-java-test.yml b/tests/java/hardcoded-secret-in-credentials-java-test.yml
new file mode 100644
index 00000000..aa8e46b7
--- /dev/null
+++ b/tests/java/hardcoded-secret-in-credentials-java-test.yml
@@ -0,0 +1,20 @@
+id: hardcoded-secret-in-credentials-java
+valid:
+ - |
+ System.setProperty("javax.net.ssl.keyStorePassword", password);
+invalid:
+ - |
+ import okhttp3.*;
+ public class OkhttpSecretBasicAuth {
+ public void run() {
+ String credential = Credentials.basic(username, "asdf");
+ }
+ }
+ - |
+ import okhttp3.*;
+ public class OkhttpSecretBasicAuth {
+ private String password = "hi";
+ public void run() {
+ String credential = Credentials.basic(username, password);
+ }
+ }
\ No newline at end of file
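Review bot: The only `valid` case in this file, `System.setProperty("javax.net.ssl.keyStorePassword", password);`, is copied from the sibling rule's tests and cannot match any `Credentials.basic` pattern in this rule, so the rule has no negative coverage and the test would still pass if it flagged every `basic(...)` call. Add valid cases that mirror the invalid ones, e.g. a class with `private String password = System.getenv("PW");` followed by `Credentials.basic(username, password)`, and `Credentials.basic(username, "asdf")` in a file with no `okhttp3` import. The unqualified `basic(username, "asdf")` form (after `import static okhttp3.Credentials.*;`) and the fully qualified `okhttp3.Credentials.basic(...)` form are also untested even though the rule defines utils for both, and the snapshot file will need regenerating once cases are added.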