coderabbitai · ganeshpatro321 · Mar 24, 2025 · Mar 24, 2025 · Mar 24, 2025 · Mar 24, 2025
diff --git a/rules/python/security/python-ldap3-empty-password-python.yml b/rules/python/security/python-ldap3-empty-password-python.yml
@@ -0,0 +1,99 @@
+id: python-ldap3-empty-password-python
+severity: warning
+language: python
+message: >-
+      The application creates a database connection with an empty password.
+      This can lead to unauthorized access by either an internal or external
+      malicious actor. To prevent this vulnerability, enforce authentication
+      when connecting to a database by using environment variables to securely
+      provide credentials or retrieving them from a secure vault or HSM
+      (Hardware Security Module).
+note: >-
+  [CWE-287] Improper Authentication.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  ldap3.Connection(..., password="",...)_INSTANCE:
+   kind: call
+   all:
+     - has:
+         stopBy: neighbor
+         kind: attribute
+         regex: ^ldap3.Connection$
+     - has:
+         stopBy: neighbor
+         kind: argument_list
+         has:
+           stopBy: neighbor
+           kind: keyword_argument
+           all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: ^password$
+                nthChild: 1
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                pattern: $INST
+                nthChild: 2
+     - inside:
+         stopBy: end
+         follows:
+          stopBy: end
+          kind: expression_statement
+          has:
+            kind: assignment
+            all:
+              - has:
+                  kind: identifier
+                  pattern: $INST
+                  nthChild: 1
+              - has:
+                  kind: string
+                  not:
+                    has:
+                      kind: string_content
+
+  ldap3.Connection(..., password="",...):
+   kind: call
+   all:
+     - has:
+         stopBy: neighbor
+         kind: attribute
+         regex: ^ldap3.Connection$
+     - has:
+         stopBy: neighbor
+         kind: argument_list
+         has:
+           stopBy: neighbor
+           kind: keyword_argument
+           all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: ^password$
+            - has:
+                stopBy: neighbor
+                kind: string
+                not:
+                  has:
+                   stopBy: end
+                   kind: string_content
+
+rule:
+  kind: call
+  any:
+    - matches: ldap3.Connection(..., password="",...)_INSTANCE
+    - matches: ldap3.Connection(..., password="",...)
+  not:
+    all:
+      - has:
+          stopBy: end
+          kind: ERROR
+      - inside:
+          stopBy: end
+          kind: ERROR
diff --git a/rules/python/security/python-ldap3-hardcoded-secret-python.yml b/rules/python/security/python-ldap3-hardcoded-secret-python.yml
@@ -0,0 +1,153 @@
+id: python-ldap3-hardcoded-secret-python
+language: python
+severity: warning
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. Use
+  environment variables to securely provide credentials and other secrets or
+  retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798]: Use of Hard-coded Credentials
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+       https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  define_string:
+    kind: string
+    all:
+      - has:
+          kind: string_start
+          nthChild: 1
+      - has:
+          kind: string_content
+          nthChild: 2
+      - has:
+          kind: string_end
+          nthChild: 3
+
+  define_password:
+    any:
+      - matches: define_string
+      - kind: identifier
+        pattern: $PWD_IDENTIFIER
+        inside:
+          stopBy: end
+          follows:
+            stopBy: end
+            kind: expression_statement
+            has:
+              stopBy: end
+              kind: assignment
+              nthChild: 1
+              all:
+                - has:
+                    nthChild: 1
+                    kind: identifier
+                    field: left
+                    pattern: $PWD_IDENTIFIER
+                - has:
+                    nthChild: 2
+                    matches: define_string
+
+rule:
+  any:
+    - kind: call
+      any:
+        - kind: call
+          has:
+            kind: identifier
+            regex: ^Connection$
+            precedes:
+              kind: argument_list
+              has:
+                stopBy: end
+                kind: keyword_argument
+                all:
+                  - has:
+                      nthChild: 1
+                      kind: identifier
+                      regex: ^password$
+                  - has:
+                      nthChild: 2
+                      matches: define_password
+      inside:
+        stopBy: end
+        follows:
+          stopBy: end
+          kind: import_from_statement
+          all:
+            - has:
+                nthChild: 1
+                kind: dotted_name
+                field: module_name
+                regex: ^ldap3$
+                precedes:
+                  stopBy: end
+                  kind: dotted_name
+                  regex: ^Connection$
+    - kind: call
+      any:
+        - kind: call
+          has:
+            kind: identifier
+            pattern: $SASL_ALIAS
+            precedes:
+              kind: argument_list
+              has:
+                stopBy: end
+                kind: keyword_argument
+                all:
+                  - has:
+                      nthChild: 1
+                      kind: identifier
+                      regex: ^password$
+                  - has:
+                      nthChild: 2
+                      matches: define_password
+      inside:
+        stopBy: end
+        follows:
+          stopBy: end
+          kind: import_from_statement
+          all:
+            - has:
+                nthChild: 1
+                kind: dotted_name
+                field: module_name
+                regex: ^ldap3$
+                precedes:
+                  stopBy: end
+                  kind: aliased_import
+                  all:
+                    - has:
+                        kind: dotted_name
+                        nthChild: 1
+                        regex: ^Connection$
+                    - has:
+                        kind: identifier
+                        field: alias
+                        nthChild: 2
+                        pattern: $SASL_ALIAS
+    - kind: call
+      any:
+        - kind: call
+          has:
+            kind: attribute
+            regex: ^ldap3.Connection$
+            precedes:
+              kind: argument_list
+              has:
+                stopBy: end
+                kind: keyword_argument
+                all:
+                  - has:
+                      nthChild: 1
+                      kind: identifier
+                      regex: ^password$
+                  - has:
+                      nthChild: 2
+                      matches: define_password