-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Security Rules for Flask, psycopg2, and urllib3 in Python Applications #103
base: main
Are you sure you want to change the base?
Conversation
WalkthroughThis pull request introduces three new security rules for Python applications: one for detecting the insecure use of Flask's secret key as salt in HashIDs, another for preventing database connections with empty passwords in psycopg2, and a third for identifying hard-coded secrets in urllib3. Each rule is accompanied by test snapshots and configurations to validate their implementations. The rules are categorized under relevant Common Weakness Enumeration (CWE) identifiers, emphasizing the importance of secure coding practices. Changes
Possibly related PRs
Suggested reviewers
Poem
🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
CodeRabbit Configuration File (
|
Sakshis seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 3
🧹 Outside diff range and nitpick comments (8)
tests/python/python-urllib3-hardcoded-secret-python-test.yml (1)
3-4
: Consider clarifying the valid example syntaxThe valid example
urllib3.util.make_headers(basic_auth=user:123)
might be confusing as it appears to use a literal without quotes. Consider adding more valid examples that demonstrate proper variable usage:# Add these valid examples username = os.getenv('USERNAME') password = os.getenv('PASSWORD') urllib3.util.make_headers(basic_auth=f"{username}:{password}") # Or using a configuration object auth_config = get_auth_config() # from secure storage urllib3.util.make_headers(basic_auth=f"{auth_config.user}:{auth_config.password}")rules/python/security/python-urllib3-hardcoded-secret-python.yml (1)
14-101
: Fix YAML indentation and consider adding referencesWhile the rule patterns are comprehensive, there are some improvements needed:
- Fix the inconsistent YAML indentation throughout the file
- Consider adding more security references:
note: >- [CWE-798] Use of Hard-coded Credentials. [REFERENCES] - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html + - https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password + - https://cwe.mitre.org/data/definitions/798.html + - https://docs.python.org/3/library/os.html#os.getenv🧰 Tools
🪛 yamllint (1.35.1)
[error] 14-14: trailing spaces
(trailing-spaces)
[warning] 19-19: wrong indentation: expected 3 but found 4
(indentation)
[warning] 20-20: wrong indentation: expected 7 but found 8
(indentation)
[warning] 24-24: wrong indentation: expected 7 but found 8
(indentation)
[warning] 27-27: wrong indentation: expected 9 but found 10
(indentation)
[warning] 30-30: wrong indentation: expected 11 but found 12
(indentation)
[warning] 31-31: wrong indentation: expected 15 but found 16
(indentation)
[warning] 35-35: wrong indentation: expected 15 but found 16
(indentation)
[warning] 38-38: wrong indentation: expected 17 but found 18
(indentation)
[warning] 44-44: wrong indentation: expected 3 but found 4
(indentation)
[warning] 45-45: wrong indentation: expected 7 but found 8
(indentation)
[warning] 49-49: wrong indentation: expected 7 but found 8
(indentation)
[warning] 52-52: wrong indentation: expected 9 but found 10
(indentation)
[warning] 55-55: wrong indentation: expected 11 but found 12
(indentation)
[warning] 56-56: wrong indentation: expected 15 but found 16
(indentation)
[warning] 60-60: wrong indentation: expected 15 but found 16
(indentation)
[warning] 65-65: wrong indentation: expected 7 but found 8
(indentation)
[warning] 68-68: wrong indentation: expected 9 but found 10
(indentation)
[warning] 71-71: wrong indentation: expected 11 but found 12
(indentation)
[warning] 74-74: wrong indentation: expected 13 but found 14
(indentation)
[warning] 75-75: wrong indentation: expected 17 but found 18
(indentation)
[warning] 79-79: wrong indentation: expected 17 but found 18
(indentation)
[warning] 82-82: wrong indentation: expected 19 but found 20
(indentation)
[warning] 85-85: wrong indentation: expected 7 but found 8
(indentation)
[warning] 92-92: wrong indentation: expected 11 but found 12
(indentation)
[warning] 95-95: wrong indentation: expected 13 but found 14
(indentation)
[warning] 96-96: wrong indentation: expected 17 but found 18
(indentation)
[warning] 100-100: wrong indentation: expected 17 but found 18
(indentation)
rules/python/security/hashids-with-flask-secret-python.yml (2)
4-8
: Fix typo in the warning messageThere's an extra parenthesis in the message that affects readability.
Apply this diff:
The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by - attackers, through the HashIDs). + attackers through the HashIDs.
14-192
: Consider adding pattern for direct secret key accessThe patterns cover various ways of accessing Flask's secret key through config, but might miss direct access to
secret_key
attribute.Consider adding patterns for:
# Pattern: Direct secret_key access app.secret_key current_app.secret_keytests/python/hashids-with-flask-secret-python-test.yml (1)
1-25
: Consider adding edge case test scenariosWhile the current test coverage is good, consider adding these edge cases:
- Using a variable assigned from
app.config['SECRET_KEY']
- Using string concatenation or formatting with the secret key
- Using dictionary unpacking with config values
Example test cases:
# Variable assignment secret = app.config['SECRET_KEY'] hashids = Hashids(salt=secret) # String formatting hashids = Hashids(salt=f"{app.config['SECRET_KEY']}_suffix") # Dict unpacking config = {'salt': app.config['SECRET_KEY']} hashids = Hashids(**config)tests/__snapshots__/hashids-with-flask-secret-python-snapshot.yml (1)
1-230
: Consider using relative positions for source mappingsThe current absolute source positions (start/end) might be fragile to code changes. Consider using relative positions or pattern-based matching where possible.
Example approach:
# Instead of absolute positions: start: 74 end: 126 # Consider relative positions from anchor points: anchor: "Hashids(" offset_start: 0 offset_end: 52tests/python/python-psycopg2-empty-password-python-test.yml (1)
5-10
: Consider adding more test cases for comprehensive coverage.While the current invalid cases cover empty string scenarios well, consider adding these additional cases for better coverage:
invalid: - | psycopg2.connect(password="") - | PASSWORD = "" psycopg2.connect(password=PASSWORD) + - | + psycopg2.connect(password=None) + - | + psycopg2.connect(password=" ") + - | + PASSWORD = None + psycopg2.connect(password=PASSWORD)rules/python/security/python-psycopg2-empty-password-python.yml (1)
1-14
: Enhance security message with specific mitigation steps.The message and documentation are good, but could be more actionable by including specific code examples.
message: >- The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM - (Hardware Security Module). + (Hardware Security Module). + + Example of secure implementation: + ```python + import os + password = os.environ.get('DB_PASSWORD') + if not password: + raise ValueError("Database password must be configured") + psycopg2.connect(password=password) + ```
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
📒 Files selected for processing (9)
rules/python/security/hashids-with-flask-secret-python.yml
(1 hunks)rules/python/security/python-psycopg2-empty-password-python.yml
(1 hunks)rules/python/security/python-urllib3-hardcoded-secret-python.yml
(1 hunks)tests/__snapshots__/hashids-with-flask-secret-python-snapshot.yml
(1 hunks)tests/__snapshots__/python-psycopg2-empty-password-python-snapshot.yml
(1 hunks)tests/__snapshots__/python-urllib3-hardcoded-secret-python-snapshot.yml
(1 hunks)tests/python/hashids-with-flask-secret-python-test.yml
(1 hunks)tests/python/python-psycopg2-empty-password-python-test.yml
(1 hunks)tests/python/python-urllib3-hardcoded-secret-python-test.yml
(1 hunks)
✅ Files skipped from review due to trivial changes (1)
- tests/snapshots/python-psycopg2-empty-password-python-snapshot.yml
🧰 Additional context used
🪛 yamllint (1.35.1)
rules/python/security/python-urllib3-hardcoded-secret-python.yml
[error] 14-14: trailing spaces
(trailing-spaces)
[warning] 19-19: wrong indentation: expected 3 but found 4
(indentation)
[warning] 20-20: wrong indentation: expected 7 but found 8
(indentation)
[warning] 24-24: wrong indentation: expected 7 but found 8
(indentation)
[warning] 27-27: wrong indentation: expected 9 but found 10
(indentation)
[warning] 30-30: wrong indentation: expected 11 but found 12
(indentation)
[warning] 31-31: wrong indentation: expected 15 but found 16
(indentation)
[warning] 35-35: wrong indentation: expected 15 but found 16
(indentation)
[warning] 38-38: wrong indentation: expected 17 but found 18
(indentation)
[warning] 44-44: wrong indentation: expected 3 but found 4
(indentation)
[warning] 45-45: wrong indentation: expected 7 but found 8
(indentation)
[warning] 49-49: wrong indentation: expected 7 but found 8
(indentation)
[warning] 52-52: wrong indentation: expected 9 but found 10
(indentation)
[warning] 55-55: wrong indentation: expected 11 but found 12
(indentation)
[warning] 56-56: wrong indentation: expected 15 but found 16
(indentation)
[warning] 60-60: wrong indentation: expected 15 but found 16
(indentation)
[warning] 65-65: wrong indentation: expected 7 but found 8
(indentation)
[warning] 68-68: wrong indentation: expected 9 but found 10
(indentation)
[warning] 71-71: wrong indentation: expected 11 but found 12
(indentation)
[warning] 74-74: wrong indentation: expected 13 but found 14
(indentation)
[warning] 75-75: wrong indentation: expected 17 but found 18
(indentation)
[warning] 79-79: wrong indentation: expected 17 but found 18
(indentation)
[warning] 82-82: wrong indentation: expected 19 but found 20
(indentation)
[warning] 85-85: wrong indentation: expected 7 but found 8
(indentation)
[warning] 92-92: wrong indentation: expected 11 but found 12
(indentation)
[warning] 95-95: wrong indentation: expected 13 but found 14
(indentation)
[warning] 96-96: wrong indentation: expected 17 but found 18
(indentation)
[warning] 100-100: wrong indentation: expected 17 but found 18
(indentation)
[warning] 103-103: wrong indentation: expected 1 but found 2
(indentation)
[warning] 105-105: wrong indentation: expected 3 but found 4
(indentation)
tests/python/python-urllib3-hardcoded-secret-python-test.yml
[error] 14-14: trailing spaces
(trailing-spaces)
[error] 17-17: trailing spaces
(trailing-spaces)
🔇 Additional comments (5)
tests/python/python-urllib3-hardcoded-secret-python-test.yml (1)
6-19
: LGTM! Comprehensive coverage of invalid patterns
The invalid test cases effectively cover various problematic patterns:
- Direct string literals in basic_auth
- Direct string literals in proxy_basic_auth
- String concatenation with hard-coded values
- Variable assignments with hard-coded values
- Different package import paths
🧰 Tools
🪛 yamllint (1.35.1)
[error] 14-14: trailing spaces
(trailing-spaces)
[error] 17-17: trailing spaces
(trailing-spaces)
rules/python/security/python-urllib3-hardcoded-secret-python.yml (1)
4-13
: LGTM! Clear and informative security message
The message effectively:
- Explains the security risk
- Provides mitigation strategies
- References relevant security standards
tests/__snapshots__/python-urllib3-hardcoded-secret-python-snapshot.yml (1)
1-238
: LGTM! Comprehensive and accurate test snapshots
The snapshots effectively:
- Map all test cases with precise source locations
- Include both full expressions and their components
- Maintain consistent style categorization
rules/python/security/hashids-with-flask-secret-python.yml (1)
193-201
: LGTM! Comprehensive pattern matching
The rule effectively combines all utility patterns to catch various ways of using Flask's secret key as salt in HashIDs.
tests/python/python-psycopg2-empty-password-python-test.yml (1)
1-4
: LGTM! Valid test case looks good.
The valid test case correctly demonstrates proper password usage.
Summary by CodeRabbit
New Features
hashids-with-flask-secret-python
: Flags use of Flask secret key as salt in HashIDs.python-psycopg2-empty-password-python
: Warns against using empty passwords in database connections.python-urllib3-hardcoded-secret-python
: Identifies hard-coded secrets in HTTP headers.Tests