coderabbitai · ESS-ENN · Dec 11, 2024 · Dec 11, 2024 · Dec 11, 2024
diff --git a/rules/python/security/hashids-with-flask-secret-python.yml b/rules/python/security/hashids-with-flask-secret-python.yml
@@ -0,0 +1,201 @@
+id: hashids-with-flask-secret-python
+severity: warning
+language: python
+message: >-
+      The Flask secret key is used as salt in HashIDs. The HashID mechanism
+      is not secure. By observing sufficient HashIDs, the salt used to construct
+      them can be recovered. This means the Flask secret key can be obtained by
+      attackers, through the HashIDs).
+note: >-
+  [CWE-327] Use of a Broken or Risky Cryptographic Algorithm.
+  [REFERENCES]
+      - https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY
+      - http://carnage.github.io/2015/08/cryptanalysis-of-hashids
+utils:
+  hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...):
+    # hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...)
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: attribute
+          regex: ^hashids.Hashids$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: end
+            kind: keyword_argument
+            all:
+             - has:
+                 stopBy: neighbor
+                 kind: identifier
+                 regex: ^salt$
+             - has:
+                 stopBy: neighbor
+                 kind: subscript
+                 pattern: flask.current_app.config['SECRET_KEY']
+  hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...):
+    # hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...)
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: attribute
+          regex: ^hashids.Hashids$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: neighbor
+            kind: subscript
+            pattern: flask.current_app.config['SECRET_KEY']
+  hashids.Hashids($APP.config['SECRET_KEY'], ...):
+    # hashids.Hashids($APP.config['SECRET_KEY'], ...)
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: attribute
+          regex: ^hashids.Hashids$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: neighbor
+            kind: subscript
+            pattern: $APP.config['SECRET_KEY']
+      - inside:
+          stopBy: end
+          kind: module
+          has:
+            stopBy: end
+            kind: expression_statement
+            has:
+              stopBy: neighbor
+              kind: assignment
+              pattern: $APP = flask.Flask($$$)
+  hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...):
+    # hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...)
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: attribute
+          regex: ^hashids.Hashids$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: end
+            kind: keyword_argument
+            all:
+             - has:
+                 stopBy: neighbor
+                 kind: identifier
+                 regex: ^salt$
+             - has:
+                 stopBy: neighbor
+                 kind: subscript
+                 pattern: $APP.config['SECRET_KEY']
+      - inside:
+          stopBy: end
+          kind: module
+          has:
+            stopBy: end
+            kind: expression_statement
+            has:
+              stopBy: neighbor
+              kind: assignment
+              pattern: $APP = flask.Flask($$$)
+  Hashids(salt=app.config['SECRET_KEY']):
+#    from hashids import Hashids
+#    from flask import current_app as app
+#    hash_id = Hashids(salt=app.config['SECRET_KEY'])
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: identifier
+          regex: ^Hashids$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: end
+            kind: keyword_argument
+            all:
+             - has:
+                 stopBy: neighbor
+                 kind: identifier
+                 regex: ^salt$
+             - has:
+                 stopBy: neighbor
+                 kind: subscript
+                 pattern: $APP.config['SECRET_KEY']
+      - inside:
+          stopBy: end
+          kind: module
+          all:
+            - has:
+                stopBy: end
+                kind: import_from_statement
+                pattern: from hashids import Hashids
+            - any:
+              - has:
+                 stopBy: end
+                 kind: import_from_statement
+                 pattern: from flask import current_app as $APP
+              - has:
+                  stopBy: end
+                  kind: expression_statement
+                  has:
+                    stopBy: end
+                    kind: assignment
+                    pattern: $APP = Flask($$$)
+  Hashids(salt=current_app.config['SECRET_KEY']):
+    # from hashids import Hashids
+    # from flask import current_app
+    # hashids = Hashids(min_length=5, salt=current_app.config['SECRET_KEY'])
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: identifier
+          regex: ^Hashids$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: end
+            kind: keyword_argument
+            all:
+             - has:
+                 stopBy: neighbor
+                 kind: identifier
+                 regex: ^salt$
+             - has:
+                 stopBy: neighbor
+                 kind: subscript
+                 pattern: current_app.config['SECRET_KEY']
+      - inside:
+          stopBy: end
+          kind: module
+          all:
+            - has:
+                stopBy: end
+                kind: import_from_statement
+                pattern: from hashids import Hashids
+            - has:
+                stopBy: end
+                kind: import_from_statement
+                pattern: from flask import current_app
+rule:
+ kind: call
+ any:
+   - matches: hashids.Hashids(..., salt=flask.current_app.config['SECRET_KEY'], ...)
+   - matches: hashids.Hashids(flask.current_app.config['SECRET_KEY'], ...)
+   - matches: hashids.Hashids($APP.config['SECRET_KEY'], ...)
+   - matches: hashids.Hashids(..., salt=$APP.config['SECRET_KEY'], ...)
+   - matches: Hashids(salt=app.config['SECRET_KEY'])
+   - matches: Hashids(salt=current_app.config['SECRET_KEY'])
diff --git a/rules/python/security/python-psycopg2-empty-password-python.yml b/rules/python/security/python-psycopg2-empty-password-python.yml
@@ -0,0 +1,89 @@
+id: python-psycopg2-empty-password-python
+severity: warning
+language: python
+message: >-
+      The application creates a database connection with an empty password.
+      This can lead to unauthorized access by either an internal or external
+      malicious actor. To prevent this vulnerability, enforce authentication
+      when connecting to a database by using environment variables to securely
+      provide credentials or retrieving them from a secure vault or HSM
+      (Hardware Security Module).
+note: >-
+  [CWE-287] Improper Authentication.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+  psycopg2.connect(..., password="",...):
+   kind: call
+   all:
+     - has:
+         stopBy: neighbor
+         kind: attribute
+         regex: ^psycopg2.connect$
+     - has:
+         stopBy: neighbor
+         kind: argument_list
+         has:
+           stopBy: end
+           kind: keyword_argument
+           all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: ^password$
+            - has:
+                stopBy: neighbor
+                kind: string
+                not:
+                 has:
+                  stopBy: neighbor
+                  kind: string_content
+  psycopg2.connect(..., password=$VAR,...)_with_instance:
+   kind: call
+   all:
+     - has:
+         stopBy: neighbor
+         kind: attribute
+         regex: ^psycopg2.connect$
+     - has:
+         stopBy: neighbor
+         kind: argument_list
+         has:
+           stopBy: end
+           kind: keyword_argument
+           all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: ^password$
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                pattern: $PSWD
+                nthChild: 2
+     - inside:
+         stopBy: end
+         kind: expression_statement
+         follows:
+          stopBy: end
+          kind: expression_statement
+          has:
+            stopBy: neighbor
+            kind: assignment
+            all:
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+                  pattern: $PSWD
+              - has:
+                  stopBy: neighbor
+                  kind: string
+                  not:
+                    has:
+                      stopBy: neighbor
+                      kind: string_content
+rule:
+  kind: call
+  any:
+    - matches: psycopg2.connect(..., password="",...)
+    - matches: psycopg2.connect(..., password=$VAR,...)_with_instance
diff --git a/rules/python/security/python-urllib3-hardcoded-secret-python.yml b/rules/python/security/python-urllib3-hardcoded-secret-python.yml
@@ -0,0 +1,106 @@
+id: python-urllib3-hardcoded-secret-python
+severity: warning
+language: python
+message: >-
+      A secret is hard-coded in the application. Secrets stored in source
+      code, such as credentials, identifiers, and other types of sensitive data,
+      can be leaked and used by internal or external malicious actors. Use
+      environment variables to securely provide credentials and other secrets or
+      retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798] Use of Hard-coded Credentials.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils: 
+ urllib3.util.make_headers(...,basic_auth="...",...):
+  # urllib3.util.make_headers(...,basic_auth="...",...)
+  kind: call
+  all:
+    - has:
+        stopBy: neighbor
+        kind: attribute
+        regex: 'urllib3.util.make_headers|urllib3.make_headers|requests.packages.urllib3.make_headers|requests.packages.urllib3.util.make_headers'
+    - has:
+        stopBy: neighbor
+        kind: argument_list
+        has:
+          stopBy: end
+          kind: keyword_argument
+          all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: '^basic_auth|proxy_basic_auth$'
+            - has:
+                stopBy: neighbor
+                kind: string
+                has:
+                  stopBy: neighbor
+                  kind: string_content
+ urllib3.util.make_headers(...,basic_auth="...",...)_with_instance:
+  # urllib3.util.make_headers(...,basic_auth="...",...)_with_instance
+  kind: call
+  all:
+    - has:
+        stopBy: neighbor
+        kind: attribute
+        regex: 'urllib3.util.make_headers|urllib3.make_headers|requests.packages.urllib3.make_headers|requests.packages.urllib3.util.make_headers'
+    - has:
+        stopBy: neighbor
+        kind: argument_list
+        has:
+          stopBy: end
+          kind: keyword_argument
+          all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: '^basic_auth|proxy_basic_auth$'
+            - has:
+                stopBy: end
+                kind: identifier
+                pattern: $PASS
+                nthChild: 2
+    - inside:
+        stopBy: end
+        kind: expression_statement
+        follows:
+          stopBy: end
+          kind: expression_statement
+          has:
+            stopBy: neighbor
+            kind: assignment
+            all:
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+                  pattern: $PASS
+              - has:
+                  stopBy: neighbor
+                  kind: string
+                  has:
+                    stopBy: neighbor
+                    kind: string_content
+    - inside:
+        stopBy: end
+        kind: expression_statement
+        not:
+         follows:
+          stopBy: end
+          kind: expression_statement
+          has:
+            stopBy: neighbor
+            kind: assignment
+            all:
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+                  pattern: $PASS
+              - has:
+                  stopBy: neighbor
+                  kind: subscript
+rule:
+  kind: call
+  any:
+    - matches: urllib3.util.make_headers(...,basic_auth="...",...)
+    - matches: urllib3.util.make_headers(...,basic_auth="...",...)_with_instance