diff --git a/rules/csharp/security/npgsqlconnectionstringbuilder-hardcoded-secret-csharp.yml b/rules/csharp/security/npgsqlconnectionstringbuilder-hardcoded-secret-csharp.yml
new file mode 100644
index 00000000..870304d6
--- /dev/null
+++ b/rules/csharp/security/npgsqlconnectionstringbuilder-hardcoded-secret-csharp.yml
@@ -0,0 +1,246 @@ +id: npgsqlconnectionstringbuilder-hardcoded-secret-csharp +language: csharp +severity: warning +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798]: Use of Hard-coded Credentials + [OWASP A07:2021]: Identification and Authentication Failures + [REFERENCES] + https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +utils: + match_assignment_expression: + kind: assignment_expression + all: + - has: + stopBy: end + kind: member_access_expression + all: + - has: + stopBy: end + kind: identifier + field: expression + pattern: $R + - has: + stopBy: end + kind: identifier + field: name + regex: "^Password$" + - has: + stopBy: end + kind: string_literal + has: + stopBy: end + kind: string_literal_content + inside: + stopBy: end + kind: expression_statement + follows: + stopBy: end + kind: local_declaration_statement + all: + - has: + stopBy: end + kind: variable_declaration + has: + stopBy: end + kind: identifier + field: type + regex: "^NpgsqlConnectionStringBuilder$" + - has: + stopBy: end + kind: variable_declarator + has: + stopBy: end + field: name + kind: identifier + pattern: $R + - has: + stopBy: end + kind: object_creation_expression + all: + - has: + stopBy: end + kind: identifier + field: type + - has: + stopBy: end + field: arguments + kind: argument_list + match_assignment_with_bracket: + kind: assignment_expression + all: + - has: + stopBy: end + kind: element_access_expression + all: + - has: + stopBy: end + kind: identifier + field: expression + pattern: $R + - has: + stopBy: end + kind: bracketed_argument_list + field: subscript + - has: + stopBy: end + kind: argument + 
- has: + stopBy: end + kind: string_literal + has: + stopBy: end + kind: string_literal_content + regex: "^Password$" + all: + - not: + precedes: + stopBy: end + kind: element_access_expression + - not: + precedes: + stopBy: end + kind: identifier + - has: + stopBy: end + kind: string_literal + has: + stopBy: end + kind: string_literal_content + inside: + stopBy: end + kind: expression_statement + follows: + stopBy: end + kind: local_declaration_statement + all: + - has: + stopBy: end + kind: variable_declaration + has: + stopBy: end + kind: identifier + field: type + regex: "^NpgsqlConnectionStringBuilder$" + - has: + stopBy: end + kind: variable_declarator + has: + stopBy: end + kind: identifier + field: name + pattern: $R + - has: + stopBy: end + kind: object_creation_expression + all: + - has: + stopBy: end + kind: identifier + field: type + - has: + stopBy: end + field: arguments + kind: argument_list + match_assignment_expression_with_instance: + kind: assignment_expression + all: + - has: + stopBy: end + kind: element_access_expression + all: + - has: + stopBy: end + kind: identifier + field: expression + pattern: $R + - has: + stopBy: end + kind: bracketed_argument_list + field: subscript + - has: + stopBy: end + kind: argument + - has: + stopBy: end + kind: string_literal + has: + stopBy: end + kind: string_literal_content + regex: "^Password$" + not: + precedes: + stopBy: end + kind: element_access_expression + - has: + kind: identifier + pattern: $F + inside: + stopBy: end + kind: expression_statement + follows: + stopBy: end + kind: local_declaration_statement + all: + - has: + stopBy: end + kind: variable_declaration + has: + kind: predefined_type + - has: + stopBy: end + kind: variable_declarator + has: + stopBy: end + kind: identifier + field: name + pattern: $F + - has: + stopBy: end + kind: string_literal + has: + stopBy: end + kind: string_literal_content + follows: + stopBy: end + kind: local_declaration_statement + all: + - has: + stopBy: end + 
kind: variable_declaration + has: + stopBy: end + kind: identifier + field: type + regex: "^NpgsqlConnectionStringBuilder$" + - has: + stopBy: end + kind: variable_declarator + has: + stopBy: end + kind: identifier + field: name + pattern: $R + - has: + stopBy: end + kind: object_creation_expression + all: + - has: + stopBy: end + kind: identifier + field: type + - has: + stopBy: end + field: arguments + kind: argument_list + +rule: + any: + - matches: match_assignment_expression + - matches: match_assignment_with_bracket + - matches: match_assignment_expression_with_instance diff --git a/rules/python/security/python-peewee-pg-hardcoded-secret-python.yml b/rules/python/security/python-peewee-pg-hardcoded-secret-python.yml new file mode 100644 index 00000000..dcb5017a --- /dev/null +++ b/rules/python/security/python-peewee-pg-hardcoded-secret-python.yml 
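Review bot: The `regex: "^Password$"` on the indexer key in match_assignment_with_bracket and match_assignment_expression_with_instance is case-sensitive, so `urlBuilder["password"] = "hunter2"` carries the same hard-coded secret but is not reported; since NpgsqlConnectionStringBuilder keys are connection-string keywords, a case-insensitive match such as `regex: "(?i)^password$"` is the safer choice (whether the builder also accepts keyword aliases like `PWD` should be confirmed against the Npgsql version in use before adding them). Coverage is also asymmetric between the two access forms: match_assignment_expression only accepts a string literal on the right-hand side, so `urlBuilder.Password = password;` with `string password = "aaa";` declared just above is missed, while the identical flow through `urlBuilder["Password"] = password;` is caught by the third util. The object-initializer form `new NpgsqlConnectionStringBuilder { Password = "..." }` and a literal connection string passed to the constructor are matched by none of the three utils, which is worth stating in the rule's note if it is intentional.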
@@ -0,0 +1,209 @@ +id: python-peewee-pg-hardcoded-secret-python +severity: warning +language: python +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +utils: + $DB(..., password="...",...): + # $DB(..., password="...",...) + kind: call + all: + - has: + stopBy: neighbor + pattern: $DB + regex: ^PostgresqlDatabase|peewee.PostgresqlDatabase|PostgresqlExtDatabase|playhouse.postgres_ext.PostgresqlExtDatabase|PooledPostgresqlDatabase|playhouse.pool.PooledPostgresqlDatabase|CockroachDatabase|playhouse.cockroachdb.CockroachDatabase|PooledCockroachDatabase|playhouse.cockroachdb.PooledCockroachDatabase$ + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: end + kind: keyword_argument + all: + - has: + stopBy: neighbor + kind: identifier + regex: ^password|passwd$ + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_content + $DB(..., password=$VAR,...): + # $DB(..., password=$VAR,...)_with_instance + kind: call + all: + - has: + stopBy: neighbor + pattern: $DB + regex: ^PostgresqlDatabase|peewee.PostgresqlDatabase|PostgresqlExtDatabase|playhouse.postgres_ext.PostgresqlExtDatabase|PooledPostgresqlDatabase|playhouse.pool.PooledPostgresqlDatabase|CockroachDatabase|playhouse.cockroachdb.CockroachDatabase|PooledCockroachDatabase|playhouse.cockroachdb.PooledCockroachDatabase$ + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: end + kind: keyword_argument + all: + - has: + stopBy: neighbor + kind: identifier + regex: ^password|passwd$ + - has: + 
stopBy: neighbor + kind: identifier + pattern: $R + nthChild: 2 + - inside: + stopBy: end + kind: expression_statement + follows: + stopBy: end + kind: expression_statement + has: + stopBy: neighbor + kind: assignment + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $R + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_content + $X.init(..., password="...", ...): + # $X.init(..., password="...", ...) + kind: call + all: + - has: + stopBy: neighbor + kind: attribute + all: + - has: + stopBy: neighbor + pattern: $D + nthChild: 1 + - has: + stopBy: neighbor + kind: identifier + regex: ^init$ + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: end + kind: keyword_argument + all: + - has: + stopBy: neighbor + kind: identifier + regex: ^password|passwd$ + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_content + - inside: + stopBy: end + kind: expression_statement + follows: + stopBy: end + kind: expression_statement + has: + stopBy: neighbor + kind: assignment + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $D + - has: + stopBy: neighbor + regex: ^PostgresqlDatabase|peewee.PostgresqlDatabase|PostgresqlExtDatabase|playhouse.postgres_ext.PostgresqlExtDatabase|PooledPostgresqlDatabase|playhouse.pool.PooledPostgresqlDatabase|CockroachDatabase|playhouse.cockroachdb.CockroachDatabase|PooledCockroachDatabase|playhouse.cockroachdb.PooledCockroachDatabase$ + $X.init(..., password=$VAR, ...): + # $X.init(..., password=$VAR, ...) 
+ kind: call + all: + - has: + stopBy: neighbor + kind: attribute + all: + - has: + stopBy: neighbor + pattern: $D + nthChild: 1 + - has: + stopBy: neighbor + kind: identifier + regex: ^init$ + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: end + kind: keyword_argument + all: + - has: + stopBy: neighbor + kind: identifier + regex: ^password|passwd$ + - has: + stopBy: neighbor + kind: identifier + pattern: $PASS + nthChild: 2 + - inside: + stopBy: end + kind: expression_statement + follows: + stopBy: end + kind: expression_statement + has: + stopBy: neighbor + kind: assignment + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $D + - has: + stopBy: neighbor + regex: ^PostgresqlDatabase|peewee.PostgresqlDatabase|PostgresqlExtDatabase|playhouse.postgres_ext.PostgresqlExtDatabase|PooledPostgresqlDatabase|playhouse.pool.PooledPostgresqlDatabase|CockroachDatabase|playhouse.cockroachdb.CockroachDatabase|PooledCockroachDatabase|playhouse.cockroachdb.PooledCockroachDatabase$ + - inside: + stopBy: end + kind: expression_statement + follows: + stopBy: end + kind: expression_statement + has: + stopBy: neighbor + kind: assignment + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $PASS + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_content +rule: + kind: call + any: + - matches: $DB(..., password="...",...) + - matches: $DB(..., password=$VAR,...) + - matches: $X.init(..., password="...", ...) + - matches: $X.init(..., password=$VAR, ...) diff --git a/rules/python/security/python-pg8000-hardcoded-secret-python.yml b/rules/python/security/python-pg8000-hardcoded-secret-python.yml new file mode 100644 index 00000000..fc3d948d --- /dev/null +++ b/rules/python/security/python-pg8000-hardcoded-secret-python.yml 
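Review bot: The alternations in `regex: ^password|passwd$` and in the `$DB` class-name regex are not grouped, so `^` anchors only the first alternative and `$` only the last; in the keyword check `^password` then matches any argument name starting with `password`, and in the class-name check the middle alternatives match as substrings of an unrelated callee (e.g. a project's `MyPooledPostgresqlDatabaseProxy`), and the unescaped dots match any character. Group and escape them: `regex: ^(password|passwd)$` and `regex: ^(peewee\.|playhouse\.(postgres_ext|pool|cockroachdb)\.)?(PostgresqlDatabase|PostgresqlExtDatabase|PooledPostgresqlDatabase|CockroachDatabase|PooledCockroachDatabase)$` (keep the exact list of module prefixes that are intended). The `$VAR` utils resolve the identifier through `follows` with `stopBy: end`, so any earlier sibling assignment of a string literal to the same name triggers a finding even if the name was later rebound to a non-literal (e.g. read from the environment); that is an acceptable over-approximation for a secret scanner, but the rule's note should say so.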
@@ -0,0 +1,251 @@ +id: python-pg8000-hardcoded-secret-python +severity: warning +language: python +message: >- + The application creates a database connection with an empty password. + This can lead to unauthorized access by either an internal or external + malicious actor. To prevent this vulnerability, enforce authentication + when connecting to a database by using environment variables to securely + provide credentials or retrieving them from a secure vault or HSM + (Hardware Security Module). +note: >- + [CWE-287] Improper Authentication. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +utils: + pg8000.dbapi.connect(..., password="...",...): + # pg8000.dbapi.connect(..., password="...",...) + kind: call + all: + - has: + stopBy: neighbor + pattern: $DB + regex: ^pg8000.dbapi.connect|pg8000.native.Connection$ + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: end + kind: keyword_argument + all: + - has: + stopBy: neighbor + kind: identifier + regex: ^password$ + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_content + pg8000.dbapi.connect(..., password=$VAR,...): + # pg8000.dbapi.connect(..., password=$VAR,...)_with_instance + kind: call + all: + - has: + stopBy: neighbor + pattern: $DB + regex: ^pg8000.dbapi.connect|pg8000.native.Connection$ + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: end + kind: keyword_argument + all: + - has: + stopBy: neighbor + kind: identifier + regex: ^password|passwd$ + - has: + stopBy: neighbor + kind: identifier + pattern: $R + nthChild: 2 + - inside: + stopBy: end + kind: expression_statement + follows: + stopBy: end + kind: expression_statement + has: + stopBy: neighbor + kind: assignment + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $R + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_content + connect(..., password="...",...): + # connect(..., 
password="...",...) + kind: call + all: + - has: + stopBy: neighbor + pattern: $DB + regex: ^connect$ + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: end + kind: keyword_argument + all: + - has: + stopBy: neighbor + kind: identifier + regex: ^password$ + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_content + - inside: + stopBy: end + kind: module + any: + - has: + stopBy: end + kind: import_from_statement + any: + - pattern: from pg8000.dbapi import connect + - pattern: from pg8000.native import connect + connect(..., password=$VAR,...): + # connect(..., password=$VAR,...) + kind: call + all: + - has: + stopBy: neighbor + pattern: $DB + regex: ^connect$ + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: end + kind: keyword_argument + all: + - has: + stopBy: neighbor + kind: identifier + regex: ^password$ + - has: + stopBy: neighbor + kind: identifier + pattern: $Z + nthChild: 2 + - inside: + stopBy: end + kind: module + has: + stopBy: end + kind: import_from_statement + any: + - pattern: from pg8000.dbapi import connect + - pattern: from pg8000.native import connect + - inside: + stopBy: end + kind: expression_statement + follows: + stopBy: end + kind: expression_statement + has: + stopBy: neighbor + kind: assignment + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $Z + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_content + $$$.connect(..., password=$VAR,...): + # $$$.connect(..., password=$VAR,...) 
+ kind: call + all: + - has: + stopBy: neighbor + kind: attribute + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $PG + nthChild: 1 + - has: + stopBy: neighbor + kind: identifier + regex: ^Connection$ + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: end + kind: keyword_argument + all: + - has: + stopBy: neighbor + kind: identifier + regex: ^password$ + - has: + stopBy: neighbor + kind: identifier + pattern: $A + nthChild: 2 + - inside: + stopBy: end + kind: module + has: + stopBy: end + kind: import_statement + has: + stopBy: neighbor + kind: aliased_import + all: + - has: + stopBy: neighbor + kind: dotted_name + regex: ^pg8000.native$ + - has: + stopBy: neighbor + kind: identifier + pattern: $PG + - inside: + stopBy: end + kind: expression_statement + follows: + stopBy: end + kind: expression_statement + has: + stopBy: neighbor + kind: assignment + all: + - has: + stopBy: neighbor + kind: identifier + pattern: $A + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_content +rule: + kind: call + any: + - matches: pg8000.dbapi.connect(..., password="...",...) + - matches: pg8000.dbapi.connect(..., password=$VAR,...) + - matches: connect(..., password="...",...) + - matches: connect(..., password=$VAR,...) + - matches: $$$.connect(..., password=$VAR,...) diff --git a/tests/__snapshots__/npgsqlconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml b/tests/__snapshots__/npgsqlconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml new file mode 100644 index 00000000..834ee99a --- /dev/null +++ b/tests/__snapshots__/npgsqlconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml 
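Review bot: The message and note of this rule describe an empty-password finding (`[CWE-287] Improper Authentication.`), but every util only fires when `password=` is a non-empty string_content or an identifier bound to one, i.e. a hard-coded credential; findings will be mislabeled and routed to the wrong weakness. Replace the note with `[CWE-798] Use of Hard-coded Credentials.` and the message with the "A secret is hard-coded in the application ..." text the sibling rules use. The util named `$$$.connect(..., password=$VAR,...)` actually matches `$PG.Connection(...)` under an `import pg8000.native as $PG` alias; there is no counterpart for the aliased call with a string literal, and the bare `connect(...)` utils only recognise `from pg8000.dbapi import connect` / `from pg8000.native import connect`, so `from pg8000.native import Connection` followed by `Connection(..., password="...")` is not reported. Also, the second util uses `regex: ^password|passwd$` while the others use `^password$`; besides the ungrouped `^` binding only to the first alternative, the two should agree on the accepted keyword names.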
@@ -0,0 +1,264 @@ +id: npgsqlconnectionstringbuilder-hardcoded-secret-csharp +snapshots: + ? | + using System; + using Npgsql; + namespace a + { + class Program + { + static void Main(string[] args) + { + NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); + string password = "aaa"; + urlBuilder.Password = "aaaa"; + } + } + } + : labels: + - source: urlBuilder.Password = "aaaa" + style: primary + start: 197 + end: 225 + - source: urlBuilder + style: secondary + start: 197 + end: 207 + - source: Password + style: secondary + start: 208 + end: 216 + - source: urlBuilder.Password + style: secondary + start: 197 + end: 216 + - source: aaaa + style: secondary + start: 220 + end: 224 + - source: '"aaaa"' + style: secondary + start: 219 + end: 225 + - source: NpgsqlConnectionStringBuilder + style: secondary + start: 92 + end: 121 + - source: NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder() + style: secondary + start: 92 + end: 170 + - source: urlBuilder + style: secondary + start: 122 + end: 132 + - source: urlBuilder = new NpgsqlConnectionStringBuilder() + style: secondary + start: 122 + end: 170 + - source: NpgsqlConnectionStringBuilder + style: secondary + start: 139 + end: 168 + - source: () + style: secondary + start: 168 + end: 170 + - source: new NpgsqlConnectionStringBuilder() + style: secondary + start: 135 + end: 170 + - source: NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); + style: secondary + start: 92 + end: 171 + - source: urlBuilder.Password = "aaaa"; + style: secondary + start: 197 + end: 226 + ? 
| + using System; + using Npgsql; + namespace a + { + class Program + { + static void Main(string[] args) + { + NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); + string password = "aaa"; + urlBuilder["Password"] = "aaaa"; + } + } + } + : labels: + - source: urlBuilder["Password"] = "aaaa" + style: primary + start: 197 + end: 228 + - source: urlBuilder + style: secondary + start: 197 + end: 207 + - source: '["Password"]' + style: secondary + start: 207 + end: 219 + - source: '"Password"' + style: secondary + start: 208 + end: 218 + - source: Password + style: secondary + start: 209 + end: 217 + - source: '"Password"' + style: secondary + start: 208 + end: 218 + - source: urlBuilder["Password"] + style: secondary + start: 197 + end: 219 + - source: Password + style: secondary + start: 209 + end: 217 + - source: '"Password"' + style: secondary + start: 208 + end: 218 + - source: NpgsqlConnectionStringBuilder + style: secondary + start: 92 + end: 121 + - source: NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder() + style: secondary + start: 92 + end: 170 + - source: urlBuilder + style: secondary + start: 122 + end: 132 + - source: urlBuilder = new NpgsqlConnectionStringBuilder() + style: secondary + start: 122 + end: 170 + - source: NpgsqlConnectionStringBuilder + style: secondary + start: 139 + end: 168 + - source: () + style: secondary + start: 168 + end: 170 + - source: new NpgsqlConnectionStringBuilder() + style: secondary + start: 135 + end: 170 + - source: NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); + style: secondary + start: 92 + end: 171 + - source: urlBuilder["Password"] = "aaaa"; + style: secondary + start: 197 + end: 229 + ? 
"using System;\nusing Npgsql;\nnamespace a\n{\nclass Program\n{\nstatic void Main(string[] args)\n{\nNpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder();\nstring password = \"aaa\"; \nurlBuilder[\"Password\"] = password;\n}\n}\n}\n" + : labels: + - source: urlBuilder["Password"] = password + style: primary + start: 199 + end: 232 + - source: urlBuilder + style: secondary + start: 199 + end: 209 + - source: '["Password"]' + style: secondary + start: 209 + end: 221 + - source: '"Password"' + style: secondary + start: 210 + end: 220 + - source: Password + style: secondary + start: 211 + end: 219 + - source: '"Password"' + style: secondary + start: 210 + end: 220 + - source: urlBuilder["Password"] + style: secondary + start: 199 + end: 221 + - source: password + style: secondary + start: 224 + end: 232 + - source: string + style: secondary + start: 172 + end: 178 + - source: string password = "aaa" + style: secondary + start: 172 + end: 195 + - source: password + style: secondary + start: 179 + end: 187 + - source: password = "aaa" + style: secondary + start: 179 + end: 195 + - source: aaa + style: secondary + start: 191 + end: 194 + - source: '"aaa"' + style: secondary + start: 190 + end: 195 + - source: NpgsqlConnectionStringBuilder + style: secondary + start: 92 + end: 121 + - source: NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder() + style: secondary + start: 92 + end: 170 + - source: urlBuilder + style: secondary + start: 122 + end: 132 + - source: urlBuilder = new NpgsqlConnectionStringBuilder() + style: secondary + start: 122 + end: 170 + - source: NpgsqlConnectionStringBuilder + style: secondary + start: 139 + end: 168 + - source: () + style: secondary + start: 168 + end: 170 + - source: new NpgsqlConnectionStringBuilder() + style: secondary + start: 135 + end: 170 + - source: NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); + style: secondary + start: 92 + end: 171 + - 
source: string password = "aaa"; + style: secondary + start: 172 + end: 196 + - source: urlBuilder["Password"] = password; + style: secondary + start: 199 + end: 233 diff --git a/tests/__snapshots__/python-peewee-pg-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-peewee-pg-hardcoded-secret-python-snapshot.yml new file mode 100644 index 00000000..6becfce1 --- /dev/null +++ b/tests/__snapshots__/python-peewee-pg-hardcoded-secret-python-snapshot.yml 
@@ -0,0 +1,340 @@ +id: python-peewee-pg-hardcoded-secret-python +snapshots: + ? | + database = PostgresqlDatabase(None) + database.init('database_name', host='localhost', user='postgres', password='password') + : labels: + - source: database.init('database_name', host='localhost', user='postgres', password='password') + style: primary + start: 36 + end: 122 + - source: database + style: secondary + start: 36 + end: 44 + - source: init + style: secondary + start: 45 + end: 49 + - source: database.init + style: secondary + start: 36 + end: 49 + - source: password + style: secondary + start: 102 + end: 110 + - source: password + style: secondary + start: 112 + end: 120 + - source: '''password''' + style: secondary + start: 111 + end: 121 + - source: password='password' + style: secondary + start: 102 + end: 121 + - source: ('database_name', host='localhost', user='postgres', password='password') + style: secondary + start: 49 + end: 122 + - source: database + style: secondary + start: 0 + end: 8 + - source: PostgresqlDatabase(None) + style: secondary + start: 11 + end: 35 + - source: database = PostgresqlDatabase(None) + style: secondary + start: 0 + end: 35 + - source: database = PostgresqlDatabase(None) + style: secondary + start: 0 + end: 35 + - source: database.init('database_name', host='localhost', user='postgres', password='password') + style: secondary + start: 36 + end: 122 + ? 
| + database = PostgresqlDatabase(None) + pswd = "password" + database.init('database_name', host='localhost', user='postgres', password=pswd) + : labels: + - source: database.init('database_name', host='localhost', user='postgres', password=pswd) + style: primary + start: 54 + end: 134 + - source: database + style: secondary + start: 54 + end: 62 + - source: init + style: secondary + start: 63 + end: 67 + - source: database.init + style: secondary + start: 54 + end: 67 + - source: password + style: secondary + start: 120 + end: 128 + - source: pswd + style: secondary + start: 129 + end: 133 + - source: password=pswd + style: secondary + start: 120 + end: 133 + - source: ('database_name', host='localhost', user='postgres', password=pswd) + style: secondary + start: 67 + end: 134 + - source: database + style: secondary + start: 0 + end: 8 + - source: PostgresqlDatabase(None) + style: secondary + start: 11 + end: 35 + - source: database = PostgresqlDatabase(None) + style: secondary + start: 0 + end: 35 + - source: database = PostgresqlDatabase(None) + style: secondary + start: 0 + end: 35 + - source: database.init('database_name', host='localhost', user='postgres', password=pswd) + style: secondary + start: 54 + end: 134 + - source: pswd + style: secondary + start: 36 + end: 40 + - source: password + style: secondary + start: 44 + end: 52 + - source: '"password"' + style: secondary + start: 43 + end: 53 + - source: pswd = "password" + style: secondary + start: 36 + end: 53 + - source: pswd = "password" + style: secondary + start: 36 + end: 53 + - source: database.init('database_name', host='localhost', user='postgres', password=pswd) + style: secondary + start: 54 + end: 134 + ? 
| + db_rch_p = PooledCockroachDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432) + : labels: + - source: PooledCockroachDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432) + style: primary + start: 11 + end: 110 + - source: PooledCockroachDatabase + style: secondary + start: 11 + end: 34 + - source: password + style: secondary + start: 62 + end: 70 + - source: password + style: secondary + start: 72 + end: 80 + - source: '''password''' + style: secondary + start: 71 + end: 81 + - source: password='password' + style: secondary + start: 62 + end: 81 + - source: ('my_app', user='postgres', password='password', host='10.1.0.9', port=5432) + style: secondary + start: 34 + end: 110 + ? | + pg_db1 = PostgresqlDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432) + : labels: + - source: PostgresqlDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432) + style: primary + start: 9 + end: 103 + - source: PostgresqlDatabase + style: secondary + start: 9 + end: 27 + - source: password + style: secondary + start: 55 + end: 63 + - source: password + style: secondary + start: 65 + end: 73 + - source: '''password''' + style: secondary + start: 64 + end: 74 + - source: password='password' + style: secondary + start: 55 + end: 74 + - source: ('my_app', user='postgres', password='password', host='10.1.0.9', port=5432) + style: secondary + start: 27 + end: 103 + ? 
| + pool = PooledPostgresqlDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432) + : labels: + - source: PooledPostgresqlDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432) + style: primary + start: 7 + end: 107 + - source: PooledPostgresqlDatabase + style: secondary + start: 7 + end: 31 + - source: password + style: secondary + start: 59 + end: 67 + - source: password + style: secondary + start: 69 + end: 77 + - source: '''password''' + style: secondary + start: 68 + end: 78 + - source: password='password' + style: secondary + start: 59 + end: 78 + - source: ('my_app', user='postgres', password='password', host='10.1.0.9', port=5432) + style: secondary + start: 31 + end: 107 + ? | + pswd = "password" + pg_db2 = PostgresqlDatabase('my_app', user='postgres', password=pswd, host='10.1.0.9', port=5432) + : labels: + - source: PostgresqlDatabase('my_app', user='postgres', password=pswd, host='10.1.0.9', port=5432) + style: primary + start: 27 + end: 115 + - source: PostgresqlDatabase + style: secondary + start: 27 + end: 45 + - source: password + style: secondary + start: 73 + end: 81 + - source: pswd + style: secondary + start: 82 + end: 86 + - source: password=pswd + style: secondary + start: 73 + end: 86 + - source: ('my_app', user='postgres', password=pswd, host='10.1.0.9', port=5432) + style: secondary + start: 45 + end: 115 + - source: pswd + style: secondary + start: 0 + end: 4 + - source: password + style: secondary + start: 8 + end: 16 + - source: '"password"' + style: secondary + start: 7 + end: 17 + - source: pswd = "password" + style: secondary + start: 0 + end: 17 + - source: pswd = "password" + style: secondary + start: 0 + end: 17 + - source: pg_db2 = PostgresqlDatabase('my_app', user='postgres', password=pswd, host='10.1.0.9', port=5432) + style: secondary + start: 18 + end: 115 + ? 
| + pswd = "password" + pg_db2 = PostgresqlExtDatabase('my_app', user='postgres', password=pswd, host='10.1.0.9', port=5432) + : labels: + - source: PostgresqlExtDatabase('my_app', user='postgres', password=pswd, host='10.1.0.9', port=5432) + style: primary + start: 27 + end: 118 + - source: PostgresqlExtDatabase + style: secondary + start: 27 + end: 48 + - source: password + style: secondary + start: 76 + end: 84 + - source: pswd + style: secondary + start: 85 + end: 89 + - source: password=pswd + style: secondary + start: 76 + end: 89 + - source: ('my_app', user='postgres', password=pswd, host='10.1.0.9', port=5432) + style: secondary + start: 48 + end: 118 + - source: pswd + style: secondary + start: 0 + end: 4 + - source: password + style: secondary + start: 8 + end: 16 + - source: '"password"' + style: secondary + start: 7 + end: 17 + - source: pswd = "password" + style: secondary + start: 0 + end: 17 + - source: pswd = "password" + style: secondary + start: 0 + end: 17 + - source: pg_db2 = PostgresqlExtDatabase('my_app', user='postgres', password=pswd, host='10.1.0.9', port=5432) + style: secondary + start: 18 + end: 118 diff --git a/tests/__snapshots__/python-pg8000-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-pg8000-hardcoded-secret-python-snapshot.yml new file mode 100644 index 00000000..9985a268 --- /dev/null +++ b/tests/__snapshots__/python-pg8000-hardcoded-secret-python-snapshot.yml 
@@ -0,0 +1,214 @@ +id: python-pg8000-hardcoded-secret-python +snapshots: + ? | + from pg8000.dbapi import connect + pswd1 = "password" + conn = connect(user="postgres", password=pswd1) + : labels: + - source: connect(user="postgres", password=pswd1) + style: primary + start: 59 + end: 99 + - source: connect + style: secondary + start: 59 + end: 66 + - source: password + style: secondary + start: 84 + end: 92 + - source: pswd1 + style: secondary + start: 93 + end: 98 + - source: password=pswd1 + style: secondary + start: 84 + end: 98 + - source: (user="postgres", password=pswd1) + style: secondary + start: 66 + end: 99 + - source: from pg8000.dbapi import connect + style: secondary + start: 0 + end: 32 + - source: | + from pg8000.dbapi import connect + pswd1 = "password" + conn = connect(user="postgres", password=pswd1) + style: secondary + start: 0 + end: 100 + - source: pswd1 + style: secondary + start: 33 + end: 38 + - source: password + style: secondary + start: 42 + end: 50 + - source: '"password"' + style: secondary + start: 41 + end: 51 + - source: pswd1 = "password" + style: secondary + start: 33 + end: 51 + - source: pswd1 = "password" + style: secondary + start: 33 + end: 51 + - source: conn = connect(user="postgres", password=pswd1) + style: secondary + start: 52 + end: 99 + ? | + import pg8000.dbapi + conn = pg8000.dbapi.connect(user="postgres", password="password") + : labels: + - source: pg8000.dbapi.connect(user="postgres", password="password") + style: primary + start: 27 + end: 85 + - source: pg8000.dbapi.connect + style: secondary + start: 27 + end: 47 + - source: password + style: secondary + start: 65 + end: 73 + - source: password + style: secondary + start: 75 + end: 83 + - source: '"password"' + style: secondary + start: 74 + end: 84 + - source: password="password" + style: secondary + start: 65 + end: 84 + - source: (user="postgres", password="password") + style: secondary + start: 47 + end: 85 + ? 
| + import pg8000.native + c = pg8000.native.Connection(user, database=dbname, password="password", **params) + : labels: + - source: pg8000.native.Connection(user, database=dbname, password="password", **params) + style: primary + start: 25 + end: 103 + - source: pg8000.native.Connection + style: secondary + start: 25 + end: 49 + - source: password + style: secondary + start: 73 + end: 81 + - source: password + style: secondary + start: 83 + end: 91 + - source: '"password"' + style: secondary + start: 82 + end: 92 + - source: password="password" + style: secondary + start: 73 + end: 92 + - source: (user, database=dbname, password="password", **params) + style: secondary + start: 49 + end: 103 + ? | + import pg8000.native as pg_connect + pswd2 = "password" + c = pg_connect.Connection(user, database=dbname, password=pswd2, **params) + : labels: + - source: pg_connect.Connection(user, database=dbname, password=pswd2, **params) + style: primary + start: 58 + end: 128 + - source: pg_connect + style: secondary + start: 58 + end: 68 + - source: Connection + style: secondary + start: 69 + end: 79 + - source: pg_connect.Connection + style: secondary + start: 58 + end: 79 + - source: password + style: secondary + start: 103 + end: 111 + - source: pswd2 + style: secondary + start: 112 + end: 117 + - source: password=pswd2 + style: secondary + start: 103 + end: 117 + - source: (user, database=dbname, password=pswd2, **params) + style: secondary + start: 79 + end: 128 + - source: pg8000.native + style: secondary + start: 7 + end: 20 + - source: pg_connect + style: secondary + start: 24 + end: 34 + - source: pg8000.native as pg_connect + style: secondary + start: 7 + end: 34 + - source: import pg8000.native as pg_connect + style: secondary + start: 0 + end: 34 + - source: | + import pg8000.native as pg_connect + pswd2 = "password" + c = pg_connect.Connection(user, database=dbname, password=pswd2, **params) + style: secondary + start: 0 + end: 129 + - source: pswd2 + style: 
secondary + start: 35 + end: 40 + - source: password + style: secondary + start: 44 + end: 52 + - source: '"password"' + style: secondary + start: 43 + end: 53 + - source: pswd2 = "password" + style: secondary + start: 35 + end: 53 + - source: pswd2 = "password" + style: secondary + start: 35 + end: 53 + - source: c = pg_connect.Connection(user, database=dbname, password=pswd2, **params) + style: secondary + start: 54 + end: 128 diff --git a/tests/csharp/npgsqlconnectionstringbuilder-hardcoded-secret-csharp-test.yml b/tests/csharp/npgsqlconnectionstringbuilder-hardcoded-secret-csharp-test.yml new file mode 100644 index 00000000..c94d3767 --- /dev/null +++ b/tests/csharp/npgsqlconnectionstringbuilder-hardcoded-secret-csharp-test.yml @@ -0,0 +1,52 @@ +id: npgsqlconnectionstringbuilder-hardcoded-secret-csharp +valid: + - | + urlBuilder.Password = args[1]; + - | + urlBuilder["Password"] = args[1]; +invalid: + - | + using System; + using Npgsql; + namespace a + { + class Program + { + static void Main(string[] args) + { + NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); + string password = "aaa"; + urlBuilder.Password = "aaaa"; + } + } + } + - | + using System; + using Npgsql; + namespace a + { + class Program + { + static void Main(string[] args) + { + NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); + string password = "aaa"; + urlBuilder["Password"] = "aaaa"; + } + } + } + - | + using System; + using Npgsql; + namespace a + { + class Program + { + static void Main(string[] args) + { + NpgsqlConnectionStringBuilder urlBuilder = new NpgsqlConnectionStringBuilder(); + string password = "aaa"; + urlBuilder["Password"] = password; + } + } + } diff --git a/tests/python/python-peewee-pg-hardcoded-secret-python-test.yml b/tests/python/python-peewee-pg-hardcoded-secret-python-test.yml new file mode 100644 index 00000000..9485f0aa --- /dev/null +++ b/tests/python/python-peewee-pg-hardcoded-secret-python-test.yml 
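Review bot: The two `valid` cases, `urlBuilder.Password = args[1];` and `urlBuilder["Password"] = args[1];`, have no preceding `NpgsqlConnectionStringBuilder` declaration in scope, so they would pass even if the rule ignored the right-hand side entirely; they do not exercise the negative path of the utils. Wrap them in the same `Main` scaffold the invalid cases use and make the right-hand side a non-literal, e.g. `urlBuilder.Password = Environment.GetEnvironmentVariable("PGPASSWORD");`, and add a valid case where the assigned identifier is initialised from a non-literal (`string password = args[1]; urlBuilder["Password"] = password;`) so the identifier-resolution util is tested both ways.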
@@ -0,0 +1,24 @@ +id: python-peewee-pg-hardcoded-secret-python +valid: + - | + mysql_db1 = MySQLDatabe('my_app', user='app', password='db_password', host='10.1.0.8', port=3306) +invalid: + - | + pg_db1 = PostgresqlDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432) + - | + pswd = "password" + pg_db2 = PostgresqlDatabase('my_app', user='postgres', password=pswd, host='10.1.0.9', port=5432) + - | + database = PostgresqlDatabase(None) + database.init('database_name', host='localhost', user='postgres', password='password') + - | + database = PostgresqlDatabase(None) + pswd = "password" + database.init('database_name', host='localhost', user='postgres', password=pswd) + - | + pswd = "password" + pg_db2 = PostgresqlExtDatabase('my_app', user='postgres', password=pswd, host='10.1.0.9', port=5432) + - | + pool = PooledPostgresqlDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432) + - | + db_rch_p = PooledCockroachDatabase('my_app', user='postgres', password='password', host='10.1.0.9', port=5432) diff --git a/tests/python/python-pg8000-hardcoded-secret-python-test.yml b/tests/python/python-pg8000-hardcoded-secret-python-test.yml new file mode 100644 index 00000000..da898029 --- /dev/null +++ b/tests/python/python-pg8000-hardcoded-secret-python-test.yml @@ -0,0 +1,20 @@ +id: python-pg8000-hardcoded-secret-python +valid: + - | + import pg8000.dbapi + conn = pg8000.dbapi.connect(user="postgres", password=get_password()) +invalid: + - | + import pg8000.native as pg_connect + pswd2 = "password" + c = pg_connect.Connection(user, database=dbname, password=pswd2, **params) + - | + import pg8000.native + c = pg8000.native.Connection(user, database=dbname, password="password", **params) + - | + from pg8000.dbapi import connect + pswd1 = "password" + conn = connect(user="postgres", password=pswd1) + - | + import pg8000.dbapi + conn = pg8000.dbapi.connect(user="postgres", password="password")
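Review bot: The only `valid` case calls `MySQLDatabe(...)`, which looks like a typo of `MySQLDatabase` and, more importantly, passes for the wrong reason: the callee name never matches the rule's class regex, so nothing about the password handling is checked. Add valid cases that use a matching class with a non-literal secret, e.g. `pg_db = PostgresqlDatabase('my_app', user='postgres', password=os.environ["PGPASSWORD"])` and `pswd = os.getenv("PGPASSWORD")` followed by `PostgresqlDatabase('my_app', password=pswd)`, so the `$VAR` util's string-literal requirement is actually exercised.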
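Review bot: The single `valid` case (`password=get_password()`) does not exercise the identifier-resolution utils at all; a case such as `pswd = os.environ["PGPASSWORD"]` followed by `connect(user="postgres", password=pswd)` under `from pg8000.dbapi import connect` is needed to show that a variable bound to a non-literal is not reported. The invalid list also has no case for `from pg8000.native import Connection` with `Connection(..., password="...")` or for the aliased `import pg8000.native as pg` with a literal; if the rule is meant to cover them, tests should pin it, and if not, the rule's note should say which import styles are supported.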