Skip to content

Add security rules for hard-coded secrets and error handling in C#, Java, and Kotlin #104

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 3 commits into from
Closed

Add security rules for hard-coded secrets and error handling in C#, Java, and Kotlin #104

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3f9dec7
stacktrace-disclosure-csharp
Dec 11, 2024
9e70ab5
jwt-hardcode-kotlin
Dec 11, 2024
fe79543
hardcoded-secret-in-credentials-java
Dec 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions rules/csharp/security/stacktrace-disclosure-csharp.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
id: stacktrace-disclosure-csharp
severity: warning
language: csharp
message: >-
Stacktrace information is displayed in a non-Development environment.
Accidentally disclosing sensitive stack trace information in a production
environment aids an attacker in reconnaissance and information gathering.
note: >-
[CWE-209] Generation of Error Message Containing Sensitive Information.
[REFERENCES]
- https://cwe.mitre.org/data/definitions/209.html
- https://owasp.org/Top10/A04_2021-Insecure_Design/
utils:
$APP.UseDeveloperExceptionPage(...):
kind: expression_statement
pattern: $APP.UseDeveloperExceptionPage($$$);
inside:
stopBy: neighbor
kind: block
not:
follows:
stopBy: end
kind: invocation_expression
pattern: $ENV.IsDevelopment()
rule:
kind: expression_statement
matches: $APP.UseDeveloperExceptionPage(...)
197 changes: 197 additions & 0 deletions rules/java/security/hardcoded-secret-in-credentials-java.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,197 @@
id: hardcoded-secret-in-credentials-java
language: java
severity: warning
message: >-
A secret is hard-coded in the application. Secrets stored in source
code, such as credentials, identifiers, and other types of sensitive data,
can be leaked and used by internal or external malicious actors. Use
environment variables to securely provide credentials and other secrets or
retrieve them from a secure vault or Hardware Security Module (HSM).
note: >-
[CWE-798]: Use of Hard-coded Credentials
[OWASP A07:2021]: Identification and Authentication Failures
[REFERENCES]
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
match_local_variable_declaration_with_username:
kind: local_variable_declaration
all:
- has:
stopBy: end
kind: type_identifier
field: type
- has:
stopBy: end
kind: variable_declarator
field: declarator
has:
stopBy: end
kind: identifier
field: name
- has:
stopBy: end
kind: method_invocation
all:
- has:
stopBy: end
kind: identifier
field: object
regex: "^Credentials$"
- has:
stopBy: end
kind: identifier
field: name
regex: "^basic$"
- has:
stopBy: end
kind: argument_list
field: arguments
all:
- has:
stopBy: end
kind: identifier
pattern: $USERNAME
- has:
kind: string_literal
pattern: $STRING
inside:
stopBy: end
kind: method_declaration
follows:
stopBy: end
kind: field_declaration
all:
- has:
stopBy: end
kind: modifiers
- has:
stopBy: end
kind: type_identifier
field: type
- has:
stopBy: end
kind: variable_declarator
field: declarator
all:
- has:
stopBy: end
kind: identifier
field: name
pattern: $USERNAME
- has:
stopBy: end
kind: string_literal
field: value
match_local_variable_declaration_with_instance:
kind: local_variable_declaration
all:
- has:
stopBy: end
kind: type_identifier
field: type
- has:
stopBy: end
kind: variable_declarator
field: declarator
all:
- has:
stopBy: end
kind: identifier
field: name
- has:
stopBy: end
kind: method_invocation
all:
- has:
stopBy: end
kind: identifier
field: object
regex: "^Credentials$"
- has:
stopBy: end
kind: identifier
field: name
regex: "^basic$"
- has:
stopBy: end
kind: argument_list
all:
- has:
stopBy: end
kind: identifier
pattern: $USERNAME
nthChild: 1
- has:
stopBy: end
kind: identifier
pattern: $PASS
nthChild: 2
- not:
has:
stopBy: end
kind: identifier
nthChild: 3
- all:
- inside:
stopBy: end
kind: method_declaration
follows:
stopBy: end
kind: field_declaration
all:
- has:
stopBy: end
kind: modifiers
- has:
stopBy: end
kind: type_identifier
- has:
stopBy: end
kind: variable_declarator
field: declarator
all:
- has:
stopBy: end
kind: identifier
field: name
pattern: $PASS
- has:
stopBy: end
kind: string_literal
field: value
pattern: $STRING
- inside:
stopBy: end
kind: method_declaration
follows:
stopBy: end
kind: field_declaration
all:
- has:
stopBy: end
kind: modifiers
- has:
stopBy: end
kind: type_identifier
- has:
stopBy: end
kind: variable_declarator
field: declarator
all:
- has:
stopBy: end
kind: identifier
field: name
pattern: $USERNAME
- has:
stopBy: end
kind: string_literal
field: value
rule:
any:
- matches: match_local_variable_declaration_with_username
- matches: match_local_variable_declaration_with_instance
constraints:
STRING:
not:
regex: ^""$
Loading