From 761a16ff4608e96344caf64745ee50df613c2fb3 Mon Sep 17 00:00:00 2001 From: Sakshis Date: Wed, 11 Dec 2024 11:02:59 +0000 Subject: [PATCH 1/3] ruby-redis-hardcoded-secret-ruby --- .../ruby-redis-hardcoded-secret-ruby.yml | 102 +++++++++++ ...y-redis-hardcoded-secret-ruby-snapshot.yml | 158 ++++++++++++++++++ .../ruby-redis-hardcoded-secret-ruby-test.yml | 15 ++ 3 files changed, 275 insertions(+) create mode 100644 rules/ruby/security/ruby-redis-hardcoded-secret-ruby.yml create mode 100644 tests/__snapshots__/ruby-redis-hardcoded-secret-ruby-snapshot.yml create mode 100644 tests/ruby/ruby-redis-hardcoded-secret-ruby-test.yml diff --git a/rules/ruby/security/ruby-redis-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-redis-hardcoded-secret-ruby.yml new file mode 100644 index 00000000..c303d737 --- /dev/null +++ b/rules/ruby/security/ruby-redis-hardcoded-secret-ruby.yml @@ -0,0 +1,102 @@ +id: ruby-redis-hardcoded-secret-ruby +language: ruby +severity: warning +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +utils: + Redis.new(..., password:"...", ...): + # Redis.new(..., password: "", ...) + kind: call + all: + - has: + stopBy: neighbor + kind: constant + regex: ^Redis$ + - has: + stopBy: neighbor + regex: ^.$ + - has: + stopBy: neighbor + kind: identifier + regex: ^new$ + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: end + kind: pair + all: + - has: + stopBy: neighbor + kind: hash_key_symbol + regex: ^password$ + - has: + stopBy: neighbor + kind: string + has: + stopBy: neighbor + kind: string_content + - inside: + stopBy: end + kind: program + has: + stopBy: end + kind: call + pattern: require "redis" + Redis.new(..., password:"...", ...)_with_instance: + # Redis.new(..., password: $PASS, ...) + kind: call + all: + - has: + stopBy: neighbor + kind: constant + regex: ^Redis$ + - has: + stopBy: neighbor + regex: ^.$ + - has: + stopBy: neighbor + kind: identifier + regex: ^new$ + - has: + stopBy: neighbor + kind: argument_list + has: + stopBy: end + kind: pair + all: + - has: + stopBy: neighbor + kind: hash_key_symbol + regex: ^password$ + - has: + stopBy: neighbor + kind: identifier + pattern: $PASS + - inside: + stopBy: end + kind: assignment + follows: + stopBy: end + kind: assignment + pattern: $PASS = "$PSWD" + - inside: + stopBy: end + kind: program + has: + stopBy: end + kind: call + pattern: require "redis" +rule: + kind: call + any: + - matches: Redis.new(..., password:"...", ...) + - matches: Redis.new(..., password:"...", ...)_with_instance diff --git a/tests/__snapshots__/ruby-redis-hardcoded-secret-ruby-snapshot.yml b/tests/__snapshots__/ruby-redis-hardcoded-secret-ruby-snapshot.yml new file mode 100644 index 00000000..d1c34caf --- /dev/null +++ b/tests/__snapshots__/ruby-redis-hardcoded-secret-ruby-snapshot.yml @@ -0,0 +1,158 @@ +id: ruby-redis-hardcoded-secret-ruby +snapshots: + ? | + require "redis" + pass = 'password' + redis1 = Redis.new(username: 'myname', password: pass) + : labels: + - source: 'Redis.new(username: ''myname'', password: pass)' + style: primary + start: 43 + end: 88 + - source: Redis + style: secondary + start: 43 + end: 48 + - source: . + style: secondary + start: 48 + end: 49 + - source: new + style: secondary + start: 49 + end: 52 + - source: password + style: secondary + start: 73 + end: 81 + - source: pass + style: secondary + start: 83 + end: 87 + - source: 'password: pass' + style: secondary + start: 73 + end: 87 + - source: '(username: ''myname'', password: pass)' + style: secondary + start: 52 + end: 88 + - source: pass = 'password' + style: secondary + start: 16 + end: 33 + - source: 'redis1 = Redis.new(username: ''myname'', password: pass)' + style: secondary + start: 34 + end: 88 + - source: require "redis" + style: secondary + start: 0 + end: 15 + - source: | + require "redis" + pass = 'password' + redis1 = Redis.new(username: 'myname', password: pass) + style: secondary + start: 0 + end: 89 + ? | + require "redis" + redis = Redis.new(password: "mysecret") + : labels: + - source: 'Redis.new(password: "mysecret")' + style: primary + start: 24 + end: 55 + - source: Redis + style: secondary + start: 24 + end: 29 + - source: . + style: secondary + start: 29 + end: 30 + - source: new + style: secondary + start: 30 + end: 33 + - source: password + style: secondary + start: 34 + end: 42 + - source: mysecret + style: secondary + start: 45 + end: 53 + - source: '"mysecret"' + style: secondary + start: 44 + end: 54 + - source: 'password: "mysecret"' + style: secondary + start: 34 + end: 54 + - source: '(password: "mysecret")' + style: secondary + start: 33 + end: 55 + - source: require "redis" + style: secondary + start: 0 + end: 15 + - source: | + require "redis" + redis = Redis.new(password: "mysecret") + style: secondary + start: 0 + end: 56 + ? | + require "redis" + redis1 = Redis.new(username: 'myname', password: 'mysecret') + : labels: + - source: 'Redis.new(username: ''myname'', password: ''mysecret'')' + style: primary + start: 25 + end: 76 + - source: Redis + style: secondary + start: 25 + end: 30 + - source: . + style: secondary + start: 30 + end: 31 + - source: new + style: secondary + start: 31 + end: 34 + - source: password + style: secondary + start: 55 + end: 63 + - source: mysecret + style: secondary + start: 66 + end: 74 + - source: '''mysecret''' + style: secondary + start: 65 + end: 75 + - source: 'password: ''mysecret''' + style: secondary + start: 55 + end: 75 + - source: '(username: ''myname'', password: ''mysecret'')' + style: secondary + start: 34 + end: 76 + - source: require "redis" + style: secondary + start: 0 + end: 15 + - source: | + require "redis" + redis1 = Redis.new(username: 'myname', password: 'mysecret') + style: secondary + start: 0 + end: 77 diff --git a/tests/ruby/ruby-redis-hardcoded-secret-ruby-test.yml b/tests/ruby/ruby-redis-hardcoded-secret-ruby-test.yml new file mode 100644 index 00000000..c9bc2ee6 --- /dev/null +++ b/tests/ruby/ruby-redis-hardcoded-secret-ruby-test.yml @@ -0,0 +1,15 @@ +id: ruby-redis-hardcoded-secret-ruby +valid: + - | + redis_ok1 = Redis.new(username: 'myname', password: ENV["PASS"]) +invalid: + - | + require "redis" + redis = Redis.new(password: "mysecret") + - | + require "redis" + redis1 = Redis.new(username: 'myname', password: 'mysecret') + - | + require "redis" + pass = 'password' + redis1 = Redis.new(username: 'myname', password: pass) From 65b807d5b449cd90ece3920a9536a67669d28d43 Mon Sep 17 00:00:00 2001 From: Sakshis Date: Wed, 11 Dec 2024 11:05:17 +0000 Subject: [PATCH 2/3] ruby-faraday-hardcoded-secret-ruby --- .../ruby-faraday-hardcoded-secret-ruby.yml | 148 ++++++++++++++++++ ...faraday-hardcoded-secret-ruby-snapshot.yml | 128 +++++++++++++++ ...uby-faraday-hardcoded-secret-ruby-test.yml | 30 ++++ 3 files changed, 306 insertions(+) create mode 100644 rules/ruby/security/ruby-faraday-hardcoded-secret-ruby.yml create mode 100644 tests/__snapshots__/ruby-faraday-hardcoded-secret-ruby-snapshot.yml create mode 100644 tests/ruby/ruby-faraday-hardcoded-secret-ruby-test.yml diff --git a/rules/ruby/security/ruby-faraday-hardcoded-secret-ruby.yml b/rules/ruby/security/ruby-faraday-hardcoded-secret-ruby.yml new file mode 100644 index 00000000..eb9d4cab --- /dev/null +++ b/rules/ruby/security/ruby-faraday-hardcoded-secret-ruby.yml @@ -0,0 +1,148 @@ +id: ruby-faraday-hardcoded-secret-ruby +language: ruby +severity: warning +message: >- + A secret is hard-coded in the application. Secrets stored in source + code, such as credentials, identifiers, and other types of sensitive data, + can be leaked and used by internal or external malicious actors. Use + environment variables to securely provide credentials and other secrets or + retrieve them from a secure vault or Hardware Security Module (HSM). +note: >- + [CWE-798] Use of Hard-coded Credentials. + [REFERENCES] + - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html +utils: + $X.request :authorization, :basic, $USER, "...": + # $X.request :authorization, :basic, $USER, "..." + kind: call + pattern: $X.request :authorization, :basic, $USER, "$STRING" + all: + - not: + pattern: $X.request :authorization, :basic, $USER, "$STRING", $$$ + - inside: + stopBy: end + kind: program + has: + stopBy: end + kind: call + pattern: require "faraday" + $X.request :authorization, :basic, $USER, $PSD: + # $X.request :authorization, :basic, $USER, $PSD + kind: call + pattern: $X.request :authorization, :basic, $USER, $PSD + all: + - not: + pattern: $X.request :authorization, :basic, $USER, $PSD, $$$ + - follows: + stopBy: end + kind: assignment + pattern: $PSD = '$PASS' + - inside: + stopBy: end + kind: program + has: + stopBy: end + kind: call + pattern: require "faraday" + $X.request :basic_auth, $USER, "...": + # $X.request :basic_auth, $USER, "..." + kind: call + pattern: $X.request :basic_auth, $USER, "$STRING" + all: + - not: + pattern: $X.request :basic_auth, $USER, "$STRING", $$$ + - inside: + stopBy: end + kind: program + has: + stopBy: end + kind: call + pattern: require "faraday" + $X.request :basic_auth, $USER, $PSD: + # $X.request :basic_auth, $USER, $PSD + kind: call + pattern: $X.request :basic_auth, $USER, $PSD + all: + - not: + pattern: $X.request :basic_auth, $USER, $PSD, $$$ + - follows: + stopBy: end + kind: assignment + pattern: $PSD = '$STRING' + - inside: + stopBy: end + kind: program + has: + stopBy: end + kind: call + pattern: require "faraday" + $X.request :token_auth, "...": + # $X.request :token_auth, "...", ... + kind: call + pattern: $X.request :token_auth, "$STRING" + inside: + stopBy: end + kind: program + has: + stopBy: end + kind: call + pattern: require "faraday" + $X.request :token_auth, $PSD: + # $X.request :token_auth, $PSD + kind: call + pattern: $X.request :token_auth, $PSD + all: + - follows: + stopBy: end + kind: assignment + pattern: $PSD = '$STRING' + - inside: + stopBy: end + kind: program + has: + stopBy: end + kind: call + pattern: require "faraday" + $X.request :authorization, $BEARER, "...": + # $X.request :authorization, $BEARER, "..." + kind: call + pattern: $X.request :authorization, $BEARER, "$STRING" + all: + - not: + pattern: $X.request :authorization, $BEARER, "$STRING", $$$ + - inside: + stopBy: end + kind: program + has: + stopBy: end + kind: call + pattern: require "faraday" + $X.request :authorization, $BEARER, PSD: + # $X.request :authorization, $BEARER, "..." + kind: call + pattern: $X.request :authorization, $BEARER, $PSD + all: + - not: + pattern: $X.request :authorization, $BEARER, $PSD, $$$ + - follows: + stopBy: end + kind: assignment + pattern: $PSD = '$PASS' + - inside: + stopBy: end + kind: program + has: + stopBy: end + kind: call + pattern: require "faraday" +rule: + kind: call + any: + - matches: $X.request :authorization, :basic, $USER, "..." + - matches: $X.request :authorization, :basic, $USER, $PSD + - matches: $X.request :basic_auth, $USER, "..." + - matches: $X.request :basic_auth, $USER, $PSD + - matches: $X.request :token_auth, "..." + - matches: $X.request :token_auth, $PSD + - matches: $X.request :authorization, $BEARER, "..." + - matches: $X.request :authorization, $BEARER, PSD diff --git a/tests/__snapshots__/ruby-faraday-hardcoded-secret-ruby-snapshot.yml b/tests/__snapshots__/ruby-faraday-hardcoded-secret-ruby-snapshot.yml new file mode 100644 index 00000000..3e834ab4 --- /dev/null +++ b/tests/__snapshots__/ruby-faraday-hardcoded-secret-ruby-snapshot.yml @@ -0,0 +1,128 @@ +id: ruby-faraday-hardcoded-secret-ruby +snapshots: + ? | + require "faraday" + conn.request :basic_auth, 'username', 'password' + : labels: + - source: conn.request :basic_auth, 'username', 'password' + style: primary + start: 18 + end: 66 + - source: require "faraday" + style: secondary + start: 0 + end: 17 + - source: | + require "faraday" + conn.request :basic_auth, 'username', 'password' + style: secondary + start: 0 + end: 67 + ? | + require "faraday" + conn.request :token_auth, 'authentication-token', **options + : labels: + - source: conn.request :token_auth, 'authentication-token', **options + style: primary + start: 18 + end: 77 + - source: require "faraday" + style: secondary + start: 0 + end: 17 + - source: | + require "faraday" + conn.request :token_auth, 'authentication-token', **options + style: secondary + start: 0 + end: 78 + ? | + require "faraday" + f.request :authorization, 'Bearer', 'authentication-token' + : labels: + - source: f.request :authorization, 'Bearer', 'authentication-token' + style: primary + start: 18 + end: 76 + - source: require "faraday" + style: secondary + start: 0 + end: 17 + - source: | + require "faraday" + f.request :authorization, 'Bearer', 'authentication-token' + style: secondary + start: 0 + end: 77 + ? | + require "faraday" + pass = 'authentication-token' + conn.request :token_auth, pass, **options + : labels: + - source: conn.request :token_auth, pass, **options + style: primary + start: 48 + end: 89 + - source: pass = 'authentication-token' + style: secondary + start: 18 + end: 47 + - source: require "faraday" + style: secondary + start: 0 + end: 17 + - source: | + require "faraday" + pass = 'authentication-token' + conn.request :token_auth, pass, **options + style: secondary + start: 0 + end: 90 + ? | + require "faraday" + pass = 'authentication-token' + f.request :authorization, 'Bearer', pass + : labels: + - source: f.request :authorization, 'Bearer', pass + style: primary + start: 48 + end: 88 + - source: pass = 'authentication-token' + style: secondary + start: 18 + end: 47 + - source: require "faraday" + style: secondary + start: 0 + end: 17 + - source: | + require "faraday" + pass = 'authentication-token' + f.request :authorization, 'Bearer', pass + style: secondary + start: 0 + end: 89 + ? | + require "faraday" + pw = 'password' + conn.request :authorization, :basic, 'username', pw + : labels: + - source: conn.request :authorization, :basic, 'username', pw + style: primary + start: 34 + end: 85 + - source: pw = 'password' + style: secondary + start: 18 + end: 33 + - source: require "faraday" + style: secondary + start: 0 + end: 17 + - source: | + require "faraday" + pw = 'password' + conn.request :authorization, :basic, 'username', pw + style: secondary + start: 0 + end: 86 diff --git a/tests/ruby/ruby-faraday-hardcoded-secret-ruby-test.yml b/tests/ruby/ruby-faraday-hardcoded-secret-ruby-test.yml new file mode 100644 index 00000000..681cc020 --- /dev/null +++ b/tests/ruby/ruby-faraday-hardcoded-secret-ruby-test.yml @@ -0,0 +1,30 @@ +id: ruby-faraday-hardcoded-secret-ruby +valid: + - | + require "faraday" + f.request :authorization, 'Bearer', 'authentication-token', test + - | + require "faraday" + conn.request :basic_auth, 'username', 'password', test +invalid: + - | + require "faraday" + f.request :authorization, 'Bearer', 'authentication-token' + - | + require "faraday" + pw = 'password' + conn.request :authorization, :basic, 'username', pw + - | + require "faraday" + conn.request :token_auth, 'authentication-token', **options + - | + require "faraday" + conn.request :basic_auth, 'username', 'password' + - | + require "faraday" + pass = 'authentication-token' + f.request :authorization, 'Bearer', pass + - | + require "faraday" + pass = 'authentication-token' + conn.request :token_auth, pass, **options From 91fec185cebd529b1ee4608f3f9492dd880fbca8 Mon Sep 17 00:00:00 2001 From: Sakshis Date: Wed, 11 Dec 2024 11:14:04 +0000 Subject: [PATCH 3/3] force-ssl-false-ruby --- rules/ruby/security/force-ssl-false-ruby.yml | 13 +++++++++++++ .../__snapshots__/force-ssl-false-ruby-snapshot.yml | 11 +++++++++++ tests/ruby/force-ssl-false-ruby-test.yml | 11 +++++++++++ 3 files changed, 35 insertions(+) create mode 100644 rules/ruby/security/force-ssl-false-ruby.yml create mode 100644 tests/__snapshots__/force-ssl-false-ruby-snapshot.yml create mode 100644 tests/ruby/force-ssl-false-ruby-test.yml diff --git a/rules/ruby/security/force-ssl-false-ruby.yml b/rules/ruby/security/force-ssl-false-ruby.yml new file mode 100644 index 00000000..45c5cf06 --- /dev/null +++ b/rules/ruby/security/force-ssl-false-ruby.yml @@ -0,0 +1,13 @@ +id: force-ssl-false-ruby +language: ruby +severity: warning +message: >- + Checks for configuration setting of force_ssl to false. Force_ssl + forces usage of HTTPS, which could lead to network interception of + unencrypted application traffic. To fix, set config.force_ssl = true. +note: >- + [CWE-311] Missing Encryption of Sensitive Data. + [REFERENCES] + - https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb +rule: + pattern: config.force_ssl = false diff --git a/tests/__snapshots__/force-ssl-false-ruby-snapshot.yml b/tests/__snapshots__/force-ssl-false-ruby-snapshot.yml new file mode 100644 index 00000000..55fd2a3e --- /dev/null +++ b/tests/__snapshots__/force-ssl-false-ruby-snapshot.yml @@ -0,0 +1,11 @@ +id: force-ssl-false-ruby +snapshots: + ? | + def bad_ssl + config.force_ssl = false + end + : labels: + - source: config.force_ssl = false + style: primary + start: 12 + end: 36 diff --git a/tests/ruby/force-ssl-false-ruby-test.yml b/tests/ruby/force-ssl-false-ruby-test.yml new file mode 100644 index 00000000..d86bee1c --- /dev/null +++ b/tests/ruby/force-ssl-false-ruby-test.yml @@ -0,0 +1,11 @@ +id: force-ssl-false-ruby +valid: + - | + def bad_ssl + config.force_ssl = true + end +invalid: + - | + def bad_ssl + config.force_ssl = false + end