diff --git a/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml b/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml
new file mode 100644
index 00000000..cc3c2798
--- /dev/null
+++ b/rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml
@@ -0,0 +1,247 @@
+id: oracleconnectionstringbuilder-hardcoded-secret-csharp
+language: csharp
+severity: warning
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. Use
+ environment variables to securely provide credentials and other secrets or
+ retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [CWE-798]: Use of Hard-coded Credentials
+ [OWASP A07:2021]: Identification and Authentication Failures
+ [REFERENCES]
+ https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+ match_assignment_without_brackets:
+ kind: assignment_expression
+ all:
+ - has:
+ stopBy: end
+ kind: member_access_expression
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ field: expression
+ pattern: $B
+ - has:
+ stopBy: end
+ kind: identifier
+ field: name
+ regex: "^Password$"
+ - has:
+ stopBy: end
+ kind: string_literal
+ has:
+ stopBy: end
+ kind: string_literal_content
+ inside:
+ stopBy: end
+ kind: expression_statement
+ follows:
+ stopBy: end
+ kind: local_declaration_statement
+ all:
+ - has:
+ stopBy: end
+ kind: variable_declaration
+ has:
+ stopBy: end
+ kind: identifier
+ field: type
+ regex: "^OracleConnectionStringBuilder$"
+ - has:
+ stopBy: end
+ kind: variable_declarator
+ has:
+ stopBy: end
+ kind: identifier
+ pattern: $B
+ - has:
+ stopBy: end
+ kind: object_creation_expression
+ match_assignment_with_brackets:
+ kind: assignment_expression
+ all:
+ - has:
+ stopBy: end
+ kind: element_access_expression
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ pattern: $B
+ - has:
+ stopBy: end
+ kind: bracketed_argument_list
+ field: subscript
+ - has:
+ stopBy: end
+ kind: argument
+ - has:
+ stopBy: end
+ kind: string_literal
+ has:
+ stopBy: end
+ kind: string_literal_content
+ regex: "^Password$"
+ all:
+ - not:
+ precedes:
+ stopBy: end
+ kind: element_access_expression
+ - not:
+ precedes:
+ stopBy: end
+ kind: invocation_expression
+
+ - has:
+ stopBy: end
+ kind: string_literal
+ has:
+ stopBy: end
+ kind: string_literal_content
+ inside:
+ stopBy: end
+ kind: expression_statement
+ follows:
+ stopBy: end
+ kind: local_declaration_statement
+ all:
+ - has:
+ stopBy: end
+ kind: variable_declaration
+ has:
+ stopBy: end
+ kind: identifier
+ field: type
+ regex: "^OracleConnectionStringBuilder$"
+ - has:
+ stopBy: end
+ kind: variable_declarator
+ has:
+ stopBy: end
+ kind: identifier
+ field: name
+ pattern: $B
+ - has:
+ stopBy: end
+ kind: object_creation_expression
+ match_assignment_with_instance_above_with_bracket:
+ kind: assignment_expression
+ all:
+ - has:
+ stopBy: end
+ kind: element_access_expression
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ field: expression
+ pattern: $N
+ - has:
+ stopBy: end
+ kind: bracketed_argument_list
+ field: subscript
+ - has:
+ stopBy: end
+ kind: argument
+ - has:
+ stopBy: end
+ kind: string_literal
+ has:
+ stopBy: end
+ kind: string_literal_content
+ regex: "^Password$"
+ all:
+ - not:
+ precedes:
+ stopBy: end
+ kind: element_access_expression
+ - not:
+ precedes:
+ stopBy: end
+ kind: invocation_expression
+ - has:
+ stopBy: end
+ kind: string_literal
+ has:
+ stopBy: end
+ kind: string_literal_content
+
+ inside:
+ stopBy: end
+ kind: expression_statement
+ follows:
+ stopBy: end
+ kind: local_declaration_statement
+ all:
+ - has:
+ stopBy: end
+ kind: variable_declaration
+ has:
+ stopBy: end
+ kind: implicit_type
+ - has:
+ stopBy: end
+ kind: variable_declarator
+ has:
+ stopBy: end
+ kind: identifier
+ pattern: $N
+ - has:
+ stopBy: end
+ kind: object_creation_expression
+ match_assignment_with_instance_above_without_bracket:
+ kind: assignment_expression
+ all:
+ - has:
+ stopBy: end
+ kind: member_access_expression
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ field: expression
+ pattern: $N
+ - has:
+ stopBy: end
+ kind: identifier
+ field: name
+ regex: "^Password$"
+ - has:
+ stopBy: end
+ kind: string_literal
+ has:
+ stopBy: end
+ kind: string_literal_content
+ inside:
+ stopBy: end
+ kind: expression_statement
+ follows:
+ stopBy: end
+ kind: local_declaration_statement
+ all:
+ - has:
+ stopBy: end
+ kind: variable_declaration
+ has:
+ stopBy: end
+ kind: implicit_type
+ - has:
+ stopBy: end
+ kind: variable_declarator
+ has:
+ stopBy: end
+ kind: identifier
+ pattern: $N
+ - has:
+ stopBy: end
+ kind: object_creation_expression
+rule:
+ any:
+ - matches: match_assignment_without_brackets
+ - matches: match_assignment_with_brackets
+ - matches: match_assignment_with_instance_above_with_bracket
+ - matches: match_assignment_with_instance_above_without_bracket
diff --git a/rules/python/security/python-pymssql-hardcoded-secret-python.yml b/rules/python/security/python-pymssql-hardcoded-secret-python.yml
new file mode 100644
index 00000000..3223c1f3
--- /dev/null
+++ b/rules/python/security/python-pymssql-hardcoded-secret-python.yml
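Review bot: The two `implicit_type` utils (`match_assignment_with_instance_above_with_bracket` and `match_assignment_with_instance_above_without_bracket`) never check which type is constructed: their `follows` declaration only requires `implicit_type`, a `variable_declarator` bound to `$N` and any `object_creation_expression`, so `var cb = new SomeOtherBuilder(); cb.Password = "...";` is reported under this Oracle-specific rule id. Constrain the creation expression to the builder type, e.g. under `kind: object_creation_expression` add `has: {stopBy: end, kind: identifier, regex: "^OracleConnectionStringBuilder$"}`, mirroring the `field: type` check the explicit-type utils already make. Separately, `match_assignment_without_brackets` binds `$B` to the declarator identifier without `field: name` while `match_assignment_with_brackets` uses `field: name`; aligning the two keeps them from matching different nodes inside the declarator. As far as I can tell, `follows` with `stopBy: end` accepts a declaration anywhere earlier in the block, so a reassignment of the builder variable between the declaration and the literal assignment is not considered; a comment in the rule stating that would help whoever triages a finding.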
@@ -0,0 +1,241 @@
+id: python-pymssql-hardcoded-secret-python
+language: python
+severity: warning
+message: >-
+ A secret is hard-coded in the application. Secrets stored in source
+ code, such as credentials, identifiers, and other types of sensitive data,
+ can be leaked and used by internal or external malicious actors. Use
+ environment variables to securely provide credentials and other secrets or
+ retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+ [CWE-798]: Use of Hard-coded Credentials
+ [OWASP A07:2021]: Identification and Authentication Failures
+ [REFERENCES]
+ https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+ match_pymssql_call:
+ kind: call
+ all:
+ - has:
+ stopBy: end
+ kind: attribute
+ field: function
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ field: object
+ regex: ^(pymssql)$
+ - has:
+ stopBy: end
+ kind: identifier
+ field: attribute
+ regex: "^connect$"
+ - has:
+ stopBy: end
+ kind: argument_list
+ field: arguments
+ all:
+ - has:
+ stopBy: end
+ kind: keyword_argument
+ - has:
+ stopBy: end
+ kind: keyword_argument
+ - has:
+ stopBy: end
+ kind: keyword_argument
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ field: name
+ regex: "^password$"
+ - has:
+ stopBy: end
+ kind: string
+ field: value
+ all:
+ - has:
+ stopBy: end
+ kind: string_start
+ - has:
+ stopBy: end
+ kind: string_content
+ - has:
+ stopBy: end
+ kind: string_end
+
+ - has:
+ stopBy: end
+ kind: keyword_argument
+ inside:
+ stopBy: end
+ kind: expression_statement
+ match_mssql_call:
+ kind: call
+ all:
+ - has:
+ stopBy: end
+ kind: attribute
+ field: function
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ field: object
+ regex: ^(_mssql)$
+ - has:
+ stopBy: end
+ kind: identifier
+ field: attribute
+ regex: "^connect$"
+ - has:
+ stopBy: end
+ kind: argument_list
+ field: arguments
+ all:
+ - has:
+ stopBy: end
+ kind: keyword_argument
+ - has:
+ stopBy: end
+ kind: keyword_argument
+ - has:
+ stopBy: end
+ kind: keyword_argument
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ field: name
+ regex: "^password$"
+ all:
+ - not:
+ precedes:
+ stopBy: end
+ kind: subscript
+ - not:
+ precedes:
+ stopBy: end
+ kind: call
+ - has:
+ stopBy: end
+ kind: string
+ field: value
+ all:
+ - has:
+ stopBy: end
+ kind: string_start
+ - has:
+ stopBy: end
+ kind: string_content
+ - has:
+ stopBy: end
+ kind: string_end
+
+ - has:
+ stopBy: end
+ kind: keyword_argument
+ inside:
+ stopBy: end
+ kind: expression_statement
+ follows:
+ stopBy: end
+ kind: import_from_statement
+ all:
+ - has:
+ stopBy: end
+ kind: dotted_name
+ field: module_name
+ has:
+ stopBy: end
+ kind: identifier
+ regex: "^pymssql$"
+ - has:
+ stopBy: end
+ kind: dotted_name
+ field: name
+ has:
+ stopBy: end
+ kind: identifier
+ regex: "^_mssql$"
+ match__pymssql_call_instance:
+ kind: call
+ all:
+ - has:
+ stopBy: end
+ kind: attribute
+ field: function
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ field: object
+ regex: ^(pymssql)$
+ - has:
+ stopBy: end
+ kind: identifier
+ field: attribute
+ regex: "^connect$"
+ - has:
+ stopBy: end
+ kind: argument_list
+ field: arguments
+ all:
+ - has:
+ stopBy: end
+ kind: keyword_argument
+ - has:
+ stopBy: end
+ kind: keyword_argument
+ - has:
+ stopBy: end
+ kind: keyword_argument
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ field: name
+ regex: "^password$"
+ - has:
+ stopBy: end
+ kind: identifier
+ field: value
+ pattern: $R
+ - has:
+ stopBy: end
+ kind: keyword_argument
+ inside:
+ stopBy: end
+ kind: expression_statement
+ follows:
+ stopBy: end
+ kind: expression_statement
+ all:
+ - has:
+ stopBy: end
+ kind: assignment
+ has:
+ stopBy: end
+ kind: identifier
+ pattern: $R
+ - has:
+ stopBy: end
+ kind: string
+ all:
+ - has:
+ stopBy: end
+ kind: string_start
+ - has:
+ stopBy: end
+ kind: string_content
+ - has:
+ stopBy: end
+ kind: string_end
+
+rule:
+ any:
+ - matches: match_pymssql_call
+ - matches: match_mssql_call
+ - matches: match__pymssql_call_instance
diff --git a/rules/python/security/python-pymysql-empty-password-python.yml b/rules/python/security/python-pymysql-empty-password-python.yml
new file mode 100644
index 00000000..8a8a6e01
--- /dev/null
+++ b/rules/python/security/python-pymysql-empty-password-python.yml
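Review bot: In `match__pymssql_call_instance` the `follows` expression_statement only needs an `assignment` that contains identifier `$R` somewhere plus a `string` somewhere in the statement, so `pswd = cfg["db_pw"]` or `pswd = load(pswd, "cfg")` preceding `pymssql.connect(password=pswd)` is reported as a hard-coded secret; anchor both sides by putting `field: left` on the identifier and `field: right` on the `string`, nested under the `assignment`. The same shape is used by `match_call_string` in python-pymysql-empty-password-python.yml, where the `string` sits under the `assignment` but is still not tied to `field: right`. The repeated bare `- has: {stopBy: end, kind: keyword_argument}` entries in all three utils can each be satisfied by the same node, so they neither require several arguments nor impose any order, although they read as if they do; drop them or add a comment stating what they are meant to enforce. The `not: precedes:` guards for `subscript` and `call` under the `password` identifier appear only in `match_mssql_call`, while the `string` value check that follows already excludes those forms in all three utils, so either apply them consistently or remove them. The util name `match__pymssql_call_instance` carries a doubled underscore that looks like a typo.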
@@ -0,0 +1,136 @@
+id: python-pymysql-empty-password-python
+language: python
+severity: warning
+message: >-
+ The application creates a database connection with an empty password.
+ This can lead to unauthorized access by either an internal or external
+ malicious actor. To prevent this vulnerability, enforce authentication
+ when connecting to a database by using environment variables to securely
+ provide credentials or retrieving them from a secure vault or HSM
+ (Hardware Security Module).
+note: >-
+ [CWE-287]: Improper Authentication
+ [OWASP A07:2021]: Identification and Authentication Failures
+ [REFERENCES]
+ https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+ match_call:
+ kind: call
+ all:
+ - has:
+ stopBy: end
+ kind: attribute
+ field: function
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ field: object
+ regex: "^pymysql$"
+ - has:
+ stopBy: end
+ kind: identifier
+ field: attribute
+ regex: "^connect$"
+ - has:
+ stopBy: end
+ kind: argument_list
+ field: arguments
+ all:
+ - has:
+ stopBy: end
+ kind: keyword_argument
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ field: name
+ regex: "^password$"
+ - has:
+ stopBy: end
+ kind: string
+ field: value
+ all:
+ - has:
+ stopBy: end
+ kind: string_start
+ not:
+ precedes:
+ stopBy: end
+ kind: string_content
+ - has:
+ stopBy: end
+ kind: string_end
+ inside:
+ stopBy: end
+ kind: expression_statement
+ match_call_string:
+ kind: call
+ all:
+ - has:
+ stopBy: end
+ kind: attribute
+ field: function
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ field: object
+ regex: "^pymysql$"
+ - has:
+ stopBy: end
+ kind: identifier
+ field: attribute
+ regex: "^connect$"
+ - has:
+ stopBy: end
+ kind: argument_list
+ field: arguments
+ all:
+ - has:
+ stopBy: end
+ kind: keyword_argument
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ field: name
+ regex: "^password$"
+ - has:
+ stopBy: end
+ kind: identifier
+ field: value
+ pattern: $R
+ inside:
+ stopBy: end
+ kind: expression_statement
+ follows:
+ stopBy: end
+ kind: expression_statement
+ has:
+ stopBy: end
+ kind: assignment
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ pattern: $R
+ - has:
+ stopBy: end
+ kind: string
+ all:
+ - has:
+ stopBy: end
+ kind: string_start
+ not:
+ precedes:
+ stopBy: end
+ kind: string_content
+ - has:
+ stopBy: end
+ kind: string_end
+
+rule:
+ any:
+ - matches: match_call
+ - matches: match_call_string
diff --git a/tests/__snapshots__/oracleconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml b/tests/__snapshots__/oracleconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml
new file mode 100644
index 00000000..98dfb488
--- /dev/null
+++ b/tests/__snapshots__/oracleconnectionstringbuilder-hardcoded-secret-csharp-snapshot.yml
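Review bot: Both utils match only the keyword `password`, but pymysql's `connect()` also accepts the `passwd` alias, so `pymysql.connect(passwd="")` is not reported; widening the name check to `regex: "^(password|passwd)$"` in `match_call` and `match_call_string` closes that gap. In `match_call_string` the `$R` identifier under the preceding `assignment` has no `field: left`, so an identifier appearing on the right-hand side of an unrelated assignment that also contains an empty string binds it and yields a false positive; the note on python-pymssql-hardcoded-secret-python.yml gives the `field: left` / `field: right` fix. A reassignment of `$R` between the empty-string assignment and the call is, as far as I can tell, not considered because `follows` with `stopBy: end` accepts any earlier sibling statement, which is worth a short comment in the rule.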
@@ -0,0 +1,262 @@ +id: oracleconnectionstringbuilder-hardcoded-secret-csharp +snapshots: + ? | + private OracleConnectionStringBuilder GetConnection(args) + { + OracleConnectionStringBuilder builder = new OracleConnectionStringBuilder(); + builder.Password = "reee!"; + } + : labels: + - source: builder.Password = "reee!" + style: primary + start: 137 + end: 163 + - source: builder + style: secondary + start: 137 + end: 144 + - source: Password + style: secondary + start: 145 + end: 153 + - source: builder.Password + style: secondary + start: 137 + end: 153 + - source: reee! + style: secondary + start: 157 + end: 162 + - source: '"reee!"' + style: secondary + start: 156 + end: 163 + - source: OracleConnectionStringBuilder + style: secondary + start: 60 + end: 89 + - source: OracleConnectionStringBuilder builder = new OracleConnectionStringBuilder() + style: secondary + start: 60 + end: 135 + - source: builder + style: secondary + start: 90 + end: 97 + - source: builder = new OracleConnectionStringBuilder() + style: secondary + start: 90 + end: 135 + - source: new OracleConnectionStringBuilder() + style: secondary + start: 100 + end: 135 + - source: OracleConnectionStringBuilder builder = new OracleConnectionStringBuilder(); + style: secondary + start: 60 + end: 136 + - source: builder.Password = "reee!"; + style: secondary + start: 137 + end: 164 + ? | + private OracleConnectionStringBuilder GetConnection(args) + { + OracleConnectionStringBuilder builder = new OracleConnectionStringBuilder(); + builder["Password"] = "reee!"; + } + : labels: + - source: builder["Password"] = "reee!" 
+ style: primary + start: 137 + end: 166 + - source: builder + style: secondary + start: 137 + end: 144 + - source: '["Password"]' + style: secondary + start: 144 + end: 156 + - source: '"Password"' + style: secondary + start: 145 + end: 155 + - source: Password + style: secondary + start: 146 + end: 154 + - source: '"Password"' + style: secondary + start: 145 + end: 155 + - source: builder["Password"] + style: secondary + start: 137 + end: 156 + - source: Password + style: secondary + start: 146 + end: 154 + - source: '"Password"' + style: secondary + start: 145 + end: 155 + - source: OracleConnectionStringBuilder + style: secondary + start: 60 + end: 89 + - source: OracleConnectionStringBuilder builder = new OracleConnectionStringBuilder() + style: secondary + start: 60 + end: 135 + - source: builder + style: secondary + start: 90 + end: 97 + - source: builder = new OracleConnectionStringBuilder() + style: secondary + start: 90 + end: 135 + - source: new OracleConnectionStringBuilder() + style: secondary + start: 100 + end: 135 + - source: OracleConnectionStringBuilder builder = new OracleConnectionStringBuilder(); + style: secondary + start: 60 + end: 136 + - source: builder["Password"] = "reee!"; + style: secondary + start: 137 + end: 167 + ? | + private OracleConnectionStringBuilder GetConnection(args) + { + var cb = new OracleConnectionStringBuilder(); + cb.Password = "reee!"; + } + : labels: + - source: cb.Password = "reee!" + style: primary + start: 106 + end: 127 + - source: cb + style: secondary + start: 106 + end: 108 + - source: Password + style: secondary + start: 109 + end: 117 + - source: cb.Password + style: secondary + start: 106 + end: 117 + - source: reee! 
+ style: secondary + start: 121 + end: 126 + - source: '"reee!"' + style: secondary + start: 120 + end: 127 + - source: var + style: secondary + start: 60 + end: 63 + - source: var cb = new OracleConnectionStringBuilder() + style: secondary + start: 60 + end: 104 + - source: cb + style: secondary + start: 64 + end: 66 + - source: cb = new OracleConnectionStringBuilder() + style: secondary + start: 64 + end: 104 + - source: new OracleConnectionStringBuilder() + style: secondary + start: 69 + end: 104 + - source: var cb = new OracleConnectionStringBuilder(); + style: secondary + start: 60 + end: 105 + - source: cb.Password = "reee!"; + style: secondary + start: 106 + end: 128 + ? | + private OracleConnectionStringBuilder GetConnection(args) + { + var cb = new OracleConnectionStringBuilder(); + cb["Password"] = "reee!"; + } + : labels: + - source: cb["Password"] = "reee!" + style: primary + start: 106 + end: 130 + - source: cb + style: secondary + start: 106 + end: 108 + - source: '["Password"]' + style: secondary + start: 108 + end: 120 + - source: '"Password"' + style: secondary + start: 109 + end: 119 + - source: Password + style: secondary + start: 110 + end: 118 + - source: '"Password"' + style: secondary + start: 109 + end: 119 + - source: cb["Password"] + style: secondary + start: 106 + end: 120 + - source: Password + style: secondary + start: 110 + end: 118 + - source: '"Password"' + style: secondary + start: 109 + end: 119 + - source: var + style: secondary + start: 60 + end: 63 + - source: var cb = new OracleConnectionStringBuilder() + style: secondary + start: 60 + end: 104 + - source: cb + style: secondary + start: 64 + end: 66 + - source: cb = new OracleConnectionStringBuilder() + style: secondary + start: 64 + end: 104 + - source: new OracleConnectionStringBuilder() + style: secondary + start: 69 + end: 104 + - source: var cb = new OracleConnectionStringBuilder(); + style: secondary + start: 60 + end: 105 + - source: cb["Password"] = "reee!"; + style: 
secondary + start: 106 + end: 131 diff --git a/tests/__snapshots__/python-pymssql-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-pymssql-hardcoded-secret-python-snapshot.yml new file mode 100644 index 00000000..3a990c3a --- /dev/null +++ b/tests/__snapshots__/python-pymssql-hardcoded-secret-python-snapshot.yml 
@@ -0,0 +1,293 @@ +id: python-pymssql-hardcoded-secret-python +snapshots: + ? | + conn1 = pymssql.connect( + server='SQL01', + user='user', + password='password', + database='mydatabase', + ) + : labels: + - source: |- + pymssql.connect( + server='SQL01', + user='user', + password='password', + database='mydatabase', + ) + style: primary + start: 8 + end: 99 + - source: pymssql + style: secondary + start: 8 + end: 15 + - source: connect + style: secondary + start: 16 + end: 23 + - source: pymssql.connect + style: secondary + start: 8 + end: 23 + - source: server='SQL01' + style: secondary + start: 25 + end: 39 + - source: server='SQL01' + style: secondary + start: 25 + end: 39 + - source: password + style: secondary + start: 54 + end: 62 + - source: '''' + style: secondary + start: 63 + end: 64 + - source: password + style: secondary + start: 64 + end: 72 + - source: '''' + style: secondary + start: 72 + end: 73 + - source: '''password''' + style: secondary + start: 63 + end: 73 + - source: password='password' + style: secondary + start: 54 + end: 73 + - source: server='SQL01' + style: secondary + start: 25 + end: 39 + - source: |- + ( + server='SQL01', + user='user', + password='password', + database='mydatabase', + ) + style: secondary + start: 23 + end: 99 + - source: |- + conn1 = pymssql.connect( + server='SQL01', + user='user', + password='password', + database='mydatabase', + ) + style: secondary + start: 0 + end: 99 + ? 
| + import os + import pymssql + from pymssql import _mssql + conn2 = _mssql.connect( + server='SQL01', + user='user', + password='password', + database='mydatabase' + ) + : labels: + - source: |- + _mssql.connect( + server='SQL01', + user='user', + password='password', + database='mydatabase' + ) + style: primary + start: 60 + end: 149 + - source: _mssql + style: secondary + start: 60 + end: 66 + - source: connect + style: secondary + start: 67 + end: 74 + - source: _mssql.connect + style: secondary + start: 60 + end: 74 + - source: server='SQL01' + style: secondary + start: 76 + end: 90 + - source: server='SQL01' + style: secondary + start: 76 + end: 90 + - source: password + style: secondary + start: 105 + end: 113 + - source: '''' + style: secondary + start: 114 + end: 115 + - source: password + style: secondary + start: 115 + end: 123 + - source: '''' + style: secondary + start: 123 + end: 124 + - source: '''password''' + style: secondary + start: 114 + end: 124 + - source: password='password' + style: secondary + start: 105 + end: 124 + - source: server='SQL01' + style: secondary + start: 76 + end: 90 + - source: |- + ( + server='SQL01', + user='user', + password='password', + database='mydatabase' + ) + style: secondary + start: 74 + end: 149 + - source: pymssql + style: secondary + start: 30 + end: 37 + - source: pymssql + style: secondary + start: 30 + end: 37 + - source: _mssql + style: secondary + start: 45 + end: 51 + - source: _mssql + style: secondary + start: 45 + end: 51 + - source: from pymssql import _mssql + style: secondary + start: 25 + end: 51 + - source: |- + conn2 = _mssql.connect( + server='SQL01', + user='user', + password='password', + database='mydatabase' + ) + style: secondary + start: 52 + end: 149 + ? 
"import os\nimport pymssql\nfrom pymssql import _mssql\npswd = \"hardcoded\"\npswd2 = get_from_config() \nconn3 = pymssql.connect(\nserver='SQL01',\nuser='user',\npassword=pswd,\ndatabase='mydatabase',\n)\n" + : labels: + - source: |- + pymssql.connect( + server='SQL01', + user='user', + password=pswd, + database='mydatabase', + ) + style: primary + start: 107 + end: 192 + - source: pymssql + style: secondary + start: 107 + end: 114 + - source: connect + style: secondary + start: 115 + end: 122 + - source: pymssql.connect + style: secondary + start: 107 + end: 122 + - source: server='SQL01' + style: secondary + start: 124 + end: 138 + - source: server='SQL01' + style: secondary + start: 124 + end: 138 + - source: password + style: secondary + start: 153 + end: 161 + - source: pswd + style: secondary + start: 162 + end: 166 + - source: password=pswd + style: secondary + start: 153 + end: 166 + - source: server='SQL01' + style: secondary + start: 124 + end: 138 + - source: |- + ( + server='SQL01', + user='user', + password=pswd, + database='mydatabase', + ) + style: secondary + start: 122 + end: 192 + - source: pswd + style: secondary + start: 52 + end: 56 + - source: pswd = "hardcoded" + style: secondary + start: 52 + end: 70 + - source: '"' + style: secondary + start: 59 + end: 60 + - source: hardcoded + style: secondary + start: 60 + end: 69 + - source: '"' + style: secondary + start: 69 + end: 70 + - source: '"hardcoded"' + style: secondary + start: 59 + end: 70 + - source: pswd = "hardcoded" + style: secondary + start: 52 + end: 70 + - source: |- + conn3 = pymssql.connect( + server='SQL01', + user='user', + password=pswd, + database='mydatabase', + ) + style: secondary + start: 99 + end: 192 diff --git a/tests/__snapshots__/python-pymysql-empty-password-python-snapshot.yml b/tests/__snapshots__/python-pymysql-empty-password-python-snapshot.yml new file mode 100644 index 00000000..430c9e8c --- /dev/null 
+++ b/tests/__snapshots__/python-pymysql-empty-password-python-snapshot.yml @@ -0,0 +1,114 @@ +id: python-pymysql-empty-password-python +snapshots: + ? | + ishan = "" + PASSWORD1 = CONFIG + pymysql.connect(password=ishan) + : labels: + - source: pymysql.connect(password=ishan) + style: primary + start: 30 + end: 61 + - source: pymysql + style: secondary + start: 30 + end: 37 + - source: connect + style: secondary + start: 38 + end: 45 + - source: pymysql.connect + style: secondary + start: 30 + end: 45 + - source: password + style: secondary + start: 46 + end: 54 + - source: ishan + style: secondary + start: 55 + end: 60 + - source: password=ishan + style: secondary + start: 46 + end: 60 + - source: (password=ishan) + style: secondary + start: 45 + end: 61 + - source: ishan + style: secondary + start: 0 + end: 5 + - source: '"' + style: secondary + start: 8 + end: 9 + - source: '"' + style: secondary + start: 9 + end: 10 + - source: '""' + style: secondary + start: 8 + end: 10 + - source: ishan = "" + style: secondary + start: 0 + end: 10 + - source: ishan = "" + style: secondary + start: 0 + end: 10 + - source: pymysql.connect(password=ishan) + style: secondary + start: 30 + end: 61 + ? | + pymysql.connect(password="") + : labels: + - source: pymysql.connect(password="") + style: primary + start: 0 + end: 28 + - source: pymysql + style: secondary + start: 0 + end: 7 + - source: connect + style: secondary + start: 8 + end: 15 + - source: pymysql.connect + style: secondary + start: 0 + end: 15 + - source: password + style: secondary + start: 16 + end: 24 + - source: '"' + style: secondary + start: 25 + end: 26 + - source: '"' + style: secondary + start: 26 + end: 27 + - source: '""' + style: secondary + start: 25 + end: 27 + - source: password="" + style: secondary + start: 16 + end: 27 + - source: (password="") + style: secondary + start: 15 + end: 28 + - source: pymysql.connect(password="") + style: secondary + start: 0 + end: 28 
diff --git a/tests/csharp/oracleconnectionstringbuilder-hardcoded-secret-csharp-test.yml b/tests/csharp/oracleconnectionstringbuilder-hardcoded-secret-csharp-test.yml
new file mode 100644
index 00000000..303454fc
--- /dev/null
+++ b/tests/csharp/oracleconnectionstringbuilder-hardcoded-secret-csharp-test.yml
@@ -0,0 +1,29 @@
+id: oracleconnectionstringbuilder-hardcoded-secret-csharp
+valid:
+ - |
+ builder.Password = args[1];
+invalid:
+ - |
+ private OracleConnectionStringBuilder GetConnection(args)
+ {
+ OracleConnectionStringBuilder builder = new OracleConnectionStringBuilder();
+ builder.Password = "reee!";
+ }
+ - |
+ private OracleConnectionStringBuilder GetConnection(args)
+ {
+ OracleConnectionStringBuilder builder = new OracleConnectionStringBuilder();
+ builder["Password"] = "reee!";
+ }
+ - |
+ private OracleConnectionStringBuilder GetConnection(args)
+ {
+ var cb = new OracleConnectionStringBuilder();
+ cb["Password"] = "reee!";
+ }
+ - |
+ private OracleConnectionStringBuilder GetConnection(args)
+ {
+ var cb = new OracleConnectionStringBuilder();
+ cb.Password = "reee!";
+ }
diff --git a/tests/python/python-pymssql-hardcoded-secret-python-test.yml b/tests/python/python-pymssql-hardcoded-secret-python-test.yml
new file mode 100644
index 00000000..dcec7470
--- /dev/null
+++ b/tests/python/python-pymssql-hardcoded-secret-python-test.yml
@@ -0,0 +1,53 @@
+id: python-pymssql-hardcoded-secret-python
+valid:
+ - |
+ conn5 = _mssql.connect(
+ server='SQL01',
+ user='user',
+ password=pswd2,
+ database='mydatabase'
+ )
+ - |
+ conn6 = _mssql.connect(
+ server='SQL01',
+ user='user',
+ password=os.env['pswd2'],
+ database='mydatabase'
+ )
+ - |
+ conn7 = _mssql.connect(
+ server='SQL01',
+ user='user',
+ password=os.getenv('secret'),
+ database='mydatabase'
+ )
+invalid:
+ - |
+ conn1 = pymssql.connect(
+ server='SQL01',
+ user='user',
+ password='password',
+ database='mydatabase',
+ )
+ - |
+ import os
+ import pymssql
+ from pymssql import _mssql
+ conn2 = _mssql.connect(
+ server='SQL01',
+ user='user',
+ password='password',
+ database='mydatabase'
+ )
+ - |
+ import os
+ import pymssql
+ from pymssql import _mssql
+ pswd = "hardcoded"
+ pswd2 = get_from_config()
+ conn3 = pymssql.connect(
+ server='SQL01',
+ user='user',
+ password=pswd,
+ database='mydatabase',
+ )
diff --git a/tests/python/python-pymysql-empty-password-python-test.yml b/tests/python/python-pymysql-empty-password-python-test.yml
new file mode 100644
index 00000000..448167fe
--- /dev/null
+++ b/tests/python/python-pymysql-empty-password-python-test.yml
@@ -0,0 +1,13 @@
+id: python-pymysql-empty-password-python
+valid:
+ - |
+ pymysql.connect(password=CONFIG)
+ - |
+ pymysql.connect(password=os.env['secret'])
+invalid:
+ - |
+ pymysql.connect(password="")
+ - |
+ ishan = ""
+ PASSWORD1 = CONFIG
+ pymysql.connect(password=ishan)
diff --git a/tests/python/python-pymysql-hardcoded-secret-python b/tests/python/python-pymysql-hardcoded-secret-python
new file mode 100644
index 00000000..e69de29b
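Review bot: The only `valid` sample, `builder.Password = args[1];`, has no builder declaration in scope, so it passes because the `follows` declaration is absent rather than because the value is non-literal; the `string_literal` constraint is never exercised on the negative side. Add a valid case that declares the builder and assigns a non-literal, e.g. `var cb = new OracleConnectionStringBuilder(); cb.Password = Environment.GetEnvironmentVariable("DB_PASSWORD");`, and its indexer twin `cb["Password"] = Environment.GetEnvironmentVariable("DB_PASSWORD");`. A sample with a `var` declaration of some other type followed by a literal password would also pin down whether the rule is meant to fire on non-Oracle builders, which the rule as written does.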
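Review bot: The three `valid` samples all call `_mssql.connect` in snippets without `from pymssql import _mssql` and without a preceding assignment, so they pass trivially and none exercises the `follows` constraint of `match__pymssql_call_instance`. Add a valid case such as `pswd2 = get_from_config()` followed by `pymssql.connect(server='SQL01', user='user', password=pswd2, database='mydatabase')`, and a `pymssql.connect(... password=os.getenv('secret') ...)` case, so the variable-indirection path is covered on the negative side too. In the third invalid sample the line `pswd2 = get_from_config()` is unused and reads as a leftover from such a valid case.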
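Review bot: The `valid` set has no sample with a non-empty literal, neither `pymysql.connect(password="notempty")` nor `pw = "notempty"` followed by `pymysql.connect(password=pw)`, which is exactly the boundary the `string_start not precedes string_content` check in `match_call` and `match_call_string` is meant to draw; add both. The last file in the diff, `tests/python/python-pymysql-hardcoded-secret-python`, is added as an empty file with no extension (`index 00000000..e69de29b`, no hunk), which looks like a stray artifact rather than a test fixture and should be dropped from the commit.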