coderabbitai
diff --git a/‎rules/python/security/python-pymongo-empty-password-python.yml
Lines changed: 88 additions & 0 deletions b/‎rules/python/security/python-pymongo-empty-password-python.yml
Lines changed: 88 additions & 0 deletions
diff --git a/‎rules/python/security/python-pymongo-hardcoded-secret-python.yml
Lines changed: 85 additions & 0 deletions b/‎rules/python/security/python-pymongo-hardcoded-secret-python.yml
Lines changed: 85 additions & 0 deletions
diff --git a/‎rules/python/security/python-webrepl-empty-password-python.yml
Lines changed: 56 additions & 0 deletions b/‎rules/python/security/python-webrepl-empty-password-python.yml
Lines changed: 56 additions & 0 deletions
diff --git a/‎rules/python/security/python-webrepl-hardcoded-secret-python.yml
Lines changed: 54 additions & 0 deletions b/‎rules/python/security/python-webrepl-hardcoded-secret-python.yml
Lines changed: 54 additions & 0 deletions
diff --git a/‎tests/__snapshots__/python-pymongo-empty-password-python-snapshot.yml
Lines changed: 29 additions & 0 deletions b/‎tests/__snapshots__/python-pymongo-empty-password-python-snapshot.yml
Lines changed: 29 additions & 0 deletions
diff --git a/‎tests/__snapshots__/python-pymongo-hardcoded-secret-python-snapshot.yml
Lines changed: 33 additions & 0 deletions b/‎tests/__snapshots__/python-pymongo-hardcoded-secret-python-snapshot.yml
Lines changed: 33 additions & 0 deletions
diff --git a/‎tests/__snapshots__/python-webrepl-empty-password-python-snapshot.yml
Lines changed: 29 additions & 0 deletions b/‎tests/__snapshots__/python-webrepl-empty-password-python-snapshot.yml
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,88 @@
+id: python-pymongo-empty-password-python
+language: python
+severity: warning
+message: >-
+  The application creates a database connection with an empty password.
+  This can lead to unauthorized access by either an internal or external
+  malicious actor. To prevent this vulnerability, enforce authentication
+  when connecting to a database by using environment variables to securely
+  provide credentials or retrieving them from a secure vault or HSM
+  (Hardware Security Module).
+note: >-
+  [CWE-287]: Improper Authentication
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+       https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  pymongo.MongoClient(..., password="",...):
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: attribute
+          regex: ^pymongo.MongoClient$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: neighbor
+            kind: keyword_argument
+            all:
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+                  regex: ^password$
+              - has:
+                  stopBy: neighbor
+                  kind: string
+                  not:
+                    has:
+                      stopBy: end
+                      kind: string_content
+  # $pymongo.MongoClient(..., password="",...):
+  #  kind: call
+  #  all:
+  #    - has:
+  #        stopBy: neighbor
+  #        kind: identifier
+  #        regex: ^MongoClient$
+  #    - has:
+  #        stopBy: neighbor
+  #        kind: argument_list
+  #        has:
+  #          stopBy: neighbor
+  #          kind: keyword_argument
+  #          all:
+  #           - has:
+  #               stopBy: neighbor
+  #               kind: identifier
+  #               regex: ^password$
+  #           - has:
+  #               stopBy: neighbor
+  #               kind: string
+  #               not:
+  #                 has:
+  #                  stopBy: end
+  #                  kind: string_content
+  #    - inside:
+  #        stopBy: end
+  #        follows:
+  #          stopBy: end
+  #          kind: import_from_statement
+  #          pattern: from pymongo import MongoClient
+rule:
+  kind: call
+  any:
+    - matches: pymongo.MongoClient(..., password="",...)
+  # - matches: $pymongo.MongoClient(..., password="",...)
+  not:
+    all:
+      - has:
+          stopBy: end
+          kind: ERROR
+      - inside:
+          stopBy: end
+          kind: ERROR
@@ -0,0 +1,85 @@
+id: python-pymongo-hardcoded-secret-python
+language: python
+severity: warning
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. Use
+  environment variables to securely provide credentials and other secrets or
+  retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798]: Use of Hard-coded Credentials
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+       https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  pymongo.MongoClient(..., password="",...):
+    kind: call
+    all:
+      - has:
+          stopBy: neighbor
+          kind: attribute
+          regex: ^pymongo.MongoClient$
+      - has:
+          stopBy: neighbor
+          kind: argument_list
+          has:
+            stopBy: neighbor
+            kind: keyword_argument
+            all:
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+                  regex: ^password$
+              - has:
+                  stopBy: neighbor
+                  kind: string
+                  has:
+                    stopBy: end
+                    kind: string_content
+  # $pymongo.MongoClient(..., password="",...):
+  #  kind: call
+  #  all:
+  #    - has:
+  #        stopBy: neighbor
+  #        kind: identifier
+  #        regex: ^MongoClient$
+  #    - has:
+  #        stopBy: neighbor
+  #        kind: argument_list
+  #        has:
+  #          stopBy: neighbor
+  #          kind: keyword_argument
+  #          all:
+  #           - has:
+  #               stopBy: neighbor
+  #               kind: identifier
+  #               regex: ^password$
+  #           - has:
+  #               stopBy: neighbor
+  #               kind: string
+  #               has:
+  #                  stopBy: end
+  #                  kind: string_content
+  #    - inside:
+  #        stopBy: end
+  #        follows:
+  #          stopBy: end
+  #          kind: import_from_statement
+  #          pattern: from pymongo import MongoClient
+rule:
+  kind: call
+  any:
+    - matches: pymongo.MongoClient(..., password="",...)
+  # - matches: $pymongo.MongoClient(..., password="",...)
+  not:
+    all:
+      - has:
+          stopBy: end
+          kind: ERROR
+      - inside:
+          stopBy: end
+          kind: ERROR
@@ -0,0 +1,56 @@
+id: python-webrepl-empty-password-python
+language: python
+severity: warning
+message: >-
+  The application creates a database connection with an empty password.
+  This can lead to unauthorized access by either an internal or external
+  malicious actor. To prevent this vulnerability, enforce authentication
+  when connecting to a database by using environment variables to securely
+  provide credentials or retrieving them from a secure vault or HSM
+  (Hardware Security Module).
+note: >-
+  [CWE-287]: Improper Authentication
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+       https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  webrepl.start(..., password="",...):
+   kind: call
+   all:
+     - has:
+         stopBy: neighbor
+         kind: attribute
+         regex: ^webrepl.start$
+     - has:
+         stopBy: neighbor
+         kind: argument_list
+         has:
+           stopBy: neighbor
+           kind: keyword_argument
+           all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: ^password$
+            - has:
+                stopBy: neighbor
+                kind: string
+                not:
+                 has:
+                  stopBy: end
+                  kind: string_content
+rule:
+  kind: call
+  matches: webrepl.start(..., password="",...)
+  not:
+    all:
+      - has:
+          stopBy: end
+          kind: ERROR
+      - inside:
+          stopBy: end
+          kind: ERROR
+
@@ -0,0 +1,54 @@
+id: python-webrepl-hardcoded-secret-python
+language: python
+severity: warning
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. Use
+  environment variables to securely provide credentials and other secrets or
+  retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798]: Use of Hard-coded Credentials
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+       https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  webrepl.start(..., password="",...):
+   kind: call
+   all:
+     - has:
+         stopBy: neighbor
+         kind: attribute
+         regex: ^webrepl.start$
+     - has:
+         stopBy: neighbor
+         kind: argument_list
+         has:
+           stopBy: neighbor
+           kind: keyword_argument
+           all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: ^password$
+            - has:
+                stopBy: neighbor
+                kind: string
+                has:
+                  stopBy: end
+                  kind: string_content
+rule:
+  kind: call
+  matches: webrepl.start(..., password="",...)
+  not:
+    all:
+      - has:
+          stopBy: end
+          kind: ERROR
+      - inside:
+          stopBy: end
+          kind: ERROR
+
@@ -0,0 +1,29 @@
+id: python-pymongo-empty-password-python
+snapshots:
+  ? |
+    pymongo.MongoClient(password="")
+  : labels:
+    - source: pymongo.MongoClient(password="")
+      style: primary
+      start: 0
+      end: 32
+    - source: pymongo.MongoClient
+      style: secondary
+      start: 0
+      end: 19
+    - source: password
+      style: secondary
+      start: 20
+      end: 28
+    - source: '""'
+      style: secondary
+      start: 29
+      end: 31
+    - source: password=""
+      style: secondary
+      start: 20
+      end: 31
+    - source: (password="")
+      style: secondary
+      start: 19
+      end: 32
@@ -0,0 +1,33 @@
+id: python-pymongo-hardcoded-secret-python
+snapshots:
+  ? |
+    pymongo.MongoClient(password="a")
+  : labels:
+    - source: pymongo.MongoClient(password="a")
+      style: primary
+      start: 0
+      end: 33
+    - source: pymongo.MongoClient
+      style: secondary
+      start: 0
+      end: 19
+    - source: password
+      style: secondary
+      start: 20
+      end: 28
+    - source: a
+      style: secondary
+      start: 30
+      end: 31
+    - source: '"a"'
+      style: secondary
+      start: 29
+      end: 32
+    - source: password="a"
+      style: secondary
+      start: 20
+      end: 32
+    - source: (password="a")
+      style: secondary
+      start: 19
+      end: 33
@@ -0,0 +1,29 @@
+id: python-webrepl-empty-password-python
+snapshots:
+  ? |
+    webrepl.start(password="")
+  : labels:
+    - source: webrepl.start(password="")
+      style: primary
+      start: 0
+      end: 26
+    - source: webrepl.start
+      style: secondary
+      start: 0
+      end: 13
+    - source: password
+      style: secondary
+      start: 14
+      end: 22
+    - source: '""'
+      style: secondary
+      start: 23
+      end: 25
+    - source: password=""
+      style: secondary
+      start: 14
+      end: 25
+    - source: (password="")
+      style: secondary
+      start: 13
+      end: 26