Add security rules for detecting hard-coded secrets in Java and Python (#141)

ESS-ENN · Sakshis · web-flow · commit 7f9f1afabb66 · 2025-01-29T14:57:20.000+05:30
* removed missing-secure-java

* httponly-false-csharp

* use-of-md5-digest-utils-java

* removing use-of-md5-digest-utils and httponly-false-csharp

* python-urllib3-hardcoded-secret-python

* drivermanager-hardcoded-secret-java

---------

Co-authored-by: Sakshis &lt;sakshil@abc.com&gt;
diff --git a/rules/java/security/drivermanager-hardcoded-secret-java.yml b/rules/java/security/drivermanager-hardcoded-secret-java.yml
@@ -0,0 +1,153 @@
+id: drivermanager-hardcoded-secret-java
+severity: warning
+language: java
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. Use
+  environment variables to securely provide credentials and other secrets or
+  retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798] Use of Hard-coded Credentials.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  MATCH_PATTERN_DriverManager.getConnection:
+   kind: method_invocation
+   all:
+      - has:
+          stopBy: neighbor
+          kind: identifier
+          regex: '^DriverManager$'
+      - has:
+          stopBy: neighbor
+          kind: identifier
+          regex: '^getConnection$'
+      - has:
+          kind: argument_list
+          # nthChild: 3
+          all:
+            - any:
+              - has:
+                 stopBy: end
+                 kind: string_literal
+                 nthChild: 3
+                 pattern: $I
+                 has:
+                   stopBy: neighbor
+                   kind: string_fragment
+              - has:
+                  stopBy: end
+                  kind: parenthesized_expression
+                  has:
+                    stopBy: end
+                    kind: string_fragment
+                    pattern: $I
+              - has:
+                 nthChild: 3
+                 all:
+                   - has:
+                       stopBy: neighbor
+                       kind: string_fragment
+                       inside:
+                         stopBy: neighbor
+                         kind: string_literal
+                   - not:
+                      has:
+                       stopBy: end
+                       kind: string_literal
+                       not:
+                        has:
+                         stopBy: neighbor
+                         kind: string_fragment
+            - not:
+               has:
+                stopBy: end
+                regex: ^-$
+            - not:
+               has:
+                nthChild: 4
+      - not:
+          has:
+            stopBy: end
+            kind: ERROR
+      - not:
+          has:
+            stopBy: end
+            kind: binary_expression
+
+  MATCH_PATTERN_DriverManagerDataSource:
+    kind: object_creation_expression 
+    all:
+      - has:
+          stopBy: neighbor
+          kind: type_identifier
+          regex: '^DriverManagerDataSource$'
+      - has:
+          kind: argument_list
+          # nthChild: 3
+          all:
+            - any:
+              - has:
+                 stopBy: neighbor
+                 kind: string_literal
+                 nthChild: 3
+                 pattern: $I
+                 has:
+                   stopBy: neighbor
+                   kind: string_fragment
+              - has:
+                  stopBy: end
+                  kind: parenthesized_expression
+                  has:
+                    stopBy: end
+                    kind: string_fragment
+                    pattern: $I
+              - has:
+                 nthChild: 3
+                 all:
+                   - has:
+                       stopBy: neighbor
+                       kind: string_fragment
+                       inside:
+                         stopBy: neighbor
+                         kind: string_literal
+                   - not:
+                      has:
+                       stopBy: end
+                       kind: string_literal
+                       not:
+                        has:
+                         stopBy: neighbor
+                         kind: string_fragment
+            - not:
+               has:
+                stopBy: end
+                regex: ^-$
+            - not:
+               has:
+                nthChild: 4
+      - not:
+          has:
+            stopBy: end
+            kind: binary_expression     
+      - not:
+          has:
+            stopBy: end
+            kind: ERROR
+
+rule:
+  any:
+    - kind: method_invocation
+      matches: MATCH_PATTERN_DriverManager.getConnection
+    - kind: object_creation_expression
+      matches: MATCH_PATTERN_DriverManagerDataSource
+
+constraints:
+  I:
+    not:
+      regex: ^""$
+    
diff --git a/rules/python/security/python-urllib3-hardcoded-secret-python.yml b/rules/python/security/python-urllib3-hardcoded-secret-python.yml
@@ -0,0 +1,59 @@
+id: python-urllib3-hardcoded-secret-python
+severity: warning
+language: python
+message: >-
+      A secret is hard-coded in the application. Secrets stored in source
+      code, such as credentials, identifiers, and other types of sensitive data,
+      can be leaked and used by internal or external malicious actors. Use
+      environment variables to securely provide credentials and other secrets or
+      retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798] Use of Hard-coded Credentials.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils: 
+ urllib3.util.make_headers(...,basic_auth="...",...):
+  # urllib3.util.make_headers(...,basic_auth="...",...)
+  kind: call
+  all:
+    - has:
+        stopBy: neighbor
+        kind: attribute
+        regex: '^urllib3.util.make_headers$|^urllib3.make_headers$|^requests.packages.urllib3.make_headers$|^requests.packages.urllib3.util.make_headers$'
+    - has:
+        stopBy: neighbor
+        kind: argument_list
+        has:
+          stopBy: neighbor
+          kind: keyword_argument
+          all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: '^basic_auth$|^proxy_basic_auth$'
+            - has:
+                stopBy: neighbor
+                kind: string
+                any:
+                - has:
+                   stopBy: neighbor
+                   kind: string_content
+                - has:
+                    stopBy: neighbor
+                    regex: '.*'
+
+rule:
+  kind: call
+  matches: urllib3.util.make_headers(...,basic_auth="...",...)
+  not:
+    all:
+      - has:
+          stopBy: end
+          kind: ERROR
+      - inside:
+          stopBy: end
+          kind: ERROR
+
diff --git a/tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml b/tests/__snapshots__/drivermanager-hardcoded-secret-java-snapshot.yml
@@ -0,0 +1,29 @@
+id: drivermanager-hardcoded-secret-java
+snapshots:
+  ? |
+    Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password");
+  : labels:
+    - source: DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password")
+      style: primary
+      start: 17
+      end: 101
+    - source: DriverManager
+      style: secondary
+      start: 17
+      end: 30
+    - source: getConnection
+      style: secondary
+      start: 31
+      end: 44
+    - source: password
+      style: secondary
+      start: 91
+      end: 99
+    - source: '"password"'
+      style: secondary
+      start: 90
+      end: 100
+    - source: ("jdbc:oracle:thin:@localhost:1521:o92", "a", "password")
+      style: secondary
+      start: 44
+      end: 101
diff --git a/tests/__snapshots__/python-urllib3-hardcoded-secret-python-snapshot.yml b/tests/__snapshots__/python-urllib3-hardcoded-secret-python-snapshot.yml
@@ -0,0 +1,32 @@
+id: python-urllib3-hardcoded-secret-python
+snapshots:
+  urllib3.util.make_headers(basic_auth="user:123"):
+    labels:
+    - source: urllib3.util.make_headers(basic_auth="user:123")
+      style: primary
+      start: 0
+      end: 48
+    - source: urllib3.util.make_headers
+      style: secondary
+      start: 0
+      end: 25
+    - source: basic_auth
+      style: secondary
+      start: 26
+      end: 36
+    - source: user:123
+      style: secondary
+      start: 38
+      end: 46
+    - source: '"user:123"'
+      style: secondary
+      start: 37
+      end: 47
+    - source: basic_auth="user:123"
+      style: secondary
+      start: 26
+      end: 47
+    - source: (basic_auth="user:123")
+      style: secondary
+      start: 25
+      end: 48
diff --git a/tests/java/drivermanager-hardcoded-secret-java-test.yml b/tests/java/drivermanager-hardcoded-secret-java-test.yml
@@ -0,0 +1,7 @@
+id: drivermanager-hardcoded-secret-java
+valid:
+  - |
+    Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92","a");
+invalid:
+  - |
+    Connection conn =DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:o92", "a", "password");
diff --git a/tests/python/python-urllib3-hardcoded-secret-python-test.yml b/tests/python/python-urllib3-hardcoded-secret-python-test.yml
@@ -0,0 +1,7 @@
+id: python-urllib3-hardcoded-secret-python
+valid:
+  - |
+    urllib3.util.make_headers(basic_auth=os.env['auth'])
+invalid:
+  - |
+    urllib3.util.make_headers(basic_auth="user:123")
