python-webrepl-empty-password-python

ESS-ENN · ESS-ENN · commit bf8028462981 · 2025-01-30T10:44:04.000+05:30
diff --git a/rules/python/security/python-webrepl-empty-password-python.yml b/rules/python/security/python-webrepl-empty-password-python.yml
@@ -0,0 +1,56 @@
+id: python-webrepl-empty-password-python
+language: python
+severity: warning
+message: >-
+  The application creates a database connection with an empty password.
+  This can lead to unauthorized access by either an internal or external
+  malicious actor. To prevent this vulnerability, enforce authentication
+  when connecting to a database by using environment variables to securely
+  provide credentials or retrieving them from a secure vault or HSM
+  (Hardware Security Module).
+note: >-
+  [CWE-287]: Improper Authentication
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+       https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+ast-grep-essentials: true
+
+utils:
+  webrepl.start(..., password="",...):
+   kind: call
+   all:
+     - has:
+         stopBy: neighbor
+         kind: attribute
+         regex: ^webrepl.start$
+     - has:
+         stopBy: neighbor
+         kind: argument_list
+         has:
+           stopBy: neighbor
+           kind: keyword_argument
+           all:
+            - has:
+                stopBy: neighbor
+                kind: identifier
+                regex: ^password$
+            - has:
+                stopBy: neighbor
+                kind: string
+                not:
+                 has:
+                  stopBy: end
+                  kind: string_content
+rule:
+  kind: call
+  matches: webrepl.start(..., password="",...)
+  not:
+    all:
+      - has:
+          stopBy: end
+          kind: ERROR
+      - inside:
+          stopBy: end
+          kind: ERROR
+
diff --git a/tests/__snapshots__/python-webrepl-empty-password-python-snapshot.yml b/tests/__snapshots__/python-webrepl-empty-password-python-snapshot.yml
@@ -0,0 +1,29 @@
+id: python-webrepl-empty-password-python
+snapshots:
+  ? |
+    webrepl.start(password="")
+  : labels:
+    - source: webrepl.start(password="")
+      style: primary
+      start: 0
+      end: 26
+    - source: webrepl.start
+      style: secondary
+      start: 0
+      end: 13
+    - source: password
+      style: secondary
+      start: 14
+      end: 22
+    - source: '""'
+      style: secondary
+      start: 23
+      end: 25
+    - source: password=""
+      style: secondary
+      start: 14
+      end: 25
+    - source: (password="")
+      style: secondary
+      start: 13
+      end: 26
diff --git a/tests/python/python-webrepl-empty-password-python-test.yml b/tests/python/python-webrepl-empty-password-python-test.yml
@@ -0,0 +1,7 @@
+id: python-webrepl-empty-password-python
+valid:
+  - |
+    webrepl.start(password=SECURE_PASSWORD_CONFIG["password"])
+invalid:
+  - |
+    webrepl.start(password="")
