From 9ee1cb5d012e0bdb2a4d7a78b8591899d1e77b14 Mon Sep 17 00:00:00 2001
From: ESS-ENN <coderabbit@essenn.associates>
Date: Thu, 17 Oct 2024 17:38:06 +0530
Subject: [PATCH 1/2] python-ldap3-empty-password-python

---
 .../python-ldap3-empty-password-python.yml    | 43 +++++++++++++++++++
 ...ython-ldap3-empty-password-python-test.yml |  9 ++++
 2 files changed, 52 insertions(+)
 create mode 100644 rules/python/security/python-ldap3-empty-password-python.yml
 create mode 100644 tests/python/python-ldap3-empty-password-python-test.yml

diff --git a/rules/python/security/python-ldap3-empty-password-python.yml b/rules/python/security/python-ldap3-empty-password-python.yml
new file mode 100644
index 00000000..9d58d450
--- /dev/null
+++ b/rules/python/security/python-ldap3-empty-password-python.yml
@@ -0,0 +1,43 @@
+id: python-ldap3-empty-password-python
+language: python
+severity: warning
+message: >-
+  The application creates a database connection with an empty password.
+  This can lead to unauthorized access by either an internal or external
+  malicious actor. To prevent this vulnerability, enforce authentication
+  when connecting to a database by using environment variables to securely
+  provide credentials or retrieving them from a secure vault or HSM
+  (Hardware Security Module).
+note: >-
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+       https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+  match_empty_password:
+    kind: expression_statement
+    all:
+      - has:
+          stopBy: end
+          kind: attribute
+      - has:
+          stopBy: end
+          kind: argument_list
+          all:
+            - has:
+                stopBy: end
+                kind: keyword_argument
+                all:
+                  - has:
+                      stopBy: end
+                      kind: identifier
+                      regex: "^password$"
+                  - has:
+                      stopBy: neighbor
+                      kind: string
+                      not:
+                        has:
+                          stopBy: neighbor
+                          kind: string_content
+rule:
+  any:
+    - matches: match_empty_password
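Review bot: The `message` on lines 23-28 describes "a database connection", but the rule id, the util and the test target `ldap3.Connection`, so the finding text will read wrongly to whoever receives it; I would change the first sentence to `The application creates an LDAP connection with an empty password.` and leave the remediation text as is. Separately, `match_empty_password` only requires that some `attribute` node appear anywhere in the statement (`has: stopBy: end, kind: attribute` on lines 37-39), so any call such as `client.login(password="")` fires as well; if the rule is meant to be ldap3-specific as its id says, add `regex: '^ldap3\.Connection$'` under that `has`, and if the broad match is intended the id and message should say so.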
diff --git a/tests/python/python-ldap3-empty-password-python-test.yml b/tests/python/python-ldap3-empty-password-python-test.yml
new file mode 100644
index 00000000..022ef801
--- /dev/null
+++ b/tests/python/python-ldap3-empty-password-python-test.yml
@@ -0,0 +1,9 @@
+id: python-ldap3-empty-password-python
+valid:
+  - |
+    ldap3.Connection(password=a)
+    ldap3.Connection(password=os.env['SECRET'])
+    ldap3.Connection(password=os.getenv('SECRET'))
+invalid:
+  - |
+    ldap3.Connection(password="")
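Review bot: The `valid` snippet on line 72 uses `os.env['SECRET']`, which is not an attribute of Python's `os` module (`os.environ` is); the rule does not care, but a fixture that shows a non-existent API will be copied, so change it to `ldap3.Connection(password=os.environ['SECRET'])`. The `invalid` set has a single double-quoted case; the rule's `not has string_content` check applies equally to single-quoted strings, so adding `ldap3.Connection(password='')` as a second `- |` entry would pin that without changing the rule.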

From 6cf05f722dc3bc89ad032c3621597005307955ae Mon Sep 17 00:00:00 2001
From: ESS-ENN <coderabbit@essenn.associates>
Date: Thu, 17 Oct 2024 17:39:11 +0530
Subject: [PATCH 2/2] openai-hardcoded-secret-password-python

---
 .../openai-hardcoded-secret-python.yml        | 24 +++++++++++++++
 ...dcoded-secret-password-python-snapshot.yml | 10 +++++++
 ...n-ldap3-empty-password-python-snapshot.yml | 29 +++++++++++++++++++
 .../openai-hardcoded-secret-python-test.yml   |  8 +++++
 4 files changed, 71 insertions(+)
 create mode 100644 rules/python/security/openai-hardcoded-secret-python.yml
 create mode 100644 tests/__snapshots__/openai-hardcoded-secret-password-python-snapshot.yml
 create mode 100644 tests/__snapshots__/python-ldap3-empty-password-python-snapshot.yml
 create mode 100644 tests/python/openai-hardcoded-secret-python-test.yml

diff --git a/rules/python/security/openai-hardcoded-secret-python.yml b/rules/python/security/openai-hardcoded-secret-python.yml
new file mode 100644
index 00000000..2d220b19
--- /dev/null
+++ b/rules/python/security/openai-hardcoded-secret-python.yml
@@ -0,0 +1,24 @@
+id: openai-hardcoded-secret-password-python
+language: python
+severity: warning
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. Use
+  environment variables to securely provide credentials and other secrets or
+  retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798]: Use of Hard-coded Credentials
+  [OWASP A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+       https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+  match_api_key:
+    kind: string_content
+    pattern: $R
+rule:
+  all:
+    - matches: match_api_key
+constraints:
+  R:
+    regex: \b(sk-[[:alnum:]]{20}T3BlbkFJ[[:alnum:]]{20})\b
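Review bot: The rule file is named `openai-hardcoded-secret-python.yml` but declares `id: openai-hardcoded-secret-password-python` on line 100, and the same split recurs in `tests/python/openai-hardcoded-secret-python-test.yml`, while the snapshot file in this patch is named after the id; rename the two files to `openai-hardcoded-secret-password-python.yml` and `openai-hardcoded-secret-password-python-test.yml` (or change the id) so the rule, its test and its snapshot stay greppable together. The regex on line 123 pins one key layout, `sk-` plus 20 alphanumerics, `T3BlbkFJ`, and 20 more alphanumerics (51 characters), which presumably misses other key formats the provider issues; a comment above `constraints:` stating that scope, e.g. `# Matches only the 51-character sk-…T3BlbkFJ… key layout.`, would save the next maintainer from guessing why a key was not flagged.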
diff --git a/tests/__snapshots__/openai-hardcoded-secret-password-python-snapshot.yml b/tests/__snapshots__/openai-hardcoded-secret-password-python-snapshot.yml
new file mode 100644
index 00000000..652bfde5
--- /dev/null
+++ b/tests/__snapshots__/openai-hardcoded-secret-password-python-snapshot.yml
@@ -0,0 +1,10 @@
+id: openai-hardcoded-secret-password-python
+snapshots:
+  ? |
+    api_key="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"
+    f = "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"
+  : labels:
+    - source: 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
+      style: primary
+      start: 9
+      end: 60
diff --git a/tests/__snapshots__/python-ldap3-empty-password-python-snapshot.yml b/tests/__snapshots__/python-ldap3-empty-password-python-snapshot.yml
new file mode 100644
index 00000000..6c50984e
--- /dev/null
+++ b/tests/__snapshots__/python-ldap3-empty-password-python-snapshot.yml
@@ -0,0 +1,29 @@
+id: python-ldap3-empty-password-python
+snapshots:
+  ? |
+    ldap3.Connection(password="")
+  : labels:
+    - source: ldap3.Connection(password="")
+      style: primary
+      start: 0
+      end: 29
+    - source: ldap3.Connection
+      style: secondary
+      start: 0
+      end: 16
+    - source: password
+      style: secondary
+      start: 17
+      end: 25
+    - source: '""'
+      style: secondary
+      start: 26
+      end: 28
+    - source: password=""
+      style: secondary
+      start: 17
+      end: 28
+    - source: (password="")
+      style: secondary
+      start: 16
+      end: 29
diff --git a/tests/python/openai-hardcoded-secret-python-test.yml b/tests/python/openai-hardcoded-secret-python-test.yml
new file mode 100644
index 00000000..eecabd60
--- /dev/null
+++ b/tests/python/openai-hardcoded-secret-python-test.yml
@@ -0,0 +1,8 @@
+id: openai-hardcoded-secret-password-python
+valid:
+  - |
+    openai.api_key="sk-ExamplexT3BlbkFJp6xpvsfpkEsmAJawIm0V"
+invalid:
+  - |
+    api_key="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"
+    f = "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"
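Review bot: The single `invalid` snippet on lines 187-188 holds two occurrences of the key, and the companion snapshot in this patch records only one label for it (`start: 9`, `end: 60`, i.e. the first line), so the second assignment form appears not to be independently verified; split them into two `- |` entries so each form is checked on its own. The file's `id` on line 181 is `openai-hardcoded-secret-password-python` while the file is named `openai-hardcoded-secret-python-test.yml`; whichever way the rule file's naming is resolved, this file should follow it.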