Add security rules for detecting hard-coded secrets and empty passwords #79

Closed
wants to merge 5 commits

Conversation

ESS-ENN (Collaborator) commented Dec 5, 2024

Summary by CodeRabbit

Release Notes

  • New Features

    • Introduced security rules for Rust applications to detect hard-coded secrets and empty passwords in the reqwest and tokio-postgres libraries.
  • Tests

    • Added comprehensive test cases for validating HTTP requests and database connections, focusing on scenarios with hard-coded credentials and empty passwords.

coderabbitai bot commented Dec 5, 2024

Walkthrough

This pull request introduces three new security rules for Rust applications, targeting the detection of hard-coded secrets and empty passwords in the reqwest and tokio-postgres libraries. Each rule is categorized with a severity level of "warning" and includes detailed messages advising developers on secure credential management practices. Additionally, corresponding test configurations are added to validate these rules, demonstrating both valid and invalid usage scenarios for authentication methods.

Changes

File path and change summary:

  • rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml: new rule added, id: secrets-reqwest-hardcoded-auth-rust; severity level "warning"; detects hard-coded authentication credentials in the reqwest library using patterns for basic_auth and bearer_auth.
  • rules/rust/security/tokio-postgres-empty-password-rust.yml: new rule added, id: tokio-postgres-empty-password-rust; severity level "warning"; detects empty passwords in the tokio-postgres library with multiple matching strategies.
  • rules/rust/security/tokio-postgres-hardcoded-password-rust.yml: new rule added, id: tokio-postgres-hardcoded-password-rust; severity level "warning"; detects hard-coded passwords in the tokio-postgres library using various matching patterns.
  • tests/snapshots/secrets-reqwest-hardcoded-auth-rust-snapshot.yml: new functions added: async fn test1() and async fn test2() for testing hard-coded authentication in reqwest.
  • tests/snapshots/tokio-postgres-empty-password-rust-snapshot.yml: new functions added: async fn test1() and async fn test2() for testing empty password configurations in tokio-postgres.
  • tests/snapshots/tokio-postgres-hardcoded-password-rust-snapshot.yml: new functions added: fn test1() and fn test2() for testing hard-coded passwords in tokio-postgres.
  • tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml: new test functions: async fn test1(pass: &str), async fn test3(), async fn test1(), and async fn test2() for validating HTTP requests using reqwest.
  • tests/rust/tokio-postgres-empty-password-rust-test.yml: new test configuration added, id: tokio-postgres-empty-password-rust, for testing empty password scenarios in tokio_postgres.
  • tests/rust/tokio-postgres-hardcoded-password-rust-test.yml: new test configuration added, id: tokio-postgres-hardcoded-password-rust; valid and invalid test functions added to demonstrate secure and insecure practices with hard-coded passwords.

Possibly related PRs

  • More Rules #8: Introduces a new rule for detecting hard-coded secrets in Rust applications using the reqwest library, which is directly related to the main PR that also focuses on hard-coded secrets in reqwest.
  • Two Rust rules 16Oct2024 #35: Includes a rule for detecting hard-coded secrets in Rust applications, specifically targeting the tokio-postgres library, which aligns with the main PR's focus on hard-coded secrets in Rust applications.
  • Two Rust rules 17Oct2024 #36: Consolidates rules for tokio-postgres, including those for empty and hard-coded passwords, which relates to the main PR's emphasis on security rules for Rust applications.
  • Delete security rule files for empty passwords in multiple languages #60: Involves the deletion of rules related to empty passwords in various languages, including JavaScript and Python, which connects to the main PR's focus on security rules for managing secrets.
  • Add Security Rules for Flask, Cassandra, and Couchbase in YAML Configs #65: Introduces new security rules for Python applications, including those for handling empty passwords, which is relevant to the main PR's focus on security practices in code.

Suggested reviewers

  • petrisorcoderabbit
  • harjotgill

🐰 In the code, we hop and play,
To keep our secrets safe each day.
With rules for passwords, we take a stand,
No hard-coded secrets in our land!
So let’s code wisely, come what may,
And keep those risks far away! 🌟


coderabbitai bot changed the title from "@coderabbitai" to "Add security rules for detecting hard-coded secrets and empty passwords" on Dec 5, 2024
coderabbitai bot left a comment

Actionable comments posted: 8

🧹 Outside diff range and nitpick comments (9)
tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml (1)

2-43: Enhance test coverage with additional scenarios

Consider adding test cases for:

  1. Environment variable based authentication
  2. Secret manager integration
  3. Empty/null credentials
  4. Special characters in credentials
  5. Token-based authentication with dynamic token generation

Would you like me to help generate additional test cases?


rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml (3)

4-10: Enhance security message with specific remediation steps

The current message could be more actionable. Consider adding:

  1. Examples of secure credential management patterns
  2. Links to recommended secret vaults/HSM solutions
  3. Code examples showing correct implementation

Would you like me to help draft an enhanced message?


17-83: Extend pattern matching for additional security scenarios

Consider adding patterns to detect:

  1. Empty or default credentials
  2. Common password patterns
  3. Base64 encoded secrets
  4. Environment variable presence checks

Would you like me to help define additional patterns?

Also applies to: 84-135



1-142: Fix YAML formatting issues

Several formatting issues need to be addressed:

  1. Incorrect indentation at lines 44, 47, 132, 137
  2. Trailing spaces at lines 66, 67, 134
  3. Extra blank lines at the end

Apply this diff to fix the formatting:

@@ -41,7 +41,7 @@
           kind: arguments
           all:
             - has:
-               stopBy: neighbor
+                stopBy: neighbor
                kind: string_literal
                has:
-                stopBy: neighbor
+                 stopBy: neighbor
                 kind: string_content
@@ -63,8 +63,7 @@
                         has:
                           stopBy: neighbor
                           kind: string_content
-                  
-            
+
       - inside:
           stopBy: end
           kind: let_declaration
@@ -130,15 +129,12 @@
                   kind: string_content
             - not:
                has:
-                 kind: call_expression
-               
-
+                  kind: call_expression
 
 rule:
- kind: call_expression
- any:
-   - matches: MATCH_PATTERN_ONE
-   - matches: MATCH_PATTERN_TWO
-
-
+  kind: call_expression
+  any:
+    - matches: MATCH_PATTERN_ONE
+    - matches: MATCH_PATTERN_TWO
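Review bot: these are structural changes, not cosmetic ones, so the hunk needs a behavioural check rather than a lint pass. YAML indentation decides which mapping a key belongs to: moving `stopBy: neighbor` from column 15 to 16 under `- has:` at lines 44 and 47 changes whether it sits inside `has` or beside it, and the same applies to `kind: call_expression` under `not: has:` in the last hunk. After applying, run `ast-grep test` and diff the regenerated snapshot so the invalid cases in tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml still match and the valid ones still do not.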

tests/rust/tokio-postgres-hardcoded-password-rust-test.yml (1)

39-48: Add test case description and improve variable naming

The test case would benefit from a description comment and more descriptive variable names.

Consider adding a descriptive comment:

+// Test case: Direct hardcoded password in config
 fn test1() {
   let mut config = postgres::Config::new();
   config
rules/rust/security/tokio-postgres-hardcoded-password-rust.yml (2)

4-15: Enhance documentation with examples

The rule documentation would benefit from concrete examples of both compliant and non-compliant code.

Consider adding examples in the documentation:

 note: >-
   [CWE-798] Use of Hard-coded Credentials.
   [REFERENCES]
       - https://docs.rs/tokio-postgres/latest/tokio_postgres/
-      - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+      - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+  [EXAMPLES]
+    Non-compliant:
+      config.password("hardcoded-secret")
+    Compliant:
+      config.password(std::env::var("DB_PASSWORD").expect("DB_PASSWORD not set"))
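Review bot: the `-`/`+` pair on the OWASP reference line is a no-op (both lines are identical), so drop it and keep the suggestion to the [EXAMPLES] addition. The compliant example should also match the rule's own message, which only allows environment variables "if allowed by your company policy"; as written it presents `std::env::var` as the recommended form rather than the fallback, so either say so in the example or show the vault lookup the message asks for first.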

281-287: Fix formatting and add pattern descriptions

The rule section would benefit from descriptions for each pattern and consistent formatting.

Add pattern descriptions and fix formatting:

 rule:
   kind: call_expression
   any:
-    - matches: MATCH_PATTERN_WITH_INSTANCE
-    - matches: MATCH_PASSWORD_DIRECTLY
-    - matches: MATCH_PATTERN_PASSWORD_WITH_ITS_INSTANCE
-    - matches: MATCH_PATTERN_WITH_INSTANCE_&_PASSWORD_WITH_ITS_INSTANCE
+    - matches: MATCH_PATTERN_WITH_INSTANCE  # Matches direct config instance usage
+    - matches: MATCH_PASSWORD_DIRECTLY  # Matches inline password setting
+    - matches: MATCH_PATTERN_PASSWORD_WITH_ITS_INSTANCE  # Matches variable assignment
+    - matches: MATCH_PATTERN_WITH_INSTANCE_&_PASSWORD_WITH_ITS_INSTANCE  # Matches combined patterns
+

tests/__snapshots__/tokio-postgres-empty-password-rust-snapshot.yml (2)

13-17: Reduce code duplication in error handling.

The error handling logic for the PostgreSQL connection is duplicated across test functions. Consider extracting it into a helper function.

+async fn handle_connection_error(connection: tokio_postgres::Connection) {
+    if let Err(e) = connection.await {
+        tracing::error!("postgres db connection error: {}", e);
+    }
+}

 async fn test1() -> Result<(), anyhow::Error> {
     // ... existing code ...
-    tokio::spawn(async move {
-        if let Err(e) = connection.await {
-            tracing::error!("postgres db connection error: {}", e);
-        }
-    });
+    tokio::spawn(handle_connection_error(connection));
     Ok(())
 }
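Review bot: this file is a generated ast-grep snapshot of tests/rust/tokio-postgres-empty-password-rust-test.yml, so hand-editing it only makes it diverge from the fixture it was produced from; if the duplication bothers you, change the test file and regenerate. The helper as written would also not compile: `tokio_postgres::Connection` is generic over the stream and TLS types (`Connection<S, T>`), so the parameter needs those type parameters with the `AsyncRead + AsyncWrite + Unpin` bounds the crate's `Future` impl requires, or the helper should take the connection future as `impl Future<Output = Result<(), tokio_postgres::Error>>`.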

Also applies to: 265-269


261-264: Improve error handling consistency.

test2() uses a different error handling approach with custom error mapping. Consider standardizing the error handling approach across all test functions.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 2f95a8e and 339ec62.

📒 Files selected for processing (9)
  • rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml (1 hunks)
  • rules/rust/security/tokio-postgres-empty-password-rust.yml (1 hunks)
  • rules/rust/security/tokio-postgres-hardcoded-password-rust.yml (1 hunks)
  • tests/__snapshots__/secrets-reqwest-hardcoded-auth-rust-snapshot.yml (1 hunks)
  • tests/__snapshots__/tokio-postgres-empty-password-rust-snapshot.yml (1 hunks)
  • tests/__snapshots__/tokio-postgres-hardcoded-password-rust-snapshot.yml (1 hunks)
  • tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml (1 hunks)
  • tests/rust/tokio-postgres-empty-password-rust-test.yml (1 hunks)
  • tests/rust/tokio-postgres-hardcoded-password-rust-test.yml (1 hunks)
🧰 Additional context used
🪛 yamllint (1.35.1)
tests/rust/tokio-postgres-empty-password-rust-test.yml

[error] 79-79: no new line character at the end of file

(new-line-at-end-of-file)

rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml

[warning] 44-44: wrong indentation: expected 16 but found 15

(indentation)


[warning] 47-47: wrong indentation: expected 17 but found 16

(indentation)


[error] 66-66: trailing spaces

(trailing-spaces)


[error] 67-67: trailing spaces

(trailing-spaces)


[warning] 132-132: wrong indentation: expected 16 but found 15

(indentation)


[error] 134-134: trailing spaces

(trailing-spaces)


[warning] 137-137: wrong indentation: expected 2 but found 1

(indentation)


[warning] 142-142: too many blank lines

(2 > 0) (empty-lines)

tests/rust/tokio-postgres-hardcoded-password-rust-test.yml

[error] 59-59: no new line character at the end of file

(new-line-at-end-of-file)

tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml

[error] 22-22: trailing spaces

(trailing-spaces)

rules/rust/security/tokio-postgres-hardcoded-password-rust.yml

[warning] 25-25: wrong indentation: expected 16 but found 18

(indentation)


[error] 69-69: trailing spaces

(trailing-spaces)


[error] 130-130: trailing spaces

(trailing-spaces)


[error] 182-182: trailing spaces

(trailing-spaces)


[error] 197-197: trailing spaces

(trailing-spaces)


[warning] 206-206: wrong indentation: expected 16 but found 18

(indentation)


[error] 248-248: trailing spaces

(trailing-spaces)


[warning] 271-271: wrong indentation: expected 20 but found 19

(indentation)


[error] 287-287: no new line character at the end of file

(new-line-at-end-of-file)

rules/rust/security/tokio-postgres-empty-password-rust.yml

[warning] 24-24: wrong indentation: expected 16 but found 18

(indentation)


[warning] 63-63: wrong indentation: expected 14 but found 13

(indentation)


[warning] 64-64: wrong indentation: expected 15 but found 14

(indentation)


[error] 69-69: trailing spaces

(trailing-spaces)


[warning] 128-128: wrong indentation: expected 14 but found 13

(indentation)


[warning] 129-129: wrong indentation: expected 15 but found 14

(indentation)


[error] 131-131: trailing spaces

(trailing-spaces)


[error] 183-183: trailing spaces

(trailing-spaces)


[warning] 196-196: wrong indentation: expected 22 but found 21

(indentation)


[warning] 197-197: wrong indentation: expected 23 but found 22

(indentation)


[error] 199-199: trailing spaces

(trailing-spaces)


[warning] 208-208: wrong indentation: expected 16 but found 18

(indentation)


[error] 250-250: trailing spaces

(trailing-spaces)


[warning] 273-273: wrong indentation: expected 20 but found 19

(indentation)


[warning] 281-281: wrong indentation: expected 24 but found 23

(indentation)


[warning] 285-285: wrong indentation: expected 2 but found 3

(indentation)


[warning] 287-287: wrong indentation: expected 5 but found 4

(indentation)


[error] 290-290: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (1)
rules/rust/security/tokio-postgres-empty-password-rust.yml (1)

1-14: Well-structured security rule with comprehensive documentation.

The rule is well-defined with:

  • Clear message explaining the security implications
  • Appropriate severity level
  • Relevant references to CWE-287 and OWASP guidelines

coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (2)
rules/rust/security/tokio-postgres-hardcoded-password-rust.yml (2)

4-16: Enhance security guidance in the message and references

The message and references are good but could be strengthened:

  1. Add a cautionary note about environment variables not being completely secure
  2. Include references to secure secret management solutions
 message: >-
   A secret is hard-coded in the application. Secrets stored in source
   code, such as credentials, identifiers, and other types of sensitive data,
   can be leaked and used by internal or external malicious actors. It is
   recommended to rotate the secret and retrieve them from a secure secret
   vault or Hardware Security Module (HSM), alternatively environment
-  variables can be used if allowed by your company policy.
+  variables can be used if allowed by your company policy, but note that
+  they can still be exposed through process inspection or environment dumps.
 note: >-
   [CWE-798] Use of Hard-coded Credentials.
   [REFERENCES]
       - https://docs.rs/tokio-postgres/latest/tokio_postgres/
       - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+      - https://www.vaultproject.io/
+      - https://aws.amazon.com/secrets-manager/

282-288: Improve rule definition and fix file format

  1. Consider ordering patterns by specificity (most specific first)
  2. Add newline at end of file
 rule:
   kind: call_expression
   any:
-    - matches: MATCH_PATTERN_WITH_INSTANCE
     - matches: MATCH_PASSWORD_DIRECTLY
+    - matches: MATCH_EMPTY_PASSWORD  # Add new pattern
+    - matches: MATCH_CONNECTION_URL  # Add new pattern
+    - matches: MATCH_PATTERN_WITH_INSTANCE
     - matches: MATCH_PATTERN_PASSWORD_WITH_ITS_INSTANCE
     - matches: MATCH_PATTERN_WITH_INSTANCE_&_PASSWORD_WITH_ITS_INSTANCE
+
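Review bot: as suggested, this hunk breaks the rule: `MATCH_EMPTY_PASSWORD` and `MATCH_CONNECTION_URL` are referenced under `matches:` but defined nowhere in this file, and ast-grep refuses to load a rule that references an undefined util, so the definitions have to land in `utils:` in the same change. The empty-password case is also already handled by tokio-postgres-empty-password-rust in this same PR; folding it in here would report every empty password twice, so keep it out and add only the connection-string pattern. Reordering the `any:` branches changes evaluation order, not what gets reported, so the "most specific first" point is moot.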

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 339ec62 and db972e7.

📒 Files selected for processing (1)
  • rules/rust/security/tokio-postgres-hardcoded-password-rust.yml (1 hunks)
🧰 Additional context used
🪛 yamllint (1.35.1)
rules/rust/security/tokio-postgres-hardcoded-password-rust.yml

[warning] 26-26: wrong indentation: expected 16 but found 18

(indentation)


[error] 70-70: trailing spaces

(trailing-spaces)


[error] 131-131: trailing spaces

(trailing-spaces)


[error] 183-183: trailing spaces

(trailing-spaces)


[error] 198-198: trailing spaces

(trailing-spaces)


[warning] 207-207: wrong indentation: expected 16 but found 18

(indentation)


[error] 249-249: trailing spaces

(trailing-spaces)


[warning] 272-272: wrong indentation: expected 20 but found 19

(indentation)


[error] 288-288: no new line character at the end of file

(new-line-at-end-of-file)

🔇 Additional comments (1)
rules/rust/security/tokio-postgres-hardcoded-password-rust.yml (1)

1-288: Verify rule coverage against common patterns

Let's verify if the rule catches all common patterns of password usage in the codebase.

✅ Verification successful

Rule effectively covers all common hardcoded password patterns

Based on the test cases and snapshots examined, the rule successfully detects all common patterns of hardcoded password usage in tokio-postgres configurations:

  • Direct string literals in password method: .password("hardcoded-password")
  • Variable assignments with hardcoded values: pwd = "secret"; .password(pwd)
  • Both postgres::Config and tokio_postgres::Config variants
  • Chained configuration methods in different orders
  • Various connection setup patterns (single config vs direct chain)

The test cases provide good coverage of real-world usage patterns, and the rule's AST patterns effectively match these scenarios. The complementary empty-password rule ensures comprehensive coverage of credential-related security issues.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for common password patterns in Rust files

# Search for tokio-postgres usage patterns
echo "Checking for tokio-postgres usage patterns..."
rg -t rust 'postgres::Config::new\(\)' -A 5

# Search for potential password assignments
echo "Checking for password assignments..."
rg -t rust '\.password\(' -A 2

# Search for connection strings
echo "Checking for connection strings..."
rg -t rust 'postgres://' -A 1

Length of output: 818


Script:

#!/bin/bash
# Let's try a different approach to find Rust files and patterns

# First, find all Rust files
echo "Finding Rust files..."
fd -e rs

# Look for any postgres related imports or usage
echo "Checking for postgres usage..."
rg "postgres" -l

# Look for test files that might contain examples
echo "Checking test files..."
fd -e rs "test"

# Look for example files
echo "Checking example files..."
fd "example" -e rs

Length of output: 678


Script:

#!/bin/bash
# Let's examine the test files to verify rule coverage

# Check the test snapshots
echo "Checking test snapshots for coverage patterns..."
cat tests/__snapshots__/tokio-postgres-hardcoded-password-rust-snapshot.yml

# Check the test cases
echo -e "\nChecking test cases..."
cat tests/rust/tokio-postgres-hardcoded-password-rust-test.yml

# Check the related empty password rule
echo -e "\nChecking related empty password rule..."
cat rules/rust/security/tokio-postgres-empty-password-rust.yml

Length of output: 22732


Comment on lines 17 to 281 of rules/rust/security/tokio-postgres-hardcoded-password-rust.yml
stopby: end
kind: expression_statement
has:
stopBy: end
kind: assignment_expression
all:
- has:
stopBy: neighbor
kind: identifier
pattern: $E
- has:
stopBy: neighbor
kind: string_literal
has:
stopBy: neighbor
kind: string_content

MATCH_PATTERN_WITH_INSTANCE_&_PASSWORD_WITH_ITS_INSTANCE:
kind: call_expression
all:
- has:
stopBy: neighbor
kind: field_expression
all:
- has:
stopBy: neighbor
kind: call_expression
all:
- has:
stopBy: neighbor
kind: field_expression
all:
- has:
stopBy: end
kind: call_expression
all:
- has:
stopBy: neighbor
kind: field_expression
all:
- has:
stopBy: neighbor
kind: identifier
pattern: $C
- has:
stopBy: neighbor
kind: arguments
- has:
stopBy: neighbor
kind: field_identifier
- has:
stopBy: neighbor
kind: arguments
- has:
stopBy: neighbor
kind: field_identifier
regex: "^password$"
- has:
stopBy: neighbor
kind: arguments
has:
stopBy: neighbor
kind: identifier
pattern: $Z
- inside:
stopBy: end
kind: expression_statement
follows:
stopBy: end
kind: let_declaration
all:
- has:
stopBy: neighbor
kind: identifier
pattern: $C
- has:
stopBy: neighbor
kind: call_expression
pattern: postgres::Config::new()
- inside:
stopBy: end
kind: block
has:
stopBy: end
kind: expression_statement
has:
stopBy: neighbor
kind: assignment_expression
all:
- has:
stopBy: neighbor
kind: identifier
pattern: $Z
- has:
stopBy: neighbor
kind: string_literal
has:
stopBy: neighbor
kind: string_content
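Review bot: the first line of this region reads `stopby: end` while every other relation in the file uses `stopBy`; the key is case-sensitive, so the relation it belongs to either fails to parse or silently falls back to the default neighbor-only search, and the enclosing `expression_statement` it is meant to reach is no longer found when it is not the immediate parent. Fix the casing and add an invalid test case where the password variable is assigned inside a nested block, since that is the shape only `stopBy: end` catches. Separately, `pattern: postgres::Config::new()` in `MATCH_PATTERN_WITH_INSTANCE_&_PASSWORD_WITH_ITS_INSTANCE` is spelled with the sync `postgres` crate path, so a `tokio_postgres::Config::new()` instance will not satisfy this util unless another util covers it; worth a test case for each crate path.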


🛠️ Refactor suggestion

Add patterns for additional security scenarios

The current patterns might miss some security-sensitive cases:

  1. Empty passwords
  2. Connection string URLs containing credentials
  3. String concatenation in password assignments

Add these additional patterns:

  # x.password("") -- an empty literal has no string_content child in the
  # Rust grammar, so match the literal's own text instead of looking for
  # content, and use `regex` (not `pattern`, which is a code pattern).
  # `arguments` is a child of the call, not of the field_expression.
  MATCH_EMPTY_PASSWORD:
    kind: call_expression
    all:
      - has:
          stopBy: neighbor
          kind: field_expression
          has:
            stopBy: neighbor
            kind: field_identifier
            regex: '^password$'
      - has:
          stopBy: neighbor
          kind: arguments
          has:
            stopBy: neighbor
            kind: string_literal
            regex: '^""$'

  # connect("postgres://user:pw@host/db", NoTls): a literal URL whose
  # userinfo carries a non-empty password. The regex anchors on the
  # scheme so a query string containing '@' does not trigger it.
  MATCH_CONNECTION_URL:
    kind: call_expression
    has:
      stopBy: neighbor
      kind: arguments
      has:
        stopBy: neighbor
        kind: string_literal
        regex: '^"postgres(ql)?://[^:/@"]+:[^@"]+@'

⚠️ Potential issue

Fix YAML formatting issues and improve pattern names

The utility patterns have formatting issues that could affect parsing:

  1. Inconsistent indentation at lines 26, 207, and 272
  2. Trailing spaces at lines 70, 131, 183, 198, and 249

Apply these fixes:

  1. Fix indentation to be consistent (2 spaces per level)
  2. Remove all trailing spaces
  3. Add more descriptive pattern names
 utils:
   MATCH_PATTERN_WITH_INSTANCE:
-    # Current implementation...
+  MATCH_CONFIG_INSTANCE_WITH_HARDCODED_PASSWORD:
     # Rest of implementation with fixed indentation...
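Review bot: renaming `MATCH_PATTERN_WITH_INSTANCE` here without touching the `matches: MATCH_PATTERN_WITH_INSTANCE` reference under `rule:` (lines 282-288) leaves a dangling util name and the rule will not load; a rename has to update both ends in the same commit. The `# Rest of implementation...` placeholder also means this is not an applicable hunk: post the indentation and trailing-space fixes yamllint reports as a full diff, and keep the rename as its own change so the snapshot tests can be re-run against each separately.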

Also consider consolidating redundant checks in the patterns to improve maintainability.

Committable suggestion skipped: line range outside the PR's diff.

coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (2)
rules/rust/security/tokio-postgres-hardcoded-password-rust.yml (2)

4-16: Enhance security guidance in the message

Consider enhancing the message with:

  1. Specific examples of secure alternatives (e.g., AWS Secrets Manager, HashiCorp Vault)
  2. Best practices for credential rotation (e.g., automatic rotation schedules)
 message: >-
   A secret is hard-coded in the application. Secrets stored in source
   code, such as credentials, identifiers, and other types of sensitive data,
   can be leaked and used by internal or external malicious actors. It is
   recommended to rotate the secret and retrieve them from a secure secret
-  vault or Hardware Security Module (HSM), alternatively environment
-  variables can be used if allowed by your company policy.
+  vault (e.g., AWS Secrets Manager, HashiCorp Vault) or Hardware Security Module (HSM).
+  Environment variables can be used if allowed by your company policy.
+  Implement automatic credential rotation with defined schedules (e.g., every 90 days)
+  and ensure proper secret versioning and access controls are in place.
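Review bot: a concrete rotation interval ("every 90 days") and "secret versioning and access controls" are organisational policy that this rule cannot observe, so they do not belong in a finding message; keep `message:` to what was detected and how to fix it in code, and put vendor names and rotation guidance in `note:` next to the CWE and OWASP references, where readers expect background material.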

26-26: Fix YAML formatting issues

The file has several formatting issues that should be fixed:

  • Inconsistent indentation at lines 26, 207, and 272
  • Trailing spaces at lines 70, 131, 183, 198, and 249

Also applies to: 70-70, 131-131, 183-183, 198-198, 207-207, 249-249, 272-272

🧰 Tools
🪛 yamllint (1.35.1)

[warning] 26-26: wrong indentation: expected 16 but found 18

(indentation)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between db972e7 and 8cc8cd6.

📒 Files selected for processing (1)
  • rules/rust/security/tokio-postgres-hardcoded-password-rust.yml (1 hunks)
🧰 Additional context used
🪛 yamllint (1.35.1)
rules/rust/security/tokio-postgres-hardcoded-password-rust.yml

[warning] 26-26: wrong indentation: expected 16 but found 18

(indentation)


[error] 70-70: trailing spaces

(trailing-spaces)


[error] 131-131: trailing spaces

(trailing-spaces)


[error] 183-183: trailing spaces

(trailing-spaces)


[error] 198-198: trailing spaces

(trailing-spaces)


[warning] 207-207: wrong indentation: expected 16 but found 18

(indentation)


[error] 249-249: trailing spaces

(trailing-spaces)


[warning] 272-272: wrong indentation: expected 20 but found 19

(indentation)

🔇 Additional comments (3)
rules/rust/security/tokio-postgres-hardcoded-password-rust.yml (3)

282-288: LGTM! Rule definition is well-structured

The main rule effectively combines all utility patterns to create a comprehensive detection mechanism.


17-281: 🛠️ Refactor suggestion

Add patterns for additional security scenarios

The current patterns might miss some security-sensitive cases:

  1. Empty passwords
  2. Connection string URLs containing credentials
  3. String concatenation in password assignments

Add these additional patterns as suggested in the past review comments.


1-288: Verify test coverage and similar rules

Let's verify:

  1. Test coverage for these security rules
  2. Similar rules for other database frameworks
✅ Verification successful

Security rules are well-tested and properly structured

Based on the verification results:

  1. Test coverage is comprehensive:

    • Found test files in tests/rust/tokio-postgres-hardcoded-password-rust-test.yml
    • Found test snapshots in tests/__snapshots__/tokio-postgres-empty-password-rust-snapshot.yml
    • Tests cover various scenarios including environment variables, empty passwords, and hardcoded passwords
  2. Similar rules exist:

    • Found complementary rule tokio-postgres-empty-password-rust.yml that checks for empty passwords
    • Both rules work together to catch different types of password-related security issues
  3. Usage patterns in tests demonstrate:

    • Correct pattern matching for tokio_postgres::Config::new()
    • Various password configurations including environment variables (secure) and hardcoded strings (insecure)
    • Proper test coverage for both positive and negative cases
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for test coverage and similar rules

# Check for test files
echo "Checking for test files..."
fd -e yml "test.*tokio-postgres-hardcoded-password" rules/

# Check for similar rules in other frameworks
echo "Checking for similar rules..."
fd -e yml . rules/rust/security/ -x grep -l "hardcoded.*password"

# Check for usage patterns
echo "Checking for usage patterns..."
rg "tokio_postgres::Config::new\(\)" -A 5

Length of output: 21923


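The three scenarios the review above asks the rule to cover (empty passwords, credentials embedded in a connection URL, and passwords assembled by string concatenation) can be illustrated with a small scanner. This is an added example, not code from the PR or from the ast-grep rules repository: it is a line-oriented textual approximation of what the AST-based rule should match, run over a constructed Rust source snippet, and the `Finding` enum, the `scan` function and the `SAMPLE` input are assumptions made here for illustration.

```rust
/// What a scan of one source file reports. Line numbers are 1-based.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Finding {
    /// `.password("literal")` with a non-empty string literal.
    HardcodedPassword { line: usize },
    /// `.password("")`: an empty password, almost always a misconfiguration.
    EmptyPassword { line: usize },
    /// `.password(format!(..))` or `.password(a + b)`: secret assembled from pieces.
    ConcatenatedPassword { line: usize },
    /// `postgres://user:secret@host/...`: credentials embedded in a URL literal.
    CredentialsInUrl { line: usize },
}

/// True when `arg` (the text after `.password(`) begins with a Rust string literal.
fn starts_with_string_literal(arg: &str) -> bool {
    arg.starts_with('"') || arg.starts_with("r\"") || arg.starts_with("r#")
}

/// True when the URL authority (`user:pass@host`) carries a password component.
fn url_has_password(after_scheme: &str) -> bool {
    // The authority ends at the first '/', '?' or the closing quote of the literal;
    // the userinfo part ends at the last '@' before that.
    let authority_end = after_scheme
        .find(|c: char| c == '/' || c == '?' || c == '"')
        .unwrap_or(after_scheme.len());
    let authority = &after_scheme[..authority_end];
    match authority.rfind('@') {
        Some(at) => authority[..at].contains(':'),
        None => false,
    }
}

/// Scan Rust source text for the four insecure patterns. Arguments that are not
/// string literals or concatenations (env::var, a variable, a vault client call)
/// are deliberately not flagged: that is the secure path the rule message recommends.
pub fn scan(src: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, line) in src.lines().enumerate() {
        let n = idx + 1;
        // Whole-line comments may legitimately show what *not* to do; skip them.
        if line.trim_start().starts_with("//") {
            continue;
        }
        if let Some(pos) = line.find(".password(") {
            let arg = line[pos + ".password(".len()..].trim_start();
            if arg.starts_with("\"\"") || arg.starts_with("r\"\"") {
                findings.push(Finding::EmptyPassword { line: n });
            } else if starts_with_string_literal(arg) {
                findings.push(Finding::HardcodedPassword { line: n });
            } else if arg.contains("format!(") || arg.contains("concat!(") || arg.contains(" + ") {
                findings.push(Finding::ConcatenatedPassword { line: n });
            }
        }
        for scheme in ["postgres://", "postgresql://"] {
            if let Some(pos) = line.find(scheme) {
                if url_has_password(&line[pos + scheme.len()..]) {
                    findings.push(Finding::CredentialsInUrl { line: n });
                }
            }
        }
    }
    findings
}

/// Constructed sample (not from the PR) mixing insecure and secure configurations.
pub const SAMPLE: &str = r#"
use tokio_postgres::Config;
fn hardcoded() -> Config {
    let mut c = Config::new();
    c.user("app").password("s3cret-in-source");
    c
}
fn empty() -> Config {
    let mut c = Config::new();
    c.user("app").password("");
    c
}
fn concatenated() -> Config {
    let mut c = Config::new();
    c.password(format!("{}{}", "s3c", "ret"));
    c
}
fn url() -> &'static str {
    "postgres://app:s3cret@db.internal/app"
}
fn safe() -> Config {
    let mut c = Config::new();
    // Secret comes from the environment, so nothing is flagged here.
    c.password(std::env::var("DB_PASSWORD").expect("DB_PASSWORD not set"));
    c
}
"#;

fn main() {
    for f in scan(SAMPLE) {
        println!("{:?}", f);
    }
}
```

Running it reports one finding per insecure function (lines 5, 10, 15 and 19 of the sample) and nothing for `safe()`. An AST-based rule replaces the string matching with `kind: string_literal` / `kind: macro_invocation` checks on the call's argument, which is what makes it robust to formatting; the textual version is only meant to make the four target shapes concrete.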
- has:
    stopBy: neighbor
    kind: call_expression
    pattern: tokio_tokio_postgres::Config::new()

⚠️ Potential issue

Fix typo in pattern

The pattern has a typo in the package name:

-                  pattern: tokio_tokio_postgres::Config::new()
+                  pattern: tokio_postgres::Config::new()
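Review bot: the typo means this `has` clause can never match a real `tokio_postgres::Config::new()` call, so the enclosing rule silently produces no findings for that branch. After applying the fix, add an invalid case to tests/rust/tokio-postgres-hardcoded-password-rust-test.yml that exercises exactly this branch and confirm the snapshot records the match: a pattern with a dead identifier that still passed the suite shows the existing tests never covered this path.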

@ESS-ENN ESS-ENN closed this Jan 8, 2025