openai-empty-secret-go

Author: ESS-ENN

rules/go/security/openai-empty-secret-go.yml

@@ -0,0 +1,50 @@
+id: openai-empty-secret-go
+language: go
+severity: warning
+message: >-
+  The application uses an empty credential. This can lead to unauthorized
+  access by either an internal or external malicious actor. It is
+  recommended to rotate the secret and retrieve them from a secure secret
+  vault or Hardware Security Module (HSM), alternatively environment
+  variables can be used if allowed by your company policy.
+note: >-
+  [CWE-287] Improper Authentication.
+  [REFERENCES]
+      - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+utils:
+  MATCH_openai.NewClient:
+    kind: expression_list
+    all:
+      - has:
+          stopBy: neighbor
+          kind: call_expression
+          all:
+            - has:
+                stopBy: neighbor
+                kind: selector_expression
+                all:
+                  - has:
+                      stopBy: neighbor
+                      kind: identifier
+                      regex: "^openai$"
+                  - has:
+                      stopBy: neighbor
+                      kind: field_identifier
+                      regex: "^NewClient$"
+            - has:
+                stopBy: neighbor
+                kind: argument_list
+                regex: \(\s*\"\"\s*\)
+      - inside:
+          stopBy: end
+          kind: function_declaration
+          follows:
+            stopBy: end
+            kind: import_declaration
+            has:
+              stopBy: end
+              kind: import_spec
+              regex: "github.com/sashabaranov/go-openai"
+rule:
+  kind: expression_list
+  matches: MATCH_openai.NewClient

tests/__snapshots__/openai-empty-secret-go-snapshot.yml

@@ -0,0 +1,52 @@
+id: openai-empty-secret-go
+snapshots:
+  ? |
+    import (
+    "github.com/sashabaranov/go-openai"
+    )
+    func main() {
+     client := openai.NewClient("")
+       }
+  : labels:
+    - source: openai.NewClient("")
+      style: primary
+      start: 72
+      end: 92
+    - source: openai
+      style: secondary
+      start: 72
+      end: 78
+    - source: NewClient
+      style: secondary
+      start: 79
+      end: 88
+    - source: openai.NewClient
+      style: secondary
+      start: 72
+      end: 88
+    - source: ("")
+      style: secondary
+      start: 88
+      end: 92
+    - source: openai.NewClient("")
+      style: secondary
+      start: 72
+      end: 92
+    - source: '"github.com/sashabaranov/go-openai"'
+      style: secondary
+      start: 9
+      end: 44
+    - source: |-
+        import (
+        "github.com/sashabaranov/go-openai"
+        )
+      style: secondary
+      start: 0
+      end: 46
+    - source: |-
+        func main() {
+         client := openai.NewClient("")
+           }
+      style: secondary
+      start: 47
+      end: 97

tests/go/openai-empty-secret-go-test.yml

@@ -0,0 +1,17 @@
+id: openai-empty-secret-go
+valid:
+  - |
+    import (
+    "github.com/sashabaranov/go-openai"
+    )
+    func main() {
+     client := openai.NewClient("fvgf")
+       }
+invalid:
+  - |
+    import (
+    "github.com/sashabaranov/go-openai"
+    )
+    func main() {
+     client := openai.NewClient("")
+       }