1+ id : tokio-postgres-hardcoded-password-rust
2+ language : rust
3+ severity : warning
4+ message : >-
5+ A secret is hard-coded in the application. Secrets stored in source
6+ code, such as credentials, identifiers, and other types of sensitive data,
7+ can be leaked and used by internal or external malicious actors. It is
8+ recommended to rotate the secret and retrieve them from a secure secret
9+ vault or Hardware Security Module (HSM), alternatively environment
10+ variables can be used if allowed by your company policy.
11+ note : >-
12+ [CWE-798] Use of Hard-coded Credentials.
13+ [REFERENCES]
14+ - https://docs.rs/tokio-postgres/latest/tokio_postgres/
15+ - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
16+ utils :
17+ MATCH_PATTERN_WITH_INSTANCE :
18+ kind : call_expression
19+ all :
20+ - has :
21+ stopBy : neighbor
22+ kind : field_expression
23+ all :
24+ - has :
25+ stopBy : neighbor
26+ kind : call_expression
27+ all :
28+ - has :
29+ stopBy : neighbor
30+ kind : field_expression
31+ all :
32+ - has :
33+ stopBy : end
34+ kind : call_expression
35+ all :
36+ - has :
37+ stopBy : neighbor
38+ kind : field_expression
39+ all :
40+ - has :
41+ stopBy : neighbor
42+ kind : identifier
43+ pattern : $C
44+ - has :
45+ stopBy : neighbor
46+ kind : arguments
47+ - has :
48+ stopBy : neighbor
49+ kind : field_identifier
50+ - has :
51+ stopBy : neighbor
52+ kind : arguments
53+ - has :
54+ stopBy : neighbor
55+ kind : field_identifier
56+ regex : " ^password$"
57+ - has :
58+ stopBy : neighbor
59+ kind : arguments
60+ has :
61+ stopBy : neighbor
62+ kind : string_literal
63+ has :
64+ stopBy : neighbor
65+ kind : string_content
66+ - inside :
67+ stopBy : end
68+ kind : expression_statement
69+ follows :
70+ stopBy : end
71+ kind : let_declaration
72+ all :
73+ - has :
74+ stopBy : neighbor
75+ kind : identifier
76+ pattern : $C
77+ - has :
78+ stopBy : neighbor
79+ kind : call_expression
80+ pattern : postgres::Config::new()
81+
82+ MATCH_PASSWORD_DIRECTLY :
83+ kind : call_expression
84+ all :
85+ - has :
86+ stopBy : neighbor
87+ kind : field_expression
88+ all :
89+ - has :
90+ stopBy : neighbor
91+ kind : call_expression
92+ all :
93+ - has :
94+ stopBy : neighbor
95+ kind : field_expression
96+ all :
97+ - has :
98+ stopBy : neighbor
99+ kind : call_expression
100+ all :
101+ - has :
102+ stopBy : neighbor
103+ kind : field_expression
104+ has :
105+ stopBy : neighbor
106+ kind : call_expression
107+ pattern : postgres::Config::new()
108+ - has :
109+ stopBy : neighbor
110+ kind : arguments
111+ - has :
112+ stopBy : neighbor
113+ kind : field_identifier
114+ - has :
115+ stopBy : neighbor
116+ kind : arguments
117+ - has :
118+ stopBy : neighbor
119+ kind : field_identifier
120+ regex : ' ^password$'
121+ - has :
122+ stopBy : neighbor
123+ kind : arguments
124+ has :
125+ stopBy : neighbor
126+ kind : string_literal
127+ has :
128+ stopBy : neighbor
129+ kind : string_content
130+
131+ MATCH_PATTERN_PASSWORD_WITH_ITS_INSTANCE :
132+ kind : call_expression
133+ all :
134+ - has :
135+ stopBy : neighbor
136+ kind : field_expression
137+ all :
138+ - has :
139+ stopBy : neighbor
140+ kind : call_expression
141+ all :
142+ - has :
143+ stopBy : neighbor
144+ kind : field_expression
145+ all :
146+ - has :
147+ stopBy : neighbor
148+ kind : call_expression
149+ all :
150+ - has :
151+ stopBy : neighbor
152+ kind : field_expression
153+ has :
154+ stopBy : neighbor
155+ kind : call_expression
156+ pattern : postgres::Config::new()
157+ - has :
158+ stopBy : neighbor
159+ kind : arguments
160+ - has :
161+ stopBy : neighbor
162+ kind : field_identifier
163+ - has :
164+ stopBy : neighbor
165+ kind : arguments
166+ - has :
167+ stopBy : neighbor
168+ kind : field_identifier
169+ regex : ' ^password$'
170+ - has :
171+ stopBy : neighbor
172+ kind : arguments
173+ has :
174+ stopBy : neighbor
175+ kind : identifier
176+ pattern : $E
177+ - inside :
178+ stopBy : end
179+ kind : block
180+ has :
181+ stopby : end
182+ kind : expression_statement
183+ has :
184+ stopBy : end
185+ kind : assignment_expression
186+ all :
187+ - has :
188+ stopBy : neighbor
189+ kind : identifier
190+ pattern : $E
191+ - has :
192+ stopBy : neighbor
193+ kind : string_literal
194+ has :
195+ stopBy : neighbor
196+ kind : string_content
197+
198+ MATCH_PATTERN_WITH_INSTANCE_&_PASSWORD_WITH_ITS_INSTANCE :
199+ kind : call_expression
200+ all :
201+ - has :
202+ stopBy : neighbor
203+ kind : field_expression
204+ all :
205+ - has :
206+ stopBy : neighbor
207+ kind : call_expression
208+ all :
209+ - has :
210+ stopBy : neighbor
211+ kind : field_expression
212+ all :
213+ - has :
214+ stopBy : end
215+ kind : call_expression
216+ all :
217+ - has :
218+ stopBy : neighbor
219+ kind : field_expression
220+ all :
221+ - has :
222+ stopBy : neighbor
223+ kind : identifier
224+ pattern : $C
225+ - has :
226+ stopBy : neighbor
227+ kind : arguments
228+ - has :
229+ stopBy : neighbor
230+ kind : field_identifier
231+ - has :
232+ stopBy : neighbor
233+ kind : arguments
234+ - has :
235+ stopBy : neighbor
236+ kind : field_identifier
237+ regex : " ^password$"
238+ - has :
239+ stopBy : neighbor
240+ kind : arguments
241+ has :
242+ stopBy : neighbor
243+ kind : identifier
244+ pattern : $Z
245+ - inside :
246+ stopBy : end
247+ kind : expression_statement
248+ follows :
249+ stopBy : end
250+ kind : let_declaration
251+ all :
252+ - has :
253+ stopBy : neighbor
254+ kind : identifier
255+ pattern : $C
256+ - has :
257+ stopBy : neighbor
258+ kind : call_expression
259+ pattern : postgres::Config::new()
260+ - inside :
261+ stopBy : end
262+ kind : block
263+ has :
264+ stopBy : end
265+ kind : expression_statement
266+ has :
267+ stopBy : neighbor
268+ kind : assignment_expression
269+ all :
270+ - has :
271+ stopBy : neighbor
272+ kind : identifier
273+ pattern : $Z
274+ - has :
275+ stopBy : neighbor
276+ kind : string_literal
277+ has :
278+ stopBy : neighbor
279+ kind : string_content
280+
281+ rule :
282+ kind : call_expression
283+ any :
284+ - matches : MATCH_PATTERN_WITH_INSTANCE
285+ - matches : MATCH_PASSWORD_DIRECTLY
286+ - matches : MATCH_PATTERN_PASSWORD_WITH_ITS_INSTANCE
287+ - matches : MATCH_PATTERN_WITH_INSTANCE_&_PASSWORD_WITH_ITS_INSTANCE
0 commit comments