secrets-reqwest-hardcoded-auth-rust

ESS-ENN · ESS-ENN · commit 3ea041e8a5bc · 2024-10-17T17:51:12.000+05:30
diff --git a/rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml b/rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml
@@ -0,0 +1,138 @@
+id: secrets-reqwest-hardcoded-auth-rust
+language: rust
+severity: warning
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. It is
+  recommended to rotate the secret and retrieve them from a secure secret
+  vault or Hardware Security Module (HSM), alternatively environment
+  variables can be used if allowed by your company policy.
+note: >-
+  [CWE-798] Use of Hard-coded Credentials.
+  [REFERENCES]
+      - https://docs.rs/reqwest/latest/reqwest/
+      - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+utils:
+  MATCH_PATTERN_ONE:
+    kind: call_expression
+    all:
+      - has:
+          stopBy: neighbor
+          kind: field_expression
+          all:
+            - has:
+                stopBy: neighbor
+                kind: call_expression
+                has:
+                  stopBy: neighbor
+                  kind: field_expression
+                  all:
+                    - has:
+                        stopBy: neighbor
+                        kind: identifier
+                        pattern: $C
+            - has:
+                stopBy: neighbor
+                kind: field_identifier
+                regex: "^bearer_auth|basic_auth$"
+      - has:
+          stopBy: neighbor
+          kind: arguments
+          all:
+            - has:
+                stopBy: neighbor
+                kind: string_literal
+                has:
+                  stopBy: neighbor
+                  kind: string_content
+            - has:
+                stopBy: neighbor
+                kind: call_expression
+                all:
+                  - has:
+                      stopBy: neighbor
+                      kind: identifier
+                      regex: "^Some$"
+                  - has:
+                      stopBy: neighbor
+                      kind: arguments
+                      has:
+                        stopBy: neighbor
+                        kind: string_literal
+                        has:
+                          stopBy: neighbor
+                          kind: string_content
+
+      - inside:
+          stopBy: end
+          kind: let_declaration
+          follows:
+            stopBy: end
+            kind: let_declaration
+            all:
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+                  pattern: $C
+              - has:
+                  stopBy: neighbor
+                  kind: call_expression
+                  pattern: reqwest::Client::new($$$)
+
+  MATCH_PATTERN_TWO:
+    kind: call_expression
+    all:
+      - has:
+          stopBy: neighbor
+          kind: field_expression
+          all:
+            - has:
+                stopBy: neighbor
+                kind: call_expression
+                has:
+                  stopBy: neighbor
+                  kind: field_expression
+                  all:
+                    - has:
+                        stopBy: neighbor
+                        kind: identifier
+                        pattern: $C
+            - has:
+                stopBy: neighbor
+                kind: field_identifier
+                regex: "^bearer_auth|basic_auth$"
+      - inside:
+          stopBy: end
+          kind: let_declaration
+          follows:
+            stopBy: end
+            kind: let_declaration
+            all:
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+                  pattern: $C
+              - has:
+                  stopBy: neighbor
+                  kind: call_expression
+                  pattern: reqwest::Client::new($$$)
+      - has:
+          stopBy: neighbor
+          kind: arguments
+          all:
+            - has:
+                stopBy: neighbor
+                kind: string_literal
+                has:
+                  stopBy: neighbor
+                  kind: string_content
+            - not:
+                has:
+                  kind: call_expression
+
+rule:
+  kind: call_expression
+  any:
+    - matches: MATCH_PATTERN_ONE
+    - matches: MATCH_PATTERN_TWO
diff --git a/tests/__snapshots__/secrets-reqwest-hardcoded-auth-rust-snapshot.yml b/tests/__snapshots__/secrets-reqwest-hardcoded-auth-rust-snapshot.yml
@@ -0,0 +1,102 @@
+id: secrets-reqwest-hardcoded-auth-rust
+snapshots:
+  ? |
+    async fn test1() -> Result<(), reqwest::Error> {
+    let client = reqwest::Client::new();
+    let resp = client.delete("http://httpbin.org/delete")
+    .basic_auth("admin", Some("hardcoded-password"))
+    .send()
+    .await?;
+    println!("body = {:?}", resp);
+    Ok(())
+    }
+    async fn test2() -> Result<(), reqwest::Error> {
+    let client = reqwest::Client::new();
+    let resp = client.put("http://httpbin.org/delete")
+    .bearer_auth("hardcoded-token")
+    .send()
+    .await?;
+    println!("body = {:?}", resp);
+    Ok(())
+    }
+  : labels:
+    - source: |-
+        client.delete("http://httpbin.org/delete")
+        .basic_auth("admin", Some("hardcoded-password"))
+      style: primary
+      start: 97
+      end: 188
+    - source: client
+      style: secondary
+      start: 97
+      end: 103
+    - source: client.delete
+      style: secondary
+      start: 97
+      end: 110
+    - source: client.delete("http://httpbin.org/delete")
+      style: secondary
+      start: 97
+      end: 139
+    - source: basic_auth
+      style: secondary
+      start: 141
+      end: 151
+    - source: |-
+        client.delete("http://httpbin.org/delete")
+        .basic_auth
+      style: secondary
+      start: 97
+      end: 151
+    - source: admin
+      style: secondary
+      start: 153
+      end: 158
+    - source: '"admin"'
+      style: secondary
+      start: 152
+      end: 159
+    - source: Some
+      style: secondary
+      start: 161
+      end: 165
+    - source: hardcoded-password
+      style: secondary
+      start: 167
+      end: 185
+    - source: '"hardcoded-password"'
+      style: secondary
+      start: 166
+      end: 186
+    - source: ("hardcoded-password")
+      style: secondary
+      start: 165
+      end: 187
+    - source: Some("hardcoded-password")
+      style: secondary
+      start: 161
+      end: 187
+    - source: ("admin", Some("hardcoded-password"))
+      style: secondary
+      start: 151
+      end: 188
+    - source: client
+      style: secondary
+      start: 53
+      end: 59
+    - source: reqwest::Client::new()
+      style: secondary
+      start: 62
+      end: 84
+    - source: let client = reqwest::Client::new();
+      style: secondary
+      start: 49
+      end: 85
+    - source: |-
+        let resp = client.delete("http://httpbin.org/delete")
+        .basic_auth("admin", Some("hardcoded-password"))
+        .send()
+        .await?;
+      style: secondary
+      start: 86
+      end: 205
diff --git a/tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml b/tests/rust/secrets-reqwest-hardcoded-auth-rust-test.yml
@@ -0,0 +1,32 @@
+id: secrets-reqwest-hardcoded-auth-rust
+valid:
+  - |
+    async fn test1(pass: &str) -> Result<(), reqwest::Error> {
+    let client = reqwest::Client::new();
+    let resp = client.delete("http://httpbin.org/delete")
+    .basic_auth("admin", Some(pass))
+    .send()
+    .await?;
+    println!("body = {:?}", resp);
+    Ok(())
+    }
+invalid:
+  - |
+    async fn test1() -> Result<(), reqwest::Error> {
+    let client = reqwest::Client::new();
+    let resp = client.delete("http://httpbin.org/delete")
+    .basic_auth("admin", Some("hardcoded-password"))
+    .send()
+    .await?;
+    println!("body = {:?}", resp);
+    Ok(())
+    }
+    async fn test2() -> Result<(), reqwest::Error> {
+    let client = reqwest::Client::new();
+    let resp = client.put("http://httpbin.org/delete")
+    .bearer_auth("hardcoded-token")
+    .send()
+    .await?;
+    println!("body = {:?}", resp);
+    Ok(())
+    }
