3 files changed +255 -0 lines changed
Original file line number Diff line number Diff line change 1+ id : ruby-cassandra-empty-password-ruby
2+ language : ruby
3+ severity : warning
4+ message : >-
5+ The application creates a database connection with an empty password.
6+ This can lead to unauthorized access by either an internal or external
7+ malicious actor. To prevent this vulnerability, enforce authentication
8+ when connecting to a database by using environment variables to securely
9+ provide credentials or retrieving them from a secure vault or HSM
10+ (Hardware Security Module).
11+ note : >-
12+ [CWE-287] Improper Authentication.
13+ [REFERENCES]
14+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
15+ utils :
16+ Cassandra.cluster() :
17+ # Cassandra.cluster(..., password: "", ...)
18+ kind : call
19+ all :
20+ - has :
21+ stopBy : neighbor
22+ kind : constant
23+ regex : ^Cassandra$
24+ - has :
25+ stopBy : neighbor
26+ regex : ^.$
27+ - has :
28+ stopBy : neighbor
29+ kind : identifier
30+ regex : ^cluster$
31+ - has :
32+ stopBy : neighbor
33+ kind : argument_list
34+ has :
35+ stopBy : end
36+ kind : pair
37+ all :
38+ - has :
39+ stopBy : neighbor
40+ kind : hash_key_symbol
41+ regex : ^password$
42+ - has :
43+ stopBy : neighbor
44+ kind : string
45+ not :
46+ has :
47+ stopBy : neighbor
48+ kind : string_content
49+ - inside :
50+ stopBy : end
51+ kind : program
52+ has :
53+ stopBy : end
54+ kind : call
55+ pattern : require 'cassandra'
56+ Cassandra.cluster()_with_instance :
57+ # Cassandra.cluster(..., password: "", ...)
58+ kind : call
59+ all :
60+ - has :
61+ stopBy : neighbor
62+ kind : constant
63+ regex : ^Cassandra$
64+ - has :
65+ stopBy : neighbor
66+ regex : ^.$
67+ - has :
68+ stopBy : neighbor
69+ kind : identifier
70+ regex : ^cluster$
71+ - has :
72+ stopBy : neighbor
73+ kind : argument_list
74+ has :
75+ stopBy : end
76+ kind : pair
77+ all :
78+ - has :
79+ stopBy : neighbor
80+ kind : hash_key_symbol
81+ regex : ^password$
82+ - has :
83+ stopBy : neighbor
84+ kind : identifier
85+ pattern : $SECRET
86+ - inside :
87+ stopBy : end
88+ kind : program
89+ has :
90+ stopBy : end
91+ kind : call
92+ pattern : require 'cassandra'
93+ - any :
94+ - follows :
95+ stopBy : end
96+ kind : assignment
97+ all :
98+ - has :
99+ stopBy : neighbor
100+ kind : identifier
101+ pattern : $SECRET
102+ - has :
103+ stopBy : neighbor
104+ kind : string
105+ not :
106+ has :
107+ stopBy : neighbor
108+ kind : string_content
109+ - inside :
110+ stopBy : end
111+ kind : assignment
112+ follows :
113+ stopBy : end
114+ kind : assignment
115+ all :
116+ - has :
117+ stopBy : neighbor
118+ kind : identifier
119+ pattern : $SECRET
120+ - has :
121+ stopBy : neighbor
122+ kind : string
123+ not :
124+ has :
125+ stopBy : neighbor
126+ kind : string_content
127+ rule :
128+ kind : call
129+ any :
130+ - matches : Cassandra.cluster()
131+ - matches : Cassandra.cluster()_with_instance
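Review bot: the `regex: ^.$` used for the method-call dot in both the `Cassandra.cluster()` and `Cassandra.cluster()_with_instance` utils is an unescaped pattern, so it accepts any single-character child node rather than a literal `.`; escape it as `regex: ^\.$` so the util matches only `Cassandra.cluster`. A second point on the `_with_instance` util: the `follows` relation with `stopBy: end` accepts any earlier sibling assignment `$SECRET = ''`, so a variable initialised to `''` and then reassigned to a real credential before the `Cassandra.cluster` call is still reported; if that false positive matters for this rule, either tighten the relation or record the limitation in the `note` so triagers know to check for a later reassignment.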
Original file line number Diff line number Diff line change 1+ id : ruby-cassandra-empty-password-ruby
2+ snapshots :
3+ ? |
4+ require 'cassandra'
5+ cluster = Cassandra.cluster(username : ' user' ,password: '')
6+ : labels :
7+ - source : ' Cassandra.cluster(username: '' user'' ,password: '''' )'
8+ style : primary
9+ start : 30
10+ end : 78
11+ - source : Cassandra
12+ style : secondary
13+ start : 30
14+ end : 39
15+ - source : .
16+ style : secondary
17+ start : 39
18+ end : 40
19+ - source : cluster
20+ style : secondary
21+ start : 40
22+ end : 47
23+ - source : password
24+ style : secondary
25+ start : 65
26+ end : 73
27+ - source : ' '''' '
28+ style : secondary
29+ start : 75
30+ end : 77
31+ - source : ' password: '''' '
32+ style : secondary
33+ start : 65
34+ end : 77
35+ - source : ' (username: '' user'' ,password: '''' )'
36+ style : secondary
37+ start : 47
38+ end : 78
39+ - source : require 'cassandra'
40+ style : secondary
41+ start : 0
42+ end : 19
43+ - source : |
44+ require 'cassandra'
45+ cluster = Cassandra.cluster(username: 'user',password: '')
46+ style: secondary
47+ start: 0
48+ end: 79
49+ ? |
50+ require 'cassandra'
51+ password = ''
52+ cluster = Cassandra.cluster(username : ' user' ,password: password)
53+ : labels :
54+ - source : ' Cassandra.cluster(username: '' user'' ,password: password)'
55+ style : primary
56+ start : 44
57+ end : 98
58+ - source : Cassandra
59+ style : secondary
60+ start : 44
61+ end : 53
62+ - source : .
63+ style : secondary
64+ start : 53
65+ end : 54
66+ - source : cluster
67+ style : secondary
68+ start : 54
69+ end : 61
70+ - source : password
71+ style : secondary
72+ start : 79
73+ end : 87
74+ - source : password
75+ style : secondary
76+ start : 89
77+ end : 97
78+ - source : ' password: password'
79+ style : secondary
80+ start : 79
81+ end : 97
82+ - source : ' (username: '' user'' ,password: password)'
83+ style : secondary
84+ start : 61
85+ end : 98
86+ - source : require 'cassandra'
87+ style : secondary
88+ start : 0
89+ end : 19
90+ - source : |
91+ require 'cassandra'
92+ password = ''
93+ cluster = Cassandra.cluster(username: 'user',password: password)
94+ style: secondary
95+ start: 0
96+ end: 99
97+ - source : password
98+ style : secondary
99+ start : 20
100+ end : 28
101+ - source : ' '''' '
102+ style : secondary
103+ start : 31
104+ end : 33
105+ - source : password = ''
106+ style : secondary
107+ start : 20
108+ end : 33
109+ - source : ' cluster = Cassandra.cluster(username: '' user'' ,password: password)'
110+ style : secondary
111+ start : 34
112+ end : 98
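Review bot: this snapshot file records label offsets (`start`/`end`) for the two `invalid` test cases, so any rule edit that changes which nodes are matched, such as tightening the dot regex, will make these offsets stale; regenerate it with `ast-grep test --update-all` rather than editing by hand. The spans themselves are consistent with the test sources: the primary label of the first case covers `Cassandra.cluster(username: 'user',password: '')` at 30 to 78, and in the second case the `password = ''` assignment at 20 to 33 is carried as a secondary label, which is what a reader of the report needs to trace the empty value back to the call.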
Original file line number Diff line number Diff line change 1+ id : ruby-cassandra-empty-password-ruby
2+ valid :
3+ - |
4+ cluster = Cassandra.cluster(username: 'user',password: '')
5+ invalid :
6+ - |
7+ require 'cassandra'
8+ cluster = Cassandra.cluster(username: 'user',password: '')
9+ - |
10+ require 'cassandra'
11+ password = ''
12+ cluster = Cassandra.cluster(username: 'user',password: password)
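Review bot: the single `valid` case is the first `invalid` case with the `require 'cassandra'` line removed, so it only exercises the `inside: program has require` gate and never shows that a correctly configured connection passes the rule. Add a valid case that keeps the require and supplies a non-empty credential, for example `cluster = Cassandra.cluster(username: 'user', password: ENV['CASSANDRA_PASSWORD'])` (the variable name is illustrative), plus a case where the password variable is assigned a non-empty string, so the `_with_instance` branch gets a negative test as well. An additional `invalid` case using double quotes, `password: ""`, would confirm that the `string` without `string_content` check covers both quote styles as the rule intends.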
0 commit comments