
Commit 50919dc

committed
python-elasticsearch-hardcoded-bearer-auth-python
1 parent 6e2626e commit 50919dc

3 files changed, +49 −0 lines changed
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
id: python-elasticsearch-hardcoded-bearer-auth-python
2+
severity: warning
3+
language: python
4+
message: >-
5+
A secret is hard-coded in the application. Secrets stored in source
6+
code, such as credentials, identifiers, and other types of sensitive data,
7+
can be leaked and used by internal or external malicious actors. Use
8+
environment variables to securely provide credentials and other secrets or
9+
retrieve them from a secure vault or Hardware Security Module (HSM).
10+
note: >-
11+
[CWE-798] Use of Hard-coded Credentials.
12+
[REFERENCES]
13+
- https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
14+
rule:
15+
any:
16+
- pattern: Elasticsearch($$$, bearer_auth="$$$",$$$)
17+
- pattern: Elasticsearch($$$,bearer_auth=$$$)
18+
- pattern: $ES.options(bearer_auth="$$$").$$$
19+
not:
20+
follows:
21+
pattern: elasticsearch.Elasticsearch($$$)
22+
- pattern: $ES.options($$$,bearer_auth="$$$").$$$
23+
not:
24+
follows:
25+
pattern: elasticsearch.Elasticsearch($$$)
26+
- pattern: $ES.options($$$,bearer_auth="$$$",$$$)
27+
not:
28+
follows:
29+
pattern: elasticsearch.Elasticsearch($$$)
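Review bot: the second positive pattern, `Elasticsearch($$$,bearer_auth=$$$)` on line 17, matches any expression passed as `bearer_auth`, including a variable holding a value read from an environment variable or a vault, which is exactly what the `message` block recommends; restrict it to string literals (for example name the value `$TOKEN` and add a top-level `constraints:` entry for `TOKEN` with `kind: string`) or drop it so only the quoted-literal forms fire. The `not: follows: pattern: elasticsearch.Elasticsearch($$$)` exclusions on the `$ES.options(...)` patterns refer to the module-qualified constructor, but no positive pattern covers `elasticsearch.Elasticsearch($$$, bearer_auth="$$$", $$$)`, so a hard-coded token passed through that spelling is not reported at all.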
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
id: python-elasticsearch-hardcoded-bearer-auth-python
2+
snapshots:
3+
? |
4+
es.options(bearer_auth="password").indices.
5+
es = Elasticsearch("https://localhost:9200",bearer_auth=pswd)
6+
es = Elasticsearch("https://localhost:9200",bearer_auth="token-value")
7+
: labels:
8+
- source: es.options(bearer_auth="password").indices
9+
style: primary
10+
start: 0
11+
end: 42
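Review bot: the snapshot records a single label (the `es.options(bearer_auth="password").indices` source on line 8, with `end: 42` matching its length), while the input on lines 4-6 also contains `Elasticsearch("https://localhost:9200",bearer_auth="token-value")`, which the rule's first constructor pattern is meant to report; regenerate the snapshot once the rule is settled so every expected finding is captured, otherwise a regression in the constructor patterns goes unnoticed. Line 4 of the input also ends with a trailing `.` (`.indices.`), which is not valid Python and makes the parser emit an error node there; remove the trailing dot so the snapshot exercises well-formed code.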
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
id: python-elasticsearch-hardcoded-bearer-auth-python
2+
valid:
3+
- |
4+
5+
invalid:
6+
- |
7+
es.options(bearer_auth="password").indices.
8+
es = Elasticsearch("https://localhost:9200",bearer_auth=pswd)
9+
es = Elasticsearch("https://localhost:9200",bearer_auth="token-value")
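Review bot: the `valid:` list on lines 3-4 is an empty block scalar, so the test has no negative case and cannot show that the rule stays quiet on the recommended usage; add at least one valid snippet, such as a constructor whose `bearer_auth` argument is read from `os.environ`. The `invalid:` block on line 8 lists `bearer_auth=pswd` (a variable, not a literal) as an expected finding, which contradicts the rule's own advice to supply the secret from the environment; decide whether variables are meant to be flagged before locking that expectation in. The trailing `.` on line 7 (`.indices.`) makes that line a syntax error; remove it.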
