python-elasticsearch-hardcoded-bearer-auth-python

ESS-ENN · ESS-ENN · commit 50919dcb4389 · 2024-09-20T18:44:24.000+05:30
diff --git a/rules/python/security/python-elasticsearch-hardcoded-bearer-auth-python.yml b/rules/python/security/python-elasticsearch-hardcoded-bearer-auth-python.yml
@@ -0,0 +1,29 @@
+id: python-elasticsearch-hardcoded-bearer-auth-python
+severity: warning
+language: python
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. Use
+  environment variables to securely provide credentials and other secrets or
+  retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798] Use of Hard-coded Credentials.
+  [REFERENCES]
+      - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+rule:
+  any:
+    - pattern: Elasticsearch($$$, bearer_auth="$$$",$$$)
+    - pattern: Elasticsearch($$$,bearer_auth=$$$)
+    - pattern: $ES.options(bearer_auth="$$$").$$$
+      not:
+        follows:
+          pattern: elasticsearch.Elasticsearch($$$)
+    - pattern: $ES.options($$$,bearer_auth="$$$").$$$
+      not:
+        follows:
+          pattern: elasticsearch.Elasticsearch($$$)
+    - pattern: $ES.options($$$,bearer_auth="$$$",$$$)
+      not:
+        follows:
+          pattern: elasticsearch.Elasticsearch($$$)
diff --git a/tests/__snapshots__/python-elasticsearch-hardcoded-bearer-auth-python-snapshot.yml b/tests/__snapshots__/python-elasticsearch-hardcoded-bearer-auth-python-snapshot.yml
@@ -0,0 +1,11 @@
+id: python-elasticsearch-hardcoded-bearer-auth-python
+snapshots:
+  ? |
+    es.options(bearer_auth="password").indices.
+    es = Elasticsearch("https://localhost:9200",bearer_auth=pswd)
+    es = Elasticsearch("https://localhost:9200",bearer_auth="token-value")
+  : labels:
+    - source: es.options(bearer_auth="password").indices
+      style: primary
+      start: 0
+      end: 42
diff --git a/tests/python/python-elasticsearch-hardcoded-bearer-auth-python-test.yml b/tests/python/python-elasticsearch-hardcoded-bearer-auth-python-test.yml
@@ -0,0 +1,9 @@
+id: python-elasticsearch-hardcoded-bearer-auth-python
+valid:
+  - |
+
+invalid:
+  - |
+    es.options(bearer_auth="password").indices.
+    es = Elasticsearch("https://localhost:9200",bearer_auth=pswd)
+    es = Elasticsearch("https://localhost:9200",bearer_auth="token-value")
