gorilla-cookie-store-hardcoded-session-key-go

ESS-ENN · ESS-ENN · commit d292cd4b477b · 2024-10-16T10:36:03.000+05:30
diff --git a/rules/go/security/gorilla-cookie-store-hardcoded-session-key-go.yml b/rules/go/security/gorilla-cookie-store-hardcoded-session-key-go.yml
@@ -0,0 +1,63 @@
+id: gorilla-cookie-store-hardcoded-session-key-go
+language: go
+severity: warning
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source
+  code, such as credentials, identifiers, and other types of sensitive data,
+  can be leaked and used by internal or external malicious actors. It is
+  recommended to rotate the secret and retrieve them from a secure secret
+  vault or Hardware Security Module (HSM), alternatively environment
+  variables can be used if allowed by your company policy.
+note: >-
+  [CWE-798] Use of Hard-coded Credentials.
+  [REFERENCES]
+      - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
+utils:
+  MATCH_PATTERN_ONE:
+    kind: expression_list
+    has:
+      stopBy: neighbor
+      kind: call_expression
+      all:
+        - has:
+            stopBy: neighbor
+            kind: selector_expression
+            all:
+              - has:
+                  stopBy: neighbor
+                  kind: identifier
+                  regex: "sessions"
+              - has:
+                  stopBy: neighbor
+                  kind: field_identifier
+                  regex: "^NewCookieStore$"
+        - has:
+            stopBy: neighbor
+            kind: argument_list
+            any:
+              - has:
+                  stopBy: neighbor
+                  kind: type_conversion_expression
+                  all:
+                    - has:
+                        stopBy: neighbor
+                        kind: slice_type
+                        has:
+                          stopBy: neighbor
+                          kind: type_identifier
+                          regex: "^byte$"
+                    - has:
+                        stopBy: neighbor
+                        pattern: $$$
+                    - not:
+                        has:
+                          stopBy: neighbor
+                          kind: call_expression
+              - has:
+                  stopBy: neighbor
+                  kind: interpreted_string_literal
+
+rule:
+  kind: expression_list
+  any:
+    - matches: MATCH_PATTERN_ONE
diff --git a/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml b/tests/__snapshots__/gorilla-cookie-store-hardcoded-session-key-go-snapshot.yml
@@ -0,0 +1,44 @@
+id: gorilla-cookie-store-hardcoded-session-key-go
+snapshots:
+  ? "import (\n\"github.com/gorilla/sessions\"\n)\n \tvar store = sessions.NewCookieStore([]byte(\"hardcoded-session-key-here\"))\n   var store = sessions.NewCookieStore(\n   []byte(\"new-authentication-key\"),\n   []byte(\"new-encryption-key\"),\n   []byte(\"old-authentication-key\"),\n   []byte(\"old-encryption-key\"),\n   )\n"
+  : labels:
+    - source: sessions.NewCookieStore([]byte("hardcoded-session-key-here"))
+      style: primary
+      start: 55
+      end: 116
+    - source: sessions
+      style: secondary
+      start: 55
+      end: 63
+    - source: NewCookieStore
+      style: secondary
+      start: 64
+      end: 78
+    - source: sessions.NewCookieStore
+      style: secondary
+      start: 55
+      end: 78
+    - source: byte
+      style: secondary
+      start: 81
+      end: 85
+    - source: '[]byte'
+      style: secondary
+      start: 79
+      end: 85
+    - source: '[]byte'
+      style: secondary
+      start: 79
+      end: 85
+    - source: '[]byte("hardcoded-session-key-here")'
+      style: secondary
+      start: 79
+      end: 115
+    - source: ([]byte("hardcoded-session-key-here"))
+      style: secondary
+      start: 78
+      end: 116
+    - source: sessions.NewCookieStore([]byte("hardcoded-session-key-here"))
+      style: secondary
+      start: 55
+      end: 116
diff --git a/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml b/tests/go/gorilla-cookie-store-hardcoded-session-key-go-test.yml
@@ -0,0 +1,16 @@
+id: gorilla-cookie-store-hardcoded-session-key-go
+valid:
+  - |
+    var store = sessions.NewCookieStore([]byte(os.Getenv("SESSION_KEY")))
+invalid:
+  - |
+    import (
+    "github.com/gorilla/sessions"
+    )
+     	var store = sessions.NewCookieStore([]byte("hardcoded-session-key-here"))
+       var store = sessions.NewCookieStore(
+       []byte("new-authentication-key"),
+       []byte("new-encryption-key"),
+       []byte("old-authentication-key"),
+       []byte("old-encryption-key"),
+       )
