id: python-ldap3-empty-password
language: python
severity: warning
message: >-
    The application creates a database connection with an empty password.
    This can lead to unauthorized access by either an internal or external
    malicious actor. To prevent this vulnerability, enforce authentication
    when connecting to a database by using environment variables to securely
    provide credentials or retrieving them from a secure vault or HSM
    (Hardware Security Module).
note: >-
  [CWE-287]: Improper Authentication
  [OWASP A07:2021]: Identification and Authentication Failures
  [REFERENCES]
       https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
utils:
    match_empty_password:
        kind: call
        all:
            - has:
                stopBy: end
                kind: attribute
            - has:
                stopBy: end
                kind: argument_list 
                all:
                    - has:
                        stopBy: end
                        kind: keyword_argument
                        all:
                            - has:
                               stopBy: end
                               kind: identifier
                               regex: '^password$'
                            - has:
                                  stopBy: neighbor
                                  kind: string
                                  not:
                                      has:
                                          stopBy: neighbor
                                          kind: string_content
rule:
    any:
        - matches: match_empty_password