From 39dbcfe6b894d66ec9c84c9430c23949e8f5dca7 Mon Sep 17 00:00:00 2001
From: jamie-anderson-sonarsource
Date: Wed, 26 Jun 2024 11:54:21 +0000
Subject: [PATCH 1/3] Create rule S6989
---
rules/S6989/metadata.json | 2 ++
rules/S6989/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
rules/S6989/secrets/rule.adoc | 48 ++++++++++++++++++++++++++
3 files changed, 106 insertions(+)
create mode 100644 rules/S6989/metadata.json
create mode 100644 rules/S6989/secrets/metadata.json
create mode 100644 rules/S6989/secrets/rule.adoc
diff --git a/rules/S6989/metadata.json b/rules/S6989/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S6989/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S6989/secrets/metadata.json b/rules/S6989/secrets/metadata.json
new file mode 100644
index 00000000000..dbbafa31049
--- /dev/null
+++ b/rules/S6989/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "SECRET_TYPE should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-6989",
+ "sqKey": "S6989",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S6989/secrets/rule.adoc b/rules/S6989/secrets/rule.adoc
new file mode 100644
index 00000000000..bae2119bf94
--- /dev/null
+++ b/rules/S6989/secrets/rule.adoc
@@ -0,0 +1,48 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+// Optional: Give a general description of the secret and what it's used for.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+// Set value that can be used to refer to the type of secret in, for example:
+// "An attacker can use this {secret_type} to ..."
+:secret_type: secret
+
+// Where possible, use predefined content for common impacts. This content can
+// be found in the folder "shared_content/secrets/impact".
+
+//include::../../../shared_content/secrets/impact/some_impact.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: example_secret_value
+:example_name: java-property-name
+:example_env: ENV_VAR_NAME
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
From 520b876388620549ef1da21341f41cdb36fe00b6 Mon Sep 17 00:00:00 2001
From: Jamie Anderson <127742609+jamie-anderson-sonarsource@users.noreply.github.com>
Date: Wed, 26 Jun 2024 14:27:52 +0200
Subject: [PATCH 2/3] Add content for S6989
---
rules/S6989/secrets/metadata.json | 2 +-
rules/S6989/secrets/rule.adoc | 21 ++++++++++---------
.../secrets/impact/data_modification.adoc | 10 +++++++++
.../secrets/impact/exceed_rate_limits.adoc | 10 +++++++++
4 files changed, 32 insertions(+), 11 deletions(-)
create mode 100644 shared_content/secrets/impact/data_modification.adoc
create mode 100644 shared_content/secrets/impact/exceed_rate_limits.adoc
diff --git a/rules/S6989/secrets/metadata.json b/rules/S6989/secrets/metadata.json index dbbafa31049..ec18f12a246 100644 --- a/rules/S6989/secrets/metadata.json +++ b/rules/S6989/secrets/metadata.json @@ -1,5 +1,5 @@ { - "title": "SECRET_TYPE should not be disclosed", + "title": "Adafruit IO API keys should not be disclosed", "type": "VULNERABILITY", "code": { "impacts": { diff --git a/rules/S6989/secrets/rule.adoc b/rules/S6989/secrets/rule.adoc index bae2119bf94..ba3b7dcbe77 100644 --- a/rules/S6989/secrets/rule.adoc +++ b/rules/S6989/secrets/rule.adoc @@ -7,19 +7,20 @@ include::../../../shared_content/secrets/rationale.adoc[] === What is the potential impact? -// Optional: Give a general description of the secret and what it's used for. +Adafruit IO provides an API that allows you to interact with IoT devices. The +API can be used to store data, trigger webhook notifications, or modify the +layout and information shown on user dashboards. Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the secret. -// Set value that can be used to refer to the type of secret in, for example: -// "An attacker can use this {secret_type} to ..." -:secret_type: secret +:secret_type: API key -// Where possible, use predefined content for common impacts. This content can -// be found in the folder "shared_content/secrets/impact". +include::../../../shared_content/secrets/impact/exceed_rate_limits.adoc[] -//include::../../../shared_content/secrets/impact/some_impact.adoc[] +include::../../../shared_content/secrets/impact/codeless_vulnerability_chaining.adoc[] + +include::../../../shared_content/secrets/impact/data_modification.adoc[] == How to fix it 
@@ -29,9 +30,9 @@ include::../../../shared_content/secrets/fix/vault.adoc[] === Code examples -:example_secret: example_secret_value -:example_name: java-property-name -:example_env: ENV_VAR_NAME +:example_secret: aio_XFKJb9078YvbkljV0879vhjkj7G4 +:example_name: adafruit-io-key +:example_env: ADAFRUIT_IO_KEY include::../../../shared_content/secrets/examples.adoc[] diff --git a/shared_content/secrets/impact/data_modification.adoc b/shared_content/secrets/impact/data_modification.adoc new file mode 100644 index 00000000000..85e2d4a2759 --- /dev/null +++ b/shared_content/secrets/impact/data_modification.adoc @@ -0,0 +1,10 @@ +==== Modification of application data + +Applications may rely on data that cannot be distributed with the application +code. This may be due to the size of the data, or because the data is regularly +updated. This data is downloaded by the application as it is needed. + +If an attacker can gain access to an authentication secret, they may be able to +alter or delete this application data. This may cause parts of the application +to misbehave or stop working. Maliciously altered data could also contain +undesirable content which results in reputational damage. diff --git a/shared_content/secrets/impact/exceed_rate_limits.adoc b/shared_content/secrets/impact/exceed_rate_limits.adoc new file mode 100644 index 00000000000..97f2b0d19ba --- /dev/null +++ b/shared_content/secrets/impact/exceed_rate_limits.adoc @@ -0,0 +1,10 @@ +==== Exceeding rate limits + +Using a leaked secret, an attacker may be able to make hundreds or thousands of +authenticated calls to an online service. It is common for online services to +enforce a rate limit to prevent their servers from being overwhelmed. + +If an attacker is able to exceed a user-based rate limit, they may be able to +cause a denial of service for the user. If this continues over a long period of +time, the user may also be subject to additional fees or may have their account +terminated. 
From b4b8b6f5765e087aa6cdcbca7a4598998791ee75 Mon Sep 17 00:00:00 2001 From: Jamie Anderson <127742609+jamie-anderson-sonarsource@users.noreply.github.com> Date: Thu, 27 Jun 2024 14:04:44 +0200 Subject: [PATCH 3/3] Add documentation link --- rules/S6989/secrets/rule.adoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rules/S6989/secrets/rule.adoc b/rules/S6989/secrets/rule.adoc index ba3b7dcbe77..6f7f43ee431 100644 --- a/rules/S6989/secrets/rule.adoc +++ b/rules/S6989/secrets/rule.adoc @@ -44,6 +44,10 @@ include::../../../shared_content/secrets/examples.adoc[] == Resources +=== Documentation + +* Adafruit IO documentation - https://io.adafruit.com/api/docs/#authentication[Authentication] + include::../../../shared_content/secrets/resources/standards.adoc[] //=== Benchmarks