From e2aaa63417cb031b6faff45a4f1cf05bc84423f6 Mon Sep 17 00:00:00 2001
From: loris-s-sonarsource
Date: Thu, 4 Jul 2024 15:15:24 +0000
Subject: [PATCH 1/6] Create rule S7001

---
 rules/S7001/metadata.json | 2 ++
 rules/S7001/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
 rules/S7001/secrets/rule.adoc | 48 ++++++++++++++++++++++++++
 3 files changed, 106 insertions(+)
 create mode 100644 rules/S7001/metadata.json
 create mode 100644 rules/S7001/secrets/metadata.json
 create mode 100644 rules/S7001/secrets/rule.adoc

diff --git a/rules/S7001/metadata.json b/rules/S7001/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7001/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7001/secrets/metadata.json b/rules/S7001/secrets/metadata.json
new file mode 100644
index 00000000000..aa6495faf37
--- /dev/null
+++ b/rules/S7001/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "SECRET_TYPE should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7001",
+ "sqKey": "S7001",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7001/secrets/rule.adoc b/rules/S7001/secrets/rule.adoc
new file mode 100644
index 00000000000..bae2119bf94
--- /dev/null
+++ b/rules/S7001/secrets/rule.adoc
@@ -0,0 +1,48 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+// Optional: Give a general description of the secret and what it's used for.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+// Set value that can be used to refer to the type of secret in, for example:
+// "An attacker can use this {secret_type} to ..."
+:secret_type: secret
+
+// Where possible, use predefined content for common impacts. This content can
+// be found in the folder "shared_content/secrets/impact".
+
+//include::../../../shared_content/secrets/impact/some_impact.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: example_secret_value
+:example_name: java-property-name
+:example_env: ENV_VAR_NAME
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks

From 34f9b210a3216e727e8a815bc837ade3d80f631d Mon Sep 17 00:00:00 2001
From: Loris Sierra
Date: Fri, 5 Jul 2024 12:23:48 +0200
Subject: [PATCH 2/6] Add everything

---
 rules/S7001/secrets/metadata.json | 2 +-
 rules/S7001/secrets/rule.adoc | 18 +++++++++++++-----
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/rules/S7001/secrets/metadata.json b/rules/S7001/secrets/metadata.json
index aa6495faf37..fe5f96d6647 100644
--- a/rules/S7001/secrets/metadata.json
+++ b/rules/S7001/secrets/metadata.json
@@ -1,5 +1,5 @@
 {
- "title": "SECRET_TYPE should not be disclosed",
+ "title": "Azure App Service deployment passwords should not be disclosed",
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
diff --git a/rules/S7001/secrets/rule.adoc b/rules/S7001/secrets/rule.adoc
index bae2119bf94..2a2e3e403ef 100644
--- a/rules/S7001/secrets/rule.adoc
+++ b/rules/S7001/secrets/rule.adoc
@@ -14,12 +14,20 @@ exploiting the secret.
 
 // Set value that can be used to refer to the type of secret in, for example:
 // "An attacker can use this {secret_type} to ..."
-:secret_type: secret
+:secret_type: deployment password
 
 // Where possible, use predefined content for common impacts. This content can
 // be found in the folder "shared_content/secrets/impact".
 
-//include::../../../shared_content/secrets/impact/some_impact.adoc[]
+include::../../../shared_content/secrets/impact/infrastructure_takeover.adoc[]
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/data_modification.adoc[]
+
+include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
+
+include::../../../shared_content/secrets/impact/financial_loss.adoc[]
 
 == How to fix it
 
@@ -29,9 +37,9 @@ include::../../../shared_content/secrets/fix/vault.adoc[]
 
 === Code examples
 
-:example_secret: example_secret_value
-:example_name: java-property-name
-:example_env: ENV_VAR_NAME
+:example_secret: o9tBKqylnMn2snB96hk5CMZbZkRhDJ1re5RiqzfdBjQytgTR4ly0M8ilEyfh¬
+:example_name: azure-app-service-deployment-password
+:example_env: AZURE_APP_SERVICE_DEPLOYMENT_PASSWORD
 
 include::../../../shared_content/secrets/examples.adoc[]

From cde2697cbe459795003e6e5a3d8ac81ef56ab7b6 Mon Sep 17 00:00:00 2001
From: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com>
Date: Fri, 12 Jul 2024 15:28:38 +0200
Subject: [PATCH 3/6] Apply suggestions from code review

---
 rules/S7001/secrets/rule.adoc | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)

diff --git a/rules/S7001/secrets/rule.adoc b/rules/S7001/secrets/rule.adoc
index 2a2e3e403ef..fd24e710f8c 100644
--- a/rules/S7001/secrets/rule.adoc
+++ b/rules/S7001/secrets/rule.adoc @@ -16,8 +16,7 @@ exploiting the secret. // "An attacker can use this {secret_type} to ..." :secret_type: deployment password -// Where possible, use predefined content for common impacts. This content can -// be found in the folder "shared_content/secrets/impact". +:service_name: Azure App Service include::../../../shared_content/secrets/impact/infrastructure_takeover.adoc[] @@ -37,11 +36,29 @@ include::../../../shared_content/secrets/fix/vault.adoc[] === Code examples -:example_secret: o9tBKqylnMn2snB96hk5CMZbZkRhDJ1re5RiqzfdBjQytgTR4ly0M8ilEyfh¬ -:example_name: azure-app-service-deployment-password -:example_env: AZURE_APP_SERVICE_DEPLOYMENT_PASSWORD - -include::../../../shared_content/secrets/examples.adoc[] +==== Noncompliant code example + +In general, never disclose the "PublishSettings" file, or any data coming from it. It looks like that: + +[source,xml] +---- + + + destinationAppUrl="https://example.net" + SQLServerDBConnectionString="" + mySQLDBConnectionString="" + hostingProviderForumLink="" + controlPanelLink="https://portal.azure.com" + webSystem="WebSites"> + + + + ---- //=== How does this work? From a09d807ad494c8013f16220d2a93601435148447 Mon Sep 17 00:00:00 2001 From: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> Date: Fri, 12 Jul 2024 15:30:12 +0200 Subject: [PATCH 4/6] Update rules/S7001/secrets/rule.adoc --- rules/S7001/secrets/rule.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/S7001/secrets/rule.adoc b/rules/S7001/secrets/rule.adoc index fd24e710f8c..ce5baf34157 100644 --- a/rules/S7001/secrets/rule.adoc +++ b/rules/S7001/secrets/rule.adoc @@ -38,7 +38,7 @@ include::../../../shared_content/secrets/fix/vault.adoc[] ==== Noncompliant code example -In general, never disclose the "PublishSettings" file, or any data coming from it. It looks like that: +Never disclose the "PublishSettings" file or at least never disclose its `userPWD` field: [source,xml] ---- 
From 0e37bb038402c875a5cbe9edf4b6c2eecf651459 Mon Sep 17 00:00:00 2001
From: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com>
Date: Fri, 12 Jul 2024 15:30:52 +0200
Subject: [PATCH 5/6] Update rules/S7001/secrets/rule.adoc

---
 rules/S7001/secrets/rule.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/S7001/secrets/rule.adoc b/rules/S7001/secrets/rule.adoc
index ce5baf34157..ab6b250d94b 100644
--- a/rules/S7001/secrets/rule.adoc
+++ b/rules/S7001/secrets/rule.adoc
@@ -38,7 +38,7 @@ include::../../../shared_content/secrets/fix/vault.adoc[]
 
 ==== Noncompliant code example
 
-Never disclose the "PublishSettings" file or at least never disclose its `userPWD` field:
+Never share the "PublishSettings" file, especially its `userPWD` field:
 
 [source,xml]
 ----

From 06f58710ec86fd71bc076024e38612a945c8d71b Mon Sep 17 00:00:00 2001
From: Hendrik Buchwald <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com>
Date: Mon, 15 Jul 2024 13:50:28 +0200
Subject: [PATCH 6/6] Update rules/S7001/secrets/rule.adoc

---
 rules/S7001/secrets/rule.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/S7001/secrets/rule.adoc b/rules/S7001/secrets/rule.adoc
index ab6b250d94b..640a58cc2a9 100644
--- a/rules/S7001/secrets/rule.adoc
+++ b/rules/S7001/secrets/rule.adoc
@@ -58,7 +58,7 @@ Never share the "PublishSettings" file, especially its `userPWD` field:
- ----
+----
 //=== How does this work?