Create rule S7001: Detect Azure App Service Secrets APPSEC-1846 #4037

Merged
merged 6 commits into from
Jul 29, 2024
2 changes: 2 additions & 0 deletions rules/S7001/metadata.json
@@ -0,0 +1,2 @@
{
}
56 changes: 56 additions & 0 deletions rules/S7001/secrets/metadata.json
@@ -0,0 +1,56 @@
{
"title": "Azure App Service deployment passwords should not be disclosed",
"type": "VULNERABILITY",
"code": {
"impacts": {
"SECURITY": "HIGH"
},
"attribute": "TRUSTWORTHY"
},
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "30min"
},
"tags": [
"cwe",
"cert"
],
"defaultSeverity": "Blocker",
"ruleSpecification": "RSPEC-7001",
"sqKey": "S7001",
"scope": "All",
"securityStandards": {
"CWE": [
798,
259
],
"OWASP": [
"A3"
],
"CERT": [
"MSC03-J."
],
"OWASP Top 10 2021": [
"A7"
],
"PCI DSS 3.2": [
"6.5.10"
],
"PCI DSS 4.0": [
"6.2.4"
],
"ASVS 4.0": [
"2.10.4",
"3.5.2",
"6.4.1"
],
"STIG ASD 2023-06-08": [
"V-222642"
]
Comment on lines +48 to +50

@loris-s-sonarsource @hendrik-buchwald-sonarsource
Hey. I noticed the CI complains about this:

Rule S7001 failed validation for these reasons:
 - Rule secrets:S7001 has invalid metadata in securityStandards: Additional properties are not allowed ('STIG ASD 2023-06-08' was unexpected)

(The CI only runs this check if the rule is modified or if rspec-tools is modified. I'm in the latter case.)

PR #4098 modified the name of this metadata section from STIG ASD 2023-06-08 to STIG ASD_V5R3. I think this PR failed to get merged, so was not included in that PR, and then was merged later.

I'll create a PR to update the name of this section.

Thanks @jamie-anderson-sonarsource. FYI there is this similar other issue: #4040 (comment)

PR #4144 is now merged and it fixes this issue. I'll open another PR for S7003.

Thanks, Jamie!

},
"defaultQualityProfiles": [
"Sonar way"
],
"quickfix": "unknown"
}
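Review bot: the "STIG ASD 2023-06-08" key inside securityStandards will not pass the rule metadata schema check; the CI output quoted in the thread above rejects it as an unexpected additional property ("Additional properties are not allowed ('STIG ASD 2023-06-08' was unexpected)"). Rename the key to the one the schema now expects (the thread points to PR #4098, which changed it to "STIG ASD_V5R3") so that the "V-222642" mapping is kept rather than silently dropped when the file is fixed later. No other key in this block is flagged by the validator output shown.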
73 changes: 73 additions & 0 deletions rules/S7001/secrets/rule.adoc
@@ -0,0 +1,73 @@

include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

include::../../../shared_content/secrets/rationale.adoc[]

=== What is the potential impact?

// Optional: Give a general description of the secret and what it's used for.

Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the secret.

// Set value that can be used to refer to the type of secret in, for example:
// "An attacker can use this {secret_type} to ..."
:secret_type: deployment password

:service_name: Azure App Service

include::../../../shared_content/secrets/impact/infrastructure_takeover.adoc[]

include::../../../shared_content/secrets/impact/data_compromise.adoc[]

include::../../../shared_content/secrets/impact/data_modification.adoc[]

include::../../../shared_content/secrets/impact/malware_distribution.adoc[]

include::../../../shared_content/secrets/impact/financial_loss.adoc[]

== How to fix it

include::../../../shared_content/secrets/fix/revoke.adoc[]

include::../../../shared_content/secrets/fix/vault.adoc[]

=== Code examples

==== Noncompliant code example

In general, never disclose the "PublishSettings" file, or any data coming from it. It looks like that:

[source,xml]
----
<publishData>
<publishProfile
profileName="example" publishMethod="MSDeploy"
publishUrl="example.net:443"
msdeploySite="example"
userName="$example"
userPWD="6kkBCdit4ZTfs01By2RJjgRon9ly9yqetEBZhlz8MfDhn5qKrb5yhQRnMliM" <!-- Noncompliant -->
destinationAppUrl="https://example.net"
SQLServerDBConnectionString=""
mySQLDBConnectionString=""
hostingProviderForumLink=""
controlPanelLink="https://portal.azure.com"
webSystem="WebSites">
<databases/>
</publishProfile>
</publishData>
----

//=== How does this work?

//=== Pitfalls

//=== Going the extra mile

== Resources

include::../../../shared_content/secrets/resources/standards.adoc[]

//=== Benchmarks
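Review bot: the "=== Code examples" section only carries a "==== Noncompliant code example"; add a "==== Compliant solution" counterpart showing the same publishProfile element with the userPWD value removed (or replaced by an obvious placeholder) and the password read from a secret store, so the fix described by fix/vault.adoc has a concrete example next to the bad one. Two smaller points: the template comment "// Optional: Give a general description of the secret and what it's used for." was left in without the description being written (one sentence saying that a PublishSettings file is the per-app deployment credential downloaded from the Azure portal would do), and "It looks like that:" should read "It looks like this:". The :secret_type: and :service_name: attributes are set before the impact includes that use them, and the "<!-- Noncompliant -->" marker sits on the userPWD attribute only, which is consistent with the rule title.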