rspec/rules/S7004/secrets/rule.adoc


include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

include::../../../shared_content/secrets/rationale.adoc[]

=== What is the potential impact?

Application keys and secrets allow applications to authenticate with Huawei
Cloud services. If an application secret is disclosed, an attacker will be able
to call Huawei Cloud resources with the same privileges as the application.

Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the secret.

:secret_type: application secret

include::../../../shared_content/secrets/impact/phishing.adoc[]

==== Financial loss

Cloud providers charge for their services based on their usage. This may be
based on the number of API calls made, bandwidth, or how many server instances
are running.

An attacker can use a disclosed secret to send large numbers of requests to the
cloud provider. This can lead to a large and unexpected increase in cloud
provider costs.

==== Denial of service

The cloud provider may monitor requests to identify unusual usage activity. If
an attacker is able to send enough requests, the cloud provider may flag your
account and take action against it. This could lead to the suspension or
termination of your account, thus causing significant inconvenience and
disruption for your customers or partners.

== How to fix it

include::../../../shared_content/secrets/fix/revoke.adoc[]

include::../../../shared_content/secrets/fix/vault.adoc[]

=== Code examples

:example_secret: 2bcd82072fdd4d396eadd7095a27c0f2f93d527618605a631107fb75026b59cb
:example_name: huawei-cloud.app-secret
:example_env: HUAWEI_CLOUD_APP_SECRET

include::../../../shared_content/secrets/examples.adoc[]

//=== How does this work?

//=== Pitfalls

//=== Going the extra mile

== Resources

=== Documentation

* Huawei Developer Documentation - https://developer.huawei.com/consumer/en/doc/HMSCore-Guides/oauth2-0000001212610981[OAuth 2.0-based Authentication]

include::../../../shared_content/secrets/resources/standards.adoc[]

//=== Benchmarks
Create rule S7004: Huawei Cloud application secrets should not be disclosed (#4041) * Create rule S7004 * Add content for Huawei Cloud * Add documentation link * Adjust RSPEC content to account for more use cases * Remove references to API gateway I had initially found some documentation that seemed to indicate that API Gateway may use the same format secret. However, I cannot find that documentation any more. I'm going to remove anything related to API Gateway and just focus on the main APIs, with Push Kit being called out because that has the most examples on SourceGraph. * Use shared phishing content --------- Co-authored-by: jamie-anderson-sonarsource <jamie-anderson-sonarsource@users.noreply.github.com> Co-authored-by: Jamie Anderson <127742609+jamie-anderson-sonarsource@users.noreply.github.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> 2024-07-10 16:06:54 +01:00
			`include::../../../shared_content/secrets/description.adoc[]`

			`== Why is this an issue?`

			`include::../../../shared_content/secrets/rationale.adoc[]`

			`=== What is the potential impact?`

			`Application keys and secrets allow applications to authenticate with Huawei`
			`Cloud services. If an application secret is disclosed, an attacker will be able`
			`to call Huawei Cloud resources with the same privileges as the application.`

			`Below are some real-world scenarios that illustrate some impacts of an attacker`
			`exploiting the secret.`

			`:secret_type: application secret`

			`include::../../../shared_content/secrets/impact/phishing.adoc[]`

			`==== Financial loss`

			`Cloud providers charge for their services based on their usage. This may be`
			`based on the number of API calls made, bandwidth, or how many server instances`
			`are running.`

			`An attacker can use a disclosed secret to send large numbers of requests to the`
			`cloud provider. This can lead to a large and unexpected increase in cloud`
			`provider costs.`

			`==== Denial of service`

			`The cloud provider may monitor requests to identify unusual usage activity. If`
			`an attacker is able to send enough requests, the cloud provider may flag your`
			`account and take action against it. This could lead to the suspension or`
			`termination of your account, thus causing significant inconvenience and`
			`disruption for your customers or partners.`

			`== How to fix it`

			`include::../../../shared_content/secrets/fix/revoke.adoc[]`

			`include::../../../shared_content/secrets/fix/vault.adoc[]`

			`=== Code examples`

			`:example_secret: 2bcd82072fdd4d396eadd7095a27c0f2f93d527618605a631107fb75026b59cb`
			`:example_name: huawei-cloud.app-secret`
			`:example_env: HUAWEI_CLOUD_APP_SECRET`

			`include::../../../shared_content/secrets/examples.adoc[]`

			`//=== How does this work?`

			`//=== Pitfalls`

			`//=== Going the extra mile`

			`== Resources`

			`=== Documentation`

			`* Huawei Developer Documentation - https://developer.huawei.com/consumer/en/doc/HMSCore-Guides/oauth2-0000001212610981[OAuth 2.0-based Authentication]`

			`include::../../../shared_content/secrets/resources/standards.adoc[]`

			`//=== Benchmarks`