rspec/rules/S6710/secrets/rule.adoc

include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

include::../../../shared_content/secrets/rationale.adoc[]

=== What is the potential impact?

A FCM API key leak is particularly severe if the affected key has
administrative privileges: The range of topics to which an attacker can
subscribe and send messages is much larger than with normal privileges.

Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the secret.

include::../../../shared_content/secrets/impact/phishing.adoc[]

include::../../../shared_content/secrets/impact/malware_distribution.adoc[]

include::../../../shared_content/secrets/impact/codeless_vulnerability_chaining.adoc[]

== How to fix it

include::../../../shared_content/secrets/fix/revoke.adoc[]

include::../../../shared_content/secrets/fix/vault.adoc[]

=== Code examples

:example_secret: cfUDlZL9YBQ:APA91bJxU9oMf3RbiyqnmUO60KU_JLawjf2yrTfSs3_ZAp3dxZS0J88G5P5AoKWoviAdUK5i-2SB7iHcb4Wd38EMsZXBAAb6GZMaSOeKfaI0DuLxAFTOgGNKRSmj2R9gIQyzpjoThmqe
:example_name: fcm_key
:example_env: FCM_KEY

include::../../../shared_content/secrets/examples.adoc[]

//=== How does this work?

//=== Pitfalls

//=== Going the extra mile

== Resources

include::../../../shared_content/secrets/resources/standards.adoc[]

//=== Benchmarks
Create rule S6710(secrets): Firebase Cloud Messaging keys should not be disclosed (#2923) You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6710/secrets) (updated a few minutes after each push). ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> 2023-08-29 15:36:40 +02:00			`include::../../../shared_content/secrets/description.adoc[]`

			`== Why is this an issue?`

			`include::../../../shared_content/secrets/rationale.adoc[]`

			`=== What is the potential impact?`

			`A FCM API key leak is particularly severe if the affected key has`
			`administrative privileges: The range of topics to which an attacker can`
			`subscribe and send messages is much larger than with normal privileges.`

			`Below are some real-world scenarios that illustrate some impacts of an attacker`
			`exploiting the secret.`

			`include::../../../shared_content/secrets/impact/phishing.adoc[]`

			`include::../../../shared_content/secrets/impact/malware_distribution.adoc[]`

			`include::../../../shared_content/secrets/impact/codeless_vulnerability_chaining.adoc[]`

			`== How to fix it`

			`include::../../../shared_content/secrets/fix/revoke.adoc[]`

			`include::../../../shared_content/secrets/fix/vault.adoc[]`

			`=== Code examples`

Modify S6710(secrets): Improve sample (#3131) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-09-22 17:00:16 +02:00			`:example_secret: cfUDlZL9YBQ:APA91bJxU9oMf3RbiyqnmUO60KU_JLawjf2yrTfSs3_ZAp3dxZS0J88G5P5AoKWoviAdUK5i-2SB7iHcb4Wd38EMsZXBAAb6GZMaSOeKfaI0DuLxAFTOgGNKRSmj2R9gIQyzpjoThmqe`
Create rule S6710(secrets): Firebase Cloud Messaging keys should not be disclosed (#2923) You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6710/secrets) (updated a few minutes after each push). ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com> 2023-08-29 15:36:40 +02:00			`:example_name: fcm_key`
			`:example_env: FCM_KEY`

			`include::../../../shared_content/secrets/examples.adoc[]`

			`//=== How does this work?`

			`//=== Pitfalls`

			`//=== Going the extra mile`

			`== Resources`

			`include::../../../shared_content/secrets/resources/standards.adoc[]`

			`//=== Benchmarks`