rspec/rules/S6698/secrets/rule.adoc

include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

include::../../../shared_content/secrets/rationale.adoc[]

=== What is the potential impact?

Passwords in PostgreSQL are used to authenticate users against the database
engine. They are associated with user accounts that are granted specific
permissions over the database and its hosted data.

If a PostgreSQL password leaks to an unintended audience, it can have serious
consequences for the security of your database, the data stored within it, and
the applications that rely on it.

include::../../../shared_content/secrets/impact/data_compromise.adoc[]

==== Security downgrade

Applications relying on a PostgreSQL database instance can suffer a security
downgrade if an access password is leaked to attackers. Depending on the
purposes the application uses the database for, consequences can range from
low-severity issues, like defacement, to complete compromise.

For example, if the PostgreSQL instance is used as part of the authentication
process of an application, attackers with access to the database will likely be
able to bypass this security mechanism.

== How to fix it

include::../../../shared_content/secrets/fix/revoke.adoc[]

include::../../../shared_content/secrets/fix/recent_use.adoc[]

By default, no connection information is logged by PostgreSQL server. The
`log_connections` parameter must be set to `true` in the server configuration
for this to happen.

include::../../../shared_content/secrets/fix/vault.adoc[]

=== Code examples

==== Noncompliant code example

[source,python,diff-id=1,diff-type=noncompliant]
----
uri = "postgres://foouser:foopass@example.com/testdb"
----

==== Compliant solution

[source,python,diff-id=1,diff-type=compliant]
----
import os

user = os.environ["PG_USER"]
password = os.environ["PG_PASSWORD"]
uri = f"postgres://{user}:{password}@example.com/testdb"
----

//=== How does this work?

//=== Pitfalls

//=== Going the extra mile

== Resources

include::../../../shared_content/secrets/resources/standards.adoc[]

=== Documentation

* PostgreSQL Documentation - https://www.postgresql.org/docs/15/client-authentication.html[Client Authentication]
* PostgreSQL Documentation - https://www.postgresql.org/docs/current/runtime-config-logging.html[Error Reporting and Logging]

//=== Benchmarks
Create rule S6698: PostgreSQL database passwords should not be disclosed (#2854) 2023-08-11 07:56:54 +00:00			`include::../../../shared_content/secrets/description.adoc[]`

			`== Why is this an issue?`

			`include::../../../shared_content/secrets/rationale.adoc[]`

			`=== What is the potential impact?`

			`Passwords in PostgreSQL are used to authenticate users against the database`
			`engine. They are associated with user accounts that are granted specific`
			`permissions over the database and its hosted data.`

			`If a PostgreSQL password leaks to an unintended audience, it can have serious`
			`consequences for the security of your database, the data stored within it, and`
			`the applications that rely on it.`

			`include::../../../shared_content/secrets/impact/data_compromise.adoc[]`

			`==== Security downgrade`

			`Applications relying on a PostgreSQL database instance can suffer a security`
			`downgrade if an access password is leaked to attackers. Depending on the`
			`purposes the application uses the database for, consequences can range from`
			`low-severity issues, like defacement, to complete compromise.`

			`For example, if the PostgreSQL instance is used as part of the authentication`
			`process of an application, attackers with access to the database will likely be`
			`able to bypass this security mechanism.`

			`== How to fix it`

			`include::../../../shared_content/secrets/fix/revoke.adoc[]`

			`include::../../../shared_content/secrets/fix/recent_use.adoc[]`

			`By default, no connection information is logged by PostgreSQL server. The`
			`log_connections` parameter must be set to `true` in the server configuration
			`for this to happen.`

			`include::../../../shared_content/secrets/fix/vault.adoc[]`

			`=== Code examples`

			`==== Noncompliant code example`

			`[source,python,diff-id=1,diff-type=noncompliant]`
			`----`
			`uri = "postgres://foouser:foopass@example.com/testdb"`
			`----`

			`==== Compliant solution`

			`[source,python,diff-id=1,diff-type=compliant]`
			`----`
			`import os`

			`user = os.environ["PG_USER"]`
			`password = os.environ["PG_PASSWORD"]`
			`uri = f"postgres://{user}:{password}@example.com/testdb"`
			`----`

			`//=== How does this work?`

			`//=== Pitfalls`

			`//=== Going the extra mile`

			`== Resources`

			`include::../../../shared_content/secrets/resources/standards.adoc[]`

			`=== Documentation`

			`* PostgreSQL Documentation - https://www.postgresql.org/docs/15/client-authentication.html[Client Authentication]`
			`* PostgreSQL Documentation - https://www.postgresql.org/docs/current/runtime-config-logging.html[Error Reporting and Logging]`

			`//=== Benchmarks`