rspec/rules/S7011/secrets/rule.adoc


include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

include::../../../shared_content/secrets/rationale.adoc[]

=== What is the potential impact?

Access keys are used to authenticate to Azure Event Grid resources and can be
employed for event publication to the resource.

Shared Access Secrets (SAS) are generated from access keys and used to
authenticate specific resources with particular permissions within a defined
time frame. +
Using Shared Access Signatures is always better than using access keys,
because they reduce risk thanks to their scope and time limitation.
However, hardcoding secret tokens is always a bad practice, and still
exposes the resources to attacks. +
This is a risk unless the whole resource is free of sensitive data.

Note that the Microsoft docs can use different terminologies for these
two tokens:

* Access Keys are also called SAS keys
* Shared Access Secrets are also called SAS tokens

Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting these types of secrets.

// Set value that can be used to refer to the type of secret in, for example:
// "An attacker can use this {secret_type} to ..."
:secret_type: secret

// Where possible, use predefined content for common impacts. This content can
// be found in the folder "shared_content/secrets/impact".
// When using predefined content, search for any required variables to be set and include them in this file.
// Not adding them will not trigger warnings.

include::../../../shared_content/secrets/impact/non_repudiation.adoc[]

include::../../../shared_content/secrets/impact/data_compromise.adoc[]

include::../../../shared_content/secrets/impact/financial_loss.adoc[]

== How to fix it

include::../../../shared_content/secrets/fix/revoke.adoc[]

include::../../../shared_content/secrets/fix/vault.adoc[]

On top of that, use the Azure SDK as much as possible and their diverse
credential objects.

=== Code examples

==== Noncompliant code example


:example_secret: r=https%3a%2f%2fexample.westeurope-1.eventgrid.azure.net%2fapi%2fevents&e=1%2f1%2f0001%2012%3a02%3a52%20AM&s=gdcIr5dXR4dC3sNyK4Qree4XogaRma3YdtH7%2boCxSQo%3d
:example_name: aeg-sas-token
:example_env: AEG_SAS_TOKEN

include::../../../shared_content/secrets/examples.adoc[]

== Resources

include::../../../shared_content/secrets/resources/standards.adoc[]
Create rule S7011: Detect Azure EventGrid SAS (#4055) * Create rule S7011 * Add text * Add specific definitions * Apply suggestions from code review * Update rules/S7011/secrets/rule.adoc --------- Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com> Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com> 2024-07-19 18:01:17 +02:00
			`include::../../../shared_content/secrets/description.adoc[]`

			`== Why is this an issue?`

			`include::../../../shared_content/secrets/rationale.adoc[]`

			`=== What is the potential impact?`

			`Access keys are used to authenticate to Azure Event Grid resources and can be`
			`employed for event publication to the resource.`

			`Shared Access Secrets (SAS) are generated from access keys and used to`
			`authenticate specific resources with particular permissions within a defined`
			`time frame. +`
			`Using Shared Access Signatures is always better than using access keys,`
			`because they reduce risk thanks to their scope and time limitation.`
			`However, hardcoding secret tokens is always a bad practice, and still`
			`exposes the resources to attacks. +`
			`This is a risk unless the whole resource is free of sensitive data.`

			`Note that the Microsoft docs can use different terminologies for these`
			`two tokens:`

			`* Access Keys are also called SAS keys`
			`* Shared Access Secrets are also called SAS tokens`

			`Below are some real-world scenarios that illustrate some impacts of an attacker`
			`exploiting these types of secrets.`

			`// Set value that can be used to refer to the type of secret in, for example:`
			`// "An attacker can use this {secret_type} to ..."`
			`:secret_type: secret`

			`// Where possible, use predefined content for common impacts. This content can`
			`// be found in the folder "shared_content/secrets/impact".`
			`// When using predefined content, search for any required variables to be set and include them in this file.`
			`// Not adding them will not trigger warnings.`

			`include::../../../shared_content/secrets/impact/non_repudiation.adoc[]`

			`include::../../../shared_content/secrets/impact/data_compromise.adoc[]`

			`include::../../../shared_content/secrets/impact/financial_loss.adoc[]`

			`== How to fix it`

			`include::../../../shared_content/secrets/fix/revoke.adoc[]`

			`include::../../../shared_content/secrets/fix/vault.adoc[]`

			`On top of that, use the Azure SDK as much as possible and their diverse`
			`credential objects.`

			`=== Code examples`

			`==== Noncompliant code example`


			`:example_secret: r=https%3a%2f%2fexample.westeurope-1.eventgrid.azure.net%2fapi%2fevents&e=1%2f1%2f0001%2012%3a02%3a52%20AM&s=gdcIr5dXR4dC3sNyK4Qree4XogaRma3YdtH7%2boCxSQo%3d`
			`:example_name: aeg-sas-token`
			`:example_env: AEG_SAS_TOKEN`

			`include::../../../shared_content/secrets/examples.adoc[]`

			`== Resources`

			`include::../../../shared_content/secrets/resources/standards.adoc[]`