From 054bdfb71c13eace77ccd25edb42053cb51cbbed Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 15 Sep 2023 15:25:35 +0200
Subject: [PATCH] Create rule S6751: PyPI tokens should not be disclosed
 (APPSEC-1073) (#3021)

You can preview this rule
[here](https://sonarsource.github.io/rspec/#/rspec/S6751/secrets)
(updated a few minutes after each push).

## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

---------

Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com>
Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
---
 rules/S6751/metadata.json              |  1 +
 rules/S6751/secrets/metadata.json      | 56 +++++++++++++++++++++++
 rules/S6751/secrets/rule.adoc          | 63 ++++++++++++++++++++++++++
 shared_content/secrets/fix/revoke.adoc |  2 +-
 4 files changed, 121 insertions(+), 1 deletion(-)
 create mode 100644 rules/S6751/metadata.json
 create mode 100644 rules/S6751/secrets/metadata.json
 create mode 100644 rules/S6751/secrets/rule.adoc

diff --git a/rules/S6751/metadata.json b/rules/S6751/metadata.json
new file mode 100644
index 0000000000..9e26dfeeb6
--- /dev/null
+++ b/rules/S6751/metadata.json
@@ -0,0 +1 @@
+{}
\ No newline at end of file
diff --git a/rules/S6751/secrets/metadata.json b/rules/S6751/secrets/metadata.json
new file mode 100644
index 0000000000..709a0dfc79
--- /dev/null
+++ b/rules/S6751/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+  "title": "PyPI tokens should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "extra": {
+    "replacementRules": []
+  },
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-6751",
+  "sqKey": "S6751",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
\ No newline at end of file
diff --git a/rules/S6751/secrets/rule.adoc b/rules/S6751/secrets/rule.adoc
new file mode 100644
index 0000000000..1559fc42c2
--- /dev/null
+++ b/rules/S6751/secrets/rule.adoc
@@ -0,0 +1,63 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+The exact consequences of a PyPI API token compromise can vary depending on the scope of the affected token. Depending on this factor, the attacker might get access to the full account the token is bound to or only to a project belonging to that user.
+
+In any case, such a compromise can lead to source code leaks, data leaks and even serious supply chain attacks. In general, a reputational loss is also a common threat.
+
+include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+For PyPI, `keyring` is a recommended solution to securely store secrets. Further explanation is given in the example below.
+
+=== Code examples
+
+==== Noncompliant code example
+
+PyPI API tokens can be used to authenticate with PyPI by setting the token as a password in `.pypirc`.
+
+[source,text]
+----
+[pypi]
+username = __token__
+password = pypi-YBf3ZAIKOMPwNZ1VaQ0RAtjww5lI1az1CMLEOWgDQN56EPADfzRmgsENVcmIUh2mSBwYlTtyNKGmVlLm2MZD2aJOTWmD2EO5PMyWjvUY3Ii2CjsidALCNCNmvX8N8gcijBliFN2ciBCLgQdi2YYfGjA1kz19z1UBKg
+----
+
+==== Compliant solution
+
+Instead, Python's https://pypi.org/project/keyring/[`keyring` package] can be used to securely authenticate with PyPI. Once `keyring` is installed using pip, it should be used for authentication automatically. It is also possible to configure it manually using the following:
+
+[source,bash]
+----
+pip config set --global global.keyring-provider subprocess
+----
+
+//=== How does this work?
+
+//=== Pitfalls
+
+=== Going the extra mile
+
+include::../../../shared_content/secrets/extra_mile/permissions_scope.adoc[]
+
+== Resources
+
+=== Documentation
+
+* pip Documentation - https://pip.pypa.io/en/stable/topics/authentication/#authentication[Authentication]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
diff --git a/shared_content/secrets/fix/revoke.adoc b/shared_content/secrets/fix/revoke.adoc
index 7d947e8874..ccfa795440 100644
--- a/shared_content/secrets/fix/revoke.adoc
+++ b/shared_content/secrets/fix/revoke.adoc
@@ -3,6 +3,6 @@
 Revoke any leaked secrets and remove them from the application source code.
 
 
-Before revoking the secret, ensure that no other applications or processes is
+Before revoking the secret, ensure that no other applications or processes are
 using it. Other usages of the secret will also be impacted when the secret is
 revoked.