Create rule S6769: Shopify tokens should not be disclosed (APPSEC-1076) (#3068)

You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6769/secrets) (updated a few minutes after each push). ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2023-09-20 10:12:37 +02:00 · 2023-09-20 10:12:37 +02:00 · 168f231de8
commit 168f231de8
parent 42b25db4ca
4 changed files with 127 additions and 0 deletions
--- a/rules/S6769/metadata.json
+++ b/rules/S6769/metadata.json
@ -0,0 +1 @@
+{}
--- a/rules/S6769/secrets/metadata.json
+++ b/rules/S6769/secrets/metadata.json
@ -0,0 +1,56 @@
+{
+  "title": "Shopify tokens should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "extra": {
+    "replacementRules": []
+  },
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-6769",
+  "sqKey": "S6769",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
--- a/rules/S6769/secrets/rule.adoc
+++ b/rules/S6769/secrets/rule.adoc
@ -0,0 +1,65 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If an attacker gains access to a Shopify app token or a Shopify Partners token, they might be able to compromise the Shopify environment linked to this token. As this environment typically contains both important financial data and the personal information of clients, a breach by a malicious entity could have a serious impact on the organization.
+
+=== What is the potential impact?
+
+Shopify contains both important information about customers, as well as financial information in general. If an attacker manages to get access to either of those through a leaked secret, they could severely impact the business in multiple ways. 
+
+include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]
+
+Furthermore, the personal identifiable information contained by the Shopify platform could be used for phishing. Not sufficiently protecting the sensitive information of clients, such as addresses, email addresses and even financial information, can directly hurt these clients and will also hurt the reputation of the organization.
+
+include::../../../shared_content/secrets/impact/disclosure_of_financial_data.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,python,diff-id=1,diff-type=noncompliant]
+----
+import requests
+
+token = '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'  # Noncompliant
+response = requests.get('https://test-shop.myshopify.com/admin/api/2021-07/shop.json', headers={
+    'X-Shopify-Access-Token': token,
+    'Content-Type': 'application/json'
+})
+----
+
+==== Compliant solution
+
+[source,python,diff-id=1,diff-type=compliant]
+----
+import requests
+
+token = os.getenv('SHOPIFY_ACCESS_TOKEN')
+response = requests.get('https://test-shop.myshopify.com/admin/api/2021-07/shop.json', headers={
+    'X-Shopify-Access-Token': token,
+    'Content-Type': 'application/json'
+})
+----
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+=== Documentation
+
+Shopify.dev docs - https://shopify.dev/docs/apps/auth/admin-app-access-tokens#requirements[Access tokens for custom apps in the Shopify admin]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
--- a/shared_content/secrets/impact/disclosure_of_financial_data.adoc
+++ b/shared_content/secrets/impact/disclosure_of_financial_data.adoc
@ -0,0 +1,5 @@
+==== Disclosure of financial data
+
+When an attacker gains access to an organization's financial information, it can have severe consequences for the organization. One of the primary concerns is the potential leakage of sensitive financial data. This information may include bank account details, credit card information, or confidential financial reports. If this data falls into the wrong hands, it can be used for malicious purposes such as identity theft, unauthorized access to financial accounts, or even blackmail.
+
+The disclosure of financial information can also lead to a loss of confidence and damage the organization's reputation with its stakeholders. Customers, partners, and investors place trust in organizations to protect their financial data. In case of a breach, customers may be hesitant to continue doing business with this company, leading to a loss of revenue and market share. Similarly, partners and investors may reconsider their long-term collaborations or investments due to concerns about the organization's overall security posture.