ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create rule S6910 (#3610)

Browse Source 
* Create rule S6910

* Added description and metadata

---------

Co-authored-by: daniel-teuchert-sonarsource <daniel-teuchert-sonarsource@users.noreply.github.com>
Co-authored-by: Daniel Teuchert <daniel.teuchert@sonarsource.com>
Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
This commit is contained in:
github-actions[bot] 2024-02-08 11:31:38 +01:00 committed by GitHub
parent c34f7fdbc9
commit 65ec930f11
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 107 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/S6910/metadata.json Normal file
View File

@ -0,0 +1,2 @@
{
}

56
rules/S6910/secrets/metadata.json Normal file
View File

@ -0,0 +1,56 @@
{
"title": "Postmark server token should not be disclosed",
"type": "VULNERABILITY",
"code": {
"impacts": {
"SECURITY": "HIGH"
},
"attribute": "TRUSTWORTHY"
},
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "30min"
},
"tags": [
"cwe",
"cert"
],
"extra": {
"replacementRules": []
},
"defaultSeverity": "Blocker",
"ruleSpecification": "RSPEC-6910",
"sqKey": "S6910",
"scope": "All",
"securityStandards": {
"CWE": [
798,
259
],
"OWASP": [
"A3"
],
"CERT": [
"MSC03-J."
],
"OWASP Top 10 2021": [
"A7"
],
"PCI DSS 3.2": [
"6.5.10"
],
"PCI DSS 4.0": [
"6.2.4"
],
"ASVS 4.0": [
"2.10.4",
"3.5.2",
"6.4.1"
]
},
"defaultQualityProfiles": [
"Sonar way"
],
"quickfix": "unknown"
}

48
rules/S6910/secrets/rule.adoc Normal file
View File

@ -0,0 +1,48 @@
include::../../../shared_content/secrets/description.adoc[]
== Why is this an issue?
include::../../../shared_content/secrets/rationale.adoc[]
=== What is the potential impact?
Postmark server tokens are used to authenticate requests to the Postmark API. When a request is made to the Postmark API, the server token is included in the header of the request. This process enables Postmark to confirm that the request originates from a trusted source and should be processed accordingly.
These tokens are sensitive because they provide full access to all features and data on a specific server in Postmark.
Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the secret.
:secret_type: token
include::../../../shared_content/secrets/impact/phishing.adoc[]
include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
include::../../../shared_content/secrets/impact/suspicious_activities_termination.adoc[]
== How to fix it
include::../../../shared_content/secrets/fix/revoke.adoc[]
include::../../../shared_content/secrets/fix/vault.adoc[]
=== Code examples
:example_secret: 0a9e83b47-938b-aed2-239a-29e8b3a90a83
:example_name: X-Postmark-Server-Token
:example_env: POSTMARK_SERVER_TOKEN
include::../../../shared_content/secrets/examples.adoc[]
//=== How does this work?
//=== Pitfalls
//=== Going the extra mile
== Resources
include::../../../shared_content/secrets/resources/standards.adoc[]
//=== Benchmarks

2
shared_content/secrets/examples.adoc
View File

@ -2,7 +2,7 @@
[source,java,diff-id=1,diff-type=noncompliant,subs="attributes"] [source,java,diff-id=1,diff-type=noncompliant,subs="attributes"]
---- ----
props.set("{example_name}", "{example_secret}") props.set("{example_name}", "{example_secret}") // Noncompliant
---- ----
==== Compliant solution ==== Compliant solution