Create rule S6701: Telegram bot keys should not be disclosed (#2861)

2023-08-11 13:57:33 +00:00 · 2023-08-11 13:57:33 +00:00 · 7da41a60be
commit 7da41a60be
parent 79647231c4
3 changed files with 104 additions and 0 deletions
--- a/rules/S6701/metadata.json
+++ b/rules/S6701/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rules/S6701/secrets/metadata.json
+++ b/rules/S6701/secrets/metadata.json
@ -0,0 +1,58 @@
+{
+  "title": "Telegram bot keys should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "extra": {
+    "replacementRules": [
+
+    ]
+  },
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-6701",
+  "sqKey": "S6701",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
--- a/rules/S6701/secrets/rule.adoc
+++ b/rules/S6701/secrets/rule.adoc
@ -0,0 +1,44 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Telegram bot keys are used to authenticate and authorize a bot to interact with
+the Telegram Bot API. These keys are essentially access tokens that allow the
+bot to send and receive messages, manage groups and channels, and perform other
+actions on behalf of the bot.
+
+If a Telegram bot key is accidentally exposed to an unintended audience, the
+primary concern is that unauthorized individuals may gain access to the bot's
+functionalities and data. This could result in misuse or abuse of the bot's
+capabilities. For instance, unauthorized users could send unsolicited
+messages, spam users, or engage in other disruptive activities using the bot.
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: 7299363101:AAWJlilLyeMaKgTTrrfsyrtxDqqI-cdI-TF
+:example_name: api_token
+:example_env: API_TOKEN
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks