Create rule S6989: Adafruit IO API keys should not be disclosed (#4009)

* Create rule S6989 * Add content for S6989 * Add documentation link --------- Co-authored-by: jamie-anderson-sonarsource <jamie-anderson-sonarsource@users.noreply.github.com> Co-authored-by: Jamie Anderson <127742609+jamie-anderson-sonarsource@users.noreply.github.com>
2024-06-28 11:17:39 +01:00 · 2024-06-28 11:17:39 +01:00 · 7e2174bd6f
commit 7e2174bd6f
parent ba9bab2a5e
4 changed files with 121 additions and 0 deletions
--- a/rules/S6989/metadata.json
+++ b/rules/S6989/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rules/S6989/secrets/metadata.json
+++ b/rules/S6989/secrets/metadata.json
@ -0,0 +1,56 @@
+{
+  "title": "Adafruit IO API keys should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-6989",
+  "sqKey": "S6989",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ],
+    "STIG ASD 2023-06-08": [
+      "V-222642"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
--- a/rules/S6989/secrets/rule.adoc
+++ b/rules/S6989/secrets/rule.adoc
@ -0,0 +1,53 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+Adafruit IO provides an API that allows you to interact with IoT devices. The
+API can be used to store data, trigger webhook notifications, or modify the
+layout and information shown on user dashboards.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+:secret_type: API key
+
+include::../../../shared_content/secrets/impact/exceed_rate_limits.adoc[]
+
+include::../../../shared_content/secrets/impact/codeless_vulnerability_chaining.adoc[]
+
+include::../../../shared_content/secrets/impact/data_modification.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: aio_XFKJb9078YvbkljV0879vhjkj7G4
+:example_name: adafruit-io-key
+:example_env: ADAFRUIT_IO_KEY
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+=== Documentation
+
+* Adafruit IO documentation - https://io.adafruit.com/api/docs/#authentication[Authentication]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
--- a/shared_content/secrets/impact/exceed_rate_limits.adoc
+++ b/shared_content/secrets/impact/exceed_rate_limits.adoc
@ -0,0 +1,10 @@
+==== Exceeding rate limits
+
+Using a leaked secret, an attacker may be able to make hundreds or thousands of
+authenticated calls to an online service. It is common for online services to
+enforce a rate limit to prevent their servers from being overwhelmed.
+
+If an attacker is able to exceed a user-based rate limit, they may be able to
+cause a denial of service for the user. If this continues over a long period of
+time, the user may also be subject to additional fees or may have their account
+terminated.