Create rule S6755: DigitalOcean tokens should not be disclosed (APPSEC-1063) (#3029)

You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6755/secrets) (updated a few minutes after each push). ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com> Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com> Co-authored-by: gaetan-ferry-sonarsource <112399173+gaetan-ferry-sonarsource@users.noreply.github.com>
2023-09-19 17:40:09 +02:00 · 2023-09-19 17:40:09 +02:00 · 95d7e2c516
commit 95d7e2c516
parent 08a359a6ae
4 changed files with 123 additions and 0 deletions
--- a/rules/S6755/metadata.json
+++ b/rules/S6755/metadata.json
@ -0,0 +1 @@
+{}
--- a/rules/S6755/secrets/metadata.json
+++ b/rules/S6755/secrets/metadata.json
@ -0,0 +1,56 @@
+{
+  "title": "DigitalOcean tokens should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "extra": {
+    "replacementRules": []
+  },
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-6755",
+  "sqKey": "S6755",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
--- a/rules/S6755/secrets/rule.adoc
+++ b/rules/S6755/secrets/rule.adoc
@ -0,0 +1,59 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If an attacker gains access to a DigitalOcean personal access token or OAuth token, they might be able to compromise your DigitalOcean environment. This includes control over Droplets and any applications that are running, as well as databases and other assets that are managed by the account.
+
+=== What is the potential impact?
+
+If an attacker manages to gain access to the DigitalOcean environment, there exist several ways that they could seriously harm your organization. Any data that is stored in the environment could be leaked, but the environment itself could even be tampered with.
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+:service_name: DigitalOcean
+
+include::../../../shared_content/secrets/impact/infrastructure_takeover.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,ruby,diff-id=1,diff-type=noncompliant]
+----
+require 'droplet_kit'
+
+token = 'dop_v1_1adc4095c3c676ff1c31789a1a86480195a5b3d955010c94fcfa554b34640e1e'  # Noncompliant
+client = DropletKit::Client.new(access_token: token)
+----
+
+==== Compliant solution
+
+[source,ruby,diff-id=1,diff-type=compliant]
+----
+require 'droplet_kit'
+
+token = ENV['DIGITALOCEAN_TOKEN']
+client = DropletKit::Client.new(access_token: token)
+----
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+=== Documentation
+
+DigitalOcean Documentation - https://docs.digitalocean.com/reference/api/create-personal-access-token/[How to Create a Personal Access Token]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
--- a/shared_content/secrets/impact/infrastructure_takeover.adoc
+++ b/shared_content/secrets/impact/infrastructure_takeover.adoc
@ -0,0 +1,7 @@
+==== Infrastructure takeover
+
+By obtaining a leaked secret, an attacker can gain control over your organization's {service_name} infrastructure. They can modify DNS settings, redirect traffic, or launch malicious instances that can be used for various nefarious activities, including launching DDoS attacks, hosting phishing websites, or distributing malware. Malicious instances may also be used for resource-intensive tasks such as cryptocurrency mining. 
+
+This can result in legal liability, but also increased costs, degraded performance, and potential service disruptions.
+
+Furthermore, corporate {service_name} infrastructures are often connected to other services and to the internal networks of the organization. Because of this, cloud infrastructure is often used by attackers as a gateway to other assets. Attackers can leverage this gateway to gain access to more services, to compromise more business-critical data and to cause more damage to the overall infrastructure.