From a278258b88a41646d773bf5d070f9d0e01b5dd09 Mon Sep 17 00:00:00 2001 From: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Date: Wed, 9 Aug 2023 14:49:28 +0200 Subject: [PATCH] Modify rule S6338: Use common text (#2832) --- rules/S6338/secrets/metadata.json | 5 +++ rules/S6338/secrets/rule.adoc | 54 ++++++++++++++++++++++++------- 2 files changed, 47 insertions(+), 12 deletions(-) diff --git a/rules/S6338/secrets/metadata.json b/rules/S6338/secrets/metadata.json index e6488e259f..7f036648c4 100644 --- a/rules/S6338/secrets/metadata.json +++ b/rules/S6338/secrets/metadata.json @@ -16,6 +16,11 @@ "cwe", "cert" ], + "extra": { + "replacementRules": [ + + ] + }, "defaultSeverity": "Blocker", "ruleSpecification": "RSPEC-6338", "sqKey": "S6338", diff --git a/rules/S6338/secrets/rule.adoc b/rules/S6338/secrets/rule.adoc index 43ef044e95..3345408477 100644 --- a/rules/S6338/secrets/rule.adoc +++ b/rules/S6338/secrets/rule.adoc 
@@ -1,25 +1,55 @@ +include::../../../shared_content/secrets/description.adoc[] + == Why is this an issue? -Azure Storage Account Keys are similar to the root password, allowing full access to Azure Storage Accounts. +include::../../../shared_content/secrets/rationale.adoc[] -If the application interacts with Azure Cloud Storage services, access keys should be secured and not be disclosed. +=== What is the potential impact? +Azure Storage Account Keys are used to authenticate and authorize access to +Azure Storage resources, such as blobs, queues, tables, and files. These keys +are used to authenticate requests made against the storage account. -== Recommended Secure Coding Practices +If an Azure Storage Account Key is leaked to an unintended audience, it can pose +a significant security risk to your Azure Storage account. -Only administrators should have access to storage account keys. To authorize an application to access an Azure Storage, it's recommended to create a service principal and assign it the required privileges only. https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-msi?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#authenticate-with-the-azure-identity-library[Azure Identity SDK] provides several options such as _DefaultAzureCredential_ that can be used to retrieve secrets from, for instance, environment variables. +An attacker with access to your storage account key can potentially access and +modify all the data stored in your storage account. They can also create new +resources, delete existing ones, and perform other actions that can compromise +the integrity and confidentiality of your data. -Storage account keys should not be stored with the application code or saved anywhere in plain text accessible to others. Consider using an https://azure.microsoft.com/en-us/services/key-vault/[Azure Key Vault] to store and manage keys. 
+In addition, an attacker with access to your storage account key can also incur +charges on your account by creating and using resources, which can result in +unexpected billing charges. -When credentials are disclosed in the application code, consider them as compromised and rotate them immediately. +== How to fix it +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/recent_use.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +:example_secret: 4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg== +:example_name: storage_key +:example_env: STORAGE_KEY + +include::../../../shared_content/secrets/examples.adoc[] + +//=== How does this work? + +//=== Pitfalls + +//=== Going the extra mile == Resources -* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures -* https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal[docs.microsoft.com] - Manage storage account access keys -* https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[OWASP Top 10 2017 Category A3] - Sensitive Data Exposure -* https://cwe.mitre.org/data/definitions/798[MITRE, CWE-798] - Use of Hard-coded Credentials -* https://cwe.mitre.org/data/definitions/259[MITRE, CWE-259] - Use of Hard-coded Password -* https://www.sans.org/top25-software-errors/#cat3[SANS Top 25] - Porous Defenses +include::../../../shared_content/secrets/resources/standards.adoc[] +=== Documentation + +* Microsoft Documentation - https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal[Manage storage account access keys] + +//=== Benchmarks
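Review bot: in the metadata.json hunk, the `"replacementRules"` array added under `"extra"` is empty and contains a stray blank line between `[` and `]`; if no rule replaces S6338, leave the `extra` block out rather than shipping an empty list, and if one does, put that rule's key in the array so the metadata actually says what replaced the rule.

Review bot: in the rule.adoc hunk, the rewrite drops the Azure-specific guidance from the old "Recommended Secure Coding Practices" section (prefer a least-privilege service principal or the Azure Identity SDK's `DefaultAzureCredential` over storage account keys, and keep keys in Azure Key Vault), while the new `== How to fix it` only pulls in the generic `revoke.adoc`, `recent_use.adoc` and `vault.adoc` includes; consider restoring the Azure Identity SDK link under the commented-out `=== Going the extra mile` or in `=== Documentation`, since the shared content cannot name the Azure-specific alternative to account keys. Also, `:example_secret:` now holds an 88-character base64 value shaped exactly like a real storage account key; confirm it is a fabricated sample, since the same detector will scan the generated rule text.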