ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create rule S7144: Bitbucket keys should not be disclosed (APPSEC-1864) (#4476)

Browse Source
This commit is contained in:
github-actions[bot] 2024-11-12 11:42:40 +01:00 committed by GitHub
parent 78497b8212
commit c36fc7cc5f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 120 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
rules/S7144/metadata.json Normal file
View File

@ -0,0 +1,2 @@
{
}

56
rules/S7144/secrets/metadata.json Normal file
View File

@ -0,0 +1,56 @@
{
"title": "BitBucket OAuth credentials should not be disclosed",
"type": "VULNERABILITY",
"code": {
"impacts": {
"SECURITY": "HIGH"
},
"attribute": "TRUSTWORTHY"
},
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "30min"
},
"tags": [
"cwe",
"cert"
],
"defaultSeverity": "Blocker",
"ruleSpecification": "RSPEC-7144",
"sqKey": "S7144",
"scope": "All",
"securityStandards": {
"CWE": [
798,
259
],
"OWASP": [
"A3"
],
"CERT": [
"MSC03-J."
],
"OWASP Top 10 2021": [
"A7"
],
"PCI DSS 3.2": [
"6.5.10"
],
"PCI DSS 4.0": [
"6.2.4"
],
"ASVS 4.0": [
"2.10.4",
"3.5.2",
"6.4.1"
],
"STIG ASD_V5R3": [
"V-222642"
]
},
"defaultQualityProfiles": [
"Sonar way"
],
"quickfix": "unknown"
}

62
rules/S7144/secrets/rule.adoc Normal file
View File

@ -0,0 +1,62 @@
include::../../../shared_content/secrets/description.adoc[]
== Why is this an issue?
include::../../../shared_content/secrets/rationale.adoc[]
If attackers gain access to a BitBucket OAuth credentials, they will be able to interact with BitBucket API on behalf of the compromised account.
=== What is the potential impact?
Bitbucket keys allow external services to access resources on a users behalf with the OAuth 2.0 protocol.
They are used to authenticate applications, services, or APIs using BitBucket for login and access-control.
Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the secret.
include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
== How to fix it
include::../../../shared_content/secrets/fix/revoke.adoc[]
include::../../../shared_content/secrets/fix/recent_use.adoc[]
include::../../../shared_content/secrets/fix/vault.adoc[]
=== Code examples
==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant,subs="attributes"]
----
props.set("bitbucket.oauth-key", "MP76PZGLQmw63rxZYJ") // Noncompliant
props.set("bitbucket.oauth-secret", "ASgzPac3EPbXHbTSw6DyUagJZ8ThnUFG") // Noncompliant
----
==== Compliant solution
[source,java,diff-id=1,diff-type=compliant,subs="attributes"]
----
props.set("bitbucket.oauth-key", System.getenv("BITBUCKET_OAUTH_KEY")
props.set("bitbucket.oauth-secret", System.getenv("BITBUCKET_OAUTH_SECRET")
----
//=== How does this work?
//=== Pitfalls
//=== Going the extra mile
== Resources
* Bitbucket Support - https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/[Use OAuth on Bitbucket Cloud]
include::../../../shared_content/secrets/resources/standards.adoc[]
//=== Benchmarks