Create rule S6699: Spotify API secrets should not be disclosed (#2855)

2023-08-11 12:17:49 +02:00 · 2023-08-11 12:17:49 +02:00 · d54de6f117
commit d54de6f117
parent 5377fe4f2e
3 changed files with 109 additions and 0 deletions
--- a/rules/S6699/metadata.json
+++ b/rules/S6699/metadata.json
@ -0,0 +1,2 @@
+{
+}
--- a/rules/S6699/secrets/metadata.json
+++ b/rules/S6699/secrets/metadata.json
@ -0,0 +1,58 @@
+{
+  "title": "Spotify API secrets should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe",
+    "cert"
+  ],
+  "extra": {
+    "replacementRules": [
+
+    ]
+  },
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-6699",
+  "sqKey": "S6699",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown"
+}
--- a/rules/S6699/secrets/rule.adoc
+++ b/rules/S6699/secrets/rule.adoc
@ -0,0 +1,49 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+The Spotify API secret is a confidential key used for authentication and
+authorization purposes when accessing the Spotify API.
+
+The Spotify API grants applications access to Spotify's services and, by
+extension, user data. Should this secret fall into the wrong hands, two
+immediate concerns arise: unauthorized access to user data and data
+manipulation.
+
+When unauthorized entities obtain the API secret, they have potential access to
+users' personal Spotify information. This includes the details of their
+playlists, saved tracks, and listening history. Such exposure might not only
+breach personal boundaries but also infringe upon privacy standards set by
+platforms and regulators.
+
+In addition to simply gaining access, there is the risk of data manipulation. If malicious individuals obtain the secret, they could tamper with user content on Spotify. This includes modifying playlists, deleting beloved tracks, or even adding unsolicited ones. Such actions not only disrupt the user experience but also violate the trust that users have in both Spotify and third-party applications connected to it.
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: f3fbd32510154334aaf0394aca3ac4c3
+:example_name: spotify_secret
+:example_env: SPOTIFY_SECRET
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks