diff --git a/rules/S6777/metadata.json b/rules/S6777/metadata.json
new file mode 100644
index 0000000000..2c63c08510
--- /dev/null
+++ b/rules/S6777/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S6777/secrets/metadata.json b/rules/S6777/secrets/metadata.json
new file mode 100644
index 0000000000..15ec071519
--- /dev/null
+++ b/rules/S6777/secrets/metadata.json
@@ -0,0 +1,59 @@
+{
+ "title": "Shippo tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "extra": {
+ "replacementRules": [
+
+ ]
+ },
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-6777",
+ "sqKey": "S6777",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+ }
+
\ No newline at end of file
diff --git a/rules/S6777/secrets/rule.adoc b/rules/S6777/secrets/rule.adoc
new file mode 100644
index 0000000000..42a1c42a3a
--- /dev/null
+++ b/rules/S6777/secrets/rule.adoc
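Review bot: The secrets/metadata.json hunk ends with what appears to be a whitespace-only added line after the closing `}` and then `\ No newline at end of file`, so the file neither ends cleanly on the brace nor with a terminating newline. Dropping that trailing line and ending the file with a newline keeps it consistent with the other metadata files and avoids a spurious diff the next time the file is touched.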
@@ -0,0 +1,82 @@
+Shippo is a multi-carrier shipping platform that helps businesses streamline their shipping processes. It provides a unified API and dashboard that allows businesses to connect with multiple shipping carriers. Shippo API tokens are used for authentication and authorization purposes when making API requests.
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+If a Shippo API token is leaked, it can have several consequences:
+
+==== Financial Loss
+
+If the leaked API token is used to generate shipping labels or make shipping-related transactions, it can result in financial loss. Unauthorized individuals may exploit the token to generate fraudulent labels or make unauthorized shipments, leading to additional shipping costs or potential chargebacks.
+==== Data Breach
+
+If the leaked API token is associated with a user account that has access to sensitive customer or business data, it can result in a data breach. This can lead to the exposure of personal information, shipping addresses, payment details, or other confidential data, potentially causing harm to your customers and your business reputation.
+
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,java,diff-id=1,diff-type=noncompliant]
+----
+Shippo.setApiKey('shippo_live_258d9b4c41a8cb88ca7fb4b12c65083f658435ac'); // Noncompliant
+
+HashMap addressMap = new HashMap();
+addressMap.put("name", "Mr. Hippo");
+addressMap.put("company", "Shippo");
+addressMap.put("street1", "215 Clayton St.");
+addressMap.put("city", "San Francisco");
+addressMap.put("state", "CA");
+addressMap.put("zip", "94117");
+addressMap.put("country", "US");
+addressMap.put("phone", "+1 555 341 9393");
+addressMap.put("email", "support@goshipppo.com");
+
+Address createAddress = Address.create(addressMap);
+----
+
+==== Compliant solution
+
+[source,java,diff-id=1,diff-type=compliant]
+----
+Shippo.setApiKey(System.getenv("SHIPPO_API_TOKEN"));
+
+HashMap addressMap = new HashMap();
+addressMap.put("name", "Mr. Hippo");
+addressMap.put("company", "Shippo");
+addressMap.put("street1", "215 Clayton St.");
+addressMap.put("city", "San Francisco");
+addressMap.put("state", "CA");
+addressMap.put("zip", "94117");
+addressMap.put("country", "US");
+addressMap.put("phone", "+1 555 341 9393");
+addressMap.put("email", "support@goshipppo.com");
+
+Address createAddress = Address.create(addressMap);
+----
+
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
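Review bot: The noncompliant Java example wraps the token in single quotes (`Shippo.setApiKey('shippo_live_…'); // Noncompliant`), which in Java is a char literal rather than a String, so the snippet would not compile and its quoting differs from the compliant example; it should read `Shippo.setApiKey("shippo_live_…"); // Noncompliant` with the token value kept as on the page. Both snippets also declare the map with raw types, `HashMap addressMap = new HashMap();`, where `Map<String, String> addressMap = new HashMap<>();` is the current idiom and avoids unchecked-call warnings. A smaller formatting point: `==== Data Breach` follows the preceding paragraph with no blank line, unlike every other heading in the file.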