diff --git a/rules/S6437/python/metadata.json b/rules/S6437/python/metadata.json new file mode 100644 index 0000000000..7a73a41bfd --- /dev/null +++ b/rules/S6437/python/metadata.json @@ -0,0 +1,2 @@ +{ +} \ No newline at end of file diff --git a/rules/S6437/python/rule.adoc b/rules/S6437/python/rule.adoc new file mode 100644 index 0000000000..93d021481e --- /dev/null +++ b/rules/S6437/python/rule.adoc @@ -0,0 +1,112 @@ +include::../description.adoc[] + +== Noncompliant Code Example + +[source,python] +---- +from requests_oauthlib.oauth2_session import OAuth2Session + +scope = ['https://www.api.example.com/auth/example.data'] + +oauth = OAuth2Session( + 'example_client_id', + redirect_uri='https://callback.example.com/uri', + scope=scope) + +token = oauth.fetch_token( + 'https://api.example.com/o/oauth2/token', + client_secret='example_Password') # Noncompliant + +data = oauth.get('https://www.api.example.com/oauth2/v1/exampledata') +---- + +== Compliant Solution + +Using https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/secretsmanager[AWS Secrets Manager]: + +[source,python] +---- +import boto3 +from requests_oauthlib.oauth2_session import OAuth2Session + +def get_client_secret(): + + session = boto3.session.Session() + client = session.client(service_name='secretsmanager', region_name='eu-west-1') + + return client.get_secret_value(SecretId='example_oauth_secret_id') + +client_secret = get_client_secret() +scope = ['https://www.api.example.com/auth/example.data'] + +oauth = OAuth2Session( + 'example_client_id', + redirect_uri='https://callback.example.com/uri', + scope=scope) + +token = oauth.fetch_token( + 'https://api.example.com/o/oauth2/token', + client_secret=client_secret) + +data = oauth.get('https://www.api.example.com/oauth2/v1/exampledata') +---- + +Using https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-java?tabs=azure-cli[Azure Key Vault Secret]: + +[source,python] +---- +from azure.keyvault.secrets import SecretClient +from azure.identity import DefaultAzureCredential + +def get_client_secret(): + vault_uri = "https://example.vault.azure.net" + credential = DefaultAzureCredential() + client = SecretClient(vault_url=vault_uri, credential=credential) + + return client.get_secret('example_oauth_secret_name') + +client_secret = get_client_secret() +scope = ['https://www.api.example.com/auth/example.data'] + +oauth = OAuth2Session( + 'example_client_id', + redirect_uri='https://callback.example.com/uri', + scope=scope) + +token = oauth.fetch_token( + 'https://api.example.com/o/oauth2/token', + client_secret=client_secret) + +data = oauth.get('https://www.api.example.com/oauth2/v1/exampledata') + +---- + +== See + +* https://aws.amazon.com/fr/secrets-manager/[AWS] - Secret Manager +* https://azure.microsoft.com/fr-fr/services/key-vault/[Azure] - Key Vault +* https://cloud.google.com/secret-manager[GCP] - Secret Manager +* https://www.vaultproject.io/[Hashicorp Vault] - Secret Management +* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures +* https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication +* https://cwe.mitre.org/data/definitions/798.html[MITRE, CWE-798] - Use of Hard-coded Credentials +* https://cwe.mitre.org/data/definitions/259.html[MITRE, CWE-259] - Use of Hard-coded Password +* https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information + +ifdef::env-github,rspecator-view[] +''' +== Implementation Specification +(visible only on this page) + +=== Message + +Revoke and change this password, as it is compromised. + +=== Highlighting + +Highlight the credential use and its initialization. + +''' +endif::env-github,rspecator-view[] + +