ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6753/secrets/rule.adoc
github-actions[bot] 496edb7d4a
Create rule S6753: Zuplo (APPSEC-1067) (#3026) 
You can preview this rule
[here](https://sonarsource.github.io/rspec/#/rspec/S6753/secrets)
(updated a few minutes after each push).

## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

---------

Co-authored-by: sebastien-andrivet-sonarsource <sebastien-andrivet-sonarsource@users.noreply.github.com>
Co-authored-by: sebastien-andrivet-sonarsource <sebastien.andrivet@sonarsource.com>
2023-09-19 15:32:25 +02:00

49 lines
1.7 KiB
Plaintext
Raw Permalink Blame History

Zuplo is an API management platform built for developers. It handles authentification and access to your API and provides additional functionalities such as rate limiting the number of requests to your backend.
In order for your backend to validate that a request has been processed by Zuplo, it relies on an API key generated in Zuplo Developer Portal. If this key is compromised, attackers will be able to bypass Zuplo and access your API without authentication and authorization.
include::../../../shared_content/secrets/description.adoc[]
== Why is this an issue?
include::../../../shared_content/secrets/rationale.adoc[]
=== What is the potential impact?
The exact impact of a Zuplo API key being leaked varies greatly depending on the type of services the software is used to implement. In general, consequences ranging from a denial of service to application compromise can be expected.
:secret_type: credentials
include::../../../shared_content/secrets/impact/codeless_vulnerability_chaining.adoc[]
include::../../../shared_content/secrets/impact/data_compromise.adoc[]
== How to fix it
include::../../../shared_content/secrets/fix/revoke.adoc[]
include::../../../shared_content/secrets/fix/vault.adoc[]
=== Code examples
:example_secret: zpka_213d294a9a5a44619cd6a02e55a20417_5f43e4d0
:example_name: zapi_key
:example_env: ZAPI_KEY
include::../../../shared_content/secrets/examples.adoc[]
//=== How does this work?
//=== Pitfalls
//=== Going the extra mile
== Resources
=== Documentation
* Zuplo API documentation - https://zuplo.com/docs/articles/api-key-management[API Keys Overview]
include::../../../shared_content/secrets/resources/standards.adoc[]
//=== Benchmarks
Reference in New Issue View Git Blame Copy Permalink