ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6698/secrets/rule.adoc
Loris S cf35afd3dd
Modify S6698&S6703&S6697: Add a warning against default values (#3121) 
## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

---------

Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
2023-09-22 10:48:47 +00:00

80 lines
2.3 KiB
Plaintext
Raw Permalink Blame History

include::../../../shared_content/secrets/description.adoc[]
== Why is this an issue?
include::../../../shared_content/secrets/rationale.adoc[]
=== What is the potential impact?
Passwords in PostgreSQL are used to authenticate users against the database
engine. They are associated with user accounts that are granted specific
permissions over the database and its hosted data.
If a PostgreSQL password leaks to an unintended audience, it can have serious
consequences for the security of your database, the data stored within it, and
the applications that rely on it.
include::../../../shared_content/secrets/impact/data_compromise.adoc[]
==== Security downgrade
Applications relying on a PostgreSQL database instance can suffer a security
downgrade if an access password is leaked to attackers. Depending on the
purposes the application uses the database for, consequences can range from
low-severity issues, like defacement, to complete compromise.
For example, if the PostgreSQL instance is used as part of the authentication
process of an application, attackers with access to the database will likely be
able to bypass this security mechanism.
== How to fix it
include::../../../shared_content/secrets/fix/revoke.adoc[]
include::../../../shared_content/secrets/fix/recent_use.adoc[]
By default, no connection information is logged by PostgreSQL server. The
`log_connections` parameter must be set to `true` in the server configuration
for this to happen.
include::../../../shared_content/secrets/fix/vault.adoc[]
include::../../../shared_content/secrets/fix/default.adoc[]
=== Code examples
==== Noncompliant code example
[source,python,diff-id=1,diff-type=noncompliant]
----
uri = "postgres://foouser:foopass@example.com/testdb"
----
==== Compliant solution
[source,python,diff-id=1,diff-type=compliant]
----
import os
user = os.environ["PG_USER"]
password = os.environ["PG_PASSWORD"]
uri = f"postgres://{user}:{password}@example.com/testdb"
----
//=== How does this work?
//=== Pitfalls
//=== Going the extra mile
== Resources
include::../../../shared_content/secrets/resources/standards.adoc[]
=== Documentation
* PostgreSQL Documentation - https://www.postgresql.org/docs/15/client-authentication.html[Client Authentication]
* PostgreSQL Documentation - https://www.postgresql.org/docs/current/runtime-config-logging.html[Error Reporting and Logging]
//=== Benchmarks
Reference in New Issue View Git Blame Copy Permalink