ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S7004/secrets/rule.adoc
github-actions[bot] 09ac17157d
Create rule S7004: Huawei Cloud application secrets should not be disclosed (#4041) 
* Create rule S7004

* Add content for Huawei Cloud

* Add documentation link

* Adjust RSPEC content to account for more use cases

* Remove references to API gateway

I had initially found some documentation that seemed to indicate that API Gateway may use the same format secret. However, I cannot find that documentation any more.

I'm going to remove anything related to API Gateway and just focus on the main APIs, with Push Kit being called out because that has the most examples on SourceGraph.

* Use shared phishing content

---------

Co-authored-by: jamie-anderson-sonarsource <jamie-anderson-sonarsource@users.noreply.github.com>
Co-authored-by: Jamie Anderson <127742609+jamie-anderson-sonarsource@users.noreply.github.com>
Co-authored-by: Loris S <91723853+loris-s-sonarsource@users.noreply.github.com>
2024-07-10 16:06:54 +01:00

68 lines
2.0 KiB
Plaintext
Raw Permalink Blame History

include::../../../shared_content/secrets/description.adoc[]
== Why is this an issue?
include::../../../shared_content/secrets/rationale.adoc[]
=== What is the potential impact?
Application keys and secrets allow applications to authenticate with Huawei
Cloud services. If an application secret is disclosed, an attacker will be able
to call Huawei Cloud resources with the same privileges as the application.
Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the secret.
:secret_type: application secret
include::../../../shared_content/secrets/impact/phishing.adoc[]
==== Financial loss
Cloud providers charge for their services based on their usage. This may be
based on the number of API calls made, bandwidth, or how many server instances
are running.
An attacker can use a disclosed secret to send large numbers of requests to the
cloud provider. This can lead to a large and unexpected increase in cloud
provider costs.
==== Denial of service
The cloud provider may monitor requests to identify unusual usage activity. If
an attacker is able to send enough requests, the cloud provider may flag your
account and take action against it. This could lead to the suspension or
termination of your account, thus causing significant inconvenience and
disruption for your customers or partners.
== How to fix it
include::../../../shared_content/secrets/fix/revoke.adoc[]
include::../../../shared_content/secrets/fix/vault.adoc[]
=== Code examples
:example_secret: 2bcd82072fdd4d396eadd7095a27c0f2f93d527618605a631107fb75026b59cb
:example_name: huawei-cloud.app-secret
:example_env: HUAWEI_CLOUD_APP_SECRET
include::../../../shared_content/secrets/examples.adoc[]
//=== How does this work?
//=== Pitfalls
//=== Going the extra mile
== Resources
=== Documentation
* Huawei Developer Documentation - https://developer.huawei.com/consumer/en/doc/HMSCore-Guides/oauth2-0000001212610981[OAuth 2.0-based Authentication]
include::../../../shared_content/secrets/resources/standards.adoc[]
//=== Benchmarks
Reference in New Issue View Git Blame Copy Permalink