ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6755/secrets/rule.adoc
github-actions[bot] 95d7e2c516
Create rule S6755: DigitalOcean tokens should not be disclosed (APPSEC-1063) (#3029) 
You can preview this rule
[here](https://sonarsource.github.io/rspec/#/rspec/S6755/secrets)
(updated a few minutes after each push).

## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

---------

Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com>
Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
Co-authored-by: gaetan-ferry-sonarsource <112399173+gaetan-ferry-sonarsource@users.noreply.github.com>
2023-09-19 17:40:09 +02:00

60 lines
1.8 KiB
Plaintext
Raw Permalink Blame History

include::../../../shared_content/secrets/description.adoc[]
== Why is this an issue?
include::../../../shared_content/secrets/rationale.adoc[]
If an attacker gains access to a DigitalOcean personal access token or OAuth token, they might be able to compromise your DigitalOcean environment. This includes control over Droplets and any applications that are running, as well as databases and other assets that are managed by the account.
=== What is the potential impact?
If an attacker manages to gain access to the DigitalOcean environment, there exist several ways that they could seriously harm your organization. Any data that is stored in the environment could be leaked, but the environment itself could even be tampered with.
include::../../../shared_content/secrets/impact/data_compromise.adoc[]
:service_name: DigitalOcean
include::../../../shared_content/secrets/impact/infrastructure_takeover.adoc[]
== How to fix it
include::../../../shared_content/secrets/fix/revoke.adoc[]
include::../../../shared_content/secrets/fix/vault.adoc[]
=== Code examples
==== Noncompliant code example
[source,ruby,diff-id=1,diff-type=noncompliant]
----
require 'droplet_kit'
token = 'dop_v1_1adc4095c3c676ff1c31789a1a86480195a5b3d955010c94fcfa554b34640e1e' # Noncompliant
client = DropletKit::Client.new(access_token: token)
----
==== Compliant solution
[source,ruby,diff-id=1,diff-type=compliant]
----
require 'droplet_kit'
token = ENV['DIGITALOCEAN_TOKEN']
client = DropletKit::Client.new(access_token: token)
----
//=== How does this work?
//=== Pitfalls
//=== Going the extra mile
== Resources
=== Documentation
DigitalOcean Documentation - https://docs.digitalocean.com/reference/api/create-personal-access-token/[How to Create a Personal Access Token]
include::../../../shared_content/secrets/resources/standards.adoc[]
Reference in New Issue View Git Blame Copy Permalink