ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S7011/secrets/rule.adoc
hashicorp-vault-sonar-prod[bot] f033cba397
Create rule S7011: Detect Azure EventGrid SAS (#4055) 
* Create rule S7011

* Add text

* Add specific definitions

* Apply suggestions from code review

* Update rules/S7011/secrets/rule.adoc

---------

Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com>
Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com>
Co-authored-by: Loris S. <91723853+loris-s-sonarsource@users.noreply.github.com>
2024-07-19 18:01:17 +02:00

70 lines
2.3 KiB
Plaintext
Raw Permalink Blame History

include::../../../shared_content/secrets/description.adoc[]
== Why is this an issue?
include::../../../shared_content/secrets/rationale.adoc[]
=== What is the potential impact?
Access keys are used to authenticate to Azure Event Grid resources and can be
employed for event publication to the resource.
Shared Access Secrets (SAS) are generated from access keys and used to
authenticate specific resources with particular permissions within a defined
time frame. +
Using Shared Access Signatures is always better than using access keys,
because they reduce risk thanks to their scope and time limitation.
However, hardcoding secret tokens is always a bad practice, and still
exposes the resources to attacks. +
This is a risk unless the whole resource is free of sensitive data.
Note that the Microsoft docs can use different terminologies for these
two tokens:
* Access Keys are also called SAS keys
* Shared Access Secrets are also called SAS tokens
Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting these types of secrets.
// Set value that can be used to refer to the type of secret in, for example:
// "An attacker can use this {secret_type} to ..."
:secret_type: secret
// Where possible, use predefined content for common impacts. This content can
// be found in the folder "shared_content/secrets/impact".
// When using predefined content, search for any required variables to be set and include them in this file.
// Not adding them will not trigger warnings.
include::../../../shared_content/secrets/impact/non_repudiation.adoc[]
include::../../../shared_content/secrets/impact/data_compromise.adoc[]
include::../../../shared_content/secrets/impact/financial_loss.adoc[]
== How to fix it
include::../../../shared_content/secrets/fix/revoke.adoc[]
include::../../../shared_content/secrets/fix/vault.adoc[]
On top of that, use the Azure SDK as much as possible and their diverse
credential objects.
=== Code examples
==== Noncompliant code example
:example_secret: r=https%3a%2f%2fexample.westeurope-1.eventgrid.azure.net%2fapi%2fevents&e=1%2f1%2f0001%2012%3a02%3a52%20AM&s=gdcIr5dXR4dC3sNyK4Qree4XogaRma3YdtH7%2boCxSQo%3d
:example_name: aeg-sas-token
:example_env: AEG_SAS_TOKEN
include::../../../shared_content/secrets/examples.adoc[]
== Resources
include::../../../shared_content/secrets/resources/standards.adoc[]
Reference in New Issue View Git Blame Copy Permalink