ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2068/cfamily/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

91 lines
3.5 KiB
Plaintext
Raw Permalink Blame History

Because it is easy to extract strings from an application source code or binary, credentials should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.
In the past, it has led to the following vulnerabilities:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13466[CVE-2019-13466]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15389[CVE-2018-15389]
Credentials should be stored outside of the code in a configuration file, a database, or a management service for secrets.
This rule looks for hard-coded credentials in variable names that match any of the patterns from the provided list.
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
----
dbi_conn conn = dbi_conn_new("mysql");
string password = "secret"; // Sensitive
dbi_conn_set_option(conn, "password", password.c_str());
----
== Compliant Solution
[source,cpp]
----
dbi_conn conn = dbi_conn_new("mysql");
string password = getDatabasePassword(); // Compliant
dbi_conn_set_option(conn, "password", password.c_str()); // Compliant
----
== See
* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures]
* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication]
* CWE - https://cwe.mitre.org/data/definitions/798[CWE-798 - Use of Hard-coded Credentials]
* CWE - https://cwe.mitre.org/data/definitions/259[CWE-259 - Use of Hard-coded Password]
* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#HARD_CODE_PASSWORD[Hard Coded Password]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../parameters.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 3 Dec 2020, 11:17:07 Geoffray Adde wrote:
\[~hendrik.buchwald], I did the implementation of the rule in its current state. While doing so, we discussed 3 improvements with [~loic.joly] that could be added to the C/{cpp} version.
* Macros: they are very often used as global variable, especially in C.
----
#define PASSWD secret
----
* For function calls, we could apply the rule to names of parameters (which are a sort of variable). This could catch hard-coded credentials in calls.
----
int connect( const std::string& Url, const std::string& Passwd);
...
connect("124.234.56.7", "secret"); // "secret" is used for parameter Passwd, so we should raise an issue there
----
* Still for the case of hard-coded credentials in function calls. Some libraries/frameworks do something like set(PASSWD, "secret)". So maybe flagging, such function calls with enum named with "passwd" and literals could work.
----
curl_easy_setopt(easyhandle, CURLOPT_USERPWD, "myname:thesecret");
----
What do you think Hendrik?
=== on 3 Dec 2020, 13:53:57 Hendrik Buchwald wrote:
\[~geoffray.adde] all 3 things make sense to me. For the enums it might be hard to detect when they are actually used for assigning literal values though. I fear that just checking for a string literal and an enum with a password-name in a function call might result in too many false-positives. But I don't see a way how to check this before it is implemented. WDYT?
=== on 18 Dec 2020, 08:52:03 Geoffray Adde wrote:
I created https://jira.sonarsource.com/browse/CPP-2852
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink