ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6768/secrets/rule.adoc
github-actions[bot] 09a3ffc000
Create rule S6768: Typeform tokens should not be disclosed (APPSEC-1071) (#3066) 
You can preview this rule
[here](https://sonarsource.github.io/rspec/#/rspec/S6768/secrets)
(updated a few minutes after each push).

## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the
guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

---------

Co-authored-by: egon-okerman-sonarsource <egon-okerman-sonarsource@users.noreply.github.com>
Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2023-09-18 18:55:38 +02:00

74 lines
2.9 KiB
Plaintext
Raw Permalink Blame History

include::../../../shared_content/secrets/description.adoc[]
== Why is this an issue?
include::../../../shared_content/secrets/rationale.adoc[]
If an attacker gains access to a Typeform personal access token, they might be able to compromise the data that is accessible to the linked Typeform account. By doing so, it might be possible for customer data to be leaked by the attacker.
=== What is the potential impact?
If an attacker gains access to forms and the data linked to the forms, your organization may be impacted in several ways.
==== Data compromise
Typeform often is used to store private information that users have shared through their forms. This is called https://gdpr.eu/eu-gdpr-personal-data/[`Personally Identifiable Information`]. +
The leaked app key could provide a gateway for unauthorized individuals to access and misuse this data, compromising the privacy and safety of the application users.
In many industries and locations, there are legal and compliance requirements to protect sensitive personal information. If this kind of sensitive personal data gets leaked, companies face legal consequences, penalties, or violations of privacy laws.
==== Phishing attacks
An attacker can use the Typeform access token to lure them into links to a malicious domain controlled by the attacker.
They can use the data stored in the forms to create attacks that look legitimate to the victims. In some cases, they might even edit existing forms to lead users to a malicious domain directly.
Once a user has been phished on a legitimate-seeming third-party website, the attacker can trick users into submitting sensitive information, such as login credentials or financial details. This can lead to identity theft, financial fraud, or unauthorized access to other systems.
== How to fix it
include::../../../shared_content/secrets/fix/revoke.adoc[]
include::../../../shared_content/secrets/fix/vault.adoc[]
=== Code examples
==== Noncompliant code example
[source,python,diff-id=1,diff-type=noncompliant]
----
import requests
token = 'tfp_DEueEgDipkmx52r7rgU5EC7VC5K2MzzsR61ELEkqmh3Y_3mJqwKJ2vtfX5N' # Noncompliant
response = requests.get('https://api.typeform.com/forms', headers={
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
})
----
==== Compliant solution
[source,python,diff-id=1,diff-type=compliant]
----
import requests
token = os.getenv('TYPEFORM_PERSONAL_ACCESS_TOKEN')
response = requests.get('https://api.typeform.com/forms', headers={
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
})
----
//=== How does this work?
//=== Pitfalls
//=== Going the extra mile
== Resources
=== Documentation
Typeform Developers - https://www.typeform.com/developers/get-started/personal-access-token/#regenerate-your-personal-access-token[Regenerate your personal access token]
include::../../../shared_content/secrets/resources/standards.adoc[]
Reference in New Issue View Git Blame Copy Permalink