ec4643680c
You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6720/secrets) (updated a few minutes after each push). ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: loris-s-sonarsource <loris-s-sonarsource@users.noreply.github.com> Co-authored-by: Loris Sierra <loris.sierra@sonarsource.com>
47 lines
1.2 KiB
Plaintext
47 lines
1.2 KiB
Plaintext
include::../../../shared_content/secrets/description.adoc[]
|
|
|
|
== Why is this an issue?
|
|
|
|
include::../../../shared_content/secrets/rationale.adoc[]
|
|
|
|
=== What is the potential impact?
|
|
|
|
Zapier webhook URLs have different effects depending on their permissions: They
|
|
can be used only to write simple messages in instant messaging apps or trigger
|
|
other advanced workflows.
|
|
|
|
Below are some real-world scenarios that illustrate some impacts of an attacker
|
|
exploiting the secret.
|
|
|
|
include::../../../shared_content/secrets/impact/phishing.adoc[]
|
|
|
|
include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
|
|
|
|
include::../../../shared_content/secrets/impact/codeless_vulnerability_chaining.adoc[]
|
|
|
|
== How to fix it
|
|
|
|
include::../../../shared_content/secrets/fix/revoke.adoc[]
|
|
|
|
include::../../../shared_content/secrets/fix/vault.adoc[]
|
|
|
|
=== Code examples
|
|
|
|
:example_secret: https://hooks.zapier.com/hooks/catch/3017724/t0q8ed/
|
|
:example_name: zapier_webhook_url
|
|
:example_env: ZAPIER_WEBHOOK_URL
|
|
|
|
include::../../../shared_content/secrets/examples.adoc[]
|
|
|
|
//=== How does this work?
|
|
|
|
//=== Pitfalls
|
|
|
|
//=== Going the extra mile
|
|
|
|
== Resources
|
|
|
|
include::../../../shared_content/secrets/resources/standards.adoc[]
|
|
|
|
//=== Benchmarks
|