coderabbitai
diff --git a/‎rules/python/security/avoid-mktemp-python.yml‎
Lines changed: 74 additions & 0 deletions b/‎rules/python/security/avoid-mktemp-python.yml‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎rules/python/security/python-ldap3-empty-password-python.yml‎
Lines changed: 44 additions & 0 deletions b/‎rules/python/security/python-ldap3-empty-password-python.yml‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎tests/__snapshots__/avoid-mktemp-python-snapshot.yml‎
Lines changed: 42 additions & 0 deletions b/‎tests/__snapshots__/avoid-mktemp-python-snapshot.yml‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎tests/__snapshots__/python-ldap3-empty-password-snapshot.yml‎
Lines changed: 29 additions & 0 deletions b/‎tests/__snapshots__/python-ldap3-empty-password-snapshot.yml‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎tests/python/avoid-mktemp-python-test.yml‎
Lines changed: 8 additions & 0 deletions b/‎tests/python/avoid-mktemp-python-test.yml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎tests/python/python-ldap3-empty-password-python-test.yml‎
Lines changed: 9 additions & 0 deletions b/‎tests/python/python-ldap3-empty-password-python-test.yml‎
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,74 @@
+id: avoid-mktemp-python
+language: python
+severity: warning
+message: >-
+ The function `mktemp` is deprecated. When using this function, it is
+ possible for an attacker to modify the created file before the filename is
+ returned. Use `NamedTemporaryFile()` instead and pass it the
+ `delete=False` parameter.
+note: >-
+ [CWE-377]: Insecure Temporary File
+ [OWASP A01:2021]: Broken Access Control
+ [REFERENCES]
+ https://docs.python.org/3/library/tempfile.html#tempfile.mktemp
+ https://owasp.org/Top10/A01_2021-Broken_Access_Control
+utils:
+ match_call:
+ kind: call
+ all:
+ - has:
+ stopBy: end
+ kind: attribute
+ field: function
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ field: object
+ regex: "^tempfile$"
+ - has:
+ stopBy: end
+ kind: identifier
+ field: attribute
+ regex: "^mktemp$"
+ - has:
+ stopBy: end
+ kind: argument_list
+ field: arguments
+ match_second_call:
+ kind: call
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ field: function
+ regex: "^mktemp$"
+ - has:
+ stopBy: end
+ kind: argument_list
+ field: arguments
+ inside:
+ stopBy: end
+ kind: expression_statement
+ follows:
+ stopBy: end
+ kind: import_from_statement
+ all:
+ - has:
+ kind: dotted_name
+ field: module_name
+ has:
+ kind: identifier
+ regex: "^tempfile$"
+ - has:
+ stopBy: end
+ kind: dotted_name
+ field: name
+ has:
+ stopBy: end
+ kind: identifier
+ regex: "^mktemp$"
+rule:
+ any:
+ - matches: match_call
+ - matches: match_second_call
@@ -0,0 +1,44 @@
+id: python-ldap3-empty-password
+language: python
+severity: warning
+message: >-
+ The application creates a database connection with an empty password.
+ This can lead to unauthorized access by either an internal or external
+ malicious actor. To prevent this vulnerability, enforce authentication
+ when connecting to a database by using environment variables to securely
+ provide credentials or retrieving them from a secure vault or HSM
+ (Hardware Security Module).
+note: >-
+ [CWE-287]: Improper Authentication
+ [OWASP A07:2021]: Identification and Authentication Failures
+ [REFERENCES]
+ https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+utils:
+ match_empty_password:
+ kind: call
+ all:
+ - has:
+ stopBy: end
+ kind: attribute
+ - has:
+ stopBy: end
+ kind: argument_list 
+ all:
+ - has:
+ stopBy: end
+ kind: keyword_argument
+ all:
+ - has:
+ stopBy: end
+ kind: identifier
+ regex: '^password$'
+ - has:
+ stopBy: neighbor
+ kind: string
+ not:
+ has:
+ stopBy: neighbor
+ kind: string_content
+rule:
+ any:
+ - matches: match_empty_password
@@ -0,0 +1,42 @@
+id: avoid-mktemp-python
+snapshots:
+ ? |
+ from tempfile import mktemp
+ ff = mktemp()
+ : labels:
+ - source: mktemp()
+ style: primary
+ start: 33
+ end: 41
+ - source: mktemp
+ style: secondary
+ start: 33
+ end: 39
+ - source: ()
+ style: secondary
+ start: 39
+ end: 41
+ - source: tempfile
+ style: secondary
+ start: 5
+ end: 13
+ - source: tempfile
+ style: secondary
+ start: 5
+ end: 13
+ - source: mktemp
+ style: secondary
+ start: 21
+ end: 27
+ - source: mktemp
+ style: secondary
+ start: 21
+ end: 27
+ - source: from tempfile import mktemp
+ style: secondary
+ start: 0
+ end: 27
+ - source: ff = mktemp()
+ style: secondary
+ start: 28
+ end: 41
@@ -0,0 +1,29 @@
+id: python-ldap3-empty-password
+snapshots:
+ ? |
+ ldap3.Connection(password="")
+ : labels:
+ - source: ldap3.Connection(password="")
+ style: primary
+ start: 0
+ end: 29
+ - source: ldap3.Connection
+ style: secondary
+ start: 0
+ end: 16
+ - source: password
+ style: secondary
+ start: 17
+ end: 25
+ - source: '""'
+ style: secondary
+ start: 26
+ end: 28
+ - source: password=""
+ style: secondary
+ start: 17
+ end: 28
+ - source: (password="")
+ style: secondary
+ start: 16
+ end: 29
@@ -0,0 +1,8 @@
+id: avoid-mktemp-python
+valid:
+ - |
+ 
+invalid:
+ - |
+ from tempfile import mktemp
+ ff = mktemp()
@@ -0,0 +1,9 @@
+id: python-ldap3-empty-password
+valid:
+ - |
+ ldap3.Connection(password=a)
+ ldap3.Connection(password=os.env['SECRET'])
+ ldap3.Connection(password=os.getenv('SECRET'))
+invalid:
+ - |
+ ldap3.Connection(password="")