Create rule S6437(Python): Credentials should not be hard-coded (#1609)
1 parent
005bfc0
commit 38232f1
Showing
2 changed files
with
114 additions
and
0 deletions.
@@ -0,0 +1,2 @@ | ||
{ | ||
} |
@@ -0,0 +1,112 @@ | ||
include::../description.adoc[] | ||
|
||
== Noncompliant Code Example | ||
|
||
[source,python] | ||
---- | ||
from requests_oauthlib.oauth2_session import OAuth2Session | ||
scope = ['https://www.api.example.com/auth/example.data'] | ||
oauth = OAuth2Session( | ||
'example_client_id', | ||
redirect_uri='https://callback.example.com/uri', | ||
scope=scope) | ||
token = oauth.fetch_token( | ||
'https://api.example.com/o/oauth2/token', | ||
client_secret='example_Password') # Noncompliant | ||
data = oauth.get('https://www.api.example.com/oauth2/v1/exampledata') | ||
---- | ||
|
||
== Compliant Solution | ||
|
||
Using https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/secretsmanager[AWS Secrets Manager]: | ||
|
||
[source,python] | ||
---- | ||
import boto3 | ||
from requests_oauthlib.oauth2_session import OAuth2Session | ||
def get_client_secret(): | ||
session = boto3.session.Session() | ||
client = session.client(service_name='secretsmanager', region_name='eu-west-1') | ||
return client.get_secret_value(SecretId='example_oauth_secret_id') | ||
client_secret = get_client_secret() | ||
scope = ['https://www.api.example.com/auth/example.data'] | ||
oauth = OAuth2Session( | ||
'example_client_id', | ||
redirect_uri='https://callback.example.com/uri', | ||
scope=scope) | ||
token = oauth.fetch_token( | ||
'https://api.example.com/o/oauth2/token', | ||
client_secret=client_secret) | ||
data = oauth.get('https://www.api.example.com/oauth2/v1/exampledata') | ||
---- | ||
|
||
Using https://docs.microsoft.com/en-us/azure/key-vault/secrets/quick-create-java?tabs=azure-cli[Azure Key Vault Secret]: | ||
|
||
[source,python] | ||
---- | ||
from azure.keyvault.secrets import SecretClient | ||
from azure.identity import DefaultAzureCredential | ||
def get_client_secret(): | ||
vault_uri = "https://example.vault.azure.net" | ||
credential = DefaultAzureCredential() | ||
client = SecretClient(vault_url=vault_uri, credential=credential) | ||
return client.get_secret('example_oauth_secret_name') | ||
client_secret = get_client_secret() | ||
scope = ['https://www.api.example.com/auth/example.data'] | ||
oauth = OAuth2Session( | ||
'example_client_id', | ||
redirect_uri='https://callback.example.com/uri', | ||
scope=scope) | ||
token = oauth.fetch_token( | ||
'https://api.example.com/o/oauth2/token', | ||
client_secret=client_secret) | ||
data = oauth.get('https://www.api.example.com/oauth2/v1/exampledata') | ||
---- | ||
|
||
== See | ||
|
||
* https://aws.amazon.com/fr/secrets-manager/[AWS] - Secret Manager | ||
* https://azure.microsoft.com/fr-fr/services/key-vault/[Azure] - Key Vault | ||
* https://cloud.google.com/secret-manager[GCP] - Secret Manager | ||
* https://www.vaultproject.io/[Hashicorp Vault] - Secret Management | ||
* https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[OWASP Top 10 2021 Category A7] - Identification and Authentication Failures | ||
* https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication[OWASP Top 10 2017 Category A2] - Broken Authentication | ||
* https://cwe.mitre.org/data/definitions/798.html[MITRE, CWE-798] - Use of Hard-coded Credentials | ||
* https://cwe.mitre.org/data/definitions/259.html[MITRE, CWE-259] - Use of Hard-coded Password | ||
* https://wiki.sei.cmu.edu/confluence/x/OjdGBQ[CERT, MSC03-J.] - Never hard code sensitive information | ||
|
||
ifdef::env-github,rspecator-view[] | ||
''' | ||
== Implementation Specification | ||
(visible only on this page) | ||
|
||
=== Message | ||
|
||
Revoke and change this password, as it is compromised. | ||
|
||
=== Highlighting | ||
|
||
Highlight the credential use and its initialization. | ||
|
||
''' | ||
endif::env-github,rspecator-view[] | ||
|
||
|