From 3b88387f4f7763792576541516de84e22bf18db6 Mon Sep 17 00:00:00 2001
From: loris-s-sonarsource
Date: Tue, 5 Nov 2024 10:15:54 +0000
Subject: [PATCH 1/3] Create rule S7141
---
rules/S7141/metadata.json | 2 ++
rules/S7141/secrets/metadata.json | 56 +++++++++++++++++++++++++++++++
rules/S7141/secrets/rule.adoc | 50 +++++++++++++++++++++++++++
3 files changed, 108 insertions(+)
create mode 100644 rules/S7141/metadata.json
create mode 100644 rules/S7141/secrets/metadata.json
create mode 100644 rules/S7141/secrets/rule.adoc
diff --git a/rules/S7141/metadata.json b/rules/S7141/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S7141/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S7141/secrets/metadata.json b/rules/S7141/secrets/metadata.json
new file mode 100644
index 00000000000..5a1430e73d5
--- /dev/null
+++ b/rules/S7141/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "SECRET_TYPE should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-7141",
+ "sqKey": "S7141",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD_V5R3": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
diff --git a/rules/S7141/secrets/rule.adoc b/rules/S7141/secrets/rule.adoc
new file mode 100644
index 00000000000..28f3a64def8
--- /dev/null
+++ b/rules/S7141/secrets/rule.adoc
@@ -0,0 +1,50 @@
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+// Optional: Give a general description of the secret and what it's used for.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker
+exploiting the secret.
+
+// Set value that can be used to refer to the type of secret in, for example:
+// "An attacker can use this {secret_type} to ..."
+:secret_type: secret
+
+// Where possible, use predefined content for common impacts. This content can
+// be found in the folder "shared_content/secrets/impact".
+// When using predefined content, search for any required variables to be set and include them in this file.
+// Not adding them will not trigger warnings.
+
+//include::../../../shared_content/secrets/impact/some_impact.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+:example_secret: example_secret_value
+:example_name: java-property-name
+:example_env: ENV_VAR_NAME
+
+include::../../../shared_content/secrets/examples.adoc[]
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks
From a630380147267468d5cc26e5a042d438026bfc4d Mon Sep 17 00:00:00 2001
From: Loris Sierra
Date: Wed, 6 Nov 2024 10:52:47 +0100
Subject: [PATCH 2/3] Add main logic
---
rules/S7141/secrets/metadata.json | 2 +-
rules/S7141/secrets/rule.adoc | 49 +++++++++++++++++++------------
2 files changed, 31 insertions(+), 20 deletions(-)
diff --git a/rules/S7141/secrets/metadata.json b/rules/S7141/secrets/metadata.json
index 5a1430e73d5..469a48bbf70 100644
--- a/rules/S7141/secrets/metadata.json
+++ b/rules/S7141/secrets/metadata.json
@@ -1,5 +1,5 @@
 {
- "title": "SECRET_TYPE should not be disclosed",
+ "title": "Chief Tools API tokens should not be disclosed",
 "type": "VULNERABILITY",
 "code": {
 "impacts": {
diff --git a/rules/S7141/secrets/rule.adoc b/rules/S7141/secrets/rule.adoc
index 28f3a64def8..ea5d251e0e6 100644
--- a/rules/S7141/secrets/rule.adoc
+++ b/rules/S7141/secrets/rule.adoc
@@ -7,21 +7,39 @@ include::../../../shared_content/secrets/rationale.adoc[] === What is the potential impact? -// Optional: Give a general description of the secret and what it's used for. +Leaking this secret can allow an attacker to exploit the Chief Tools API, and +therefore any of the Chief apps. Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the secret. -// Set value that can be used to refer to the type of secret in, for example: -// "An attacker can use this {secret_type} to ..." -:secret_type: secret +==== Domain hijacking +If the leaked secret gives an attacker a Cert Chief entitlement, the attacker +can use it to stay informed about the certificates of your domain to +automatically renew and take ownership of the next certificate. This can lead to +a domain hijacking attack. -// Where possible, use predefined content for common impacts. This content can -// be found in the folder "shared_content/secrets/impact". -// When using predefined content, search for any required variables to be set and include them in this file. -// Not adding them will not trigger warnings. +==== Supply chain attacks +If the leaked secret gives an attacker a Deploy Chief entitlement, then there +may exist grave consequences beyond the compromise of source code. The attacker +may inject malware, backdoors, or other harmful code into these private +repositories. -//include::../../../shared_content/secrets/impact/some_impact.adoc[] +This can cause further security breaches inside the organization, but will also +affect clients if the malicious code gets added to any products. Distributing +code that (unintentionally) contains backdoors or malware can lead to widespread +security vulnerabilities, reputational damage, and potential legal liabilities. + +==== Phishing and spam +I the leaked secret gives an attacker a Tny entitlement, an attacker can use +this API token to hide a malicious domain and use it in spam/phishing campaigns. 
+ +Spam can cause users to be exposed to the following: + +* Unsolicited, inappropriate content, such as pornographic material +* Fraudulent attempts to trick users into sending information or money +* Abusive or hateful statements +* False advertising or fraudulent claims == How to fix it @@ -31,20 +49,13 @@ include::../../../shared_content/secrets/fix/vault.adoc[] === Code examples -:example_secret: example_secret_value -:example_name: java-property-name -:example_env: ENV_VAR_NAME +:example_secret: ctp_em36qdLHVWKcCm25gGc9oPhsrR0KYX2bymJH +:example_name: chief-api-token +:example_env: CHIEF_API_TOKEN include::../../../shared_content/secrets/examples.adoc[] -//=== How does this work? - -//=== Pitfalls - -//=== Going the extra mile - == Resources include::../../../shared_content/secrets/resources/standards.adoc[] -//=== Benchmarks From 33d93968b18ff850812b0383a6e281f415872480 Mon Sep 17 00:00:00 2001 From: "Loris S." <91723853+loris-s-sonarsource@users.noreply.github.com> Date: Thu, 7 Nov 2024 09:50:40 +0100 Subject: [PATCH 3/3] Update rules/S7141/secrets/rule.adoc --- rules/S7141/secrets/rule.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/S7141/secrets/rule.adoc b/rules/S7141/secrets/rule.adoc index ea5d251e0e6..2ba478c683f 100644 --- a/rules/S7141/secrets/rule.adoc +++ b/rules/S7141/secrets/rule.adoc @@ -36,7 +36,7 @@ this API token to hide a malicious domain and use it in spam/phishing campaigns. Spam can cause users to be exposed to the following: -* Unsolicited, inappropriate content, such as pornographic material +* Unsolicited, inappropriate content * Fraudulent attempts to trick users into sending information or money * Abusive or hateful statements * False advertising or fraudulent claims
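Review bot: The "Domain hijacking" scenario in this hunk overstates what a Cert Chief entitlement gives an attacker: a certificate-monitoring token can reveal which certificates exist and when they expire, but it cannot "renew and take ownership of the next certificate", because issuance is gated by the CA's domain-control validation, not by the monitoring service. Assuming Cert Chief is a monitoring product (the rule text does not say), the defensible impact is reconnaissance, e.g. `can use it to enumerate your domains and certificates and learn when they expire, which helps time an attack on a domain or certificate that is about to lapse.` The same hunk has two wording defects that patch 3 does not touch: `I the leaked secret gives an attacker a Tny entitlement, an attacker can use` should read `If the leaked secret gives an attacker a Tny entitlement, they can use`, and `these private repositories` in the supply-chain paragraph has no antecedent, so name what the token reaches (for example `the repositories and deployment targets the token can reach`). The opening sentence's `and therefore any of the Chief apps` also contradicts the per-entitlement scoping of the scenarios below; `any of the Chief apps the token holds an entitlement for` matches them.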
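Review bot: The example value `ctp_em36qdLHVWKcCm25gGc9oPhsrR0KYX2bymJH` set in `:example_secret:` is shaped like a genuine token rather than an obvious placeholder, and it will be published in the rule description and reused by the shared examples include. Confirm that it was generated for this rule (or has been revoked) and was never issued by Chief Tools, and record that next to the attribute, e.g. `// synthetic value shaped like a ctp_ token; never a live credential`. If the detector keys on the `ctp_` prefix and length, saying so in that comment keeps the next editor from replacing the sample with one the rule no longer matches.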