-
Notifications
You must be signed in to change notification settings - Fork 29
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create rule S6751: PyPI tokens should not be disclosed (APPSEC-1073) (#…
…3021) You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6751/secrets) (updated a few minutes after each push). ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: egon-okerman-sonarsource <[email protected]> Co-authored-by: Egon Okerman <[email protected]>
- Loading branch information
3 people
authored
Sep 15, 2023
1 parent
83c164c
commit 054bdfb
Showing
4 changed files
with
121 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| { | ||
| "title": "PyPI tokens should not be disclosed", | ||
| "type": "VULNERABILITY", | ||
| "code": { | ||
| "impacts": { | ||
| "SECURITY": "HIGH" | ||
| }, | ||
| "attribute": "TRUSTWORTHY" | ||
| }, | ||
| "status": "ready", | ||
| "remediation": { | ||
| "func": "Constant\/Issue", | ||
| "constantCost": "30min" | ||
| }, | ||
| "tags": [ | ||
| "cwe", | ||
| "cert" | ||
| ], | ||
| "extra": { | ||
| "replacementRules": [] | ||
| }, | ||
| "defaultSeverity": "Blocker", | ||
| "ruleSpecification": "RSPEC-6751", | ||
| "sqKey": "S6751", | ||
| "scope": "All", | ||
| "securityStandards": { | ||
| "CWE": [ | ||
| 798, | ||
| 259 | ||
| ], | ||
| "OWASP": [ | ||
| "A3" | ||
| ], | ||
| "CERT": [ | ||
| "MSC03-J." | ||
| ], | ||
| "OWASP Top 10 2021": [ | ||
| "A7" | ||
| ], | ||
| "PCI DSS 3.2": [ | ||
| "6.5.10" | ||
| ], | ||
| "PCI DSS 4.0": [ | ||
| "6.2.4" | ||
| ], | ||
| "ASVS 4.0": [ | ||
| "2.10.4", | ||
| "3.5.2", | ||
| "6.4.1" | ||
| ] | ||
| }, | ||
| "defaultQualityProfiles": [ | ||
| "Sonar way" | ||
| ], | ||
| "quickfix": "unknown" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| include::../../../shared_content/secrets/description.adoc[] | ||
|
|
||
| == Why is this an issue? | ||
|
|
||
| include::../../../shared_content/secrets/rationale.adoc[] | ||
|
|
||
| === What is the potential impact? | ||
|
|
||
| The exact consequences of a PyPI API token compromise can vary depending on the scope of the affected token. Depending on this factor, the attacker might get access to the full account the token is bound to or only to a project belonging to that user. | ||
|
|
||
| In any case, such a compromise can lead to source code leaks, data leaks and even serious supply chain attacks. In general, a reputational loss is also a common threat. | ||
|
|
||
| include::../../../shared_content/secrets/impact/source_code_compromise.adoc[] | ||
|
|
||
| include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[] | ||
|
|
||
| == How to fix it | ||
|
|
||
| include::../../../shared_content/secrets/fix/revoke.adoc[] | ||
|
|
||
| include::../../../shared_content/secrets/fix/vault.adoc[] | ||
|
|
||
| For PyPI, `keyring` is a recommended solution to securely store secrets. Further explanation is given in the example below. | ||
|
|
||
| === Code examples | ||
|
|
||
| ==== Noncompliant code example | ||
|
|
||
| PyPI API tokens can be used to authenticate with PyPI by setting the token as a password in `.pypirc`. | ||
|
|
||
| [source,text] | ||
| ---- | ||
| [pypi] | ||
| username = __token__ | ||
| password = pypi-YBf3ZAIKOMPwNZ1VaQ0RAtjww5lI1az1CMLEOWgDQN56EPADfzRmgsENVcmIUh2mSBwYlTtyNKGmVlLm2MZD2aJOTWmD2EO5PMyWjvUY3Ii2CjsidALCNCNmvX8N8gcijBliFN2ciBCLgQdi2YYfGjA1kz19z1UBKg | ||
| ---- | ||
|
|
||
| ==== Compliant solution | ||
|
|
||
| Instead, Python's https://pypi.org/project/keyring/[`keyring` package] can be used to securely authenticate with PyPI. Once `keyring` is installed using pip, it should be used for authentication automatically. It is also possible to configure it manually using the following: | ||
|
|
||
| [source,bash] | ||
| ---- | ||
| pip config set --global global.keyring-provider subprocess | ||
| ---- | ||
|
|
||
| //=== How does this work? | ||
|
|
||
| //=== Pitfalls | ||
|
|
||
| === Going the extra mile | ||
|
|
||
| include::../../../shared_content/secrets/extra_mile/permissions_scope.adoc[] | ||
|
|
||
| == Resources | ||
|
|
||
| === Documentation | ||
|
|
||
| * pip Documentation - https://pip.pypa.io/en/stable/topics/authentication/#authentication[Authentication] | ||
|
|
||
| include::../../../shared_content/secrets/resources/standards.adoc[] | ||
|
|
||
| //=== Benchmarks |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters