Create rule S6648: Secure strings and objects should not have default…

… values (APPSEC-803) (#2250) [Specification ticket](https://sonarsource.atlassian.net/browse/APPSEC-803) [Implementation ticket](https://sonarsource.atlassian.net/browse/SONARIAC-896) [RSPEC Preview](https://sonarsource.github.io/rspec/#/rspec/S6648/azureresourcemanager) Bicep PR: #2277 ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: pierre-loup-tristant-sonarsource <[email protected]> Co-authored-by: Pierre-Loup Tristant <[email protected]> Co-authored-by: Egon Okerman <[email protected]>
SonarSource · Jul 3, 2023 · b11bd37 · b11bd37
1 parent 9e57069
commit b11bd37
Show file tree

Hide file tree

Showing 4 changed files with 104 additions and 0 deletions.
diff --git a/docs/header_names/allowed_framework_names.adoc b/docs/header_names/allowed_framework_names.adoc
@@ -103,3 +103,5 @@
 * CommonCrypto
 * CryptoSwift
 * IDZSwiftCommonCrypto
+// Azure resource manager
+* ARM templates
diff --git a/rules/S6648/azureresourcemanager/metadata.json b/rules/S6648/azureresourcemanager/metadata.json
@@ -0,0 +1,27 @@
+{
+  "title": "Secure strings and objects should not have default values",
+  "type": "VULNERABILITY",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "60min"
+  },
+  "tags": [
+    "azure"
+  ],
+  "securityStandards": {
+    "CWE": [
+      200,
+      532
+    ],
+    "ASVS 4.0": [
+      "7.1.1"
+    ]
+  },
+  "defaultSeverity": "Critical",
+  "ruleSpecification": "RSPEC-6648",
+  "sqKey": "S6648",
+  "scope": "All",
+  "defaultQualityProfiles": ["Sonar way"],
+  "quickfix": "unknown"
+}
diff --git a/rules/S6648/azureresourcemanager/rule.adoc b/rules/S6648/azureresourcemanager/rule.adoc
@@ -0,0 +1,73 @@
+Azure Resource Manager templates define parameters as a way to reuse templates in different environments. Secure parameters (secure strings and secure objects) should not be assigned a default value.
+
+== Why is this an issue?
+
+Parameters with the type `securestring` and `secureObject` are designed to pass sensitive data to the resources being deployed. Unlike other data types, they cannot be accessed after the deployment is completed. They can neither be logged nor used as an output.
+
+Secure parameters can be assigned a default value which will be used if the parameter is not supplied. This default value is not protected and is stored in cleartext in the deployment history.
+
+=== What is the potential impact?
+
+If the default value contains a secret, it will be disclosed to all accounts that have read access to the deployment history. 
+
+== How to fix it in ARM templates
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,json,diff-id=1,diff-type=noncompliant]
+----
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "secretValue": {
+      "type": "securestring",
+      "defaultValue": "S3CR3T"
+    }
+  }
+}
+----
+
+==== Compliant solution
+
+[source,json,diff-id=1,diff-type=compliant]
+----
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "secretValue": {
+      "type": "securestring"
+    }
+  }
+}
+----
+
+
+== Resources
+=== Documentation
+
+* https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/data-types[Data types in ARM templates]
+* https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/best-practices#security-recommendations-for-parameters[ARM template best practices - Security recommendations for parameters]
+
+=== Standards
+
+* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor
+* https://cwe.mitre.org/data/definitions/532[MITRE, CWE-532] - Insertion of Sensitive Information into Log File
+
+ifdef::env-github,rspecator-view[]
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+- Remove the default value from this secure string.
+- Remove the default value from this secure object.
+
+=== Highlight
+
+The default value 
+
+endif::env-github,rspecator-view[]
diff --git a/rules/S6648/metadata.json b/rules/S6648/metadata.json
@@ -0,0 +1,2 @@
+{
+}