From b11bd37556d5b554aa710bef62b870a24cfd8c67 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 3 Jul 2023 17:54:12 +0200 Subject: [PATCH] Create rule S6648: Secure strings and objects should not have default values (APPSEC-803) (#2250) [Specification ticket](https://sonarsource.atlassian.net/browse/APPSEC-803) [Implementation ticket](https://sonarsource.atlassian.net/browse/SONARIAC-896) [RSPEC Preview](https://sonarsource.github.io/rspec/#/rspec/S6648/azureresourcemanager) Bicep PR: https://github.com/SonarSource/rspec/pull/2277 ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: pierre-loup-tristant-sonarsource Co-authored-by: Pierre-Loup Tristant Co-authored-by: Egon Okerman --- .../header_names/allowed_framework_names.adoc | 2 + .../S6648/azureresourcemanager/metadata.json | 27 +++++++ rules/S6648/azureresourcemanager/rule.adoc | 73 +++++++++++++++++++ rules/S6648/metadata.json | 2 + 4 files changed, 104 insertions(+) create mode 100644 rules/S6648/azureresourcemanager/metadata.json create mode 100644 rules/S6648/azureresourcemanager/rule.adoc create mode 100644 rules/S6648/metadata.json
diff --git a/docs/header_names/allowed_framework_names.adoc b/docs/header_names/allowed_framework_names.adoc
index e8b5f72cf1e..943682505a8 100644
--- a/docs/header_names/allowed_framework_names.adoc
+++ b/docs/header_names/allowed_framework_names.adoc
@@ -103,3 +103,5 @@
 * CommonCrypto
 * CryptoSwift
 * IDZSwiftCommonCrypto
+// Azure resource manager
+* ARM templates
diff --git a/rules/S6648/azureresourcemanager/metadata.json b/rules/S6648/azureresourcemanager/metadata.json
new file mode 100644
index 00000000000..60539d9869f
--- /dev/null
+++ b/rules/S6648/azureresourcemanager/metadata.json
@@ -0,0 +1,27 @@
+{
+ "title": "Secure strings and objects should not have default values",
+ "type": "VULNERABILITY",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "60min"
+ },
+ "tags": [
+ "azure"
+ ],
+ "securityStandards": {
+ "CWE": [
+ 200,
+ 532
+ ],
+ "ASVS 4.0": [
+ "7.1.1"
+ ]
+ },
+ "defaultSeverity": "Critical",
+ "ruleSpecification": "RSPEC-6648",
+ "sqKey": "S6648",
+ "scope": "All",
+ "defaultQualityProfiles": ["Sonar way"],
+ "quickfix": "unknown"
+}
diff --git a/rules/S6648/azureresourcemanager/rule.adoc b/rules/S6648/azureresourcemanager/rule.adoc
new file mode 100644
index 00000000000..507f570db42
--- /dev/null
+++ b/rules/S6648/azureresourcemanager/rule.adoc
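Review bot: The `CWE` list under `securityStandards` maps this rule to 532 (sensitive information written to a log file), whereas the rule text describes the default value being stored in cleartext in the deployment history; CWE-312 (Cleartext Storage of Sensitive Information) may describe that impact more directly, so the mapping is worth a second look before the rule ships. Whatever is chosen has to stay in sync with the Standards section of rule.adoc, which currently lists the same two CWEs. As a point of style, `tags`, `CWE` and `ASVS 4.0` are written one element per line while `defaultQualityProfiles` is inline; pick one form for the file.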
@@ -0,0 +1,73 @@
+Azure Resource Manager templates define parameters as a way to reuse templates in different environments. Secure parameters (secure strings and secure objects) should not be assigned a default value.
+
+== Why is this an issue?
+
+Parameters with the type `securestring` and `secureObject` are designed to pass sensitive data to the resources being deployed. Unlike other data types, they cannot be accessed after the deployment is completed. They can neither be logged nor used as an output.
+
+Secure parameters can be assigned a default value which will be used if the parameter is not supplied. This default value is not protected and is stored in cleartext in the deployment history.
+
+=== What is the potential impact?
+
+If the default value contains a secret, it will be disclosed to all accounts that have read access to the deployment history.
+
+== How to fix it in ARM templates
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,json,diff-id=1,diff-type=noncompliant]
+----
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "secretValue": {
+ "type": "securestring",
+ "defaultValue": "S3CR3T"
+ }
+ }
+}
+----
+
+==== Compliant solution
+
+[source,json,diff-id=1,diff-type=compliant]
+----
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "secretValue": {
+ "type": "securestring"
+ }
+ }
+}
+----
+
+
+== Resources
+=== Documentation
+
+* https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/data-types[Data types in ARM templates]
+* https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/best-practices#security-recommendations-for-parameters[ARM template best practices - Security recommendations for parameters]
+
+=== Standards
+
+* https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of 
Sensitive Information to an Unauthorized Actor
+* https://cwe.mitre.org/data/definitions/532[MITRE, CWE-532] - Insertion of Sensitive Information into Log File
+
+ifdef::env-github,rspecator-view[]
+== Implementation Specification
+(visible only on this page)
+
+=== Message
+
+- Remove the default value from this secure string.
+- Remove the default value from this secure object.
+
+=== Highlight
+
+The default value
+
+endif::env-github,rspecator-view[]
\ No newline at end of file
diff --git a/rules/S6648/metadata.json b/rules/S6648/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S6648/metadata.json
@@ -0,0 +1,2 @@
+{
+}
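Review bot: The description does not say whether an empty default (`"defaultValue": ""` or `{}`), a common way to make a secure parameter optional, is in scope for the rule, and the Implementation Specification at the end of the hunk is silent on it too; one sentence in the "Why is this an issue?" section stating the intended behaviour would keep the description and the implementation consistent and avoid arguments over false positives later. The compliant example removes the default but does not say where the value should then come from; a closing sentence under "How to fix it in ARM templates" pointing to the linked best-practices page (supply the secret at deployment time, for example through a Key Vault reference in the parameter file) would complete the fix.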