-
Notifications
You must be signed in to change notification settings - Fork 29
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create rule S6764: WakaTime (APPSEC-1069) (#3052)
You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6764/secrets) (updated a few minutes after each push). ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: sebastien-andrivet-sonarsource <[email protected]> Co-authored-by: sebastien-andrivet-sonarsource <[email protected]>
- Loading branch information
3 people
authored
Sep 15, 2023
1 parent
054bdfb
commit d386e4a
Showing
3 changed files
with
127 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| { | ||
| "title": "WakaTime tokens should not be disclosed", | ||
| "type": "VULNERABILITY", | ||
| "code": { | ||
| "impacts": { | ||
| "SECURITY": "HIGH" | ||
| }, | ||
| "attribute": "TRUSTWORTHY" | ||
| }, | ||
| "status": "ready", | ||
| "remediation": { | ||
| "func": "Constant\/Issue", | ||
| "constantCost": "30min" | ||
| }, | ||
| "tags": [ | ||
| "cwe", | ||
| "cert" | ||
| ], | ||
| "extra": { | ||
| "replacementRules": [] | ||
| }, | ||
| "defaultSeverity": "Blocker", | ||
| "ruleSpecification": "RSPEC-6764", | ||
| "sqKey": "S6764", | ||
| "scope": "All", | ||
| "securityStandards": { | ||
| "CWE": [ | ||
| 798, | ||
| 259 | ||
| ], | ||
| "OWASP": [ | ||
| "A3" | ||
| ], | ||
| "CERT": [ | ||
| "MSC03-J." | ||
| ], | ||
| "OWASP Top 10 2021": [ | ||
| "A7" | ||
| ], | ||
| "PCI DSS 3.2": [ | ||
| "6.5.10" | ||
| ], | ||
| "PCI DSS 4.0": [ | ||
| "6.2.4" | ||
| ], | ||
| "ASVS 4.0": [ | ||
| "2.10.4", | ||
| "3.5.2", | ||
| "6.4.1" | ||
| ] | ||
| }, | ||
| "defaultQualityProfiles": [ | ||
| "Sonar way" | ||
| ], | ||
| "quickfix": "unknown" | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| include::../../../shared_content/secrets/description.adoc[] | ||
|
|
||
| == Why is this an issue? | ||
|
|
||
| include::../../../shared_content/secrets/rationale.adoc[] | ||
|
|
||
| If attackers gain access to your WakaTime OAuth token or secret, they can potentially use it to make unauthorized requests to the WakaTime API on your behalf. | ||
|
|
||
| === What is the potential impact? | ||
|
|
||
| Attackers exploiting leaked WakaTime OAuth tokens or secrets can potentially access sensitive information, modify data, or perform actions on behalf of the user without their consent. The exact capabilities of the attackers will depend on the authorizations the corresponding application has been granted. | ||
|
|
||
| Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the secret. | ||
|
|
||
| include::../../../shared_content/secrets/impact/data_compromise.adoc[] | ||
|
|
||
| include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[] | ||
|
|
||
| == How to fix it | ||
|
|
||
| include::../../../shared_content/secrets/fix/revoke.adoc[] | ||
|
|
||
| include::../../../shared_content/secrets/fix/vault.adoc[] | ||
|
|
||
| === Code examples | ||
|
|
||
| ==== Noncompliant code example | ||
|
|
||
| [source,python,diff-id=1,diff-type=noncompliant] | ||
| ---- | ||
| from rauth import OAuth2Service | ||
| service = OAuth2Service( | ||
| client_id='d130uKF73fueZSCM9tUodIFN', | ||
| client_secret='waka_sec_ez0kI3tQlYVvYSJOAjoI5n3PpyG69HQl91TZKFjSdb0X0XXgY7dahXiPpAhYL2kNxqDBzHuHNuzCPr5d', # Noncompliant | ||
| name='wakatime', | ||
| authorize_url='https://wakatime.com/oauth/authorize', | ||
| access_token_url='https://wakatime.com/oauth/token', | ||
| base_url='https://wakatime.com/api/v1/') | ||
| ---- | ||
|
|
||
| ==== Compliant solution | ||
|
|
||
| [source,python,diff-id=1,diff-type=compliant] | ||
| ---- | ||
| import os | ||
| from rauth import OAuth2Service | ||
| service = OAuth2Service( | ||
| client_id=os.environ['WAKA_CLIENT_ID'], | ||
| client_secret=os.environ['WAKA_CLIENT_SECRET'], | ||
| name='wakatime', | ||
| authorize_url='https://wakatime.com/oauth/authorize', | ||
| access_token_url='https://wakatime.com/oauth/token', | ||
| base_url='https://wakatime.com/api/v1/') | ||
| ---- | ||
|
|
||
| //=== How does this work? | ||
|
|
||
| //=== Pitfalls | ||
|
|
||
| //=== Going the extra mile | ||
|
|
||
| == Resources | ||
|
|
||
| === Documentation | ||
|
|
||
| WakaTime API Documentation - https://wakatime.com/developers#authentication[WakaTime API Authenticationb] | ||
|
|
||
| include::../../../shared_content/secrets/resources/standards.adoc[] |