diff --git a/rules/S6764/metadata.json b/rules/S6764/metadata.json new file mode 100644 index 00000000000..0967ef424bc --- /dev/null +++ b/rules/S6764/metadata.json @@ -0,0 +1 @@ +{} diff --git a/rules/S6764/secrets/metadata.json b/rules/S6764/secrets/metadata.json new file mode 100644 index 00000000000..3c14aaa369e --- /dev/null +++ b/rules/S6764/secrets/metadata.json @@ -0,0 +1,56 @@ +{ + "title": "WakaTime tokens should not be disclosed", + "type": "VULNERABILITY", + "code": { + "impacts": { + "SECURITY": "HIGH" + }, + "attribute": "TRUSTWORTHY" + }, + "status": "ready", + "remediation": { + "func": "Constant\/Issue", + "constantCost": "30min" + }, + "tags": [ + "cwe", + "cert" + ], + "extra": { + "replacementRules": [] + }, + "defaultSeverity": "Blocker", + "ruleSpecification": "RSPEC-6764", + "sqKey": "S6764", + "scope": "All", + "securityStandards": { + "CWE": [ + 798, + 259 + ], + "OWASP": [ + "A3" + ], + "CERT": [ + "MSC03-J." + ], + "OWASP Top 10 2021": [ + "A7" + ], + "PCI DSS 3.2": [ + "6.5.10" + ], + "PCI DSS 4.0": [ + "6.2.4" + ], + "ASVS 4.0": [ + "2.10.4", + "3.5.2", + "6.4.1" + ] + }, + "defaultQualityProfiles": [ + "Sonar way" + ], + "quickfix": "unknown" +} \ No newline at end of file diff --git a/rules/S6764/secrets/rule.adoc b/rules/S6764/secrets/rule.adoc new file mode 100644 index 00000000000..eeb2d87a1c3 --- /dev/null +++ b/rules/S6764/secrets/rule.adoc @@ -0,0 +1,70 @@ +include::../../../shared_content/secrets/description.adoc[] + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +If attackers gain access to your WakaTime OAuth token or secret, they can potentially use it to make unauthorized requests to the WakaTime API on your behalf. + +=== What is the potential impact? + +Attackers exploiting leaked WakaTime OAuth tokens or secrets can potentially access sensitive information, modify data, or perform actions on behalf of the user without their consent. The exact capabilities of the attackers will depend on the authorizations the corresponding application has been granted. + +Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the secret. + +include::../../../shared_content/secrets/impact/data_compromise.adoc[] + +include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code examples + +==== Noncompliant code example + +[source,python,diff-id=1,diff-type=noncompliant] +---- +from rauth import OAuth2Service + +service = OAuth2Service( + client_id='d130uKF73fueZSCM9tUodIFN', + client_secret='waka_sec_ez0kI3tQlYVvYSJOAjoI5n3PpyG69HQl91TZKFjSdb0X0XXgY7dahXiPpAhYL2kNxqDBzHuHNuzCPr5d', # Noncompliant + name='wakatime', + authorize_url='https://wakatime.com/oauth/authorize', + access_token_url='https://wakatime.com/oauth/token', + base_url='https://wakatime.com/api/v1/') +---- + +==== Compliant solution + +[source,python,diff-id=1,diff-type=compliant] +---- +import os +from rauth import OAuth2Service + +service = OAuth2Service( + client_id=os.environ['WAKA_CLIENT_ID'], + client_secret=os.environ['WAKA_CLIENT_SECRET'], + name='wakatime', + authorize_url='https://wakatime.com/oauth/authorize', + access_token_url='https://wakatime.com/oauth/token', + base_url='https://wakatime.com/api/v1/') +---- + +//=== How does this work? + +//=== Pitfalls + +//=== Going the extra mile + +== Resources + +=== Documentation + +WakaTime API Documentation - https://wakatime.com/developers#authentication[WakaTime API Authenticationb] + +include::../../../shared_content/secrets/resources/standards.adoc[]