From d386e4a699376cde9d3f49d4f38535842e2382f5 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 15 Sep 2023 15:34:28 +0200
Subject: [PATCH] Create rule S6764: WakaTime (APPSEC-1069) (#3052)

You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6764/secrets) (updated a few minutes after each push).

## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)

---------

Co-authored-by: sebastien-andrivet-sonarsource
Co-authored-by: sebastien-andrivet-sonarsource
---
 rules/S6764/metadata.json | 1 +
 rules/S6764/secrets/metadata.json | 56 +++++++++++++++++++++++++
 rules/S6764/secrets/rule.adoc | 70 +++++++++++++++++++++++++++++++
 3 files changed, 127 insertions(+)
 create mode 100644 rules/S6764/metadata.json
 create mode 100644 rules/S6764/secrets/metadata.json
 create mode 100644 rules/S6764/secrets/rule.adoc

diff --git a/rules/S6764/metadata.json b/rules/S6764/metadata.json
new file mode 100644
index 00000000000..0967ef424bc
--- /dev/null
+++ b/rules/S6764/metadata.json
@@ -0,0 +1 @@
+{}
diff --git a/rules/S6764/secrets/metadata.json b/rules/S6764/secrets/metadata.json
new file mode 100644
index 00000000000..3c14aaa369e
--- /dev/null
+++ b/rules/S6764/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+ "title": "WakaTime tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "extra": {
+ "replacementRules": []
+ },
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-6764",
+ "sqKey": "S6764",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
\ No newline at end of file
diff --git a/rules/S6764/secrets/rule.adoc b/rules/S6764/secrets/rule.adoc
new file mode 100644
index 00000000000..eeb2d87a1c3
--- /dev/null
+++ b/rules/S6764/secrets/rule.adoc
@@ -0,0 +1,70 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If attackers gain access to your WakaTime OAuth token or secret, they can potentially use it to make unauthorized requests to the WakaTime API on your behalf.
+
+=== What is the potential impact?
+
+Attackers exploiting leaked WakaTime OAuth tokens or secrets can potentially access sensitive information, modify data, or perform actions on behalf of the user without their consent. The exact capabilities of the attackers will depend on the authorizations the corresponding application has been granted.
+
+Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the secret.
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,python,diff-id=1,diff-type=noncompliant]
+----
+from rauth import OAuth2Service
+
+service = OAuth2Service(
+ client_id='d130uKF73fueZSCM9tUodIFN',
+ client_secret='waka_sec_ez0kI3tQlYVvYSJOAjoI5n3PpyG69HQl91TZKFjSdb0X0XXgY7dahXiPpAhYL2kNxqDBzHuHNuzCPr5d', # Noncompliant
+ name='wakatime',
+ authorize_url='https://wakatime.com/oauth/authorize',
+ access_token_url='https://wakatime.com/oauth/token',
+ base_url='https://wakatime.com/api/v1/')
+----
+
+==== Compliant solution
+
+[source,python,diff-id=1,diff-type=compliant]
+----
+import os
+from rauth import OAuth2Service
+
+service = OAuth2Service(
+ client_id=os.environ['WAKA_CLIENT_ID'],
+ client_secret=os.environ['WAKA_CLIENT_SECRET'],
+ name='wakatime',
+ authorize_url='https://wakatime.com/oauth/authorize',
+ access_token_url='https://wakatime.com/oauth/token',
+ base_url='https://wakatime.com/api/v1/')
+----
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+=== Documentation
+
+WakaTime API Documentation - https://wakatime.com/developers#authentication[WakaTime API Authenticationb]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
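Review bot: The link text in the Resources section has a typo, `[WakaTime API Authenticationb]`, which will render verbatim on the published rule page; the line should read `WakaTime API Documentation - https://wakatime.com/developers#authentication[WakaTime API Authentication]`. The noncompliant example embeds a full-length `waka_sec_…` value alongside a realistic-looking client id; presumably both are constructed samples, but since the rendered rule republishes them verbatim it is worth confirming in the PR that neither was ever a live credential. The impact paragraph scopes the attacker's reach to the OAuth application's granted authorizations, which matches the client-secret example; if the detector also covers other WakaTime token formats, a short sentence naming them would keep the description and the detection scope aligned.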