SONARPY-1297 Rule S6437: Credentials should not be hard-coded (#1462)

Author: maksim-grebeniuk-sonarsource

its/ruling/src/test/resources/expected/python-S6437.json

@@ -0,0 +1,162 @@
+{
+'project:buildbot-0.8.6p1/buildbot/clients/tryclient.py':[
+600,
+],
+'project:buildbot-0.8.6p1/buildbot/test/unit/test_pbmanager.py':[
+54,
+],
+'project:buildbot-0.8.6p1/contrib/bb_applet.py':[
+184,
+],
+'project:buildbot-0.8.6p1/contrib/bitbucket_buildbot.py':[
+104,
+],
+'project:buildbot-0.8.6p1/contrib/bk_buildbot.py':[
+118,
+],
+'project:buildbot-0.8.6p1/contrib/fakechange.py':[
+77,
+],
+'project:buildbot-0.8.6p1/contrib/github_buildbot.py':[
+114,
+],
+'project:buildbot-0.8.6p1/contrib/viewcvspoll.py':[
+94,
+],
+'project:twisted-12.1.0/doc/core/examples/pb_exceptions.py':[
+27,
+],
+'project:twisted-12.1.0/doc/core/examples/pbbenchclient.py':[
+33,
+],
+'project:twisted-12.1.0/doc/core/examples/pbbenchserver.py':[
+48,
+],
+'project:twisted-12.1.0/doc/core/examples/pbecho.py':[
+48,
+],
+'project:twisted-12.1.0/doc/core/examples/pbechoclient.py':[
+30,
+],
+'project:twisted-12.1.0/doc/core/howto/listings/pb/chatclient.py':[
+17,
+],
+'project:twisted-12.1.0/doc/core/howto/listings/pb/pb5client.py':[
+13,
+],
+'project:twisted-12.1.0/doc/core/howto/listings/pb/pb6client1.py':[
+13,
+],
+'project:twisted-12.1.0/doc/core/howto/listings/pb/pb6client2.py':[
+16,
+],
+'project:twisted-12.1.0/doc/core/howto/listings/pb/pbAnonClient.py':[
+59,
+],
+'project:twisted-12.1.0/doc/words/examples/jabber_client.py':[
+26,
+],
+'project:twisted-12.1.0/twisted/conch/test/test_checkers.py':[
+106,
+126,
+147,
+199,
+206,
+255,
+385,
+387,
+405,
+407,
+417,
+468,
+471,
+473,
+474,
+487,
+524,
+540,
+552,
+567,
+586,
+597,
+598,
+605,
+608,
+],
+'project:twisted-12.1.0/twisted/conch/test/test_keys.py':[
+194,
+],
+'project:twisted-12.1.0/twisted/conch/test/test_tap.py':[
+119,
+],
+'project:twisted-12.1.0/twisted/mail/test/test_mail.py':[
+618,
+624,
+],
+'project:twisted-12.1.0/twisted/mail/test/test_smtp.py':[
+599,
+621,
+645,
+819,
+],
+'project:twisted-12.1.0/twisted/test/test_ftp_options.py':[
+62,
+],
+'project:twisted-12.1.0/twisted/test/test_newcred.py':[
+100,
+142,
+150,
+269,
+],
+'project:twisted-12.1.0/twisted/test/test_pb.py':[
+1196,
+1355,
+1384,
+1433,
+1461,
+1463,
+1491,
+1493,
+1589,
+1613,
+1675,
+],
+'project:twisted-12.1.0/twisted/test/test_strcred.py':[
+95,
+96,
+97,
+98,
+186,
+187,
+188,
+189,
+267,
+268,
+269,
+270,
+],
+'project:twisted-12.1.0/twisted/words/test/test_basechat.py':[
+19,
+],
+'project:twisted-12.1.0/twisted/words/test/test_jabberclient.py':[
+396,
+],
+'project:twisted-12.1.0/twisted/words/test/test_jabbercomponent.py':[
+70,
+110,
+216,
+363,
+],
+'project:twisted-12.1.0/twisted/words/test/test_jabbersaslmechanisms.py':[
+17,
+38,
+],
+'project:twisted-12.1.0/twisted/words/test/test_jabberxmlstream.py':[
+36,
+60,
+],
+'project:twisted-12.1.0/twisted/words/test/test_tap.py':[
+16,
+17,
+],
+}

pom.xml

@@ -98,6 +98,7 @@
     <sslr.version>1.23</sslr.version>
     <protobuf.version>3.21.7</protobuf.version>
     <woodstox.version>6.2.7</woodstox.version>
+    <gson.version>2.8.9</gson.version>
 
     <!-- Advertise minimal required JRE version -->
     <jre.min.version>11</jre.min.version>
@@ -147,6 +148,12 @@
         <artifactId>sonar-regex-parsing</artifactId>
         <version>${sonar-analyzer-commons.version}</version>
       </dependency>
+
+      <dependency>
+        <groupId>com.google.code.gson</groupId>
+        <artifactId>gson</artifactId>
+        <version>${gson.version}</version>
+      </dependency>
       <!-- used by StaxParser, CoberturaParser and TestSuiteParser -->
       <dependency>
         <groupId>org.codehaus.staxmate</groupId>

python-checks/pom.xml

@@ -26,6 +26,10 @@
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.google.code.gson</groupId>
+      <artifactId>gson</artifactId>
+    </dependency>
 
     <!-- test dependencies -->
     <dependency>

python-checks/src/main/java/org/sonar/python/checks/CheckList.java

@@ -358,7 +358,8 @@ public static Iterable<Class> getChecks() {
       DjangoModelFormFieldsCheck.class,
       DjangoReceiverDecoratorCheck.class,
       DjangoModelStringFieldCheck.class,
-      DjangoModelStrMethodCheck.class
+      DjangoModelStrMethodCheck.class,
+      HardcodedCredentialsCallCheck.class
     )));
   }
 

python-checks/src/main/java/org/sonar/python/checks/DbNoPasswordCheck.java

@@ -56,7 +56,6 @@ public class DbNoPasswordCheck extends PythonSubscriptionCheck {
     "mysql.connector.connect",
     "mysql.connector.connection.MySQLConnection",
     "pymysql.connect",
-    "pymysql.connections.Connection",
     "psycopg2.connect",
     "pgdb.connect",
     "pg.DB",

python-checks/src/main/java/org/sonar/python/checks/HardcodedCredentialsCallCheck.java

@@ -0,0 +1,185 @@
+/*
+ * SonarQube Python Plugin
+ * Copyright (C) 2011-2023 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.python.checks;
+
+import com.google.gson.Gson;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.function.Function;
+import java.util.function.Predicate;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import org.sonar.check.Rule;
+import org.sonar.plugins.python.api.PythonSubscriptionCheck;
+import org.sonar.plugins.python.api.SubscriptionContext;
+import org.sonar.plugins.python.api.symbols.Symbol;
+import org.sonar.plugins.python.api.tree.CallExpression;
+import org.sonar.plugins.python.api.tree.Expression;
+import org.sonar.plugins.python.api.tree.Name;
+import org.sonar.plugins.python.api.tree.QualifiedExpression;
+import org.sonar.plugins.python.api.tree.RegularArgument;
+import org.sonar.plugins.python.api.tree.StringLiteral;
+import org.sonar.plugins.python.api.tree.Tree;
+import org.sonar.python.tree.TreeUtils;
+
+@Rule(key = "S6437")
+public class HardcodedCredentialsCallCheck extends PythonSubscriptionCheck {
+
+  private static final String MESSAGE = "Revoke and change this password, as it is compromised.";
+  private final Map<String, CredentialMethod> methods;
+
+  public HardcodedCredentialsCallCheck() {
+    methods = new CredentialMethodsLoader().load();
+  }
+
+  @Override
+  public void initialize(Context context) {
+    context.registerSyntaxNodeConsumer(Tree.Kind.CALL_EXPR, this::processCallExpression);
+  }
+
+  private void processCallExpression(SubscriptionContext ctx) {
+    Optional.of(ctx.syntaxNode())
+      .filter(CallExpression.class::isInstance)
+      .map(CallExpression.class::cast)
+      .filter(this::callHasToBeChecked)
+      .ifPresent(call -> checkCallArguments(ctx, call));
+  }
+
+  private void checkCallArguments(SubscriptionContext ctx, CallExpression call) {
+    getMethod(call)
+      .ifPresent(method -> method.indices()
+        .forEach(argumentIndex -> {
+          var argumentName = method.args().get(argumentIndex);
+          var argument = TreeUtils.nthArgumentOrKeyword(argumentIndex, argumentName, call.arguments());
+          if (argument != null) {
+            checkArgument(ctx, argument);
+          }
+        }));
+  }
+
+  private static void checkArgument(SubscriptionContext ctx, RegularArgument argument) {
+    var argExp = argument.expression();
+    if (argExp.is(Tree.Kind.STRING_LITERAL)) {
+      Optional.of(argExp)
+        .filter(StringLiteral.class::isInstance)
+        .map(StringLiteral.class::cast)
+        .filter(HardcodedCredentialsCallCheck::isNotEmpty)
+        .ifPresent(string -> ctx.addIssue(argument, MESSAGE));
+    } else if (argExp.is(Tree.Kind.NAME)) {
+      findAssignment((Name) argExp, 0)
+        .filter(StringLiteral.class::isInstance)
+        .map(StringLiteral.class::cast)
+        .filter(HardcodedCredentialsCallCheck::isNotEmpty)
+        .ifPresent(assignedValue -> ctx.addIssue(argument, MESSAGE).secondary(assignedValue, MESSAGE));
+    }
+  }
+
+  private static boolean isNotEmpty(StringLiteral stringLiteral) {
+    return Optional.of(stringLiteral)
+      .map(StringLiteral::trimmedQuotesValue)
+      .filter(Predicate.not(String::isEmpty))
+      .isPresent();
+  }
+
+  private static Optional<Tree> findAssignment(Name name, int depth) {
+    if (depth > 99) {
+      return Optional.empty();
+    }
+    return Optional.of(name)
+      .map(Expressions::singleAssignedValue)
+      .map(v -> findValue(v, depth));
+  }
+
+  private static Tree findValue(Expression assignedValue, int depth) {
+    if (assignedValue.is(Tree.Kind.NAME)) {
+      return findAssignment((Name) assignedValue, depth + 1).orElse(null);
+    } else if (assignedValue.is(Tree.Kind.CALL_EXPR)) {
+      return Optional.of(assignedValue)
+        .filter(CallExpression.class::isInstance)
+        .map(CallExpression.class::cast)
+        .map(CallExpression::callee)
+        .filter(QualifiedExpression.class::isInstance)
+        .map(QualifiedExpression.class::cast)
+        .map(QualifiedExpression::qualifier)
+        .map(v -> findValue(v, depth + 1))
+        .orElse(assignedValue);
+    }
+    return assignedValue;
+  }
+
+  private Boolean callHasToBeChecked(CallExpression call) {
+    return Optional.of(call)
+      .map(CallExpression::calleeSymbol)
+      .map(Symbol::fullyQualifiedName)
+      .map(methods::containsKey)
+      .orElse(false);
+  }
+
+  private Optional<CredentialMethod> getMethod(CallExpression call) {
+    return Optional.of(call)
+      .map(CallExpression::calleeSymbol)
+      .map(Symbol::fullyQualifiedName)
+      .map(methods::get);
+  }
+
+  public static class CredentialMethod {
+    private String name;
+    private List<String> args;
+    private List<Integer> indices;
+
+    public String name() {
+      return name;
+    }
+
+    public List<String> args() {
+      return args;
+    }
+
+    public List<Integer> indices() {
+      return indices;
+    }
+  }
+
+  private static class CredentialMethodsLoader {
+    private static final String METHODS_RESOURCE_PATH = "/org/sonar/python/checks/hardcoded_credentials_call_check_meta.json";
+    private final Gson gson;
+
+    private CredentialMethodsLoader() {
+      gson = new Gson();
+    }
+
+    private Map<String, CredentialMethod> load() {
+      try (var is = HardcodedCredentialsCallCheck.class.getResourceAsStream(METHODS_RESOURCE_PATH)) {
+        return Optional.ofNullable(is)
+          .map(InputStreamReader::new)
+          .map(r -> gson.fromJson(r, CredentialMethod[].class))
+          .stream()
+          .flatMap(Stream::of)
+          .collect(Collectors.toMap(CredentialMethod::name, Function.identity()));
+      } catch (IOException e) {
+        throw new IllegalStateException("Unable to read methods metadata from " + METHODS_RESOURCE_PATH, e);
+      }
+    }
+  }
+
+}