Create S6783: Infura API keys should not be disclosed (#278)

Author: loris-s-sonarsource

sonar-text-plugin/pom.xml

@@ -116,7 +116,7 @@
             <configuration>
               <rules>
                 <requireFilesSize>
-                  <maxsize>3150000</maxsize>
+                  <maxsize>3250000</maxsize>
                   <minsize>2950000</minsize>
                   <files>
                     <file>${project.build.directory}/${project.build.finalName}.jar</file>

sonar-text-plugin/src/main/java/org/sonar/plugins/secrets/SecretsRulesDefinition.java

@@ -47,6 +47,7 @@
 import org.sonar.plugins.secrets.checks.GrafanaCheck;
 import org.sonar.plugins.secrets.checks.HashicorpCheck;
 import org.sonar.plugins.secrets.checks.IbmApiKeyCheck;
+import org.sonar.plugins.secrets.checks.InfuraApiKeyCheck;
 import org.sonar.plugins.secrets.checks.JFrogCheck;
 import org.sonar.plugins.secrets.checks.MailgunCheck;
 import org.sonar.plugins.secrets.checks.MicrosoftTeamsWebhookUrlCheck;
@@ -124,6 +125,7 @@ public static List<Class<?>> checks() {
       GrafanaCheck.class,
       HashicorpCheck.class,
       IbmApiKeyCheck.class,
+      InfuraApiKeyCheck.class,
       JFrogCheck.class,
       MailgunCheck.class,
       MicrosoftTeamsWebhookUrlCheck.class,
@@ -156,8 +158,8 @@ public static List<Class<?>> checks() {
       TypeformCheck.class,
       WakaTimeCheck.class,
       WeChatCheck.class,
-      ZuploCheck.class,
       YandexCheck.class,
-      ZapierWebhookUrlCheck.class);
+      ZapierWebhookUrlCheck.class,
+      ZuploCheck.class);
   }
 }

sonar-text-plugin/src/main/java/org/sonar/plugins/secrets/SecretsSpecificationFilesDefinition.java

@@ -52,6 +52,7 @@ public static Set<String> existingSecretSpecifications() {
       "grafana.yaml",
       "hashicorp.yaml",
       "ibm.yaml",
+      "infura.yaml",
       "mailgun.yaml",
       "mongodb.yaml",
       "ms-teams.yaml",

sonar-text-plugin/src/main/java/org/sonar/plugins/secrets/checks/InfuraApiKeyCheck.java

@@ -0,0 +1,27 @@
+/*
+ * SonarQube Text Plugin
+ * Copyright (C) 2021-2023 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.plugins.secrets.checks;
+
+import org.sonar.check.Rule;
+import org.sonar.plugins.secrets.api.SpecificationBasedCheck;
+
+@Rule(key = "S6783")
+public class InfuraApiKeyCheck extends SpecificationBasedCheck {
+}

sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/S6783.html

@@ -0,0 +1,49 @@
+<p>Secret leaks often occur when a sensitive piece of authentication data is stored with the source code of an application. Considering the source
+code is intended to be deployed across multiple assets, including source code repositories or application hosting servers, the secrets might get
+exposed to an unintended audience.</p>
+<h2>Why is this an issue?</h2>
+<p>In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment.
+Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated
+services or resources.</p>
+<p>The trust issue can be more or less severe depending on the people’s role and entitlement.</p>
+<h3>What is the potential impact?</h3>
+<p>Below are some real-world scenarios that illustrate some impacts of an attacker exploiting the secret.</p>
+<h4>Disclosure of blockchain data</h4>
+<p>The leaked key can be used to query APIs of blockchain services and access sensitive information stored in the service metadata. This may include
+user identities and other sensitive data.<br> Such disclosure compromises user privacy and confidentiality.</p>
+<h4>Breach of trust in non-repudiation and disruption of the audit trail</h4>
+<p>When such a secret is compromised, malicious actors might have the possibility to send malicious event objects, causing discrepancies in the audit
+trail. This can make it difficult to trace and verify the sequence of events, impacting the ability to investigate and identify unauthorized or
+fraudulent activity.</p>
+<p>All in all, this can lead to problems in proving the validity of transactions or actions performed, potentially leading to disputes and legal
+complications.</p>
+<h4>Financial loss</h4>
+<p>Since this secret is used to process transaction-related operations, financial loss may also occur if transaction-related objects are corrupted or
+the account is tampered with.<br> This can range from indirect losses to direct unauthorized transfers of funds that can lead to bankruptcy or
+impoverishment of individuals.</p>
+<h2>How to fix it</h2>
+<p><strong>Revoke the secret</strong></p>
+<p>Revoke any leaked secrets and remove them from the application source code.</p>
+<p>Before revoking the secret, ensure that no other applications or processes are using it. Other usages of the secret will also be impacted when the
+secret is revoked.</p>
+<p><strong>Use a secret vault</strong></p>
+<p>A secret vault should be used to generate and store the new secret. This will ensure the secret’s security and prevent any further unexpected
+disclosure.</p>
+<p>Depending on the development platform and the leaked secret type, multiple solutions are currently available.</p>
+<h3>Code examples</h3>
+<h4>Noncompliant code example</h4>
+<pre data-diff-id="1" data-diff-type="noncompliant">
+props.set("infura_api_key", "https://mainnet.infura.io/v3/f6fc4aa25abb16e901876269d01f2ec5")
+</pre>
+<h4>Compliant solution</h4>
+<pre data-diff-id="1" data-diff-type="compliant">
+props.set("infura_api_key", System.getenv("INFURA_API_KEY"))
+</pre>
+<h2>Resources</h2>
+<h3>Standards</h3>
+<ul>
+  <li> MITRE - <a href="https://cwe.mitre.org/data/definitions/798">CWE-798 - Use of Hard-coded Credentials</a> </li>
+  <li> MITRE - <a href="https://cwe.mitre.org/data/definitions/259">CWE-259 - Use of Hard-coded Password</a> </li>
+  <li> SANS - <a href="https://www.sans.org/top25-software-errors/#cat3">TOP 25 Most Dangerous Software Errors</a> </li>
+</ul>
+

sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/S6783.json

@@ -0,0 +1,49 @@
+{
+  "title": "Infura API keys should not be disclosed",
+  "type": "VULNERABILITY",
+  "code": {
+    "impacts": {
+      "SECURITY": "HIGH"
+    },
+    "attribute": "TRUSTWORTHY"
+  },
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "30min"
+  },
+  "tags": [
+    "cwe"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-6783",
+  "sqKey": "S6783",
+  "scope": "All",
+  "securityStandards": {
+    "CWE": [
+      798,
+      259
+    ],
+    "OWASP": [
+      "A3"
+    ],
+    "CERT": [
+      "MSC03-J."
+    ],
+    "OWASP Top 10 2021": [
+      "A7"
+    ],
+    "PCI DSS 3.2": [
+      "6.5.10"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ],
+    "ASVS 4.0": [
+      "2.10.4",
+      "3.5.2",
+      "6.4.1"
+    ]
+  },
+  "quickfix": "unknown"
+}

sonar-text-plugin/src/main/resources/org/sonar/l10n/secrets/rules/secrets/Sonar_way_profile.json

@@ -59,6 +59,7 @@
     "S6771",
     "S6773",
     "S6777",
-    "S6782"
+    "S6782",
+    "S6783"
   ]
 }

sonar-text-plugin/src/main/resources/org/sonar/plugins/secrets/configuration/infura.yaml

@@ -0,0 +1,50 @@
+provider:
+  metadata:
+    name: Infura Api Key
+    category: Blockchain API
+    message: Make sure this Infura API key gets revoked, changed, and removed from the code.
+  detection:
+    pre:
+      include:
+        content:
+          - "infura.io/v3"
+    post:
+      patternNot:
+        - "(\\w)\\1{7,}"
+
+  rules:
+    - rspecKey: S6783
+      id: infura-api-keys
+      metadata:
+        name: Infura Api Keys
+      detection:
+        matching:
+          pattern: "\\.infura\\.io/v3/([\\w]{32})"
+      examples:
+        - text: |
+            # Noncompliant code example
+            props.set("infura_api_key", "https://mainnet.infura.io/v3/f6fc4aa25abb16e901876269d01f2ec5")
+          containsSecret: true
+          match: f6fc4aa25abb16e901876269d01f2ec5
+        - text: |
+            # Compliant solution
+            props.set("infura_api_key", System.getenv("INFURA_API_KEY"))
+          containsSecret: false
+        - text: |
+            const NETWORKS = {
+                '1': 'https://mainnet.infura.io/v3/ac08c9ada68044d38f55d4cb4749d54a',
+                '2': 'wss://mainnet.infura.io/ws/v3/ac08c9ada68044d38f55d4cb4749d54a',
+            }
+          containsSecret: true
+          match: ac08c9ada68044d38f55d4cb4749d54a
+        - text: |
+            const NETWORKS = {
+                '1': 'https://mainnet.infura.io/v3/your-api-key',
+            }
+          containsSecret: false
+        - text: |
+            const NETWORKS = {
+                '1': 'https://mainnet.infura.io/v3/{API_KEY}',
+            }
+          containsSecret: false
+

sonar-text-plugin/src/test/java/org/sonar/plugins/secrets/checks/InfuraApiKeyCheckTest.java

@@ -0,0 +1,28 @@
+/*
+ * SonarQube Text Plugin
+ * Copyright (C) 2021-2023 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.plugins.secrets.checks;
+
+import org.sonar.plugins.secrets.utils.AbstractRuleExampleTest;
+
+class InfuraApiKeyCheckTest extends AbstractRuleExampleTest {
+  InfuraApiKeyCheckTest() {
+    super(new InfuraApiKeyCheck());
+  }
+}