Commit 66d7052

run rules-api update (#198)
1 parent ca4973a commit 66d7052

4 files changed

+54
-22
lines changed

Lines changed: 46 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -1,25 +1,51 @@
1+
<p>Secret leaks often occur when a sensitive piece of authentication data is stored with the source code of an application. Considering the source
2+
code is intended to be deployed across multiple assets, including source code repositories or application hosting servers, the secrets might get
3+
exposed to an unintended audience.</p>
14
<h2>Why is this an issue?</h2>
2-
<p>Azure Storage Account Keys are similar to the root password, allowing full access to Azure Storage Accounts.</p>
3-
<p>If the application interacts with Azure Cloud Storage services, access keys should be secured and not be disclosed.</p>
4-
<h2>Recommended Secure Coding Practices</h2>
5-
<p>Only administrators should have access to storage account keys. To authorize an application to access an Azure Storage, it’s recommended to create
6-
a service principal and assign it the required privileges only. <a
7-
href="https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-msi?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json#authenticate-with-the-azure-identity-library">Azure
8-
Identity SDK</a> provides several options such as <em>DefaultAzureCredential</em> that can be used to retrieve secrets from, for instance, environment
9-
variables.</p>
10-
<p>Storage account keys should not be stored with the application code or saved anywhere in plain text accessible to others. Consider using an <a
11-
href="https://azure.microsoft.com/en-us/services/key-vault/">Azure Key Vault</a> to store and manage keys.</p>
12-
<p>When credentials are disclosed in the application code, consider them as compromised and rotate them immediately.</p>
5+
<p>In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment.
6+
Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated
7+
services or resources.</p>
8+
<p>The trust issue can be more or less severe depending on the people’s role and entitlement.</p>
9+
<h3>What is the potential impact?</h3>
10+
<p>Azure Storage Account Keys are used to authenticate and authorize access to Azure Storage resources, such as blobs, queues, tables, and files.
11+
These keys are used to authenticate requests made against the storage account.</p>
12+
<p>If an Azure Storage Account Key is leaked to an unintended audience, it can pose a significant security risk to your Azure Storage account.</p>
13+
<p>An attacker with access to your storage account key can potentially access and modify all the data stored in your storage account. They can also
14+
create new resources, delete existing ones, and perform other actions that can compromise the integrity and confidentiality of your data.</p>
15+
<p>In addition, an attacker with access to your storage account key can also incur charges on your account by creating and using resources, which can
16+
result in unexpected billing charges.</p>
17+
<h2>How to fix it</h2>
18+
<p><strong>Revoke the secret</strong></p>
19+
<p>Revoke any leaked secrets and remove them from the application source code.</p>
20+
<p>Before revoking the secret, ensure that no other applications or processes is using it. Other usages of the secret will also be impacted when the
21+
secret is revoked.</p>
22+
<p><strong>Analyze recent secret use</strong></p>
23+
<p>When available, analyze authentication logs to identify any unintended or malicious use of the secret since its disclosure date. Doing this will
24+
allow determining if an attacker took advantage of the leaked secret and to what extent.</p>
25+
<p>This operation should be part of a global incident response process.</p>
26+
<p><strong>Use a secret vault</strong></p>
27+
<p>A secret vault should be used to generate and store the new secret. This will ensure the secret’s security and prevent any further unexpected
28+
disclosure.</p>
29+
<p>Depending on the development platform and the leaked secret type, multiple solutions are currently available.</p>
30+
<h3>Code examples</h3>
31+
<h4>Noncompliant code example</h4>
32+
<pre data-diff-id="1" data-diff-type="noncompliant">
33+
props.set("storage_key", "4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==")
34+
</pre>
35+
<h4>Compliant solution</h4>
36+
<pre data-diff-id="1" data-diff-type="compliant">
37+
props.set("storage_key", System.getenv("STORAGE_KEY"))
38+
</pre>
1339
<h2>Resources</h2>
40+
<h3>Standards</h3>
1441
<ul>
15-
<li> <a href="https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/">OWASP Top 10 2021 Category A7</a> - Identification and
16-
Authentication Failures </li>
17-
<li> <a href="https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal">docs.microsoft.com</a> - Manage
18-
storage account access keys </li>
19-
<li> <a href="https://www.owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data
20-
Exposure </li>
21-
<li> <a href="https://cwe.mitre.org/data/definitions/798">MITRE, CWE-798</a> - Use of Hard-coded Credentials </li>
22-
<li> <a href="https://cwe.mitre.org/data/definitions/259">MITRE, CWE-259</a> - Use of Hard-coded Password </li>
23-
<li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li>
42+
<li> MITRE - <a href="https://cwe.mitre.org/data/definitions/798">CWE-798 - Use of Hard-coded Credentials</a> </li>
43+
<li> MITRE - <a href="https://cwe.mitre.org/data/definitions/259">CWE-259 - Use of Hard-coded Password</a> </li>
44+
<li> SANS - <a href="https://www.sans.org/top25-software-errors/#cat3">TOP 25 Most Dangerous Software Errors</a> </li>
45+
</ul>
46+
<h3>Documentation</h3>
47+
<ul>
48+
<li> Microsoft Documentation - <a href="https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal">Manage
49+
storage account access keys</a> </li>
2450
</ul>
2551
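Review bot: The compliant solution `props.set("storage_key", System.getenv("STORAGE_KEY"))` contradicts the "Use a secret vault" paragraph introduced in the same hunk ("A secret vault should be used to generate and store the new secret"): reading the key from an environment variable does not move it into a vault, and the removed text only presented environment variables as one option that DefaultAzureCredential can read from. Either reword the vault paragraph so an environment variable is an acceptable interim, or keep the Azure Key Vault link and the service-principal / DefaultAzureCredential pointer that the deleted "Recommended Secure Coding Practices" section carried, because the new sentence "Depending on the development platform and the leaked secret type, multiple solutions are currently available" names none of them. Two smaller points: the Standards list drops both OWASP Top 10 entries (A07 2021 and A3 2017) with no replacement, which looks unintended for a rule that otherwise keeps CWE-798, CWE-259 and the SANS Top 25; and "ensure that no other applications or processes is using it" should read "are using it". Also worth confirming that the 88-character base64 sample key in the noncompliant example does not trip the project's own secret detection when this file is scanned in CI.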

sonar-text-plugin/src/main/resources/org/sonar/l10n/text/rules/text/S6389.json

Lines changed: 6 additions & 0 deletions
@@ -1,6 +1,12 @@
11
{
22
"title": "Using bidirectional characters is security-sensitive",
33
"type": "SECURITY_HOTSPOT",
4+
"code": {
5+
"impacts": {
6+
"SECURITY": "MEDIUM"
7+
},
8+
"attribute": "CLEAR"
9+
},
410
"status": "ready",
511
"remediation": {
612
"func": "Constant\/Issue",
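Review bot: The added `"code"` block is well-formed JSON, but the pairing of `"attribute": "CLEAR"` with `"impacts": { "SECURITY": "MEDIUM" }` deserves a second look for a hotspot whose title is "Using bidirectional characters is security-sensitive": the attribute classifies the code-quality property being violated while the impact is security, so confirm the generator's mapping is the intended one rather than a default that rules-api filled in. The hunk stops at `"func": "Constant\/Issue",`; if the file carries a legacy severity field further down, check it still agrees with the MEDIUM impact added here.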

sonarpedia-secrets/sonarpedia.json

Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@
33
"languages": [
44
"SECRETS"
55
],
6-
"latest-update": "2023-08-07T09:33:29.463115100Z",
6+
"latest-update": "2023-08-17T08:01:09.848962100Z",
77
"options": {
88
"no-language-in-filenames": true,
99
"preserve-filenames": true
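Review bot: Only the `latest-update` stamp moves here, from `2023-08-07T09:33:29.463115100Z` to `2023-08-17T08:01:09.848962100Z`, which is what a rules-api run is expected to produce; the matching bump in sonarpedia-text/sonarpedia.json is stamped 34 seconds later, so both metadata files came from the same pass. Nothing to change in the hunk itself, but since this is the only marker that the secrets rule set was regenerated, make sure the Azure Storage Account Key description rewrite at the top of the commit is the full extent of the secrets changes that run produced.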

sonarpedia-text/sonarpedia.json

Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@
33
"languages": [
44
"TEXT"
55
],
6-
"latest-update": "2023-05-12T06:10:47.094097868Z",
6+
"latest-update": "2023-08-17T08:01:43.309196300Z",
77
"options": {
88
"no-language-in-filenames": true,
99
"preserve-filenames": true
