
Commit d4e7298

[APPSEC-966] Fix FP on env.str(...) (#298)
1 parent 472ba63 commit d4e7298

1 file changed

+80
-7
lines changed

1 file changed

+80
-7
lines changed

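--- a/sonar-text-plugin/src/main/resources/org/sonar/plugins/secrets/configuration/django.yaml
+++ b/sonar-text-plugin/src/main/resources/org/sonar/plugins/secrets/configuration/django.yaml
@@ -22,7 +22,7 @@ provider:
 containsSecret: true
 match: django-insecure-r&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9^
 
-- id: settings.py-secret-key
+- id: settings.py-secret-key-string
 rspecKey: S6687
 metadata:
 name: Django secret keys should not be disclosed
@@ -32,7 +32,8 @@ provider:
 paths:
 - "**/settings.py"
 matching:
-pattern: "\\bSECRET_KEY(?:_FALLBACKS)?\\s*=\\s*(?:os\\.getenv\\(\\s*['\"][^'\"]+['\"]\\s*,\\s*)?['\"]([^'\"]+)"
+# Only detects secrets presented directly as a string.
+pattern: "\\bSECRET_KEY(?:_FALLBACKS)?\\s*=\\s*['\"]([^'\"\\r\\n]+)"
 context:
 patternAround: "(?i)\\bdjango"
 post:
@@ -44,10 +45,10 @@ provider:
 # noncompliant example
 # See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = 'r&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9^'
+SECRET_KEY = 's&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos1_9^'
 fileName: settings.py
 containsSecret: true
-match: r&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9^
+match: s&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos1_9^
 - text: |
 # compliant example
 # See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
@@ -60,7 +61,13 @@ provider:
 # SECURITY WARNING: keep the secret key used in production secret!
 SECRET_KEY = os.getenv("SECRET_KEY")
 fileName: settings.py
-containsSecret: false
+containsSecret: false
+- text: |
+# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = os.getenv("SECRET_KEY", "s&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos2_9^")
+fileName: settings.py
+containsSecret: false
 - text: |
 # See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
 # SECURITY WARNING: keep the secret key used in production secret!
@@ -70,10 +77,76 @@ provider:
 - text: |
 # See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = os.getenv("PASS","r&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9^")
+SECRET_KEY = env.str("SECRET_KEY", "s&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9^")
+fileName: settings.py
+containsSecret: false
+
+- id: settings.py-secret-key-env-default
+rspecKey: S6687
+metadata:
+name: Django secret keys should not be disclosed
+detection:
+pre:
+include:
+paths:
+- "**/settings.py"
+matching:
+# Only detects secrets presented as a default value to os.environ(), environs.Env() or environs.Env.str()
+pattern: "\\bSECRET_KEY(?:_FALLBACKS)?\\s*=\\s*(?:os\\.getenv|env(?:\\.str)?)\\(\\s*['\"][^'\"\\r\\n]+['\"]\\s*,\\s*(?:default\\s*=\\s*)?['\"]([^'\"\\r\\n]+)"
+context:
+patternAround: "(?i)\\bdjango"
+post:
+patternNot:
+- "(\\w)\\1{4,}"
+- "(?i)(ex|s)ample"
+examples:
+- text: |
+# noncompliant example
+# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = 'd&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos1_9^'
+fileName: settings.py
+containsSecret: false
+- text: |
+# compliant example
+# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = os.environ['SECRET_KEY']
+fileName: settings.py
+containsSecret: false
+- text: |
+# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = os.getenv("SECRET_KEY")
+fileName: settings.py
+containsSecret: false
+- text: |
+# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = os.getenv("SECRET_KEY", "d&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos2_9^")
 fileName: settings.py
 containsSecret: true
-match: r&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9^
+match: d&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos2_9^
+- text: |
+# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = env("SECRET_KEY")
+fileName: settings.py
+containsSecret: false
+- text: |
+# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = env("SECRET_KEY", default="d&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9^")
+fileName: settings.py
+containsSecret: true
+match: d&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9^
+- text: |
+# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = env.str("SECRET_KEY", "d&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos4_9^")
+fileName: settings.py
+containsSecret: true
+match: d&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos4_9^
 
 - id: env-secret-key
 rspecKey: S6687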
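Review bot: The comment above the new `settings.py-secret-key-env-default` pattern does not describe what the regex matches: it names `os.environ()`, `environs.Env()` and `environs.Env.str()`, while the alternation is `(?:os\\.getenv|env(?:\\.str)?)`, so `os.environ.get("SECRET_KEY", "...")` — the other common place a hard-coded default ends up — is not covered by either this rule or the string rule (whose pattern now requires a literal right after `=`). Unless another rule in the file handles it, consider `(?:os\\.getenv|os\\.environ\\.get|env(?:\\.str)?)` and rewording the comment to `# Only detects secrets presented as a default value to os.getenv(), os.environ.get(), env() or env.str()` so the comment and the regex agree. The first example under this rule is labelled `# noncompliant example` yet carries `containsSecret: false`; a reader scanning for the rule's positive case will be misled, so drop or reword that label (it is noncompliant for the string rule, not this one). The example list for this rule is a useful fixture set; keeping the labels accurate matters because these examples are what future regex changes are regression-tested against.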
