Create rule S7149: Doppler auth tokens should not be disclosed #4483

Merged 2 commits on Nov 12, 2024

Changes from 1 commit
Update RSPEC
hendrik-buchwald-sonarsource committed Nov 11, 2024
commit 9823dc820e2ff13e6ae56551ee6194d2b90c5dea
2 changes: 1 addition & 1 deletion rules/S7149/secrets/metadata.json
@@ -1,5 +1,5 @@
{
"title": "SECRET_TYPE should not be disclosed",
"title": "Doppler auth tokens should not be disclosed",
"type": "VULNERABILITY",
"code": {
"impacts": {
26 changes: 5 additions & 21 deletions rules/S7149/secrets/rule.adoc
@@ -7,21 +7,12 @@ include::../../../shared_content/secrets/rationale.adoc[]

=== What is the potential impact?

// Optional: Give a general description of the secret and what it's used for.

Below are some real-world scenarios that illustrate some impacts of an attacker
exploiting the secret.

// Set value that can be used to refer to the type of secret in, for example:
// "An attacker can use this {secret_type} to ..."
:secret_type: secret

// Where possible, use predefined content for common impacts. This content can
// be found in the folder "shared_content/secrets/impact".
// When using predefined content, search for any required variables to be set and include them in this file.
// Not adding them will not trigger warnings.
include::../../../shared_content/secrets/impact/data_compromise.adoc[]

//include::../../../shared_content/secrets/impact/some_impact.adoc[]
include::../../../shared_content/secrets/impact/financial_loss.adoc[]

== How to fix it

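Review bot: the `:secret_type: secret` attribute is dropped together with its explanatory comment, yet the two shared includes that follow (`impact/data_compromise.adoc` and `impact/financial_loss.adoc`) are exactly the predefined content the removed comment warns may require variables, and it also states that a missing variable does not trigger a warning. Please confirm neither include references `{secret_type}`, or keep the attribute with a rule-specific value such as `:secret_type: Doppler auth token`. Separately, the optional description of the secret was removed without a replacement; one sentence stating what a Doppler auth token grants access to would anchor the generic data-compromise and financial-loss text to this rule.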
@@ -31,20 +22,13 @@ include::../../../shared_content/secrets/fix/vault.adoc[]

=== Code examples

:example_secret: example_secret_value
:example_name: java-property-name
:example_env: ENV_VAR_NAME
:example_secret: dp.ct.bAqhcVzrhy5cRHkOlNTc0Ve6w5NUDCpcutm8vGE9myi
:example_name: doppler-auth-token
:example_env: DOPPLER_AUTH_TOKEN

include::../../../shared_content/secrets/examples.adoc[]

//=== How does this work?

//=== Pitfalls

//=== Going the extra mile

== Resources

include::../../../shared_content/secrets/resources/standards.adoc[]

//=== Benchmarks
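Review bot: the `:example_secret:` value `dp.ct.bAqhcVzrhy5cRHkOlNTc0Ve6w5NUDCpcutm8vGE9myi` is published with the rule, so it must be a deliberately constructed token that matches the format the detector expects rather than one copied from a live workspace; if it was ever issued, it should be revoked before merge. The `//=== How does this work?`, `//=== Pitfalls` and `//=== Going the extra mile` headings are still commented out: either remove them or fill them in, so template scaffolding does not remain in the finished rule.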