diff --git a/rules/python/third_parties/algolia.yml b/rules/python/third_parties/algolia.yml
new file mode 100644
index 00000000..598b9391
--- /dev/null
+++ b/rules/python/third_parties/algolia.yml
@@ -0,0 +1,67 @@
+imports:
+ - python_shared_lang_datatype
+ - python_shared_lang_import2
+patterns:
+ - pattern: |
+ $.$($<...>$$<...>)
+ filters:
+ - variable: INDEX
+ detection: python_third_parties_algolia_index
+ scope: cursor
+ - variable: METHOD
+ values:
+ - save_object
+ - save_objects
+ - update_object
+ - update_objects
+ - partial_update_object
+ - partial_update_objects
+ - replace_all_objects
+ - variable: DATA_TYPE
+ detection: python_shared_lang_datatype
+ scope: result
+auxiliary:
+ - id: python_third_parties_algolia_index
+ patterns:
+ - pattern: $.init_index($<...>)
+ filters:
+ - variable: SEARCH_CLIENT
+ detection: python_third_parties_algolia_search_client
+ scope: cursor
+ - id: python_third_parties_algolia_search_client
+ patterns:
+ - pattern: $.create($<...>)
+ filters:
+ - variable: SEARCH_CLIENT
+ detection: python_shared_lang_import2
+ scope: cursor
+ filters:
+ - variable: MODULE1
+ values: [algoliasearch]
+ - variable: MODULE2
+ values: [search_client]
+ - variable: NAME
+ values: [SearchClient]
+languages:
+ - python
+severity: medium
+skip_data_types:
+ - Unique Identifier
+metadata:
+ description: Leakage of sensitive data to Algolia
+ remediation_message: |
+ ## Description
+
+ Leaking sensitive data to third-party data tools like Algolia is a common cause of data leaks and can lead to data breaches.
+
+ ## Remediations
+
+ - **Do** ensure all sensitive data is removed when sending data to third-party services like Algolia.
+
+ ## References
+ - [Algolia docs](https://www.algolia.com/doc/)
+ cwe_id:
+ - 201
+ associated_recipe: Algolia
+ id: python_third_parties_algolia
+ documentation_url: https://docs.bearer.com/reference/rules/python_third_parties_algolia
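Review bot: The main pattern is shown here as `$.$($<...>$$<...>)`, with no named placeholders, while the three filters directly beneath it bind `INDEX`, `METHOD` and `DATA_TYPE`; the two auxiliary patterns `$.init_index($<...>)` and `$.create($<...>)` likewise show no `SEARCH_CLIENT` placeholder even though their filters reference it. This looks like angle-bracketed names being stripped when the page was rendered, in which case the committed file is fine, but if the file really reads this way the filters have no variable to act on and the rule cannot produce a finding. It would be worth confirming that the committed pattern is the intended `$<INDEX>.$<METHOD>($<...>$<DATA_TYPE>$<...>)` form, and that the auxiliaries bind `$<SEARCH_CLIENT>` on the receiver position.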
diff --git a/tests/python/third_parties/algolia/test.js b/tests/python/third_parties/algolia/test.js
new file mode 100644
index 00000000..bc9e6a1f
--- /dev/null
+++ b/tests/python/third_parties/algolia/test.js
@@ -0,0 +1,20 @@
+const {
+ createNewInvoker,
+ getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+ const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+ test("algolia", () => {
+ const testCase = "main.py"
+
+ const results = invoke(testCase)
+
+ expect(results).toEqual({
+ Missing: [],
+ Extra: []
+ })
+ })
+})
\ No newline at end of file
diff --git a/tests/python/third_parties/algolia/testdata/main.py b/tests/python/third_parties/algolia/testdata/main.py
new file mode 100644
index 00000000..720917d4
--- /dev/null
+++ b/tests/python/third_parties/algolia/testdata/main.py
@@ -0,0 +1,35 @@
+# Use bearer:expected python_third_parties_algolia to flag expected findings
+from algoliasearch.search_client import SearchClient
+
+client = SearchClient.create('YourApplicationID', 'YourWriteAPIKey')
+index = client.init_index('your_index_name')
+
+# bearer:expected python_third_parties_algolia
+index.save_object({
+ 'firstname': user.firstname,
+ 'lastname': user.lastname,
+ 'objectID': user.uuid
+})
+# bearer:expected python_third_parties_algolia
+res = index.save_objects([{'firstname': user.firstname, 'lastname': user.lastname, 'objectID': user.uuid}])
+
+# bearer:expected python_third_parties_algolia
+index.partial_update_object({"objectID": user.uuid, "email": user.email})
+# bearer:expected python_third_parties_algolia
+index.partial_update_objects([
+ {'objectID': user1.uuid, 'firstname': user1.firstname},
+ {'objectID': user1.uuid, 'firstname': user2.firstname}
+])
+
+# bearer:expected python_third_parties_algolia
+index.replace_all_objects(
+ [{'firstname': user.firstname, 'lastname': user.lastname, 'objectID': user.uuid}],
+ { 'safe': True }
+)
+
+# ok
+index.save_object({
+ 'firstname': 'Mish',
+ 'lastname': 'Bear',
+ 'objectID': 'mish001'
+})
\ No newline at end of file
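Review bot: The rule's `METHOD` list includes `update_object` and `update_objects`, but this fixture exercises neither, so the test passes regardless of whether those two entries work; adding `# bearer:expected python_third_parties_algolia` followed by `index.update_object({'objectID': user.uuid, 'email': user.email})` (and a list-form `update_objects` call) would cover them. The second element of the `partial_update_objects` list pairs `user1.uuid` with `user2.firstname`, which looks like a copy-paste slip — it does not affect detection, but `user2.uuid` is presumably what was intended. There is also no negative case for a `save_object` call on an object that was not obtained via `SearchClient.create(...).init_index(...)`, which is the path the auxiliary detections are meant to gate; a short one would confirm the `INDEX` filter actually constrains the match.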