From b4997cd684af2005d157dc569682e5f40c2b1c2b Mon Sep 17 00:00:00 2001
From: elsapet
Date: Fri, 31 May 2024 16:29:48 +0200
Subject: [PATCH] feat(python): add datadog third parties rule
---
rules/python/third_parties/datadog.yml | 62 +++++++++++++++++++
tests/python/third_parties/datadog/test.js | 20 ++++++
.../third_parties/datadog/testdata/main.py | 19 ++++++
3 files changed, 101 insertions(+)
create mode 100644 rules/python/third_parties/datadog.yml
create mode 100644 tests/python/third_parties/datadog/test.js
create mode 100644 tests/python/third_parties/datadog/testdata/main.py
diff --git a/rules/python/third_parties/datadog.yml b/rules/python/third_parties/datadog.yml
new file mode 100644
index 00000000..6de66b47
--- /dev/null
+++ b/rules/python/third_parties/datadog.yml
@@ -0,0 +1,62 @@
+imports:
+ - python_shared_lang_datatype
+ - python_shared_lang_import2
+patterns:
+ - pattern: |
+ $.$($<...>$$<...>)
+ filters:
+ - variable: DD_SPAN
+ detection: python_third_parties_datadog_span
+ scope: result
+ - variable: METHOD
+ values:
+ - set_tag
+ - set_tags
+ - set_struct_tag
+ - set_tag_str
+ - variable: DATA_TYPE
+ detection: python_shared_lang_datatype
+ scope: result
+auxiliary:
+ - id: python_third_parties_datadog_span
+ patterns:
+ - pattern: $($<...>)
+ filters:
+ - variable: TRACER
+ detection: python_shared_lang_import2
+ scope: cursor
+ filters:
+ - variable: MODULE1
+ values: [ddtrace]
+ - variable: MODULE2
+ values: [tracer]
+ - variable: NAME
+ values:
+ - trace
+ - start_span
+ - current_span
+ - current_root_span
+languages:
+ - python
+severity: medium
+skip_data_types:
+ - Unique Identifier
+metadata:
+ description: Leakage of sensitive data to Datadog
+ remediation_message: |
+ ## Description
+
+ Leaking sensitive data to third-party loggers like Datadog is a common cause of data leaks and can lead to data breaches.
+
+ ## Remediations
+
+ - **Do** ensure all sensitive data is removed when sending data to third-party loggers like Datadog.
+
+ ## References
+ - [Datadog docs](https://docs.datadoghq.com)
+ - [Scrubbing data](https://docs.datadoghq.com/tracing/configure_data_security/?tab=python#scrub-sensitive-data-from-your-spans)
+ cwe_id:
+ - 201
+ associated_recipe: Datadog
+ id: python_third_parties_datadog
+ documentation_url: https://docs.bearer.com/reference/rules/python_third_parties_datadog
diff --git a/tests/python/third_parties/datadog/test.js b/tests/python/third_parties/datadog/test.js
new file mode 100644
index 00000000..a62d8e82
--- /dev/null
+++ b/tests/python/third_parties/datadog/test.js
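Review bot: The auxiliary `python_third_parties_datadog_span` recognises a span only as the direct result of a `tracer.trace`/`start_span`/`current_span`/`current_root_span` call, so whether the context-manager form `with tracer.trace("web.request") as span:` that ddtrace documents is bound to `DD_SPAN` depends on `scope: result` following the `with ... as` binding — not visible here and not covered by the testdata, so worth a test case to confirm. The rule id, `associated_recipe: Datadog` and the description promise Datadog generally, but `MODULE1`/`MODULE2` restrict the sink to `ddtrace.tracer` spans; the separate `datadog` client package (statsd tags, events) is not covered, so either state the scope, e.g. `description: Leakage of sensitive data to Datadog (ddtrace spans)`, or track the remaining sinks in a follow-up. The patterns render here as `$.$($<...>$$<...>)` and `$($<...>)`, which looks like the `$<DD_SPAN>`/`$<METHOD>`/`$<TRACER>` variable names were stripped by the page rendering rather than missing from the committed file, but since the filters reference those names it is worth a glance at the actual YAML.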
@@ -0,0 +1,20 @@
+const {
+ createNewInvoker,
+ getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+ const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+ test("datadog", () => {
+ const testCase = "main.py"
+
+ const results = invoke(testCase)
+
+ expect(results).toEqual({
+ Missing: [],
+ Extra: []
+ })
+ })
+})
\ No newline at end of file
diff --git a/tests/python/third_parties/datadog/testdata/main.py b/tests/python/third_parties/datadog/testdata/main.py
new file mode 100644
index 00000000..e717ec2f
--- /dev/null
+++ b/tests/python/third_parties/datadog/testdata/main.py
@@ -0,0 +1,19 @@
+from ddtrace import tracer
+
+@tracer.wrap()
+def execute():
+ span = tracer.current_span()
+ # bearer:expected python_third_parties_datadog
+ span.set_tag('user', user.email)
+
+span = tracer.start_span("web.request")
+# bearer:expected python_third_parties_datadog
+span.set_tags('user', user.email)
+
+span = tracer.trace("web.request")
+# bearer:expected python_third_parties_datadog
+span.set_struct_tag('user', { "email": user.email })
+
+root_span = tracer.current_root_span()
+# bearer:expected python_third_parties_datadog
+span.set_tag_str('user', user.email)
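Review bot: The file ends without a trailing newline (`\ No newline at end of file` after the closing `})`); add one so the harness matches the other test files and the next edit to this file does not carry a spurious whitespace-only change. Beyond that the file follows the shared `getEnvironment`/`createNewInvoker` shape and raises nothing else.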
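Review bot: The last case binds `root_span = tracer.current_root_span()` but then calls `span.set_tag_str('user', user.email)`, where `span` is still the `tracer.trace("web.request")` span from the case above, so the `current_root_span` entry in the rule's `NAME` list is never exercised; change the line to `root_span.set_tag_str('user', user.email)`. The fixture contains only expected hits and no negative cases — for instance `span.set_tag('http.status_code', 200)`, or a `.set_tag(...)` call on an object that did not come from the tracer — so an over-broad match would still yield `Extra: []`. A `with tracer.trace("web.request") as span:` case would also cover the context-manager form ddtrace documents. `user` is never defined, which is fine for a static fixture but deserves a one-line comment such as `# user: undefined fixture object; user.email is the value the datatype detection is expected to flag`.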