-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(python): clickhouse third parties rule
- Loading branch information
Showing
3 changed files
with
79 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| imports: | ||
| - python_shared_lang_import1 | ||
| - python_shared_lang_datatype | ||
| patterns: | ||
| - pattern: | | ||
| $<CLIENT>.insert($<...>$<DATA_TYPE>$<...>) | ||
| filters: | ||
| - variable: CLIENT | ||
| detection: python_third_parties_clickhouse_connect_client | ||
| scope: result | ||
| - variable: DATA_TYPE | ||
| detection: python_shared_lang_datatype | ||
| scope: result | ||
| auxiliary: | ||
| - id: python_third_parties_clickhouse_connect_client | ||
| patterns: | ||
| - pattern: $<CLICKHOUSE_CLIENT> | ||
| filters: | ||
| - variable: CLICKHOUSE_CLIENT | ||
| detection: python_shared_lang_import1 | ||
| scope: cursor | ||
| filters: | ||
| - variable: MODULE1 | ||
| values: [clickhouse_connect] | ||
| - variable: NAME | ||
| values: [get_client] | ||
| languages: | ||
| - python | ||
| severity: medium | ||
| skip_data_types: | ||
| - Unique Identifier | ||
| metadata: | ||
| description: Leakage of sensitive data to ClickHouse | ||
| remediation_message: | | ||
| ## Description | ||
| Leaking sensitive data to a third-party service like ClickHouse is a common cause of data leaks and can lead to data breaches. | ||
| ## Remediations | ||
| - **Do** ensure all sensitive data is removed when sending data to third-party services like ClickHouse. | ||
| ## References | ||
| - [ClickHouse docs](https://clickhouse.com/docs/en/intro/) | ||
| cwe_id: | ||
| - 201 | ||
| associated_recipe: ClickHouse | ||
| id: python_third_parties_clickhouse | ||
| documentation_url: https://docs.bearer.com/reference/rules/python_third_parties_clickhouse |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| const { | ||
| createNewInvoker, | ||
| getEnvironment, | ||
| } = require("../../../helper.js") | ||
| const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) | ||
|
|
||
| describe(ruleId, () => { | ||
| const invoke = createNewInvoker(ruleId, ruleFile, testBase) | ||
|
|
||
| test("clickhouse", () => { | ||
| const testCase = "main.py" | ||
|
|
||
| const results = invoke(testCase) | ||
|
|
||
| expect(results).toEqual({ | ||
| Missing: [], | ||
| Extra: [] | ||
| }) | ||
| }) | ||
| }) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| import clickhouse_connect | ||
|
|
||
| client = clickhouse_connect.get_client(host="clickhouse.cloud", port=8443, username="default", password="secret") | ||
| client.command('CREATE TABLE IF NOT EXISTS users (uuid String, email String) ORDER BY uuid') | ||
|
|
||
| row1 = [user1.uuid, user1.email] | ||
| row2 = [user2.uuid, user2.email] | ||
| data = [row1, row2] | ||
| # bearer:expected python_third_parties_clickhouse | ||
| client.insert('users', data, column_names=['uuid', 'email']) |