diff --git a/rules/python/third_parties/clickhouse.yml b/rules/python/third_parties/clickhouse.yml
new file mode 100644
index 00000000..c4bba820
--- /dev/null
+++ b/rules/python/third_parties/clickhouse.yml
@@ -0,0 +1,49 @@
+imports:
+ - python_shared_lang_import1
+ - python_shared_lang_datatype
+patterns:
+ - pattern: |
+ $.insert($<...>$$<...>)
+ filters:
+ - variable: CLIENT
+ detection: python_third_parties_clickhouse_connect_client
+ scope: result
+ - variable: DATA_TYPE
+ detection: python_shared_lang_datatype
+ scope: result
+auxiliary:
+ - id: python_third_parties_clickhouse_connect_client
+ patterns:
+ - pattern: $
+ filters:
+ - variable: CLICKHOUSE_CLIENT
+ detection: python_shared_lang_import1
+ scope: cursor
+ filters:
+ - variable: MODULE1
+ values: [clickhouse_connect]
+ - variable: NAME
+ values: [get_client]
+languages:
+ - python
+severity: medium
+skip_data_types:
+ - Unique Identifier
+metadata:
+ description: Leakage of sensitive data to ClickHouse
+ remediation_message: |
+ ## Description
+
+ Leaking sensitive data to a third-party service like ClickHouse is a common cause of data leaks and can lead to data breaches.
+
+ ## Remediations
+
+ - **Do** ensure all sensitive data is removed when sending data to third-party services like ClickHouse.
+
+ ## References
+ - [ClickHouse docs](https://clickhouse.com/docs/en/intro/)
+ cwe_id:
+ - 201
+ associated_recipe: ClickHouse
+ id: python_third_parties_clickhouse
+ documentation_url: https://docs.bearer.com/reference/rules/python_third_parties_clickhouse
diff --git a/tests/python/third_parties/clickhouse/test.js b/tests/python/third_parties/clickhouse/test.js
new file mode 100644
index 00000000..4cbe7eeb
--- /dev/null
+++ b/tests/python/third_parties/clickhouse/test.js
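Review bot: The top-level pattern `$.insert($<...>$$<...>)` does not bind the `CLIENT` and `DATA_TYPE` variables that its two filters reference, and the auxiliary pattern `$` likewise binds nothing for the `CLICKHOUSE_CLIENT` filter; this looks like an extraction artifact that stripped the angle-bracketed variable tokens rather than the committed text, but if the file really reads this way both filters are dead and the fixture's `client.insert(...)` cannot be matched, so it is worth confirming against the raw file. Separately, the rule only covers `.insert(...)`: the fixture also calls `client.command(...)`, and a `command` or `query` call that embeds a sensitive value in a formatted SQL string reaches ClickHouse through the same client but produces no finding. If that narrower scope is intended, a one-line comment above `patterns:` such as `# only the insert() bulk path is covered; command()/query() with interpolated data are not` would make it explicit to the next maintainer.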
@@ -0,0 +1,20 @@
+const {
+ createNewInvoker,
+ getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+ const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+ test("clickhouse", () => {
+ const testCase = "main.py"
+
+ const results = invoke(testCase)
+
+ expect(results).toEqual({
+ Missing: [],
+ Extra: []
+ })
+ })
+})
\ No newline at end of file
diff --git a/tests/python/third_parties/clickhouse/testdata/main.py b/tests/python/third_parties/clickhouse/testdata/main.py
new file mode 100644
index 00000000..cede441c
--- /dev/null
+++ b/tests/python/third_parties/clickhouse/testdata/main.py
@@ -0,0 +1,10 @@
+import clickhouse_connect
+
+client = clickhouse_connect.get_client(host="clickhouse.cloud", port=8443, username="default", password="secret")
+client.command('CREATE TABLE IF NOT EXISTS users (uuid String, email String) ORDER BY uuid')
+
+row1 = [user1.uuid, user1.email]
+row2 = [user2.uuid, user2.email]
+data = [row1, row2]
+# bearer:expected python_third_parties_clickhouse
+client.insert('users', data, column_names=['uuid', 'email'])
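Review bot: The fixture only exercises the positive path; every inserted row carries `user1.email`/`user2.email`, so the `Extra: []` expectation in test.js is never checked against an insert the rule should ignore. A second `client.insert(...)` of non-sensitive values with no `# bearer:expected` line above it would pin the false-positive behaviour, though whether a row holding only a `uuid` is ignored depends on the rule's `skip_data_types` and is worth confirming. `user1` and `user2` are never defined, so the module is not executable Python; a leading comment such as `# pattern-matching fixture only: user1/user2 are intentionally undefined` would save a reader from looking for them.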