-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(java): empty database password rule (#208)
- Loading branch information
Showing
3 changed files
with
67 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| patterns: | ||
| - pattern: | | ||
| $<SQL_DRIVER_MANAGER>.getConnection($<_>, $<_>, $<EMPTY_STRING>) | ||
| filters: | ||
| - variable: SQL_DRIVER_MANAGER | ||
| regex: \A(java\.sql\.)?DriverManager\z | ||
| - variable: EMPTY_STRING | ||
| string_regex: \A\z | ||
| languages: | ||
| - java | ||
| severity: warning | ||
| metadata: | ||
| description: "Empty database password detected." | ||
| remediation_message: | | ||
| ## Description | ||
| A database with an empty password is a security risk as its data is unprotected. | ||
| Database servers should be configured with appropriate authentication and restrictions, and their passwords should be stored and accessed securely - for example, through a Key Management Service (KMS). | ||
| ## Remediations | ||
| ❌ Do not configure database servers with empty passwords | ||
| ✅ Always ensure secure password management practices | ||
| ## Resources | ||
| - [OWASP hardcoded passwords](https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password) | ||
| cwe_id: | ||
| - 306 | ||
| id: java_lang_empty_database_password | ||
| documentation_url: https://docs.bearer.com/reference/rules/java_lang_empty_database_password |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| const { | ||
| createNewInvoker, | ||
| getEnvironment, | ||
| } = require("../../../helper.js") | ||
| const { ruleId, ruleFile, testBase } = getEnvironment(__dirname) | ||
|
|
||
| describe(ruleId, () => { | ||
| const invoke = createNewInvoker(ruleId, ruleFile, testBase) | ||
|
|
||
| test("empty_database_password", () => { | ||
| const testCase = "main.java" | ||
|
|
||
| const results = invoke(testCase) | ||
|
|
||
| expect(results.Missing).toEqual([]) | ||
| expect(results.Extra).toEqual([]) | ||
| }) | ||
| }) |
17 changes: 17 additions & 0 deletions
17
tests/java/lang/empty_database_password/testdata/main.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| // Use bearer:expected java_lang_empty_database_password to flag expected findings | ||
| import java.sql.Connection; | ||
| import java.sql.DriverManager; | ||
|
|
||
| public class Foo | ||
| { | ||
| public static void bad() { | ||
| String url = "jdbc:mysql://localhost:3306/foo"; | ||
| // bearer:expected java_lang_empty_database_password | ||
| Connection conn = DriverManager.getConnection(url, "root", ""); | ||
| } | ||
|
|
||
| public static void ok() { | ||
| String url = "jdbc:mysql://localhost:3306/bar"; | ||
| Connection conn = DriverManager.getConnection(url, "admin", "admin"); | ||
| } | ||
| } |