feat(python): add initial rules

.envrc.example

@@ -1,2 +1,3 @@
-export BEARER_VERSION=canary-amd64 # latest is the default
-export BEARER_WORKSPACE="/Users/cfabianski/GitHub/Bearer/bearer"
+export BEARER_VERSION=latest
+export BEARER_WORKSPACE=$PWD/../bearer
+export BEARER_PYTHON_ENABLED=true

.github/workflows/canary.yml

@@ -41,6 +41,8 @@ jobs:
         run: tar -czvf release/javascript.tar.gz --directory ./rules javascript
       - name: Archive Java
         run: tar -czvf release/java.tar.gz --directory ./rules java
+      - name: Archive Python
+        run: tar -czvf release/python.tar.gz --directory ./rules python
       - name: Create a GitHub release
         uses: ncipollo/release-action@v1
         with:

.github/workflows/canary_integration_tests.yml

@@ -29,6 +29,7 @@ jobs:
             "ruby/third_parties",
             "java/lang",
             "java/spring",
+            "python/lang",
           ]
     steps:
       - uses: actions/checkout@v3

.github/workflows/integration_tests.yml

@@ -36,6 +36,7 @@ jobs:
             "ruby/third_parties",
             "java/lang",
             "java/spring",
+            "python/lang",
           ]
     steps:
       - uses: actions/checkout@v3

.github/workflows/release.yml

@@ -40,6 +40,8 @@ jobs:
         run: tar -czvf release/javascript.tar.gz --directory ./rules javascript
       - name: Archive Java
         run: tar -czvf release/java.tar.gz --directory ./rules java
+      - name: Archive Python
+        run: tar -czvf release/python.tar.gz --directory ./rules python
       - name: Create a GitHub release
         uses: ncipollo/release-action@v1
         with:

rules/python/lang/logger.yml

@@ -0,0 +1,43 @@
+patterns:
+  - pattern: logging.$<METHOD>($<DATA_TYPE>)
+    filters:
+      - variable: METHOD
+        values:
+          - debug
+          - warning
+          - info
+          - error
+      - variable: DATA_TYPE
+        detection: datatype
+languages:
+  - python
+skip_data_types:
+  - "Unique Identifier"
+metadata:
+  description: "Sensitive data in a logger message detected."
+  remediation_message: |
+    ## Description
+
+    Leaking sensitive data to loggers is a common cause of data leaks and can lead to data breaches. This rule looks for instances of sensitive data sent to loggers.
+
+    ## Remediations
+
+    ❌ Avoid using sensitive data in logger messages:
+
+    ```python
+    logger.info(f"User is: '{user.email}'")
+    ```
+
+    ✅ If you need to identify a user, ensure to use their unique identifier instead of their personal identifiable information:
+
+    ```python
+    logger.info(f"User is: '{user.uuid}'")
+    ```
+
+    ## Resources
+    - [OWASP logging cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html)
+  cwe_id:
+    - 209
+    - 532
+  id: python_lang_logger
+  documentation_url: https://docs.bearer.com/reference/rules/python_lang_logger

rules/python/lang/weak_hash_md5.yml

@@ -0,0 +1,59 @@
+patterns:
+  - pattern: hashlib.md5($<OPTIONAL_DATA_TYPE>)
+    filters:
+      - either:
+          - variable: OPTIONAL_DATA_TYPE
+            detection: datatype
+            scope: result
+          - not:
+              variable: OPTIONAL_DATA_TYPE
+              detection: datatype
+              scope: result
+  - pattern: $<MD5_INIT>.update($<OPTIONAL_DATA_TYPE>)
+    filters:
+      - variable: MD5_INIT
+        detection: python_lang_weak_hash_md5_init
+        scope: cursor
+      - either:
+          - variable: OPTIONAL_DATA_TYPE
+            detection: datatype
+            scope: result
+          - not:
+              variable: OPTIONAL_DATA_TYPE
+              detection: datatype
+              scope: result
+auxiliary:
+  - id: python_lang_weak_hash_md5_init
+    patterns:
+      - hashlib.md5()
+languages:
+  - python
+skip_data_types:
+  - "Unique Identifier"
+  - "Passwords" # see python_lang_weak_password_encryption_md5
+metadata:
+  description: "Weak hashing library (MD5) detected."
+  remediation_message: |
+    ## Description
+
+    A weak hashing library can lead to data breaches and greater security risk.
+
+    ## Remediations
+    According to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.
+
+    ❌ Avoid libraries and algorithms with known weaknesses:
+
+    ```python
+    hashlib.md5('password').digest()
+    ```
+
+    ✅ Instead, we recommend using sha256:
+
+    ```python
+    hashlib.sha256('password').digest()
+    ```
+  cwe_id:
+    - 331
+    - 328
+  id: python_lang_weak_hash_md5
+  documentation_url: https://docs.bearer.com/reference/rules/python_lang_weak_hash_md5

rules/python/lang/weak_hash_sha1.yml

@@ -0,0 +1,59 @@
+patterns:
+  - pattern: hashlib.sha1($<OPTIONAL_DATA_TYPE>)
+    filters:
+      - either:
+          - variable: OPTIONAL_DATA_TYPE
+            detection: datatype
+            scope: result
+          - not:
+              variable: OPTIONAL_DATA_TYPE
+              detection: datatype
+              scope: result
+  - pattern: $<SHA1_INIT>.update($<OPTIONAL_DATA_TYPE>)
+    filters:
+      - variable: SHA1_INIT
+        detection: python_lang_weak_hash_sha1_init
+        scope: cursor
+      - either:
+          - variable: OPTIONAL_DATA_TYPE
+            detection: datatype
+            scope: result
+          - not:
+              variable: OPTIONAL_DATA_TYPE
+              detection: datatype
+              scope: result
+auxiliary:
+  - id: python_lang_weak_hash_sha1_init
+    patterns:
+      - hashlib.sha1()
+languages:
+  - python
+skip_data_types:
+  - "Unique Identifier"
+  - "Passwords" # see python_lang_weak_password_encryption_sha1
+metadata:
+  description: "Weak hashing library (SHA1) detected."
+  remediation_message: |
+    ## Description
+
+    A weak hashing library can lead to data breaches and greater security risk.
+
+    ## Remediations
+    According to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.
+
+    ❌ Avoid libraries and algorithms with known weaknesses:
+
+    ```python
+    hashlib.sha1('password').digest()
+    ```
+
+    ✅ Instead, we recommend using sha256:
+
+    ```python
+    hashlib.sha256('password').digest()
+    ```
+  cwe_id:
+    - 331
+    - 328
+  id: python_lang_weak_hash_sha1
+  documentation_url: https://docs.bearer.com/reference/rules/python_lang_weak_hash_sha1

rules/python/lang/weak_password_encryption_md5.yml

@@ -0,0 +1,58 @@
+patterns:
+  - pattern: hashlib.md5($<OPTIONAL_DATA_TYPE>)
+    filters:
+      - either:
+          - variable: OPTIONAL_DATA_TYPE
+            detection: datatype
+            scope: result
+          - not:
+              variable: OPTIONAL_DATA_TYPE
+              detection: datatype
+              scope: result
+  - pattern: $<MD5_INIT>.update($<OPTIONAL_DATA_TYPE>)
+    filters:
+      - variable: MD5_INIT
+        detection: python_lang_weak_hash_md5_init
+        scope: cursor
+      - either:
+          - variable: OPTIONAL_DATA_TYPE
+            detection: datatype
+            scope: result
+          - not:
+              variable: OPTIONAL_DATA_TYPE
+              detection: datatype
+              scope: result
+auxiliary:
+  - id: python_lang_weak_hash_md5_init
+    patterns:
+      - hashlib.md5()
+languages:
+  - python
+only_data_types:
+  - "Passwords"
+metadata:
+  description: "Weak encryption algorithm (MD5) used for password detected."
+  remediation_message: |
+    ## Description
+
+    A weak hashing library can lead to data breaches and greater security risk.
+
+    ## Remediations
+    According to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), MD5 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.
+
+    ❌ Do not use encryption for passwords, wherever possible:
+
+    ```python
+    hashlib.md5(user.password).digest()
+    ```
+
+    ✅ Instead, we recommend using sha256:
+
+    ```python
+    hashlib.sha256(user.password).digest()
+    ```
+  cwe_id:
+    - 331
+    - 328
+  id: python_lang_weak_password_encryption_md5
+  documentation_url: https://docs.bearer.com/reference/rules/python_lang_weak_password_encryption_md5

rules/python/lang/weak_password_encryption_sha1.yml

@@ -0,0 +1,58 @@
+patterns:
+  - pattern: hashlib.sha1($<OPTIONAL_DATA_TYPE>)
+    filters:
+      - either:
+          - variable: OPTIONAL_DATA_TYPE
+            detection: datatype
+            scope: result
+          - not:
+              variable: OPTIONAL_DATA_TYPE
+              detection: datatype
+              scope: result
+  - pattern: $<SHA1_INIT>.update($<OPTIONAL_DATA_TYPE>)
+    filters:
+      - variable: SHA1_INIT
+        detection: python_lang_weak_hash_sha1_init
+        scope: cursor
+      - either:
+          - variable: OPTIONAL_DATA_TYPE
+            detection: datatype
+            scope: result
+          - not:
+              variable: OPTIONAL_DATA_TYPE
+              detection: datatype
+              scope: result
+auxiliary:
+  - id: python_lang_weak_hash_sha1_init
+    patterns:
+      - hashlib.sha1()
+languages:
+  - python
+only_data_types:
+  - "Passwords"
+metadata:
+  description: "Weak encryption algorithm (SHA1) used for password detected."
+  remediation_message: |
+    ## Description
+
+    A weak hashing library can lead to data breaches and greater security risk.
+
+    ## Remediations
+    According to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption), sha1 and its predecessors are considered weak hash algorithms and therefore shouldn't be used.
+
+    ❌ Do not use encryption for passwords, wherever possible:
+
+    ```python
+    hashlib.sha1(user.password).digest()
+    ```
+
+    ✅ Instead, we recommend using sha256:
+
+    ```python
+    hashlib.sha256(user.password).digest()
+    ```
+  cwe_id:
+    - 331
+    - 328
+  id: python_lang_weak_password_encryption_sha1
+  documentation_url: https://docs.bearer.com/reference/rules/python_lang_weak_password_encryption_sha1

scripts/invoke.sh

@@ -16,7 +16,7 @@ cp -R $test_location $tmp_location
 
 if [ -n "$BEARER_WORKSPACE" ]; then
   cd $BEARER_WORKSPACE
-  go run ./cmd/bearer/main.go scan $tmp_location \
+  BEARER_PYTHON_ENABLED=true go run ./cmd/bearer/main.go scan $tmp_location \
     --only-rule=$rule_id \
     --quiet \
     --disable-default-rules=true \
@@ -27,13 +27,20 @@ if [ -n "$BEARER_WORKSPACE" ]; then
     --exit-code=0 \
 
 else
-  docker run --platform linux/amd64 --rm -v /tmp/bearer-scan:/tmp/bearer-scan -v $rule_loc:/tmp/rules bearer/bearer:$BEARER_VERSION scan $tmp_location \
-    --only-rule=$rule_id \
-    --disable-default-rules=true \
-    --external-rule-dir=/tmp/rules \
-    --format=json \
-    --quiet \
-    --disable-version-check \
-    --exit-code=0 \
+  docker run \
+    --platform linux/amd64 \
+    --rm \
+    -v /tmp/bearer-scan:/tmp/bearer-scan \
+    -v $rule_loc:/tmp/rules \
+    -e BEARER_PYTHON_ENABLED=true \
+    bearer/bearer:$BEARER_VERSION \
+      scan $tmp_location \
+      --only-rule=$rule_id \
+      --disable-default-rules=true \
+      --external-rule-dir=/tmp/rules \
+      --format=json \
+      --quiet \
+      --disable-version-check \
+      --exit-code=0 \
 
 fi