From b53244db40a78efa5fbde3a71582bfa90838431f Mon Sep 17 00:00:00 2001
From: elsapet
Date: Fri, 31 May 2024 12:29:10 +0200
Subject: [PATCH 1/2] feat(python): add airbrake third parties rule
---
 rules/python/third_parties/airbrake.yml | 67 +++++++++++++++++++
 tests/python/third_parties/airbrake/test.js | 20 ++++++
 .../third_parties/airbrake/testdata/main.py | 12 ++++
 3 files changed, 99 insertions(+)
 create mode 100644 rules/python/third_parties/airbrake.yml
 create mode 100644 tests/python/third_parties/airbrake/test.js
 create mode 100644 tests/python/third_parties/airbrake/testdata/main.py
diff --git a/rules/python/third_parties/airbrake.yml b/rules/python/third_parties/airbrake.yml
new file mode 100644
index 00000000..95e27467
--- /dev/null
+++ b/rules/python/third_parties/airbrake.yml
@@ -0,0 +1,67 @@
+imports:
+ - python_shared_lang_datatype
+ - python_shared_lang_import1
+patterns:
+ - pattern: $.$($<...>$$<...>)
+ filters:
+ - variable: NOTIFIER
+ detection: python_third_parties_airbrake_notifier
+ scope: cursor
+ - variable: METHOD
+ values:
+ - notify
+ - notify_sync
+ - variable: DATA_TYPE
+ detection: python_shared_lang_datatype
+ scope: result
+ - pattern: $[$<...>][$<...>] = $<...>$$<...>
+ filters:
+ - variable: NOTICE
+ detection: python_third_parties_airbrake_build_notice
+ scope: cursor
+ - variable: DATA_TYPE
+ detection: python_shared_lang_datatype
+ scope: result
+auxiliary:
+ - id: python_third_parties_airbrake_notifier
+ patterns:
+ - pattern: $($<...>)
+ filters:
+ - variable: NOTIFIER
+ detection: python_shared_lang_import1
+ scope: cursor
+ filters:
+ - variable: MODULE1
+ values: [pybrake]
+ - variable: NAME
+ values: [Notifier]
+ - id: python_third_parties_airbrake_build_notice
+ patterns:
+ - pattern: $.build_notice($<...>)
+ filters:
+ - variable: NOTIFIER
+ detection: python_third_parties_airbrake_notifier
+ scope: cursor
+languages:
+ - python
+severity: medium
+skip_data_types:
+ - Unique Identifier
+metadata:
+ description: Leakage of sensitive data to Airbrake
+ remediation_message: |
+ ## Description
+
+ Leaking sensitive data to third-party loggers like Airbrake is a common cause of data leaks and can lead to data breaches.
+
+ ## Remediations
+
+ - **Do** ensure all sensitive data is removed when logging errors or events to Airbrake
+
+ ## References
+ - [Airbrake Docs](https://docs.airbrake.io/docs/platforms/python/)
+ cwe_id:
+ - 201
+ associated_recipe: Airbrake
+ id: python_third_parties_airbrake
+ documentation_url: https://docs.bearer.com/reference/rules/python_third_parties_airbrake
diff --git a/tests/python/third_parties/airbrake/test.js b/tests/python/third_parties/airbrake/test.js
new file mode 100644
index 00000000..7a2ee373
--- /dev/null
+++ b/tests/python/third_parties/airbrake/test.js
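Review bot: The notice write pattern `- pattern: $[$<...>][$<...>] = $<...>$$<...>` only matches an assignment through exactly two subscripts, so a write through a single subscript (e.g. `notice['context'] = user.email`, if pybrake notices accept top-level keys that way) or via `notice['params'].update(...)` would presumably not be flagged. If the data-flow engine does not already cover those shapes, a one-subscript variant `- pattern: $[$<...>] = $<...>$$<...>` with the same NOTICE and DATA_TYPE filters would close the gap. Separately, `skip_data_types:` lists `Unique Identifier` with no explanation; a comment such as `# identifiers alone are not treated as leakage when sent to Airbrake` would tell the next maintainer why a value like `user.uuid` is accepted by this rule.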
@@ -0,0 +1,20 @@
+const {
+ createNewInvoker,
+ getEnvironment,
+} = require("../../../helper.js")
+const { ruleId, ruleFile, testBase } = getEnvironment(__dirname)
+
+describe(ruleId, () => {
+ const invoke = createNewInvoker(ruleId, ruleFile, testBase)
+
+ test("airbrake", () => {
+ const testCase = "main.py"
+
+ const results = invoke(testCase)
+
+ expect(results).toEqual({
+ Missing: [],
+ Extra: []
+ })
+ })
+})
\ No newline at end of file
diff --git a/tests/python/third_parties/airbrake/testdata/main.py b/tests/python/third_parties/airbrake/testdata/main.py
new file mode 100644
index 00000000..72457e55
--- /dev/null
+++ b/tests/python/third_parties/airbrake/testdata/main.py
@@ -0,0 +1,12 @@
+import pybrake
+
+notifier = pybrake.Notifier()
+
+# bearer:expected python_third_parties_airbrake
+notifier.notify(user.email)
+# bearer:expected python_third_parties_airbrake
+notice = notifier.notify_sync(user.email)
+
+notice = notifier.build_notice()
+# bearer:expected python_third_parties_airbrake
+notice['params']['my_param'] = user.email
From 3e4afc47f54a0760bb8978be03db37168bd51939 Mon Sep 17 00:00:00 2001
From: elsapet
Date: Mon, 3 Jun 2024 12:25:22 +0200
Subject: [PATCH 2/2] fix: add safe case
---
 tests/python/third_parties/airbrake/testdata/main.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/tests/python/third_parties/airbrake/testdata/main.py b/tests/python/third_parties/airbrake/testdata/main.py
index 72457e55..f7816a38 100644
--- a/tests/python/third_parties/airbrake/testdata/main.py
+++ b/tests/python/third_parties/airbrake/testdata/main.py
@@ -10,3 +10,7 @@
 notice = notifier.build_notice()
 # bearer:expected python_third_parties_airbrake
 notice['params']['my_param'] = user.email
+
+# ok
+notice['params']['my_param'] = user.uuid
+notice['params']['my_param'] = "some safe param"
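Review bot: test.js is committed without a terminating newline (`\ No newline at end of file` after the closing `})`), which will produce a spurious one-line change the first time any editor saves the file; add the final newline. The assertion itself only checks that `Missing` and `Extra` are both empty, so the test's coverage is entirely determined by the `# bearer:expected` annotations in the testdata, which is worth noting in a short comment above `expect(results)` for readers unfamiliar with the harness.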
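Review bot: The fixture only exercises the `import pybrake` / `pybrake.Notifier()` spelling, so the `from pybrake import Notifier` form that the `python_shared_lang_import1` detection is presumably meant to resolve is never checked, and no `notify` call with a non-sensitive argument is present to prove the DATA_TYPE filter is doing work. Adding `from pybrake import Notifier` with a flagged `Notifier().notify(user.email)` and an unflagged `notifier.notify(Exception("boom"))` (constructed examples) would make a regression in either the import resolution or the data-type filter show up as a Missing or Extra result.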
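Review bot: The two lines under `# ok` are safe for different reasons, and the comment does not say which: `user.uuid` is accepted only because the rule lists `Unique Identifier` under `skip_data_types`, while `"some safe param"` is accepted because no data type is detected at all. A reader changing the rule's skip list would not know this fixture depends on it; splitting the marker into `# ok: Unique Identifier is in the rule's skip_data_types` and `# ok: string literal, no data type detected` makes the dependency explicit.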