python.boto3.security.hardcoded-token.hardcoded-token

Verified by r2c
Community Favorite
Author: semgrep

A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).

Definition

rules:
  - id: hardcoded-token
    message: A hard-coded credential was detected. It is not recommended to store
      credentials in source-code, as this risks secrets being leaked and used by
      either an internal or external malicious adversary. It is recommended to
      use environment variables to securely provide credentials or retrieve
      credentials from a secure vault or HSM (Hardware Security Module).
    metadata:
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
        - https://bento.dev/checks/boto3/hardcoded-access-token/
        - https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/
      owasp:
        - A07:2021 - Identification and Authentication Failures
      category: security
      technology:
        - boto3
        - secrets
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Hard-coded Secrets
    languages:
      - python
    severity: WARNING
    mode: taint
    pattern-sources:
      - pattern: |
          "..."
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: $W(...,$TOKEN="$VALUE",...)
              - pattern: $BOTO. ... .$W(...,$TOKEN="$VALUE",...)
          - metavariable-regex:
              metavariable: $TOKEN
              regex: (aws_session_token|aws_access_key_id|aws_secret_access_key)
          - metavariable-pattern:
              language: generic
              metavariable: $VALUE
              patterns:
                - pattern-either:
                    - pattern-regex: ^AKI
                    - pattern-regex: ^[A-Za-z0-9/+=]+$
          - metavariable-analysis:
              metavariable: $VALUE
              analyzer: entropy
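To show how the pieces of the taint rule above fit together (string-literal sources, keyword-argument sinks filtered by the metavariable-regex on $TOKEN, the two key-shape regexes on $VALUE, and an entropy check), here is an added Python illustration that is not semgrep's code: a small ast-based scanner with the same logic, run over a constructed input modelled on the rule's test file. The Shannon-entropy threshold is an assumption standing in for semgrep's own entropy analyzer, whose scoring differs.

```python
import ast
import math
import re

# Constructed input modelled on the rule's own test file (not the page's file itself).
SAMPLE = '''
import os, boto3
boto3.client("s3", aws_secret_access_key="jWnyxxxxxxxxxxxxxxxxX7ZQxxxxxxxxxxxxxxxx")
uhoh_key = "AKIAxxxxxxxxxxxxxxxx"
ok_secret = os.environ.get("SECRET_ACCESS_KEY")
boto3.resource("s3", aws_access_key_id=uhoh_key, aws_secret_access_key=ok_secret)
boto3.resource("s3", aws_access_key_id="XXXXXXXX", aws_secret_access_key="<your secret here>")
boto3.client("s3", aws_access_key_id="this-is-not-a-key")
'''

TOKEN_KWARGS = re.compile(r"^(aws_session_token|aws_access_key_id|aws_secret_access_key)$")  # metavariable-regex on $TOKEN
KEY_SHAPE = re.compile(r"^AKI|^[A-Za-z0-9/+=]+$")  # the rule's two pattern-regex branches on $VALUE


def shannon_entropy(s):
    """Bits per character; assumed stand-in for semgrep's analyzer. Placeholders like 'XXXXXXXX' score 0."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def find_hardcoded_tokens(source, min_entropy=0.5):
    """Return (line, keyword) for each sink whose value is a key-shaped, non-trivial string constant."""
    tree = ast.parse(source)
    consts = {  # single-step taint propagation: module-level `name = "literal"` bindings
        n.targets[0].id: n.value.value for n in tree.body
        if isinstance(n, ast.Assign) and len(n.targets) == 1
        and isinstance(n.targets[0], ast.Name)
        and isinstance(n.value, ast.Constant) and isinstance(n.value.value, str)
    }
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:  # sink: $W(..., $TOKEN="$VALUE", ...)
            if kw.arg is None or not TOKEN_KWARGS.match(kw.arg):
                continue
            if isinstance(kw.value, ast.Constant) and isinstance(kw.value.value, str):
                value = kw.value.value
            elif isinstance(kw.value, ast.Name) and kw.value.id in consts:
                value = consts[kw.value.id]
            else:
                continue  # e.g. os.environ.get(...): no string literal reaches the sink
            if KEY_SHAPE.match(value) and shannon_entropy(value) >= min_entropy:
                findings.append((node.lineno, kw.arg))
    return findings
```

Running `find_hardcoded_tokens(SAMPLE)` reports the inline secret on line 3 and the `uhoh_key` literal that reaches line 6, while the environment variable, the placeholders and the non-key-shaped string are left alone.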

Examples

hardcoded-token.py

# Semgrep test fixture: `# ruleid:` marks lines the rule must flag, `# ok:` lines it must not.
import os  # needed for the os.environ.get(...) calls below

import boto3
from boto3 import client

# ruleid:hardcoded-token
client("s3", aws_secret_access_key="jWnyxxxxxxxxxxxxxxxxX7ZQxxxxxxxxxxxxxxxx")

# ruleid:hardcoded-token
boto3.session.Session(aws_secret_access_key="jWnyxxxxxxxxxxxxxxxxX7ZQxxxxxxxxxxxxxxxx")  # boto3's module is boto3.session

s = boto3.session
# ruleid:hardcoded-token
s.Session(aws_access_key_id="AKIAxxxxxxxxxxxxxxxx")

uhoh_key = "AKIAxxxxxxxxxxxxxxxx"
ok_secret = os.environ.get("SECRET_ACCESS_KEY")
# ruleid:hardcoded-token
s3 = boto3.resource(
    "s3",
    aws_access_key_id=uhoh_key,
    aws_secret_access_key=ok_secret,
    region_name="sfo2",
    endpoint_url="https://sfo2.digitaloceanspaces.com",
)

ok_key = os.environ.get("ACCESS_KEY_ID")

uhoh_secret = "jWnyxxxxxxxxxxxxxxxxX7ZQxxxxxxxxxxxxxxxx"
# ruleid:hardcoded-token
s3 = boto3.resource(
    "s3",
    aws_access_key_id=ok_key,
    aws_secret_access_key=uhoh_secret,
    region_name="sfo2",
    endpoint_url="https://sfo2.digitaloceanspaces.com",
)

ok_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# ok:hardcoded-token
s3 = boto3.resource(
    "s3",
    aws_access_key_id=ok_key,
    aws_secret_access_key=ok_secret,
    region_name="sfo2",
    endpoint_url="https://sfo2.digitaloceanspaces.com",
)

ok_token = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# ok:hardcoded-token
s3 = boto3.resource(
    "s3",
    aws_access_key_id=ok_key,
    aws_secret_access_key=ok_secret,
    aws_session_token=ok_token,
    region_name="sfo2",
    endpoint_url="https://sfo2.digitaloceanspaces.com",
)

# ok:hardcoded-token
s3 = client("s3", aws_access_key_id="this-is-not-a-key")

# ok:hardcoded-token
s3 = boto3.resource(
    "s3",
    aws_access_key_id="XXXXXXXX",
    aws_secret_access_key="----------------",
    region_name="us-east-1",
)

# ok:hardcoded-token
s3 = boto3.resource(
    "s3",
    aws_access_key_id="<your token here>",
    aws_secret_access_key="<your secret here>",
    region_name="us-east-1",
)

# ok:hardcoded-token
key = os.environ.get("ACCESS_KEY_ID")
secret = os.environ.get("SECRET_ACCESS_KEY")
s3 = boto3.resource(
    "s3",
    aws_access_key_id=key,
    aws_secret_access_key=secret,
    region_name="sfo2",
    endpoint_url="https://sfo2.digitaloceanspaces.com",
)