python.boto3.security.hardcoded-token.hardcoded-token
Verified by r2c
Community Favorite
Download count: 99,223
A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
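The remediation the message recommends, worked through as an added example (this is not code from the Semgrep page or from the boto3 project): resolve the three boto3 keyword arguments from the process environment first, then from a JSON secret fetched at runtime, so that no string literal ever reaches the call the rule inspects. FAKE_VAULT, fake_fetch_secret and the secret names are constructed stand-ins for a call such as Secrets Manager's get_secret_value(), the key values are the AWS documentation example pair rather than live credentials, and the shape checks on the access key id are an added sanity check that boto3 itself does not require.

```python
"""Supplying boto3 credentials without a literal in source.

Added example; not code from the Semgrep page or the boto3 project.
Precedence: process environment first, then a JSON secret fetched from a
vault at runtime. The vault call is injected so this runs offline; FAKE_VAULT
and fake_fetch_secret are constructed stand-ins returning the SecretString
shape that Secrets Manager's get_secret_value() returns, and the secret
names are hypothetical.
"""
import json
import re
from typing import Callable, Mapping, Optional

# Variable names boto3's default provider chain already reads on its own.
ENV_NAMES = {
    "aws_access_key_id": "AWS_ACCESS_KEY_ID",
    "aws_secret_access_key": "AWS_SECRET_ACCESS_KEY",
    "aws_session_token": "AWS_SESSION_TOKEN",
}
# Common shape of an access key id: AKIA (long-term) or ASIA (temporary, STS).
ACCESS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")


class CredentialError(RuntimeError):
    """Raised when no usable credential can be resolved."""


def credentials_from_env(env: Mapping[str, str]) -> Optional[dict]:
    """Map the standard variables to boto3 keyword args; None if no key id is set."""
    key_id = env.get("AWS_ACCESS_KEY_ID")
    if not key_id:
        return None
    secret = env.get("AWS_SECRET_ACCESS_KEY")
    if not secret:
        raise CredentialError("AWS_ACCESS_KEY_ID is set but AWS_SECRET_ACCESS_KEY is not")
    creds = {"aws_access_key_id": key_id, "aws_secret_access_key": secret}
    if env.get("AWS_SESSION_TOKEN"):
        creds["aws_session_token"] = env["AWS_SESSION_TOKEN"]
    return creds


def credentials_from_secret(secret_string: str) -> dict:
    """Parse a JSON SecretString holding the same keys boto3 accepts."""
    try:
        payload = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise CredentialError("secret payload is not JSON") from exc
    missing = [k for k in ("aws_access_key_id", "aws_secret_access_key") if not payload.get(k)]
    if missing:
        raise CredentialError(f"secret payload is missing {missing}")
    return {k: payload[k] for k in ENV_NAMES if payload.get(k)}


def validate(creds: dict) -> dict:
    """Shape checks that catch swapped, truncated or incomplete values early."""
    key_id = creds["aws_access_key_id"]
    if not ACCESS_KEY_ID_RE.match(key_id):
        raise CredentialError("access key id does not look like a 20-char AKIA.../ASIA... id")
    if key_id.startswith("ASIA") and not creds.get("aws_session_token"):
        raise CredentialError("temporary (ASIA) key id requires aws_session_token")
    return creds


def resolve_credentials(env: Mapping[str, str],
                        fetch_secret: Callable[[str], str],
                        secret_id: str) -> dict:
    """Environment first, then the vault; never a literal from this file."""
    creds = credentials_from_env(env)
    if creds is None:
        creds = credentials_from_secret(fetch_secret(secret_id))
    return validate(creds)


def make_client(service: str, creds: dict):
    """Build a boto3 client from the resolved kwargs (lazy import: the rest runs without boto3)."""
    import boto3
    return boto3.client(service, **creds)


# Constructed stand-in for a vault; the key pair is the AWS documentation example, not live.
FAKE_VAULT = {
    "prod/s3-writer": json.dumps({
        "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
        "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    }),
    "ci/session": json.dumps({
        "aws_access_key_id": "ASIAIOSFODNN7EXAMPLE",
        "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "aws_session_token": "FwoGZXIvYXdzEXAMPLE",
    }),
    "ci/session-missing-token": json.dumps({
        "aws_access_key_id": "ASIAIOSFODNN7EXAMPLE",
        "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    }),
}


def fake_fetch_secret(secret_id: str) -> str:
    """Stand-in for secretsmanager.get_secret_value(SecretId=...)["SecretString"]."""
    try:
        return FAKE_VAULT[secret_id]
    except KeyError as exc:
        raise CredentialError(f"no secret named {secret_id!r}") from exc


if __name__ == "__main__":
    import os
    creds = resolve_credentials(os.environ, fake_fetch_secret, "prod/s3-writer")
    print("resolved key id", creds["aws_access_key_id"][:4] + "...")
```

On EC2, ECS or Lambda the simplest form is stronger still: call boto3.client("s3") with no credential arguments and let the default provider chain pick up the attached role, which also never trips this rule. Environment variables remain readable by anything that can inspect the process, so of the two paths shown, a vault handing out short-lived ASIA credentials with a session token is the one to prefer.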
Definition
rules:
- id: hardcoded-token
  message: A hard-coded credential was detected. It is not recommended to store
    credentials in source-code, as this risks secrets being leaked and used by
    either an internal or external malicious adversary. It is recommended to
    use environment variables to securely provide credentials or retrieve
    credentials from a secure vault or HSM (Hardware Security Module).
  metadata:
    cwe:
    - "CWE-798: Use of Hard-coded Credentials"
    references:
    - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
    - https://bento.dev/checks/boto3/hardcoded-access-token/
    - https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/
    owasp:
    - A07:2021 - Identification and Authentication Failures
    category: security
    technology:
    - boto3
    - secrets
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - vuln
    likelihood: HIGH
    impact: MEDIUM
    confidence: MEDIUM
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
  languages:
  - python
  severity: WARNING
  mode: taint
  pattern-sources:
  - pattern: |
      "..."
  pattern-sinks:
  - patterns:
    - pattern-either:
      - pattern: $W(...,$TOKEN="$VALUE",...)
      - pattern: $BOTO. ... .$W(...,$TOKEN="$VALUE",...)
    - metavariable-regex:
        metavariable: $TOKEN
        regex: (aws_session_token|aws_access_key_id|aws_secret_access_key)
    - metavariable-pattern:
        language: generic
        metavariable: $VALUE
        patterns:
        - pattern-either:
          - pattern-regex: ^AKI
          - pattern-regex: ^[A-Za-z0-9/+=]+$
        - metavariable-analysis:
            metavariable: $VALUE
            analyzer: entropy
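To show how the pieces of the definition combine, here is a small line-oriented scanner that re-implements the rule's checks in plain Python. It is an added example, not the Semgrep engine and not part of the rule: it applies the keyword-name regex from the $TOKEN metavariable-regex, the two value-shape regexes, an entropy gate, and the taint step that carries a string literal through a simple assignment into the call. Semgrep's entropy analyzer is its own model rather than plain Shannon entropy, so the 3.0-bit threshold is an assumption chosen for this example; it separates the placeholder strings used on this page from key-shaped values, but the page's partially masked fixtures such as "AKIAxxxxxxxxxxxxxxxx" score low under Shannon entropy even though Semgrep reports them. The sample source is constructed and uses the AWS documentation example key pair, not a live credential.

```python
"""Line-oriented re-implementation of the hardcoded-token rule's checks.

Added example; this is not the Semgrep engine and not part of the rule.
It mirrors the rule's structure: keyword-name regex, the two value-shape
regexes, an entropy gate, and taint from a string literal through a plain
assignment into the call. The 3.0-bit Shannon threshold is an assumption;
Semgrep's entropy analyzer uses its own model.
"""
import math
import re
from collections import Counter

# Keyword arguments the rule treats as sinks, with a literal or a bare name as value.
KWARG_RE = re.compile(
    r"(aws_session_token|aws_access_key_id|aws_secret_access_key)"
    r"\s*=(?!=)\s*(\"[^\"]*\"|'[^']*'|[A-Za-z_]\w*)"
)
# The rule's two admissible value shapes.
AKI_PREFIX_RE = re.compile(r"^AKI")
BASE64ISH_RE = re.compile(r"^[A-Za-z0-9/+=]+$")
# name = <rhs>; a string-literal rhs makes `name` a tainted source.
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=(?!=)\s*(.*?)\s*$")
STRING_LITERAL_RE = re.compile(r"""^"[^"]*"$|^'[^']*'$""")
ENTROPY_THRESHOLD_BITS = 3.0  # assumption, see module docstring


def shannon_entropy(value: str) -> float:
    """Bits per character; 0.0 for a single repeated character."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def looks_like_secret(value: str, threshold: float = ENTROPY_THRESHOLD_BITS) -> bool:
    """Shape check (either regex) AND entropy gate, as in the rule's metavariable-pattern."""
    shaped = bool(AKI_PREFIX_RE.match(value) or BASE64ISH_RE.match(value))
    return shaped and shannon_entropy(value) >= threshold


def scan(source: str) -> list:
    """Return (line, keyword, value) for each credential-looking literal reaching a sink."""
    literals = {}   # variable name -> string literal it was last assigned
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            name, rhs = m.groups()
            if STRING_LITERAL_RE.match(rhs):
                literals[name] = rhs[1:-1]
            else:
                literals.pop(name, None)  # e.g. os.environ.get(...) is not a literal source
        for m in KWARG_RE.finditer(line):
            keyword, rhs = m.groups()
            if rhs[0] in "\"'":
                value = rhs[1:-1]        # literal passed directly
            elif rhs in literals:
                value = literals[rhs]    # literal that flowed through a variable
            else:
                continue                 # env lookup, call result, unknown name
            if looks_like_secret(value):
                findings.append((lineno, keyword, value))
    return findings


# Constructed sample; the key pair is the AWS documentation example, not a live credential.
SAMPLE_SOURCE = """\
import os
import boto3

# key pair below is the AWS documentation example, not a live credential
client = boto3.client("s3", aws_access_key_id="AKIAIOSFODNN7EXAMPLE")
bad_secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.resource("s3", aws_access_key_id=os.environ.get("ACCESS_KEY_ID"), aws_secret_access_key=bad_secret)
ok = boto3.resource("s3", aws_access_key_id="<your token here>", aws_secret_access_key="----------------")
placeholder = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
also_ok = boto3.resource("s3", aws_secret_access_key=placeholder, aws_session_token=os.environ["AWS_SESSION_TOKEN"])
"""

if __name__ == "__main__":
    for lineno, keyword, value in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {keyword} = {value[:4]}... ({shannon_entropy(value):.2f} bits)")
```

Running it reports lines 5 and 7 of the sample and nothing else: the angle-bracket and dash placeholders fail both shape regexes, the run of x's passes the shape regex but has zero entropy, and the values coming from os.environ never enter the literal table. Semgrep does the same on the AST rather than on lines, so it also follows literals across multi-line calls and through other assignments that this regex scanner would miss.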
Examples
hardcoded-token.py
# Semgrep test fixture: "ruleid" marks a line the rule must report, "ok" one it must not.
import os
import boto3
from boto3 import client
# ruleid:hardcoded-token
client("s3", aws_secret_access_key="jWnyxxxxxxxxxxxxxxxxX7ZQxxxxxxxxxxxxxxxx")
# ruleid:hardcoded-token
boto3.session.Session(aws_secret_access_key="jWnyxxxxxxxxxxxxxxxxX7ZQxxxxxxxxxxxxxxxx")
s = boto3.session
# ruleid:hardcoded-token
s.Session(aws_access_key_id="AKIAxxxxxxxxxxxxxxxx")
uhoh_key = "AKIAxxxxxxxxxxxxxxxx"
ok_secret = os.environ.get("SECRET_ACCESS_KEY")
# ruleid:hardcoded-token
s3 = boto3.resource(
"s3",
aws_access_key_id=uhoh_key,
aws_secret_access_key=ok_secret,
region_name="sfo2",
endpoint_url="https://sfo2.digitaloceanspaces.com",
)
ok_key = os.environ.get("ACCESS_KEY_ID")
uhoh_secret = "jWnyxxxxxxxxxxxxxxxxX7ZQxxxxxxxxxxxxxxxx"
# ruleid:hardcoded-token
s3 = boto3.resource(
"s3",
aws_access_key_id=ok_key,
aws_secret_access_key=uhoh_secret,
region_name="sfo2",
endpoint_url="https://sfo2.digitaloceanspaces.com",
)
ok_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"  # matches the value regex but fails the entropy check
# ok:hardcoded-token
s3 = boto3.resource(
"s3",
aws_access_key_id=ok_key,
aws_secret_access_key=ok_secret,
region_name="sfo2",
endpoint_url="https://sfo2.digitaloceanspaces.com",
)
ok_token = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"  # same: placeholder with no entropy
# ok:hardcoded-token
s3 = boto3.resource(
"s3",
aws_access_key_id=ok_key,
aws_secret_access_key=ok_secret,
aws_session_token=ok_token,
region_name="sfo2",
endpoint_url="https://sfo2.digitaloceanspaces.com",
)
# ok:hardcoded-token
s3 = client("s3", aws_access_key_id="this-is-not-a-key")  # "-" is outside the value regex's character class
# ok:hardcoded-token
s3 = boto3.resource(
"s3",
aws_access_key_id="XXXXXXXX",  # matches the value regex, fails the entropy check
aws_secret_access_key="----------------",  # fails the value regex
region_name="us-east-1",
)
# ok:hardcoded-token
s3 = boto3.resource(
"s3",
aws_access_key_id="<your token here>",  # "<", ">" and spaces fail the value regex
aws_secret_access_key="<your secret here>",
region_name="us-east-1",
)
# ok:hardcoded-token
key = os.environ.get("ACCESS_KEY_ID")
secret = os.environ.get("SECRET_ACCESS_KEY")
s3 = boto3.resource(
"s3",
aws_access_key_id=key,
aws_secret_access_key=secret,
region_name="sfo2",
endpoint_url="https://sfo2.digitaloceanspaces.com",
)
Short Link: https://sg.run/LwQ6