ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase
semgrepAuthor
unknown
Download Count*
License
Found the use of an hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file.
Run Locally
Run in CI
Defintion
rules:
- id: hardcoded-secret-rsa-passphrase
message: Found the use of an hardcoded passphrase for RSA. The passphrase can be
easily discovered, and therefore should not be stored in source-code. It
is recommended to remove the passphrase from source-code, and use system
environment variables or a restricted configuration file.
languages:
- ruby
severity: WARNING
metadata:
technology:
- ruby
- secrets
category: security
references:
- https://cwe.mitre.org/data/definitions/522.html
cwe:
- "CWE-798: Use of Hard-coded Credentials"
owasp:
- A07:2021 - Identification and Authentication Failures
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Hard-coded Secrets
patterns:
- pattern-either:
- pattern: OpenSSL::PKey::RSA.new(..., '...')
- pattern: OpenSSL::PKey::RSA.new(...).to_pem(..., '...')
- pattern: OpenSSL::PKey::RSA.new(...).export(..., '...')
- patterns:
- pattern-inside: |
$OPENSSL = OpenSSL::PKey::RSA.new(...)
...
- pattern-either:
- pattern: |
$OPENSSL.export(...,'...')
- pattern: |
$OPENSSL.to_pem(...,'...')
- patterns:
- pattern-either:
- patterns:
- pattern-inside: |
$ASSIGN = '...'
...
- pattern: OpenSSL::PKey::RSA.new(..., $ASSIGN)
- patterns:
- pattern-inside: |
def $METHOD1(...)
...
$ASSIGN = '...'
...
end
...
def $METHOD2(...)
...
end
- pattern: OpenSSL::PKey::RSA.new(..., $ASSIGN)
- patterns:
- pattern-inside: |
$ASSIGN = '...'
...
def $METHOD(...)
$OPENSSL = OpenSSL::PKey::RSA.new(...)
...
end
...
- pattern-either:
- pattern: $OPENSSL.export(...,$ASSIGN)
- pattern: $OPENSSL.to_pem(...,$ASSIGN)
- patterns:
- pattern-inside: |
def $METHOD1(...)
...
$OPENSSL = OpenSSL::PKey::RSA.new(...)
...
$ASSIGN = '...'
...
end
...
- pattern-either:
- pattern: $OPENSSL.export(...,$ASSIGN)
- pattern: $OPENSSL.to_pem(...,$ASSIGN)
- patterns:
- pattern-inside: |
def $METHOD1(...)
...
$ASSIGN = '...'
...
end
...
def $METHOD2(...)
...
$OPENSSL = OpenSSL::PKey::RSA.new(...)
...
end
...
- pattern-either:
- pattern: $OPENSSL.export(...,$ASSIGN)
- pattern: $OPENSSL.to_pem(...,$ASSIGN)
Examples
hardcoded-secret-rsa-passphrase.rb
module Test
require 'openssl'
class Test
$pass = 'super secret'
def initialize(key = nil, iv = nil)
@pass1 = 'my secure pass phrase goes here'
@keypem = 'foo.pem'
#ruleid: hardcoded-secret-rsa-passphrase
OpenSSL::PKey::RSA.new(1024).to_pem(cipher, "secret")
bad
bad1
bad2
bad3
ok
end
def bad
key_pem = File.read @keypem
#ruleid: hardcoded-secret-rsa-passphrase
key = OpenSSL::PKey::RSA.new key_pem, $pass
end
def bad1
key_pem = File.read @keypem
#ruleid: hardcoded-secret-rsa-passphrase
key = OpenSSL::PKey::RSA.new key_pem, @pass1
$bad0 = 'secret'
end
def bad2
key_pem = File.read @keypem
#ruleid: hardcoded-secret-rsa-passphrase
key = OpenSSL::PKey::RSA.new key_pem, 'secret'
#ruleid: hardcoded-secret-rsa-passphrase
key = OpenSSL::PKey::RSA.new key_pem, $bad0
end
def bad3
ca_key = OpenSSL::PKey::RSA.new 2048
pass_phrase = 'my secure pass phrase goes here'
cipher = OpenSSL::Cipher.new 'AES-256-CBC'
#ruleid: hardcoded-secret-rsa-passphrase
ca_key.export(cipher, pass_phrase)
open 'tmp/ca_key.pem', 'w', 0644 do |io|
#ruleid: hardcoded-secret-rsa-passphrase
io.write ca_key.export(cipher, pass_phrase)
#ruleid: hardcoded-secret-rsa-passphrase
io.write ca_key.export(cipher, $pass)
#ruleid: hardcoded-secret-rsa-passphrase
io.write ca_key.export(cipher, @pass1)
end
end
def ok
key_pem = File.read @keypem
#ok: hardcoded-secret-rsa-passphrase
key = OpenSSL::PKey::RSA.new key_pem, ENV['SECRET']
end
end
end
Short Link: https://sg.run/xPEe