trailofbits.yaml.ansible.rpm-key-unencrypted-url.rpm-key-unencrypted-url

profile photo of trailofbitstrailofbits
Author
unknown
Download Count*
CC BY-NC-SA 4.0
License

Found RPM key download with unencrypted URL (e.g. HTTP, FTP, etc.)

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: rpm-key-unencrypted-url
    message: Found RPM key download with unencrypted URL (e.g. HTTP, FTP, etc.)
    languages:
      - yaml
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-319: Cleartext Transmission of Sensitive Information"
      subcategory:
        - audit
      technology:
        - ansible
        - rpm
      confidence: HIGH
      likelihood: HIGH
      impact: HIGH
      references:
        - https://docs.ansible.com/ansible/latest/collections/ansible/builtin/rpm_key_module.html#parameter-key
      license: AGPL-3.0 license
      vulnerability_class:
        - Mishandled Sensitive Information
    patterns:
      - pattern-inside: |
          $RPMKEY:
            ...
      - metavariable-pattern:
          metavariable: $RPMKEY
          pattern-either:
            - pattern: rpm_key
            - pattern: ansible.builtin.rpm_key
      - pattern: "$KEY: '$VALUE'"
      - metavariable-pattern:
          metavariable: $KEY
          pattern-either:
            - pattern: key
      - metavariable-regex:
          metavariable: $VALUE
          regex: (?i)^(http|ftp)://.*

Examples

rpm-key-unencrypted-url.test.yaml

---
- name: Semgrep tests
  hosts: all
  tasks:
    - name: Positive test
      ansible.builtin.rpm_key:
        state: present
        # ruleid: rpm-key-unencrypted-url
        key: http://example.com/RPM-GPG-KEY.dag.txt
    - name: Negative test (rpm-key-unencrypted-url and rpm-key-validate-certs-disabled)
      ansible.builtin.rpm_key:
        state: present
        # ok: rpm-key-unencrypted-url
        key: https://example.com/RPM-GPG-KEY.dag.txt