From 0d783b9f2523c809a442721dd4b50c7f505b4358 Mon Sep 17 00:00:00 2001 From: Amidamaru Date: Sun, 12 Nov 2023 22:54:52 +0700 Subject: [PATCH 1/2] feat: add logger reveal secrets --- .grit/patterns/logger_cred_disclosure.md | 60 ++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 .grit/patterns/logger_cred_disclosure.md diff --git a/.grit/patterns/logger_cred_disclosure.md b/.grit/patterns/logger_cred_disclosure.md new file mode 100644 index 0000000..f858b25 --- /dev/null +++ b/.grit/patterns/logger_cred_disclosure.md @@ -0,0 +1,60 @@ +--- +title: Detected a python logger call with a potential hardcoded secret +--- + +This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information. + +```grit +engine marzano(0.1) +language python + +pattern logger_declaration() { + `$logger = logging.getLogger($logger_name)` +} + +pattern logger_function() { + or { + `debug`, + `info`, + `warn`, + `warning`, + `error`, + `exception`, + `critical`, + } +} + +pattern logger_call() { + $logger_func where { + $logger_func <: logger_function(), + $logger_func <: is_imported_from(source = `logging`), + } +} + +logger_statement($logger, $logger_func, $format_string, $sensitive_var) as $log_call where { + $log_call <: `$logger.$logger_func($format_string, $sensitive_var, ...)` => . where { + $logger <: logger_declaration(), + $logger_func <: logger_call(), + $format_string <: r"(?i).*(api.key|secret|credential|token|password).*%s.*", + $sensitive_var <: identifier() + } +} => `$logger.$logger_func($format_string.replace($sensitive_var, ""), ...)` +``` + +## Remove sensitive information from logger + +```python +def call_api(api_key): + try: + some_api_call(api_key) + except: + logger.error("api call using api key %s failed.", api_key) # exposed api key, remove it from the format string. +``` + +```python +def call_api(api_key): + try: + some_api_call(api_key) + except: + logger.error("api call using api key failed.") +``` From 39a690749c4439e245b4391da6d0be35dbc4e774 Mon Sep 17 00:00:00 2001 From: Amidamaru Date: Mon, 13 Nov 2023 14:22:49 +0700 Subject: [PATCH 2/2] fix: wip --- .grit/patterns/logger_cred_disclosure.md | 37 +++++++++++++----------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/.grit/patterns/logger_cred_disclosure.md b/.grit/patterns/logger_cred_disclosure.md index f858b25..6bae5b3 100644 --- a/.grit/patterns/logger_cred_disclosure.md +++ b/.grit/patterns/logger_cred_disclosure.md @@ -8,11 +8,7 @@ This may lead to secret credentials being exposed. Make sure that the logger is engine marzano(0.1) language python -pattern logger_declaration() { - `$logger = logging.getLogger($logger_name)` -} - -pattern logger_function() { +pattern logger_level_function() { or { `debug`, `info`, @@ -24,26 +20,33 @@ pattern logger_function() { } } -pattern logger_call() { - $logger_func where { - $logger_func <: logger_function(), - $logger_func <: is_imported_from(source = `logging`), - } +pattern logger_fn() { + `getLogger` } -logger_statement($logger, $logger_func, $format_string, $sensitive_var) as $log_call where { - $log_call <: `$logger.$logger_func($format_string, $sensitive_var, ...)` => . where { - $logger <: logger_declaration(), - $logger_func <: logger_call(), +logger_statement($format_string, $sensitive_var) as $log_call where { + $log_call <: after `$var = logging.$func($string)` => . where { + $func <: logger_fn(), + $func <: ensure_import_from(source = `logging`), + }, + $var.$log_level($format_string) where { + $log_level <: logger_level_function(), $format_string <: r"(?i).*(api.key|secret|credential|token|password).*%s.*", - $sensitive_var <: identifier() - } -} => `$logger.$logger_func($format_string.replace($sensitive_var, ""), ...)` + $sensitive_var <: identifier(), + }, +} => `$var.$log_level($format_string.replace($sensitive_var, ""))` ``` ## Remove sensitive information from logger ```python +import logging + +logger = logging.getLogger("some_app") + +def some_api_call(foo): + return + def call_api(api_key): try: some_api_call(api_key)