clear-api-token

Ruleset: python-launchdarkly
Category: Security
Severity: Error
credentials

No CWE or CVE

Check if you hardcode credentials for connecting to LaunchDarkly

AST rule type: function call

function visit(node, filename, code) {
  // Skip test files (test_*.py or *_test.py): keys there are test fixtures
  if (filename.includes("_test.py") || filename.startsWith("test_")) {
    return;
  }
  // Exit if the analyzer did not provide arguments/context, or if the call has no argument
  if (!node.arguments || !node.context || !node.arguments.values || node.arguments.values.length === 0) {
    return;
  }
  // Only a bare Config(...) call is of interest, not a call on a module or object
  if (node.moduleOrObject) {
    return;
  }
  if (!node.functionName || node.functionName.value !== "Config") {
    return;
  }

  // Only report when Config was imported from ldclient.config
  const useConfigImport = node.context.imports.filter(i =>
    i.pkg && i.pkg.value === "ldclient.config" &&
    i.elements && i.elements.map(e => e.name.value).includes("Config")
  ).length > 0;
  if (!useConfigImport) {
    return;
  }

  // The first argument to Config() is the SDK key
  const firstArgument = node.arguments.values[0].value;
  if (!firstArgument || typeof firstArgument.value !== "string") {
    return;
  }

  // A string literal or f-string, in either quote style, means the key is hardcoded
  if (/^f?["']/.test(firstArgument.value)) {
    // build the error
    const error = buildError(firstArgument.start.line, firstArgument.start.col,
                             firstArgument.end.line, firstArgument.end.col,
                             "hardcoded credential", "CRITICAL", "SECURITY");

    // report the error (this rule does not propose an automatic fix)
    addError(error);
  }
}
  

Test file: hardcoded-credentials.py

Expected test result: has error

import ldclient
from ldclient.config import Config

ldclient.set_config(Config("YOUR_SDK_KEY"))
client = ldclient.get()
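The same check ported to Python's standard-library `ast`, so the rule's logic can be exercised outside Codiga; this is an added example, not the Codiga rule itself nor LaunchDarkly's code. It goes slightly beyond the rule above by following `import ... as` aliases and flagging single-quoted strings; the two sample sources are constructed, and the environment variable name LAUNCHDARKLY_SDK_KEY is an assumption.

```python
import ast

def find_hardcoded_ld_keys(source, filename="app.py"):
    """Return (line, col) of every bare Config(...) call whose first argument is a
    string literal or f-string, mirroring the Codiga rule above. Like that rule,
    test files are skipped and Config must come from ldclient.config; unlike it,
    'import ... as' aliases are followed."""
    if filename.startswith("test_") or filename.endswith("_test.py"):
        return []
    tree = ast.parse(source)
    # Local names under which Config from ldclient.config is visible
    config_names = {
        alias.asname or alias.name
        for n in ast.walk(tree)
        if isinstance(n, ast.ImportFrom) and n.module == "ldclient.config"
        for alias in n.names if alias.name == "Config"
    }
    if not config_names:
        return []
    hits = []
    for n in ast.walk(tree):
        # A bare call (not module.Config) to one of the imported names, with arguments
        if not (isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
                and n.func.id in config_names and n.args):
            continue
        first = n.args[0]
        is_literal = isinstance(first, ast.Constant) and isinstance(first.value, str)
        if is_literal or isinstance(first, ast.JoinedStr):
            hits.append((first.lineno, first.col_offset))
    return hits

# Constructed samples: the page's test file, and a version reading the key from
# the environment (variable name LAUNCHDARKLY_SDK_KEY is an assumption).
VULNERABLE = '''import ldclient
from ldclient.config import Config

ldclient.set_config(Config("YOUR_SDK_KEY"))
client = ldclient.get()
'''
SAFE = '''import os
import ldclient
from ldclient.config import Config

ldclient.set_config(Config(os.environ["LAUNCHDARKLY_SDK_KEY"]))
client = ldclient.get()
'''
```

Running `find_hardcoded_ld_keys(VULNERABLE)` reports the literal on line 4, while the environment-based variant produces no finding.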