coderabbitai
diff --git a/‎rules/python/security/python-neo4j-hardcoded-secret-auth-python.yml
Lines changed: 104 additions & 0 deletions b/‎rules/python/security/python-neo4j-hardcoded-secret-auth-python.yml
Lines changed: 104 additions & 0 deletions
@@ -0,0 +1,104 @@
+id: python-neo4j-hardcoded-secret-auth-python
+language: python
+severity: warning
+message: >-
+  A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).
+note: >-
+  [CWE-798]: Use of Hard-coded Credentials
+  [A07:2021]: Identification and Authentication Failures
+  [REFERENCES]
+    - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+
+rule:
+  kind: call
+  any:
+    - all:
+        - has:
+            nthChild: 1
+            kind: identifier
+            value: function
+            any:
+              - regex: ^(kerberos_auth|bearer_auth)$
+              - pattern: $ALIAS1
+                inside:
+                  stopBy: end
+                  follows:
+                    stopBy: end
+                    kind: import_from_statement
+                    all:
+                      - has:
+                          kind: dotted_name
+                          field: module_name
+                          regex: ^neo4j$
+                      - has:
+                          kind: aliased_import
+                          all:
+                            - has:
+                                kind: dotted_name
+                                field: name
+                                regex: ^(kerberos_auth|bearer_auth)$
+                            - has:
+                                kind: identifier
+                                field: alias
+                                pattern: $ALIAS1
+        - has:
+            kind: argument_list
+            nthChild: 2
+            has:
+              kind: string
+              nthChild: 1
+              all:
+                - has:
+                    kind: string_start
+                    nthChild: 1
+                - has:
+                    kind: string_content
+                    nthChild: 2
+                - has:
+                    kind: string_end
+                    nthChild: 3
+    - all:
+        - has:
+            nthChild: 1
+            kind: identifier
+            value: function
+            any:
+              - regex: ^(custom_auth|basic_auth)$
+              - pattern: $ALIAS2
+                inside:
+                  stopBy: end
+                  follows:
+                    stopBy: end
+                    kind: import_from_statement
+                    all:
+                      - has:
+                          kind: dotted_name
+                          field: module_name
+                          regex: ^neo4j$
+                      - has:
+                          kind: aliased_import
+                          all:
+                            - has:
+                                kind: dotted_name
+                                field: name
+                                regex: ^(custom_auth|basic_auth)$
+                            - has:
+                                kind: identifier
+                                field: alias
+                                pattern: $ALIAS2
+        - has:
+            kind: argument_list
+            nthChild: 2
+            has:
+              kind: string
+              nthChild: 2
+              all:
+                - has:
+                    kind: string_start
+                    nthChild: 1
+                - has:
+                    kind: string_content
+                    nthChild: 2
+                - has:
+                    kind: string_end
+                    nthChild: 3