Rule: hard-coded credentials
It would be useful to have a linter rule that checked the most common places where some form of credentials are normally used, and make at least some effort to determine whether they are hard-coded in the policy. We can't easily track dynamic constructs in the AST, so if you do something silly like:
```rego
{
  "aws_secret_key": foo[_].baz[3]
}
```
We're not gonna follow that reference even if it points to a hard-coded value, but if you do:
```rego
{
  "aws_secret_key": "foobar"
}
```
or
```rego
secret := "foobar"

{
  "aws_secret_key": secret
}
```
We probably can.
Which places should we look at? A few I can think of would be the Authorization header of http.send requests, or the private key used in the JWT signing built-ins, the AWS signature built-in. There are probably some more — if you know of any, please let me know!
EOPA additionally provides many extra built-in functions that often require credentials (SQL, MongoDB, DynamoDB). These would not need to be accounted for here in a first implementation, but would be good to include later when we have a system to define capabilities.
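To make the proposed behaviour concrete, here is an added example (not Regal's code; a real rule would walk the Rego AST rather than regex over source text) that flags a credential-looking key when its value is a string literal or a reference to a top-level `name := "literal"` constant, and deliberately ignores dynamic references like `foo[_].baz[3]`. The key list and the sample policy are constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed list of object keys that commonly carry credentials.
SENSITIVE_KEYS = {"aws_secret_key", "authorization", "private_key"}

# Top-level constant of the form:  name := "literal"
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*:=\s*"([^"]*)"\s*$')
# "key": <value>, where value is a string literal or a (possibly indexed) reference
PAIR_RE = re.compile(r'"(?P<key>[^"]+)"\s*:\s*(?P<value>"[^"]*"|[A-Za-z_]\w*(?:[.\[][^,}\s]*)?)')

@dataclass
class Finding:
    line: int
    key: str
    how: str  # "literal" or "resolved via <constant name>"

def find_hardcoded_credentials(policy: str) -> list[Finding]:
    lines = policy.splitlines()
    # Pass 1: collect simple string constants so `secret` can be resolved later.
    constants = {m.group(1): m.group(2) for m in map(ASSIGN_RE.match, lines) if m}
    findings: list[Finding] = []
    for lineno, line in enumerate(lines, start=1):
        for m in PAIR_RE.finditer(line):
            key, value = m.group("key"), m.group("value")
            if key.lower() not in SENSITIVE_KEYS:
                continue
            if value.startswith('"'):
                findings.append(Finding(lineno, key, "literal"))
            elif value in constants:
                findings.append(Finding(lineno, key, f"resolved via {value}"))
            # Anything else (foo[_].baz[3], input.x, ...) is dynamic and is not followed.
    return findings

# Constructed sample policy covering the dynamic, literal and constant-reference cases.
SAMPLE_POLICY = """\
package example

secret := "foobar"

dyn := {
  "aws_secret_key": foo[_].baz[3]
}

lit := {
  "aws_secret_key": "foobar"
}

ref := {
  "aws_secret_key": secret
}

headers := {"Authorization": "Bearer abc123"}
"""

if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_POLICY):
        print(f"line {f.line}: hard-coded credential in {f.key!r} ({f.how})")
```

Running it reports lines 10, 14 and 17 of the sample and stays silent on the dynamic reference at line 6.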