Create rule S6771: Postman tokens should not be disclosed (#3074)

You can preview this rule [here](https://sonarsource.github.io/rspec/#/rspec/S6771/secrets) (updated a few minutes after each push). ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) --------- Co-authored-by: sebastien-andrivet-sonarsource <[email protected]> Co-authored-by: sebastien-andrivet-sonarsource <[email protected]>
SonarSource · Sep 20, 2023 · 42b25db · 42b25db
1 parent 7fbb1cf
commit 42b25db
Show file tree

Hide file tree

Showing 3 changed files with 169 additions and 0 deletions.
diff --git a/rules/S6771/metadata.json b/rules/S6771/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S6771/secrets/metadata.json b/rules/S6771/secrets/metadata.json
@@ -0,0 +1,59 @@
+{
+    "title": "Postman tokens should not be disclosed",
+    "type": "VULNERABILITY",
+    "code": {
+      "impacts": {
+        "SECURITY": "HIGH"
+      },
+      "attribute": "TRUSTWORTHY"
+    },
+    "status": "ready",
+    "remediation": {
+      "func": "Constant\/Issue",
+      "constantCost": "30min"
+    },
+    "tags": [
+      "cwe",
+      "cert"
+    ],
+    "extra": {
+      "replacementRules": [
+
+      ]
+    },
+    "defaultSeverity": "Blocker",
+    "ruleSpecification": "RSPEC-6771",
+    "sqKey": "S6771",
+    "scope": "All",
+    "securityStandards": {
+      "CWE": [
+        798,
+        259
+      ],
+      "OWASP": [
+        "A3"
+      ],
+      "CERT": [
+        "MSC03-J."
+      ],
+      "OWASP Top 10 2021": [
+        "A7"
+      ],
+      "PCI DSS 3.2": [
+        "6.5.10"
+      ],
+      "PCI DSS 4.0": [
+        "6.2.4"
+      ],
+      "ASVS 4.0": [
+        "2.10.4",
+        "3.5.2",
+        "6.4.1"
+      ]
+    },
+    "defaultQualityProfiles": [
+      "Sonar way"
+    ],
+    "quickfix": "unknown"
+  }
+
diff --git a/rules/S6771/secrets/rule.adoc b/rules/S6771/secrets/rule.adoc
@@ -0,0 +1,108 @@
+Postman is an API development and testing platform that allows developers to design, build, and test APIs. Postman tokens are used for authentication and authorization purposes when making API requests. 
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+If a Postman token is leaked or compromised, it can lead to several security issues and risks. Here are some potential consequences:
+
+==== Unauthorized access
+
+An attacker who gains access to a leaked token can use it to impersonate the legitimate user or application associated with the token. This can result in unauthorized access to sensitive data or functionality within the API.
+
+
+==== Data breaches
+
+If the leaked token provides access to sensitive data, an attacker can use it to retrieve or manipulate that data. This can lead to data breaches that compromise the confidentiality and integrity of the information. Depending on the type of data that is compromised, it could lead to privacy violations, identity theft, financial loss, or other
+negative outcomes.
+
+In most cases, a company suffering a sensitive data compromise will face a
+reputational loss when the security issue is publicly disclosed.
+
+==== API abuse
+
+With a leaked token, an attacker can abuse the API by making unauthorized requests, consuming excessive resources, or performing malicious actions. This can disrupt the API's regular operation, impact performance, or even cause denial-of-service (DoS) attacks.
+
+====  Privilege escalation
+
+Depending on the permissions and scope associated with the token, an attacker may be able to escalate their privileges within the API. They can gain access to additional resources or perform actions that they are not authorized to do.
+
+include::../../../shared_content/secrets/impact/non_repudiation.adoc[]
+
+==== Reputation damage
+
+If a token is leaked and used for malicious purposes, it can damage the reputation of the API provider. Users may lose trust in the security of the API, leading to a loss of business and credibility.
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,javascript,diff-id=1,diff-type=noncompliant]
+----
+const axios = require('axios');
+
+const apiKey = 'PMAK-6502e63761882f002a69f0cb-6d9bc58cd0cc60ff5547f81cf2ca141bb9'; // Noncompliant
+const options = {
+    method: 'get',
+    url: 'https://api.getpostman.com/me',
+    headers: {
+        'Content-Type': 'application/json',
+        'X-API-Key': apiKey
+    }
+};
+
+(async() => { await axios(options); })();
+----
+
+==== Compliant solution
+
+[source,javascript,diff-id=1,diff-type=compliant]
+----
+const axios = require('axios');
+
+const apiKey = process.env.POSTMAN_API_KEY;
+const options = {
+    method: 'get',
+    url: 'https://api.getpostman.com/me',
+    headers: {
+        'Content-Type': 'application/json',
+        'X-API-Key': apiKey
+    }
+};
+
+(async() => { await axios(options); })();
+
+----
+
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+=== Documentation
+
+https://www.postman.com/postman/workspace/postman-public-workspace/documentation/12959542-c8142d51-e97c-46b6-bd77-52bb66712c9a[Postman API]
+
+=== Articles & blog posts
+
+https://blog.postman.com/how-to-get-started-with-the-postman-api/[How to Get Started with the Postman API]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks