From 8ceaab02f4c73b51e3001d11e5a011b28877fb98 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 27 Jun 2024 14:13:02 +0200
Subject: [PATCH] Create rule S6987: Docker swarm tokens should not be disclosed (APPSEC-1800) (#3988)
---
 rules/S6987/metadata.json | 2 +
 rules/S6987/secrets/metadata.json | 64 +++++++++++++++++++++++++++++++
 rules/S6987/secrets/rule.adoc | 62 ++++++++++++++++++++++++++++++
 3 files changed, 128 insertions(+)
 create mode 100644 rules/S6987/metadata.json
 create mode 100644 rules/S6987/secrets/metadata.json
 create mode 100644 rules/S6987/secrets/rule.adoc
diff --git a/rules/S6987/metadata.json b/rules/S6987/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S6987/metadata.json
@@ -0,0 +1,2 @@
+{
+}
diff --git a/rules/S6987/secrets/metadata.json b/rules/S6987/secrets/metadata.json
new file mode 100644
index 00000000000..1c02002c8dc
--- /dev/null
+++ b/rules/S6987/secrets/metadata.json
@@ -0,0 +1,64 @@
+{
+ "title": "Docker swarm tokens should not be disclosed",
+ "type": "VULNERABILITY",
+ "code": {
+ "impacts": {
+ "SECURITY": "HIGH"
+ },
+ "attribute": "TRUSTWORTHY"
+ },
+ "status": "ready",
+ "remediation": {
+ "func": "Constant\/Issue",
+ "constantCost": "30min"
+ },
+ "tags": [
+ "cwe",
+ "cert"
+ ],
+ "extra": {
+ "replacementRules": [
+
+ ],
+ "legacyKeys": [
+
+ ]
+ },
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-6290",
+ "sqKey": "S6290",
+ "scope": "All",
+ "securityStandards": {
+ "CWE": [
+ 798,
+ 259
+ ],
+ "OWASP": [
+ "A3"
+ ],
+ "CERT": [
+ "MSC03-J."
+ ],
+ "OWASP Top 10 2021": [
+ "A7"
+ ],
+ "PCI DSS 3.2": [
+ "6.5.10"
+ ],
+ "PCI DSS 4.0": [
+ "6.2.4"
+ ],
+ "ASVS 4.0": [
+ "2.10.4",
+ "3.5.2",
+ "6.4.1"
+ ],
+ "STIG ASD 2023-06-08": [
+ "V-222642"
+ ]
+ },
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown"
+}
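Review bot: In the rules/S6987/secrets/metadata.json hunk, `"ruleSpecification": "RSPEC-6290"` and `"sqKey": "S6290"` do not match the rule this commit creates: the file lives under rules/S6987/ and the subject names the rule S6987, so these two fields look like they were inherited from another rule's metadata and not updated. A mismatched sqKey would register the new rule under the wrong key, so the lines should read `"ruleSpecification": "RSPEC-6987",` and `"sqKey": "S6987",`. The securityStandards entries (for example the CERT "MSC03-J." and STIG references) appear to have been copied along with them; they may well be intended for all secret-detection rules, but it is worth confirming they were reviewed for this rule rather than carried over. The empty rules/S6987/metadata.json hunk raises nothing.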
diff --git a/rules/S6987/secrets/rule.adoc b/rules/S6987/secrets/rule.adoc
new file mode 100644
index 00000000000..341112889f9
--- /dev/null
+++ b/rules/S6987/secrets/rule.adoc
@@ -0,0 +1,62 @@
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+If an attacker gains access to a Docker swarm token, they might be able to add new workers or managers to the swarm.
+
+=== What is the potential impact?
+
+An attacker with control over a manager or worker node might be able to access sensitive information pushed to those malicious nodes. If the compromised token allows joining a
+manager node to the swarm, this one could compromise other legitimate nodes by pushing
+malicious tasks to them.
+
+include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+:service_name: Docker Swarm
+
+include::../../../shared_content/secrets/impact/infrastructure_takeover.adoc[]
+
+
+== How to fix it
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,java,diff-id=1,diff-type=noncompliant]
+----
+SwarmJoin swarmJoin = new SwarmJoin();
+
+swarmJoin.getRemoteAddrs().add("103.214.142.16:2377");
+swarmJoin.setJoinToken("SWMTKN-1-0o98pf607edyse6ncy7j3z5tjz5ehz6wdmmlevttk55nkgpyh1-pq3hfd1utmhpjnd5hvom0z6va");
+----
+
+==== Compliant solution
+
+[source,java,diff-id=1,diff-type=compliant]
+----
+SwarmJoin swarmJoin = new SwarmJoin();
+
+swarmJoin.getRemoteAddrs().add("103.214.142.16:2377");
+swarmJoin.setJoinToken(System.getenv("JOIN_TOKEN"));
+----
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+=== Documentation
+
+Docker Documentation - https://docs.docker.com/reference/cli/docker/swarm/join-token/[docker swarm join-token]
+
+include::../../../shared_content/secrets/resources/standards.adoc[]