Add YAML security rules for pg and redis libraries in Ruby applications

[ESS-ENN]

Summary by CodeRabbit

• New Features

  • Introduced security rules for detecting empty passwords and hard-coded secrets in PostgreSQL and Redis connections for Ruby applications.
  • Added guidance for developers on secure credential management practices.

• Tests

  • Added test cases for validating behavior with empty passwords and hard-coded secrets in PostgreSQL and Redis connections.

[coderabbitai]

Walkthrough

This pull request introduces new YAML files that define security rules for Ruby applications, specifically targeting the pg and redis libraries. The rules detect instances of empty passwords and hard-coded secrets in database connections. Each rule is categorized with a severity level of "warning" and includes detailed messages advising developers on secure practices. Additionally, corresponding test cases and snapshots are created to validate the implementation of these rules, ensuring comprehensive coverage of potential security vulnerabilities.

Changes

File Path	Change Summary
rules/ruby/security/ruby-pg-empty-password-ruby.yml	New rule added to detect empty passwords in PG connections.
rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml	New rule added to identify hard-coded secrets in PG connections.
rules/ruby/security/ruby-redis-empty-secret-ruby.yml	New rule added to detect empty passwords in Redis connections.
tests/snapshots/ruby-pg-empty-password-ruby-snapshot.yml	New snapshot file for testing PG connections with empty passwords.
tests/snapshots/ruby-pg-hardcoded-secret-ruby-snapshot.yml	New snapshot file for testing PG connections with hard-coded secrets.
tests/snapshots/ruby-redis-empty-secret-ruby-snapshot.yml	New snapshot file for testing Redis connections with empty passwords.
tests/ruby/ruby-pg-empty-password-ruby-test.yml	New test cases for validating PG connections with empty passwords.
tests/ruby/ruby-pg-hardcoded-secret-ruby-test.yml	New test cases for validating PG connections with hard-coded secrets.
tests/ruby/ruby-redis-empty-secret-ruby-test.yml	New test cases for validating Redis connections with empty passwords.

Possibly related PRs

• More Rules #8: Introduces a rule for detecting empty passwords in PostgreSQL connections in C code.
• New Rules #2 #9: Adds rules for detecting hard-coded secrets in JavaScript applications using Sequelize.
• Rules - One php and one java rule #20: Introduces rules for detecting hard-coded secrets in Java applications.
• Two python rules 16Oct2024 #31: Adds rules for detecting hard-coded secrets and empty passwords in Python applications.
• Rules - One C rule and one Ruby rule #34: Introduces a Ruby rule for detecting hardcoded passwords in HTTP authentication.
• Two Rust rules 17Oct2024 #36: Adds rules for detecting empty and hard-coded passwords in Rust applications.
• Add security rules for Java and Swift applications for cookie and secret management #43: Introduces rules for cookie security in Java applications.
• Add Security Rules for Flask, Cassandra, and Couchbase in YAML Configs #65: Adds rules for handling empty passwords in Python applications.
• Add security rules for cookie settings and XML processing in YAML config #66: Introduces rules for cookie settings and XML processing in Java applications.

Suggested reviewers

• petrisorcoderabbit
• rohit121

Poem

🐇 In the land of code where secrets hide,
A rabbit hops with rules as a guide.
Empty passwords, beware the plight,
Secure your treasures, keep them tight!
With tests and snapshots, we’ll find the way,
To guard our data, come what may! 🌟

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Experiment)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

Sakshis seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

Actionable comments posted: 6

🧹 Outside diff range and nitpick comments (7)

tests/ruby/ruby-redis-empty-secret-ruby-test.yml (1)

5-15: Consider adding more edge cases to strengthen test coverage.

While the current invalid cases cover direct empty strings and variable assignments, consider adding these scenarios:

• Nil password
• Whitespace-only password
• Password containing only special characters

Would you like me to provide the additional test cases?

rules/ruby/security/ruby-redis-empty-secret-ruby.yml (1)

4-10: Enhance security message with specific recommendations.

While the current message explains the risk well, consider adding specific recommendations:

• Mention minimum password complexity requirements
• Suggest secure password storage solutions (e.g., AWS Secrets Manager, HashiCorp Vault)
• Add reference to Redis AUTH documentation

tests/ruby/ruby-pg-empty-password-ruby-test.yml (1)

44-44: Remove trailing whitespace

Remove the trailing whitespace on line 44.

🧰 Tools

🪛 yamllint (1.35.1)

[error] 44-44: trailing spaces

(trailing-spaces)

tests/__snapshots__/ruby-pg-empty-password-ruby-snapshot.yml (1)

1-309: Consider adding test cases for additional scenarios

The test suite could be enhanced with additional scenarios:

1. Connection string URLs
2. SSL certificate validation
3. Connection pooling configurations
4. Retry mechanisms

Would you like me to help generate additional test cases for these scenarios?

rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml (1)

15-259: Consider adding pattern for ENV usage examples

The utility patterns effectively cover various forms of hardcoded secrets, but could be enhanced by including examples of secure alternatives using environment variables in the comments.

Add examples like:

# Good:
PG.connect(password: ENV['DB_PASSWORD'])
# Good:
PG.connect(password: Rails.application.credentials.database_password)

rules/ruby/security/ruby-pg-empty-password-ruby.yml (1)

4-14: Enhance security context in the message

While the message is clear, it could benefit from additional context about minimum password requirements and authentication best practices.

Add to the message:

   This can lead to unauthorized access by either an internal or external
   malicious actor. To prevent this vulnerability, enforce authentication
   when connecting to a database by using environment variables to securely
   provide credentials or retrieving them from a secure vault or HSM
-  (Hardware Security Module).
+  (Hardware Security Module). Ensure that database passwords meet minimum
+  complexity requirements and are rotated regularly according to your
+  organization's security policies.

tests/__snapshots__/ruby-pg-hardcoded-secret-ruby-snapshot.yml (1)

1-325: Add test cases for additional scenarios

While the current test coverage is good, consider adding test cases for:

1. Connection strings with URL format
2. Connection info from YAML/JSON files
3. Heredoc password strings

Add test cases like:

# URL format
PG.connect("postgres://user:password@host:5432/dbname")

# YAML config
config = YAML.load_file('database.yml')
PG.connect(password: config['password'])

# Heredoc
PG.connect(password: <<-EOT
  password
EOT
)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between d3972fa and a7f5040.

📒 Files selected for processing (9)

• rules/ruby/security/ruby-pg-empty-password-ruby.yml (1 hunks)
• rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml (1 hunks)
• rules/ruby/security/ruby-redis-empty-secret-ruby.yml (1 hunks)
• tests/__snapshots__/ruby-pg-empty-password-ruby-snapshot.yml (1 hunks)
• tests/__snapshots__/ruby-pg-hardcoded-secret-ruby-snapshot.yml (1 hunks)
• tests/__snapshots__/ruby-redis-empty-secret-ruby-snapshot.yml (1 hunks)
• tests/ruby/ruby-pg-empty-password-ruby-test.yml (1 hunks)
• tests/ruby/ruby-pg-hardcoded-secret-ruby-test.yml (1 hunks)
• tests/ruby/ruby-redis-empty-secret-ruby-test.yml (1 hunks)

🧰 Additional context used

🪛 yamllint (1.35.1)

rules/ruby/security/ruby-redis-empty-secret-ruby.yml

[warning] 18-18: wrong indentation: expected 4 but found 3

(indentation)

---

[warning] 20-20: wrong indentation: expected 5 but found 4

(indentation)

---

[warning] 21-21: wrong indentation: expected 8 but found 7

(indentation)

---

[error] 52-52: trailing spaces

(trailing-spaces)

---

[warning] 58-58: wrong indentation: expected 4 but found 3

(indentation)

---

[warning] 60-60: wrong indentation: expected 5 but found 4

(indentation)

---

[warning] 61-61: wrong indentation: expected 8 but found 7

(indentation)

---

[error] 96-96: trailing spaces

(trailing-spaces)

tests/ruby/ruby-pg-empty-password-ruby-test.yml

[error] 44-44: trailing spaces

(trailing-spaces)

tests/ruby/ruby-pg-hardcoded-secret-ruby-test.yml

[error] 44-44: trailing spaces

(trailing-spaces)

🔇 Additional comments (5)

tests/ruby/ruby-redis-empty-secret-ruby-test.yml (1)

2-4: LGTM! Good practice using environment variables for credentials.

The valid test case demonstrates secure credential management by using environment variables.

tests/__snapshots__/ruby-redis-empty-secret-ruby-snapshot.yml (1)

1-150: LGTM! Comprehensive test snapshots.

The snapshots provide good coverage of the test cases with proper source mapping and consistent style definitions.

rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml (2)

4-14: LGTM! Clear and informative message with proper references.

The message effectively communicates the security risk and provides actionable remediation steps. The reference to OWASP Secrets Management Cheat Sheet is particularly helpful.

---

259-269: Verify pattern coverage for all connection methods

The rule patterns look comprehensive, but let's verify we're not missing any connection methods.

✅ Verification successful

The previous search didn't yield results because we need to verify if we have Ruby files in the codebase. Since this is a security rule definition file, we should also check other similar rules and examples to ensure comprehensive coverage.

---

The output shows we have two PG-related rule files. We should examine both to ensure consistent and comprehensive coverage of connection patterns between them, as they might complement each other.

---

Pattern coverage for PG connection methods is comprehensive

After analyzing both PG-related rule files, the coverage is complete and well-structured. The rules cover:

• All main connection methods: PG.connect and PG::Connection.new
• Both connection styles: keyword arguments (password:) and positional arguments
• Both direct string values and instance variable assignments
• The connect_start method is also included in the regex patterns
• Both empty password and hardcoded password scenarios are handled

The patterns are consistent between both rules and cover all the standard ways to establish PostgreSQL connections in Ruby using the pg gem.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for all PG connection methods in the codebase
rg -t ruby '(PG|PG::Connection)\.(connect|connect_start|new|setdb|open)'

Length of output: 223

---

Script:

#!/bin/bash
# Let's first check if there are any Ruby files in the codebase
fd -e rb

# Then let's look for test files or examples that might contain PG connection patterns
fd -e yml . rules/ruby/

Length of output: 195

---

Script:

#!/bin/bash
# Let's examine the content of both PG-related rule files to compare patterns
cat rules/ruby/security/ruby-pg-empty-password-ruby.yml rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml

# Also check if there are any example files that might show PG usage patterns
fd -e rb . examples/ || true

Length of output: 15291

rules/ruby/security/ruby-pg-empty-password-ruby.yml (1)

264-274: Verify rule catches all empty password variations

The patterns look comprehensive, but let's verify we're catching all empty password variations.

✅ Verification successful

Rule comprehensively catches all empty password variations

After analyzing the rule definition and test cases, the rule successfully catches all common variations of empty password scenarios:

1. Direct empty string in keyword arguments: password: ""
2. Empty string in positional arguments (7th position)
3. Variable-based empty passwords: pw = ""; password: pw
4. Both PG.connect and PG::Connection.new/connect_start methods
5. Both hash-style (:password => "") and newer keyword arguments (password: "")

The test cases provide good coverage with valid and invalid examples, and the snapshots confirm proper pattern matching.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for potential empty password patterns in Ruby files
rg -t ruby '(?i)(password|pwd)(\s*=\s*["\']\s*["\']|\s*:\s*["\']\s*["\'])'

Length of output: 116

---

Script:

#!/bin/bash
# Search for potential empty password patterns in Ruby files, fixing the regex
rg -t ruby '(?i)(password|pwd)(\s*=\s*["\''\'']?\s*["\''\'']|\s*:\s*["\''\'']?\s*["\''\''])'

# Also search for PG.connect and PG::Connection patterns to ensure we're covering all cases
rg -t ruby 'PG\.(connect|Connection\.new).*password'

Length of output: 431

---

Script:

#!/bin/bash
# Let's first check what Ruby files exist in the repository
fd '\.rb$'

# Let's also check test files that might contain examples of PG usage
fd '\.rb$' test/

# Check for any files containing 'pg' in their name or content
fd -i pg

# Look at the content of the rule file to understand the context better
cat rules/ruby/security/ruby-pg-empty-password-ruby.yml

Length of output: 8093

---

Script:

#!/bin/bash
# Let's check the test cases to verify the rule's coverage
cat tests/ruby/ruby-pg-empty-password-ruby-test.yml

# Also check the snapshot to see what patterns are being caught
cat tests/__snapshots__/ruby-pg-empty-password-ruby-snapshot.yml

Length of output: 8134

[coderabbitai]

🛠️ Refactor suggestion

Consider adding pattern for nil password detection.

The current patterns cover empty strings but might miss nil passwords.

Would you like me to provide the additional pattern definition?

🧰 Tools

🪛 yamllint (1.35.1)

[warning] 58-58: wrong indentation: expected 4 but found 3

(indentation)

---

[warning] 60-60: wrong indentation: expected 5 but found 4

(indentation)

---

[warning] 61-61: wrong indentation: expected 8 but found 7

(indentation)

---

[error] 96-96: trailing spaces

(trailing-spaces)

[coderabbitai]

⚠️ Potential issue

Fix indentation in the first pattern definition.

The YAML indentation is inconsistent, which could lead to parsing issues.

Apply this diff to fix the indentation:

 utils:
   Redis.new(..., password:"", ...):
-    # Redis.new(..., password: "", ...)
-   kind: call
-   all:
-    - has:
-       stopBy: neighbor
+     # Redis.new(..., password: "", ...)
+     kind: call
+     all:
+       - has:
+           stopBy: neighbor

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools

🪛 yamllint (1.35.1)

[warning] 18-18: wrong indentation: expected 4 but found 3

(indentation)

---

[warning] 20-20: wrong indentation: expected 5 but found 4

(indentation)

---

[warning] 21-21: wrong indentation: expected 8 but found 7

(indentation)

---

[error] 52-52: trailing spaces

(trailing-spaces)

[coderabbitai]

⚠️ Potential issue

Fix syntax error in PG connection test case

The connection syntax is incorrect. There's an extra colon after PG.

-con3 = PG::.connect nil, 5432, nil, nil, 'test', 'user', '' )
+con3 = PG.connect( nil, 5432, nil, nil, 'test', 'user', '' )

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	con3 = PG::.connect nil, 5432, nil, nil, 'test', 'user', '' )
	con3 = PG.connect( nil, 5432, nil, nil, 'test', 'user', '' )

[coderabbitai]

⚠️ Potential issue

Fix syntax error in PG connection test case

The connection syntax is incorrect. There's an extra colon after PG.

-con3 = PG::.connect nil, 5432, nil, nil, 'test', 'user', 'password' )
+con3 = PG.connect( nil, 5432, nil, nil, 'test', 'user', 'password' )

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	con3 = PG::.connect nil, 5432, nil, nil, 'test', 'user', 'password' )
	con3 = PG.connect( nil, 5432, nil, nil, 'test', 'user', 'password' )

[coderabbitai]

⚠️ Potential issue

Revise valid test case for hardcoded secret detection

The valid test case uses an empty password, which seems incorrect for a hardcoded secret test. Consider using environment variables or configuration management for a proper example.

-con1 = PG.connect(
-:dbname   => 'database',
-:host     => 'host',
-:port     => 1234,
-:user     => 'user',
-:password => '',
-:sslmode  => 'prefer'
-)
+con1 = PG.connect(
+  :dbname   => 'database',
+  :host     => ENV['DB_HOST'],
+  :port     => ENV['DB_PORT'].to_i,
+  :user     => ENV['DB_USER'],
+  :password => ENV['DB_PASSWORD'],
+  :sslmode  => 'prefer'
+)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	con1 = PG.connect(
	:dbname => 'database',
	:host => 'host',
	:port => 1234,
	:user => 'user',
	:password => '',
	:sslmode => 'prefer'
	)
	con1 = PG.connect(
	:dbname => 'database',
	:host => ENV['DB_HOST'],
	:port => ENV['DB_PORT'].to_i,
	:user => ENV['DB_USER'],
	:password => ENV['DB_PASSWORD'],
	:sslmode => 'prefer'
	)

[coderabbitai]

⚠️ Potential issue

Fix snapshot to match corrected test case

This snapshot needs to be updated to match the corrected syntax in the test file.

-con3 = PG::.connect nil, 5432, nil, nil, 'test', 'user', '' )
+con3 = PG.connect( nil, 5432, nil, nil, 'test', 'user', '' )

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	con3 = PG::.connect nil, 5432, nil, nil, 'test', 'user', '' )
	con3 = PG.connect( nil, 5432, nil, nil, 'test', 'user', '' )