Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: catch username password inside urls #169

Merged
Merged
Show file tree
Hide file tree
Changes from 13 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions secrets/rules/authenticated_url.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
package secrets

import (
"regexp"

"github.com/zricethezav/gitleaks/v8/config"
)

func AuthenticatedURL() *config.Rule {
regex, _ := regexp.Compile(`:\/\/(.+:.+)?@`)
rule := config.Rule{
Description: "Identify username:password inside URLS",
RuleID: "username-password-secret",
hagarfisher marked this conversation as resolved.
Show resolved Hide resolved
Regex: regex,
Keywords: []string{},
SecretGroup: 1,
}

return &rule
}
2 changes: 2 additions & 0 deletions secrets/secrets.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import (

"github.com/checkmarx/2ms/plugins"
"github.com/checkmarx/2ms/reporting"
internalRules "github.com/checkmarx/2ms/secrets/rules"
"github.com/rs/zerolog/log"
"github.com/spf13/cobra"
"github.com/zricethezav/gitleaks/v8/cmd/generate/config/rules"
Expand Down Expand Up @@ -368,6 +369,7 @@ func loadAllRules() ([]Rule, error) {
allRules = append(allRules, Rule{Rule: *rules.YandexAWSAccessToken(), Tags: []string{TagAccessToken}})
allRules = append(allRules, Rule{Rule: *rules.YandexAccessToken(), Tags: []string{TagAccessToken}})
allRules = append(allRules, Rule{Rule: *rules.ZendeskSecretKey(), Tags: []string{TagSecretKey}})
allRules = append(allRules, Rule{Rule: *internalRules.AuthenticatedURL(), Tags: []string{TagSensitiveUrl}})

return allRules, nil
}
Expand Down
75 changes: 75 additions & 0 deletions secrets/secrets_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,86 @@ package secrets

import (
"fmt"
"sync"
"testing"

"github.com/checkmarx/2ms/plugins"
"github.com/checkmarx/2ms/reporting"
"github.com/zricethezav/gitleaks/v8/config"
)

func TestSecrets(t *testing.T) {
secrets := []struct {
Content string
Name string
ShouldFind bool
}{
hagarfisher marked this conversation as resolved.
Show resolved Hide resolved
{
Content: "",
Name: "empty",
ShouldFind: false,
},
{
Content: "mongodb+srv://radar:mytoken@io.dbb.mongodb.net/?retryWrites=true&w=majority",
Name: "Authenticated URL",
ShouldFind: true,
},
hagarfisher marked this conversation as resolved.
Show resolved Hide resolved
{
Content: "--output=https://elastic:bF21iC0bfTVXo3qhpJqTGs78@c22f5bc9787c4c268d3b069ad866bdc2.eu-central-1.aws.cloud.es.io:9243/tfs",
Name: "Authenticated URL",
ShouldFind: true,
},
{
Content: "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",
Name: "GitHub Personal Access Token",
ShouldFind: true,
},
{
Content: "AKCp8jRRiQSAbghbuZmHKZcaKGEqbAASGH2SAb3rxXJQsSq9dGga8gFXe6aHpcRmzuHxN6oaT",
Name: "JFROG Secret without keyword",
ShouldFind: false,
},
{
Content: "--set imagePullSecretJfrog.password=AKCp8kqqfQbYifrbyvqusjyk6N3QKprXTv9B8HTitLbJzXT1kW7dDticXTsJpCrbqtizAwK4D \\",
Name: "JFROG Secret with keyword (real example)",
ShouldFind: true,
},
{
Content: "--docker-password=AKCp8kqX8yeKBTqgm2XExHsp8yVdJn6SAgQmS1nJMfMDmzxEqX74rUGhedaWu7Eovid3VsMwb",
Name: "JFROG Secret as kubectl argument",
ShouldFind: true,
},
}

detector, err := Init([]string{}, []string{})
if err != nil {
t.Fatal(err)
}

for _, secret := range secrets {
name := secret.Name
if name == "" {
name = secret.Content
}
t.Run(name, func(t *testing.T) {
fmt.Printf("Start test %s", name)
secretsChan := make(chan reporting.Secret, 1)
wg := &sync.WaitGroup{}
wg.Add(1)
detector.Detect(plugins.Item{Content: secret.Content}, secretsChan, wg, nil)
close(secretsChan)

s := <-secretsChan
if s.Value == "" && secret.ShouldFind {
t.Errorf("secret \"%s\" not found", secret.Name)
}
if s.Value != "" && !secret.ShouldFind {
t.Errorf("should not find")
}
})
}

}
func TestLoadAllRules(t *testing.T) {
rules, _ := loadAllRules()

Expand Down