From fb1e5b5861b4b5479d1647701feb1f6cd844e415 Mon Sep 17 00:00:00 2001
From: Mark Boyd <mark.boyd@gsa.gov>
Date: Tue, 5 Dec 2023 17:39:40 -0500
Subject: [PATCH 1/2] add exceptions for generic credential rules for
 Elasticsearch/Opensearch field mappings

---
 local.toml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/local.toml b/local.toml
index b9592fc..f5948a1 100644
--- a/local.toml
+++ b/local.toml
@@ -79,7 +79,7 @@ useDefault = true
 [[rules]]
 	id = "generic-credential"
 	description = "Generic Credential"
-	regex = '''(?im)(dbpasswd|dbname|dbhost|api_key|apikey|secret|key|api|password|guid|hostname|pw|auth)(.{0,20})(['"](\S{4,120})['"]|[(\\]\s*$)'''
+	regex = '''(?im)(.*)(dbpasswd|dbname|dbhost|api_key|apikey|secret|key|api|password|guid|hostname|pw|auth)(.{0,20})(['"](\S{4,120})['"]|[(\\]\s*$)'''
 	tags = ["key", "API", "generic"]
 	# ignore leaks with specific identifiers like slack and aws as these should be detected
 	# by more granular rules
@@ -87,7 +87,10 @@ useDefault = true
 		regexes = [
 			'''xox[baprs]-([0-9a-zA-Z]{10,48})''',
 			'''(?i)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]''',
-			'''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
+			'''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}''',
+			'''\"type\":\"keyword\"''',
+			'''\"key\":''',
+			'''\"name\":\".*hostname\"'''
 		]
 		paths = [
 			'''(vendor.github|Godeps._workspace)''',

From 9e5245450f287e52aa0dd2ffbccd7ee3cab3655e Mon Sep 17 00:00:00 2001
From: Mark Boyd <mark.boyd@gsa.gov>
Date: Wed, 6 Dec 2023 14:46:16 -0500
Subject: [PATCH 2/2] add more tests for expected behavior

---
 caulked.bats     |  2 +-
 development.bats | 64 +++++++++++++++++++++++++++++++++++++++++++++++-
 local.toml       | 15 +++++++++---
 3 files changed, 76 insertions(+), 5 deletions(-)

diff --git a/caulked.bats b/caulked.bats
index bf4966b..84c37f7 100644
--- a/caulked.bats
+++ b/caulked.bats
@@ -22,7 +22,7 @@ load test_helper
 @test "leak prevention allows plain text, check 'git config --global -l' on failure" {
     run addFileWithNoSecrets
     [ ${status} -eq 0 ]
-    echo ${lines[7]} | grep -q "no leaks found"
+    assert_output --partial "no leaks found"
 }
 
 @test "leak prevention catches unstaged aws secrets in test repo" {
diff --git a/development.bats b/development.bats
index 6e0bcf3..a7ff6c3 100644
--- a/development.bats
+++ b/development.bats
@@ -135,6 +135,7 @@ module "iam_cert_provision_user" {
 END
     run testCommit $REPO_PATH
     assert_failure
+    assert_output --partial 'generic-username'
 }
 
 # Testing for 40 base64 results in too many false positives,
@@ -272,4 +273,65 @@ END
 @test "it catches yaml with Slack webhook" {
     run yamlTest "slack-webhook-url: https://hooks.slack.com/services/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"
     [ ${status} -eq 1 ]
-}
\ No newline at end of file
+}
+
+@test "it allows a username as a templated ERB field" {
+  cat > $REPO_PATH/username.erb <<END
+    username': '<%= p('cloudfoundry.user'
+END
+    run testCommit $REPO_PATH
+    assert_success
+}
+
+@test "it allows a password as a templated ERB field" {
+  cat > $REPO_PATH/username.erb <<END
+    password': '<%= p('password
+END
+    run testCommit $REPO_PATH
+    assert_success
+}
+
+@test "it fails a generic password" {
+  cat > $REPO_PATH/password.yaml <<END
+    "password": "password"
+END
+    run testCommit $REPO_PATH
+    assert_failure
+    assert_output --partial 'generic-credential'
+}
+
+@test "it allows hostname as a JSON property value" {
+  cat > $REPO_PATH/foo.json <<END
+    {
+        "name": "rtr.hostname"
+    }
+END
+    run testCommit $REPO_PATH
+    assert_success
+}
+
+@test "it fails a generic hostname" {
+  cat > $REPO_PATH/config.yml <<END
+    hostname: "host-1"
+END
+    run testCommit $REPO_PATH
+    assert_failure
+    assert_output --partial 'generic-credential'
+}
+
+@test "it allows keyword as a JSON property value" {
+  cat > $REPO_PATH/test.json <<END
+    { "type": "keyword" }
+END
+    run testCommit $REPO_PATH
+    assert_success
+}
+
+@test "it fails JSON with keyword as property value but including another generic credential" {
+  cat > $REPO_PATH/test.json <<END
+    { "type": "keyword", "password": "password" }
+END
+    run testCommit $REPO_PATH
+    assert_failure
+    assert_output --partial 'generic-credential'
+}
diff --git a/local.toml b/local.toml
index 1a6bc5e..fdbd599 100644
--- a/local.toml
+++ b/local.toml
@@ -71,7 +71,12 @@ useDefault = true
 		description = "A username in a terraform file and programs is not a leak"
 		regexes = [
 			'''\w+?username\w+=''',
-			'''\"type\":''',
+			# ignore username properties set in templates. for example:
+			#  	username': '<%= p('cloudfoundry.user'
+			'''(username)[\'\"]{0,1}[:=]\s{0,1}[\'\"]{0,1}\<\%\=\s{0,1}p\('''
+		]
+		stopwords = [
+			"user_agent"
 		]
 		paths = [
 			'''\.(tf|rb|go|py|js)$'''
@@ -89,9 +94,13 @@ useDefault = true
 			'''xox[baprs]-([0-9a-zA-Z]{10,48})''',
 			'''(?i)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]''',
 			'''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}''',
+			# ignore JSON property values including "keyword", such as { "type": "keyword" }
 			'''\"type\":\"keyword\"''',
-			'''\"key\":''',
-			'''\"name\":\".*hostname\"'''
+			# ignore JSON property values including "hostname", like { "name": "rtr.hostname" }
+			'''\"name\":\".*hostname\"''',
+			# ignore password properties set in ERB templates. for example:
+			# 	'password': '<%= p('cloudfoundry.password'
+			'''(password)[\'\"]{0,1}[:=]\s{0,1}[\'\"]{0,1}\<\%\=\s{0,1}p\('''
 		]
 		paths = [
 			'''(vendor.github|Godeps._workspace)''',