Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add exceptions for generic credential rulefor Elasticsearch/Opensea… #86

Merged
merged 3 commits into from
Dec 7, 2023
Merged

add exceptions for generic credential rulefor Elasticsearch/Opensea… #86

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
fb1e5b5
add exceptions for generic credential rules for Elasticsearch/Opensea…
markdboyd Dec 5, 2023
8de0469
Merge branch 'main' into add-generic-credential-exceptions
markdboyd Dec 6, 2023
9e52454
add more tests for expected behavior
markdboyd Dec 6, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion caulked.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ load test_helper
@test "leak prevention allows plain text, check 'git config --global -l' on failure" {
run addFileWithNoSecrets
[ ${status} -eq 0 ]
echo ${lines[7]} | grep -q "no leaks found"
assert_output --partial "no leaks found"
}

@test "leak prevention catches unstaged aws secrets in test repo" {
Expand Down
64 changes: 63 additions & 1 deletion development.bats
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,7 @@ module "iam_cert_provision_user" {
END
run testCommit $REPO_PATH
assert_failure
assert_output --partial 'generic-username'
}

# Testing for 40 base64 results in too many false positives,
Expand Down Expand Up @@ -272,4 +273,65 @@ END
@test "it catches yaml with Slack webhook" {
run yamlTest "slack-webhook-url: https://hooks.slack.com/services/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"
[ ${status} -eq 1 ]
}
}

@test "it allows a username as a templated ERB field" {
cat > $REPO_PATH/username.erb <<END
username': '<%= p('cloudfoundry.user'
END
run testCommit $REPO_PATH
assert_success
}

@test "it allows a password as a templated ERB field" {
cat > $REPO_PATH/username.erb <<END
password': '<%= p('password
END
run testCommit $REPO_PATH
assert_success
}

@test "it fails a generic password" {
cat > $REPO_PATH/password.yaml <<END
"password": "password"
END
run testCommit $REPO_PATH
assert_failure
assert_output --partial 'generic-credential'
}

@test "it allows hostname as a JSON property value" {
cat > $REPO_PATH/foo.json <<END
{
"name": "rtr.hostname"
}
END
run testCommit $REPO_PATH
assert_success
}

@test "it fails a generic hostname" {
cat > $REPO_PATH/config.yml <<END
hostname: "host-1"
END
run testCommit $REPO_PATH
assert_failure
assert_output --partial 'generic-credential'
}

@test "it allows keyword as a JSON property value" {
cat > $REPO_PATH/test.json <<END
{ "type": "keyword" }
END
run testCommit $REPO_PATH
assert_success
}

@test "it fails JSON with keyword as property value but including another generic credential" {
cat > $REPO_PATH/test.json <<END
{ "type": "keyword", "password": "password" }
END
run testCommit $REPO_PATH
assert_failure
assert_output --partial 'generic-credential'
}
18 changes: 15 additions & 3 deletions local.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,12 @@ useDefault = true
description = "A username in a terraform file and programs is not a leak"
regexes = [
'''\w+?username\w+=''',
'''\"type\":''',
# ignore username properties set in templates. for example:
# username': '<%= p('cloudfoundry.user'
'''(username)[\'\"]{0,1}[:=]\s{0,1}[\'\"]{0,1}\<\%\=\s{0,1}p\('''
]
stopwords = [
"user_agent"
]
paths = [
'''\.(tf|rb|go|py|js)$'''
Expand All @@ -80,15 +85,22 @@ useDefault = true
[[rules]]
id = "generic-credential"
description = "Generic Credential"
regex = '''(?im)(dbpasswd|dbname|dbhost|api_key|apikey|secret|key|api|password|guid|hostname|pw|auth)(.{0,20})(['"](\S{4,120})['"]|[(\\]\s*$)'''
regex = '''(?im)(.*)(dbpasswd|dbname|dbhost|api_key|apikey|secret|key|api|password|guid|hostname|pw|auth)(.{0,20})(['"](\S{4,120})['"]|[(\\]\s*$)'''
tags = ["key", "API", "generic"]
# ignore leaks with specific identifiers like slack and aws as these should be detected
# by more granular rules
[rules.allowlist]
regexes = [
'''xox[baprs]-([0-9a-zA-Z]{10,48})''',
'''(?i)(.{0,20})?['"][0-9a-f]{32}-us[0-9]{1,2}['"]''',
'''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}'''
'''(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}''',
# ignore JSON property values including "keyword", such as { "type": "keyword" }
'''\"type\":\"keyword\"''',
# ignore JSON property values including "hostname", like { "name": "rtr.hostname" }
'''\"name\":\".*hostname\"''',
# ignore password properties set in ERB templates. for example:
# 'password': '<%= p('cloudfoundry.password'
'''(password)[\'\"]{0,1}[:=]\s{0,1}[\'\"]{0,1}\<\%\=\s{0,1}p\('''
]
paths = [
'''(vendor.github|Godeps._workspace)''',
Expand Down