Password with hardcoded value is not detected (.yaml file) #80

Closed
gabriel-cx opened this issue May 30, 2023 · 6 comments · Fixed by #181
Labels: enhancement (New feature or request)

@gabriel-cx (Author):

Steps to reproduce

running the command: ./2ms repository --path "<file_to_scan>"
where <file_to_scan> is this file.

Expected result

2ms finds a hardcoded secret at line 8

Actual result

[screenshot of the 2ms output, not reproduced here]
baruchiro added the enhancement label on May 30, 2023

@baruchiro (Contributor):

I think my bigger concern here is that a feature like this is based on heuristics and can give a lot of false positives.

For example, the field may be:

password: "YOUR_PASSWORD_HERE"

@gabriel-cx (Author):

I see your point. In KICS, we trigger a vulnerability result in these cases.

I tried gitleaks and the same file has as a result: no leaks found.

@baruchiro (Contributor):

We will support it and the user will be able to disable it.

Need to research ignoring patterns like password: "${{env_var}}".

@jossef (Member) commented Jun 21, 2023:

Can be done as part of #98. Suggesting to close.

@baruchiro (Contributor) commented Sep 4, 2023:

Examples:

var userID = $sessionStorage['userID'] ? $sessionStorage[' userID '] : 'HardcodedUserIDinplaintext';
var headers =  { authorization : "Basic " + btoa(unescape(encodeURIComponent(userID + ":" + 'HardcodedPasswordinplaintext'))),…………………};
{
  username: 'HardcodedUsernameinplaintext',
  password: ' HardcodedPasswordinplaintext ',
}
document.getElementById('userName').value = " HardcodedUsernameinplaintext ";
document.getElementById('password').value = " HardcodedPasswordinplaintext ";
M_DB_USER= HardcodedUsernameinplaintext
M_DB_PASSWORD= HardcodedPasswordinplaintext
private static final String CIPHER_KEY = "HardcodedCipherKey in Numeric";
"... \"access-key\": \"AKIAWIPE......\", ..."

(Waiting for gitleaks/gitleaks#1267)

<password>something_here</password>
<element password="something" />

(Waiting for gitleaks/gitleaks#1265)

@baruchiro (Contributor):

You can run 2ms by adding --regex "password[:>=] *\"?.*[ <\"]" to the CLI command.
It will catch multiple hard-coded password fields.
Just as a very quick solution.
Of course, with more examples we will be more accurate.

This is the whole config: 😂

regex:
  - password[:>=] *"?.*[ <"]

and it will find these:

results:
  73ca2669271427b1e4b7ee88701166ed49b82233:
  - id: 73ca2669271427b1e4b7ee88701166ed49b82233
    source: project/10k-most-common.txt
    ruleid: custom-regex-1
    startline: 1
    endline: 1
    startcolumn: 3
    endcolumn: 26
    value: password>something_here<
  76dab5351fa6c906c96f80d03868e8a5a143f021:
  - id: 76dab5351fa6c906c96f80d03868e8a5a143f021
    source: project/10k-most-common.txt
    ruleid: custom-regex-1
    startline: 0
    endline: 0
    startcolumn: 1
    endcolumn: 30
    value: 'password: "YOUR_PASSWORD_HERE"'
  b7eee319f6c69bcaccbdf49cf58c3d1da9a019cf:
  - id: b7eee319f6c69bcaccbdf49cf58c3d1da9a019cf
    source: project/10k-most-common.txt
    ruleid: custom-regex-1
    startline: 2
    endline: 2
    startcolumn: 11
    endcolumn: 31
    value: 'password="something" '
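
As an added illustration (this is not code from the 2ms project nor from any participant in the thread), the Go program below compiles the quick-fix regex posted above with Go's RE2 engine, runs it over a constructed set of sample lines drawn from the thread's examples, and then applies a placeholder filter of the kind discussed earlier for values such as "YOUR_PASSWORD_HERE" and "${{env_var}}". The placeholder patterns, the Scan/Active function names and the Finding type are assumptions made for this illustration, not 2ms' own rule or allowlist. It also shows a limit of the posted regex: because it is case-sensitive, an env-style line like M_DB_PASSWORD= is not matched at all.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// The quick-fix regex posted in the thread, compiled with Go's RE2 engine
// (the engine behind 2ms' --regex flag). It is case-sensitive, so a line such
// as M_DB_PASSWORD=... is NOT matched; see line 6 of the sample below.
var hardcodedPassword = regexp.MustCompile(`password[:>=] *"?.*[ <"]`)

// Placeholder heuristics. Assumption: these are illustrative only and are not
// 2ms' own allowlist. A hit whose value looks like a template reference or a
// documentation placeholder is still reported, but marked Suppressed, which is
// the "user will be able to disable it" behaviour discussed in the thread.
var placeholderPatterns = []*regexp.Regexp{
	regexp.MustCompile(`\$\{\{?[^}]*\}\}?`),                 // ${VAR}, ${{ secrets.X }}
	regexp.MustCompile(`\$[A-Z_][A-Z0-9_]*`),                // $VAR
	regexp.MustCompile(`(?i)your_[a-z_]*password|changeme`), // docs placeholders
}

// Finding is one regex hit on one line of input.
type Finding struct {
	Line       int    // 1-based line number
	Value      string // the text the regex matched
	Suppressed bool   // true when Value looks like a placeholder, not a secret
}

// Scan runs the regex over every line of input and classifies each hit.
func Scan(input string) []Finding {
	var out []Finding
	for i, line := range strings.Split(input, "\n") {
		m := hardcodedPassword.FindString(line)
		if m == "" {
			continue
		}
		out = append(out, Finding{Line: i + 1, Value: m, Suppressed: isPlaceholder(m)})
	}
	return out
}

// Active returns only the findings that survived the placeholder filter.
func Active(findings []Finding) []Finding {
	var out []Finding
	for _, f := range findings {
		if !f.Suppressed {
			out = append(out, f)
		}
	}
	return out
}

func isPlaceholder(v string) bool {
	for _, p := range placeholderPatterns {
		if p.MatchString(v) {
			return true
		}
	}
	return false
}

// Constructed sample input (not a real file): the thread's examples plus a
// templated value and a realistic-looking secret. Line 6 is deliberately
// upper-case to show the regex missing it.
const sample = `password: "YOUR_PASSWORD_HERE"
password: "${{ secrets.DB_PASSWORD }}"
password: "s3cr3t-Va1ue!"
<password>something_here</password>
<element password="something" />
M_DB_PASSWORD= HardcodedPasswordinplaintext
password: ' HardcodedPasswordinplaintext ',`

func main() {
	findings := Scan(sample)
	for _, f := range findings {
		state := "FINDING"
		if f.Suppressed {
			state = "suppressed (placeholder)"
		}
		fmt.Printf("line %d: %-24s %q\n", f.Line, state, f.Value)
	}
	fmt.Printf("%d active findings out of %d hits\n", len(Active(findings)), len(findings))
}
```

Running it reports six hits: lines 1 and 2 are suppressed as placeholders, lines 3, 4, 5 and 7 stay active, and line 6 never matches because of the regex's case-sensitivity. The match values for the XML element and attribute cases are the same ones shown in the results block above (password>something_here< and password="something" ), which is also a reminder that the regex reports the delimiter-to-delimiter span rather than a cleanly extracted secret value.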

baruchiro pushed a commit that referenced this issue Sep 12, 2023
- add hardcoded-password rule
- feat: add special (non-default) rules with hardcoded-password rule

Fix #80
Close #174