Cloudant Detector (Yelp#207)
adding cloudant to base plugins (Yelp#220)
edwarj2 authored and justineyster committed Sep 9, 2020
1 parent d77e0b1 commit 19ed452
Showing 8 changed files with 171 additions and 51 deletions.
6 changes: 6 additions & 0 deletions detect_secrets/core/usage.py
Expand Up @@ -522,6 +522,12 @@ class PluginOptions:
disable_help_text='Disable scanning for Box API credentials',
is_default=True,
),
PluginDescriptor(
classname='CloudantDetector',
disable_flag_text='--no-cloudant-scan',
disable_help_text='Disable scanning for Cloudant credentials',
is_default=True,
),
]

default_plugins_list = [
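Review bot: Registering `CloudantDetector` with `is_default=True` enables it for every existing scan and baseline without opt-in, and nothing in this descriptor tells the user that the plugin has a verification step. `verify_cloudant_key` in `detect_secrets/plugins/cloudant.py` (same commit) builds `https://{hostname}:{token}@{hostname}.cloudant.com` from matched text, presumably to request it; whether verification runs by default is not visible on this page. A comment above the descriptor would make that explicit, for example `# verification may send the candidate credential to <account>.cloudant.com`. The `PluginOptions` class starts and ends outside this hunk.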
52 changes: 29 additions & 23 deletions detect_secrets/plugins/cloudant.py
Expand Up @@ -11,41 +11,46 @@ class CloudantDetector(RegexBasedDetector):
secret_type = 'Cloudant Credentials'

# opt means optional
opt_quote = r'(?:"|\'|)'
opt_dashes = r'(?:--|)'
opt_dot = r'(?:\.|)'
dot = r'\.'
cl_account = r'[0-9a-z\-\_]*'
cl = r'(cloudant|cl|clou)'
opt_dash_undrscr = r'(?:_|-|)'
cl_account = r'[\w\-]+'
cl = r'(?:cloudant|cl|clou)'
opt_api = r'(?:api|)'
cl_key_or_pass = cl + opt_dash_undrscr + r'(?:key|pwd|pw|password|pass|token)'
opt_space = r'(?: |)'
assignment = r'(?:=|:|:=|=>)'
cl_secret = r'[0-9a-f]{64}'
cl_key_or_pass = opt_api + r'(?:key|pwd|pw|password|pass|token)'
cl_pw = r'([0-9a-f]{64})'
cl_api_key = r'([a-z]{24})'
colon = r'\:'
at = r'\@'
http = r'(?:http\:\/\/|https\:\/\/)'
http = r'(?:https?\:\/\/)'
cloudant_api_url = r'cloudant\.com'
denylist = [
RegexBasedDetector.assign_regex_generator(
prefix_regex=cl,
password_keyword_regex=cl_key_or_pass,
password_regex=cl_pw,
),
RegexBasedDetector.assign_regex_generator(
prefix_regex=cl,
password_keyword_regex=cl_key_or_pass,
password_regex=cl_api_key,
),
re.compile(
r'{cl_key_or_pass}{opt_space}{assignment}{opt_space}{opt_quote}{cl_secret}'.format(
cl_key_or_pass=cl_key_or_pass,
opt_quote=opt_quote,
r'{http}{cl_account}{colon}{cl_pw}{at}{cl_account}{dot}{cloudant_api_url}'.format(
http=http,
colon=colon,
cl_account=cl_account,
opt_dash_undrscr=opt_dash_undrscr,
opt_api=opt_api,
opt_space=opt_space,
assignment=assignment,
cl_secret=cl_secret,
), flags=re.IGNORECASE,
cl_pw=cl_pw,
at=at,
dot=dot,
cloudant_api_url=cloudant_api_url,
),
flags=re.IGNORECASE,
),
re.compile(
r'{http}{cl_account}{colon}{cl_secret}{at}{cl_account}{dot}{cloudant_api_url}'.format(
r'{http}{cl_account}{colon}{cl_api_key}{at}{cl_account}{dot}{cloudant_api_url}'.format(
http=http,
colon=colon,
cl_account=cl_account,
cl_secret=cl_secret,
cl_api_key=cl_api_key,
at=at,
dot=dot,
cloudant_api_url=cloudant_api_url,
Expand Down Expand Up @@ -93,6 +98,7 @@ def get_host(content):
return [
match
for line in content.splitlines()
for regex in regexes
for match in regex.findall(line)
]

Expand All @@ -103,7 +109,7 @@ def verify_cloudant_key(hostname, token, potential_secret=None):
request_url = 'https://{hostname}:' \
'{token}' \
'@{hostname}.' \
'cloudant.com/_api/v2'.format(
'cloudant.com'.format(
hostname=hostname,
token=token,
)
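Review bot: `cl_api_key = r'([a-z]{24})'` and `cl_pw = r'([0-9a-f]{64})'` carry no boundary of their own, so in the two `assign_regex_generator` entries they can capture a 24-letter or 64-hex slice of a longer value (part of a 128-character digest, say), and that truncated capture is what gets reported and passed to verification. How `assign_regex_generator` terminates the value is not visible here, so check its definition; if it does not bound the value, `cl_pw = r'\b([0-9a-f]{64})\b'` and `cl_api_key = r'\b([a-z]{24})\b'` would, and both still match between `:` and `@` in the URL patterns. Separately, `cl_account = r'[\w\-]+'` accepts non-ASCII word characters under Python 3; `[0-9a-z_\-]+` with the existing `re.IGNORECASE` keeps the account name ASCII-only, which matters if it is later used as the hostname in `verify_cloudant_key`. The class body and the last `re.compile(...)` entry continue outside the hunk.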
1 change: 1 addition & 0 deletions detect_secrets/plugins/common/initialize.py
Expand Up @@ -4,6 +4,7 @@
from ..base import BasePlugin
from ..basic_auth import BasicAuthDetector # noqa: F401
from ..box import BoxDetector # noqa: F401
from ..cloudant import CloudantDetector # noqa: F401
from ..common.util import get_mapping_from_secret_type_to_class_name
from ..db2 import DB2Detector # noqa: F401
from ..gh import GHDetector # noqa: F401
1 change: 1 addition & 0 deletions detect_secrets/plugins/common/util.py
Expand Up @@ -10,6 +10,7 @@
from ..base import BasePlugin
from ..basic_auth import BasicAuthDetector # noqa: F401
from ..box import BoxDetector # noqa: F401
from ..cloudant import CloudantDetector # noqa: F401
from ..db2 import DB2Detector # noqa: F401
from ..high_entropy_strings import Base64HighEntropyString # noqa: F401
from ..high_entropy_strings import HexHighEntropyString # noqa: F401
1 change: 1 addition & 0 deletions tests/core/usage_test.py
Expand Up @@ -32,6 +32,7 @@ def test_consolidates_output_basic(self):
'PrivateKeyDetector': {},
'AWSKeyDetector': {},
'BoxDetector': {},
'CloudantDetector': {},
'IBMCloudIAMDetector': {},
'IBMCosHmacDetector': {},
'SlackDetector': {},
16 changes: 16 additions & 0 deletions tests/main_test.py
Expand Up @@ -212,6 +212,7 @@ def test_scan_string_basic_default(
ArtifactoryDetector: False
BasicAuthDetector : False
BoxDetector : False
CloudantDetector : False
DB2Detector : False
GHDetector : False
IBMCloudIAMDetector: False
Expand Down Expand Up @@ -362,6 +363,9 @@ def test_old_baseline_ignored_with_update_flag(
{
'name': 'BoxDetector',
},
{
'name': 'CloudantDetector',
},
{
'name': 'DB2Detector',
},
Expand Down Expand Up @@ -417,6 +421,9 @@ def test_old_baseline_ignored_with_update_flag(
{
'name': 'BoxDetector',
},
{
'name': 'CloudantDetector',
},
{
'name': 'DB2Detector',
},
Expand Down Expand Up @@ -529,6 +536,9 @@ def test_old_baseline_ignored_with_update_flag(
{
'name': 'BoxDetector',
},
{
'name': 'CloudantDetector',
},
{
'name': 'DB2Detector',
},
Expand Down Expand Up @@ -583,6 +593,9 @@ def test_old_baseline_ignored_with_update_flag(
{
'name': 'BoxDetector',
},
{
'name': 'CloudantDetector',
},
{
'name': 'DB2Detector',
},
Expand Down Expand Up @@ -736,6 +749,9 @@ def test_scan_with_default_plugin(self):
{
'name': 'BoxDetector',
},
{
'name': 'CloudantDetector',
},
{
'name': 'DB2Detector',
},