fix(secret): add newline escaping for asymmetric private key (#2532)

aquasecurity · Jul 31, 2022 · 3cd88ab · 3cd88ab
1 parent ea91fb9
commit 3cd88ab
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 1 deletion.
diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
@@ -149,7 +149,7 @@ var builtinRules = []Rule{
 		Category:        CategoryAsymmetricPrivateKey,
 		Title:           "Asymmetric Private Key",
 		Severity:        "HIGH",
-		Regex:           MustCompile(`(?i)-----\s*?BEGIN[ A-Z0-9_-]*?PRIVATE KEY( BLOCK)?\s*?-----[\s]*?(?P<secret>[A-Za-z0-9=+/\r\n]+)[\s]*?-----\s*?END[ A-Z0-9_-]*? PRIVATE KEY( BLOCK)?\s*?-----`),
+		Regex:           MustCompile(`(?i)-----\s*?BEGIN[ A-Z0-9_-]*?PRIVATE KEY( BLOCK)?\s*?-----[\s]*?(?P<secret>[A-Za-z0-9=+/\\\r\n]+)[\s]*?-----\s*?END[ A-Z0-9_-]*? PRIVATE KEY( BLOCK)?\s*?-----`),
 		SecretGroupName: "secret",
 		Keywords:        []string{"-----"},
 	},

diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
@@ -431,6 +431,48 @@ func TestSecretScanner(t *testing.T) {
 			},
 		},
 	}
+	wantFindingAsymmetricPrivateKeyJson := types.SecretFinding{
+		RuleID:    "private-key",
+		Category:  secret.CategoryAsymmetricPrivateKey,
+		Title:     "Asymmetric Private Key",
+		Severity:  "HIGH",
+		StartLine: 1,
+		EndLine:   1,
+		Match:     "----BEGIN RSA PRIVATE KEY-----**************************************************************************************************************************-----END RSA PRIVATE",
+		Code: types.Code{
+			Lines: []types.Line{
+				{
+					Number:      1,
+					Content:     "{\"key\": \"-----BEGIN RSA PRIVATE KEY-----**************************************************************************************************************************-----END RSA PRIVATE KEY-----\\n\"}",
+					Highlighted: "{\"key\": \"-----BEGIN RSA PRIVATE KEY-----**************************************************************************************************************************-----END RSA PRIVATE KEY-----\\n\"}",
+					IsCause:     true,
+					FirstCause:  true,
+					LastCause:   true,
+				},
+			},
+		},
+	}
+	wantFindingAsymmetricPrivateKey := types.SecretFinding{
+		RuleID:    "private-key",
+		Category:  secret.CategoryAsymmetricPrivateKey,
+		Title:     "Asymmetric Private Key",
+		Severity:  "HIGH",
+		StartLine: 1,
+		EndLine:   1,
+		Match:     "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************-----END RSA PRIVATE",
+		Code: types.Code{
+			Lines: []types.Line{
+				{
+					Number:      1,
+					Content:     "-----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************-----END RSA PRIVATE KEY-----",
+					Highlighted: "-----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************-----END RSA PRIVATE KEY-----",
+					IsCause:     true,
+					FirstCause:  true,
+					LastCause:   true,
+				},
+			},
+		},
+	}
 
 	tests := []struct {
 		name          string
@@ -456,6 +498,22 @@ func TestSecretScanner(t *testing.T) {
 				Findings: []types.SecretFinding{wantFinding5, wantFinding9, wantFinding10},
 			},
 		},
+		{
+			name:          "find Asymmetric Private Key secrets",
+			inputFilePath: "testdata/asymmetric-private-secret.txt",
+			want: types.Secret{
+				FilePath: "testdata/asymmetric-private-secret.txt",
+				Findings: []types.SecretFinding{wantFindingAsymmetricPrivateKey},
+			},
+		},
+		{
+			name:          "find Asymmetric Private Key secrets json",
+			inputFilePath: "testdata/asymmetric-private-secret.json",
+			want: types.Secret{
+				FilePath: "testdata/asymmetric-private-secret.json",
+				Findings: []types.SecretFinding{wantFindingAsymmetricPrivateKeyJson},
+			},
+		},
 		{
 			name:          "include when keyword found",
 			configPath:    "testdata/config-happy-keywords.yaml",

diff --git a/pkg/fanal/secret/testdata/asymmetric-private-secret.json b/pkg/fanal/secret/testdata/asymmetric-private-secret.json
@@ -0,0 +1 @@
+{"key": "-----BEGIN RSA PRIVATE KEY-----\n7eUHc9npsdql24xsVK8huo9VKPu/mrDStv8JYRWP4cSUXWWBx5oGpPBP7uaMgQCx\nuks3gKrUL/3LFndE0egKslgGSkoyYb3iHP1X3IFsOtTQz6ZPmzc=\n-----END RSA PRIVATE KEY-----\n"}
diff --git a/pkg/fanal/secret/testdata/asymmetric-private-secret.txt b/pkg/fanal/secret/testdata/asymmetric-private-secret.txt
@@ -0,0 +1,5 @@
+-----BEGIN RSA PRIVATE KEY-----
+YObVAoGAGsWtK3K2Q4OSf6Z1az3AuDfo8xj9/UBuBQe1Op9RFTXps84foAqEgFwj
+7eUHc9npsdql24xsVK8huo9VKPu/mrDStv8JYRWP4cSUXWWBx5oGpPBP7uaMgQCx
+uks3gKrUL/3LFndE0egKslgGSkoyYb3iHP1X3IFsOtTQz6ZPmzc=
+-----END RSA PRIVATE KEY-----