Merge branch 'master' into StripeApiKeyAnalyzer

pastepwn/analyzers/__init__.py

@@ -29,6 +29,11 @@
 from .facebookaccesstokenanalyzer import FacebookAccessTokenAnalyzer
 from .base64analyzer import Base64Analyzer
 from .stripeapikeyanalyzer import StripeApiKeyAnalyzer
+from .awssecretkeyanalyzer import AWSSecretKeyAnalyzer
+from .awsaccesskeyanalyzer import AWSAccessKeyAnalyzer
+from .googleoauthkeyanalyzer import GoogleOAuthKeyAnalyzer
+from .slackwebhookanalyzer import SlackWebhookAnalyzer
+
 
 __all__ = (
     'AlwaysTrueAnalyzer',
@@ -59,5 +64,9 @@
     'EmailPasswordPairAnalyzer',
     'FacebookAccessTokenAnalyzer',
     'Base64Analyzer',
-    'StripeApiKeyAnalyzer'
+    'StripeApiKeyAnalyzer',
+    'AWSSecretKeyAnalyzer',
+    'AWSAccessKeyAnalyzer',
+    'GoogleOAuthKeyAnalyzer',
+    'SlackWebhookAnalyzer'
 )

pastepwn/analyzers/awsaccesskeyanalyzer.py

@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+from .regexanalyzer import RegexAnalyzer
+
+
+class AWSAccessKeyAnalyzer(RegexAnalyzer):
+    """
+    Analyzer to match AWS Access Key via regex
+
+    Keys are 20 character alphanumeric /+=
+    """
+    name = "AWSAccessKeyAnalyzer"
+
+    def __init__(self, actions):
+        # https://people.eecs.berkeley.edu/~rohanpadhye/files/key_leaks-msr15.pdf
+        regex = r"\b(A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b"
+        super().__init__(actions, regex)

pastepwn/analyzers/awssecretkeyanalyzer.py

@@ -0,0 +1,15 @@
+# -*- coding: utf-8 -*-
+from .regexanalyzer import RegexAnalyzer
+
+
+class AWSSecretKeyAnalyzer(RegexAnalyzer):
+    """
+    Analyzer to match AWS Secret Key via regex
+
+    Keys are 40 character alphanumeric with a few symbols /+=
+    """
+    name = "AWSSecretKeyAnalyzer"
+
+    def __init__(self, actions):
+        regex = r"\b[A-Za-z0-9/+=]{40}\b"
+        super().__init__(actions, regex)

pastepwn/analyzers/googleoauthkeyanalyzer.py

@@ -0,0 +1,8 @@
+from .regexanalyzer import RegexAnalyzer
+
+
+class GoogleOAuthKeyAnalyzer(RegexAnalyzer):
+
+    def __init__(self, actions):
+        regex = r"[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com"
+        super().__init__(actions, regex)

pastepwn/analyzers/tests/awsaccesskeyanalyzer_test.py

@@ -0,0 +1,65 @@
+# -*- coding: utf-8 -*-
+import unittest
+from unittest import mock
+
+from pastepwn.analyzers.awsaccesskeyanalyzer import AWSAccessKeyAnalyzer
+
+
+class TestAWSAccessKeyAnalyzer(unittest.TestCase):
+    def setUp(self):
+        self.analyzer = AWSAccessKeyAnalyzer(None)
+        self.paste = mock.Mock()
+
+    def test_match_positive(self):
+        """Test if positives are recognized"""
+        # obtained by pastebin search
+        self.paste.body = "AKIAIX2GUZJMJFDZON4A"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+        # obtained by pastebin search
+        self.paste.body = "AKIAJ5OVIVTO7XQ7UWOQ"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+        # obtained by pastebin search
+        self.paste.body = "AKIAJM4DOPAAJWLUJ2PQ"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+        # obtained by pastebin search
+        self.paste.body = "AKIAIKSA47YZNJAY2H6A"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+        self.paste.body = "my super cool hash is AKIAJM4DOPAAJWLUJ2PQ and here's some more text"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+        self.paste.body = "AWS Access Key ID [None]: AKIAIX2GUZJMJFDZON4A"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+        # Newline-separated valid hashes
+        self.paste.body = "AKIAIKSA47YZNJAY2H6A\nAKIAJM4DOPAAJWLUJ2PQ"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+    def test_match_negative(self):
+        """Test if negatives are not recognized"""
+        self.paste.body = ""
+        self.assertFalse(self.analyzer.match(self.paste))
+
+        self.paste.body = None
+        self.assertFalse(self.analyzer.match(self.paste))
+
+        # Invalid character '-'
+        self.paste.body = "AKIAIX2GUZJMJFD-ON4A"
+        self.assertFalse(self.analyzer.match(self.paste))
+
+        # Different prefix
+        self.paste.body = "AKIBIX2GUZJMJFDZON4A"
+        self.assertFalse(self.analyzer.match(self.paste))
+
+        # Invalid length
+        self.paste.body = "AKIAIX2GUZJMJFDZON4"
+        self.assertFalse(self.analyzer.match(self.paste))
+        self.paste.body = "AKIAIX2GUZJMJFDZON4AA"
+        self.assertFalse(self.analyzer.match(self.paste))
+
+
+if __name__ == '__main__':
+    unittest.main()

pastepwn/analyzers/tests/awssecretkeyanalyzer_test.py

@@ -0,0 +1,65 @@
+# -*- coding: utf-8 -*-
+import unittest
+from unittest import mock
+
+from pastepwn.analyzers.awssecretkeyanalyzer import AWSSecretKeyAnalyzer
+
+
+class TestAWSSecretKeyAnalyzer(unittest.TestCase):
+    def setUp(self):
+        self.analyzer = AWSSecretKeyAnalyzer(None)
+        self.paste = mock.Mock()
+
+    def test_match_positive(self):
+        """Test if positives are recognized"""
+        # obtained by pastebin search
+        self.paste.body = "HrNMIhjZDnvkH5YGJpwjq0Flmj8H+dvURedLRjsO"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+        # obtained by pastebin search
+        self.paste.body = "ZGBMmoyRxdhMObx0EuANS9FiS2kG5FwDVLH2XY7y"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+        # obtained by pastebin search
+        self.paste.body = "kYKQ24NoNtmga55G7OVeY/kPAZ7xONl6FfmuXArc"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+        # obtained by pastebin search
+        self.paste.body = "9cf95dacd226dcf43da376cdb6cbba7035218921"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+        self.paste.body = "my super cool hash is 9cf95dacd226dcf43da376cdb6cbba7035218921 and here's some more text"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+        self.paste.body = "AWS Secret Access Key [None]: HrNMIhjZDnvkH5YGJpwjq0Flmj8H+dvURedLRjsO"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+        # Newline-separated valid hashes
+        self.paste.body = "ZGBMmoyRxdhMObx0EuANS9FiS2kG5FwDVLH2XY7y\nHrNMIhjZDnvkH5YGJpwjq0Flmj8H+dvURedLRjsO"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+    def test_match_negative(self):
+        """Test if negatives are not recognized"""
+        self.paste.body = ""
+        self.assertFalse(self.analyzer.match(self.paste))
+
+        self.paste.body = None
+        self.assertFalse(self.analyzer.match(self.paste))
+
+        # Invalid character '-'
+        self.paste.body = "9cf95dacd226dcf43da376cdb6cbb-7035218921"
+        self.assertFalse(self.analyzer.match(self.paste))
+
+        # MD5 Hash
+        self.paste.body = "9e107d9d372bb6826bd81d3542a419d6"
+        self.assertFalse(self.analyzer.match(self.paste))
+
+        # Invalid length
+        self.paste.body = "ZGBMmoyRxdhMObx0EuANS9FiS2kG5FwDVLH2XY7y1"
+        self.assertFalse(self.analyzer.match(self.paste))
+        self.paste.body = "ZGBMmoyRxdhMObx0EuANS9FiS2kG5FwDVLH2XY7"
+        self.assertFalse(self.analyzer.match(self.paste))
+
+
+if __name__ == '__main__':
+    unittest.main()

pastepwn/analyzers/tests/googleoauthkeyanalyzer_test.py

@@ -0,0 +1,57 @@
+import unittest
+from unittest import mock
+
+from pastepwn.analyzers.googleoauthkeyanalyzer import GoogleOAuthKeyAnalyzer
+
+
+class TestGoogleOAuthKeyAnalyzer(unittest.TestCase):
+
+    def setUp(self):
+        self.analyzer = GoogleOAuthKeyAnalyzer(None)
+        self.paste = mock.Mock()
+
+    def test_match_positive(self):
+        """Test if positives are recognized"""
+        # google key dump
+        self.paste.body = "6243-jhgcawesuycgaweiufyugfaiwyesfbaw.apps.googleusercontent.com"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+        # google key dump
+        self.paste.body = "6243-IUFHERIUFHASOEIRUFGHDOZIFUGVDHSF.apps.googleusercontent.com"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+        # google key dump
+        self.paste.body = "6243-18723612873612873621367128736128.apps.googleusercontent.com"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+        # google key dump
+        self.paste.body = "1-jhgcawesuycgaweiufyugfaiwyesfbaw.apps.googleusercontent.com"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+        # google key dump
+        self.paste.body = "6242345234234234234234234233-jhgcawesuycgaweiufyugfaiwyesfbaw.apps.googleusercontent.com"
+        self.assertTrue(self.analyzer.match(self.paste))
+
+    def test_match_negative(self):
+        """Test if negatives are not recognized"""
+        self.paste.body = ""
+        self.assertFalse(self.analyzer.match(self.paste))
+
+        self.paste.body = None
+        self.assertFalse(self.analyzer.match(self.paste))
+
+        # Invalid length
+        self.paste.body = "6243-jhgcawesuycgaweiufyugfaisfbaw.apps.googleusercontent.com"
+        self.assertFalse(self.analyzer.match(self.paste))
+
+        # Invalid numbers
+        self.paste.body = "-jhgcawesuycgaweiufyugfaiwyesfbaw.apps.googleusercontent.com"
+        self.assertFalse(self.analyzer.match(self.paste))
+
+        # Invalid domain
+        self.paste.body = "6243-jhgcawesuycgaweiufyugfaiwyesfbaw.apps.google.com"
+        self.assertFalse(self.analyzer.match(self.paste))
+
+
+if __name__ == '__main__':
+    unittest.main()