From 20fcf5009f647b44a2bbc808d2e4ab4032230ecb Mon Sep 17 00:00:00 2001
From: "Baruch Odem (Rothkoff)"
Date: Thu, 9 Nov 2023 22:31:16 +0200
Subject: [PATCH] feat: Hashicorp Terraform fields for password (#1237)
* Hashicorp Terraform fields for password
Fixes #1236
* fix duplicate description
* set caseInsensitive
---
 cmd/generate/config/main.go | 1 +
 cmd/generate/config/rules/hashicorp.go | 24 ++++++++++++++++++++++++
 config/gitleaks.toml | 8 ++++++++
 3 files changed, 33 insertions(+)
diff --git a/cmd/generate/config/main.go b/cmd/generate/config/main.go
index c57fba8b4..800909a52 100644
--- a/cmd/generate/config/main.go
+++ b/cmd/generate/config/main.go
@@ -87,6 +87,7 @@ func main() {
 configRules = append(configRules, rules.GrafanaCloudApiToken())
 configRules = append(configRules, rules.GrafanaServiceAccountToken())
 configRules = append(configRules, rules.Hashicorp())
+ configRules = append(configRules, rules.HashicorpField())
 configRules = append(configRules, rules.Heroku())
 configRules = append(configRules, rules.HubSpot())
 configRules = append(configRules, rules.HuggingFaceAccessToken())
diff --git a/cmd/generate/config/rules/hashicorp.go b/cmd/generate/config/rules/hashicorp.go
index ce883b4ac..fb78bdc55 100644
--- a/cmd/generate/config/rules/hashicorp.go
+++ b/cmd/generate/config/rules/hashicorp.go
@@ -1,6 +1,7 @@
 package rules
 import (
+ "fmt"
 "regexp"
 "github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
@@ -22,3 +23,26 @@ func Hashicorp() *config.Rule {
 }
 return validate(r, tps, nil)
 }
+
+func HashicorpField() *config.Rule {
+ keywords := []string{"administrator_login_password", "password"}
+ // define rule
+ r := config.Rule{
+ Description: "HashiCorp Terraform password field",
+ RuleID: "hashicorp-tf-password",
+ Regex: generateSemiGenericRegex(keywords, fmt.Sprintf(`"%s"`, alphaNumericExtended("8,20")), true),
+ Keywords: keywords,
+ }
+
+ tps := []string{
+ // Example from: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server.html
+ "administrator_login_password = " + `"thisIsDog11"`,
+ // https://registry.terraform.io/providers/petoju/mysql/latest/docs
+ "password = " + `"rootpasswd"`,
+ }
+ fps := []string{
+ "administrator_login_password = var.db_password",
+ `password = "${aws_db_instance.default.password}"`,
+ }
+ return validate(r, tps, fps)
+}
diff --git a/config/gitleaks.toml b/config/gitleaks.toml
index 9bb077b1a..928cc219e 100644
--- a/config/gitleaks.toml
+++ b/config/gitleaks.toml
@@ -2107,6 +2107,14 @@ keywords = [
 "atlasv1",
 ]
+[[rules]]
+id = "hashicorp-tf-password"
+description = "HashiCorp Terraform password field"
+regex = '''(?i)(?:administrator_login_password|password)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}("[a-z0-9=_\-]{8,20}")(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+keywords = [
+ "administrator_login_password","password",
+]
+
 [[rules]]
 id = "heroku-api-key"
 description = "Heroku API Key"
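Review bot: The secret pattern `"[a-z0-9=_\-]{8,20}"` that `alphaNumericExtended("8,20")` expands to (the generated regex is visible in the gitleaks.toml hunk) rejects any value longer than 20 characters or containing punctuation such as `!`, `@`, `#` or `$`, so the strong passwords this rule most needs to catch are exactly the ones it misses, while an 8-character value like `password = "password"` does match. Consider replacing `alphaNumericExtended("8,20")` with a fragment that excludes only the closing quote and whitespace, e.g. `[^"\s]{8,64}` (check that generateSemiGenericRegex inserts the secret pattern verbatim, as the `fmt.Sprintf` wrapping suggests), and add true positives with punctuation and with more than 20 characters to `tps` so the bound is actually exercised. Separately, nothing in the regex ties the `password` keyword to Terraform — the same pattern fires on YAML, Python and shell assignments — and since `administrator_login_password` ends in `password` the first alternation branch and keyword are redundant with the second. If `config.Rule` exposes a path filter (this file already imports `regexp`), restricting to `\.tf(vars)?$` would keep the rule's name and description honest; otherwise the description should say it is a generic password-assignment rule. `HashicorpField` is complete within the hunk.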