From 67977e3c60fdc9fe73f9c56233e9286b4141b06a Mon Sep 17 00:00:00 2001 From: Dimitri Vasdekis Date: Tue, 17 Jan 2023 05:05:46 +0000 Subject: [PATCH 1/8] Initial secret set --- cmd/generate/config/rules/azure.go | 511 +++++++++++++++++++++++++++++ 1 file changed, 511 insertions(+) create mode 100644 cmd/generate/config/rules/azure.go diff --git a/cmd/generate/config/rules/azure.go b/cmd/generate/config/rules/azure.go new file mode 100644 index 000000000..68b49b545 --- /dev/null +++ b/cmd/generate/config/rules/azure.go 
@@ -0,0 +1,511 @@
+package rules
+
+import (
+ "github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
+ "github.com/zricethezav/gitleaks/v8/config"
+)
+
+// Rules come from https://www.powershellgallery.com/packages/AzSK.AzureDevOps/0.9.8/Content/Framework%5CConfigurations%5CSVT%5CAzureDevOps%5CCredentialPatterns.xml
+// Only rules with 'ContentSearchPatterns' have been used.
+
+func AzureBase64EncodedCertificate() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "CSCAN0020 - Found Azure base64 encoded certificate with private key in source file. Validate file contains secrets, remove, roll credential, and use approved store.",
+ RuleID: "azure-base64-encoded-certificate",
+ SecretGroup: 1,
+ Regex: generateUniqueTokenRegex(`MII[a-z0-9=_\-]{200}`),
+ Keywords: []string{"MII"},
+
+ }
+
+ tps := []string{
+ generateSampleSecret("azure-base64-encoded-certificate",
+ "MII" + secrets.NewSecret(alphaNumeric("200"))),
+ }
+ return validate(r, tps, nil)
+}
+
+func AzureAppServiceDeploymentSecrets() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "CSCAN0030 - Found Azure app service deployment secrets in publish settings file. Validate file contains secrets, remove, roll credential, and use approved store.",
+ RuleID: "azure-app-service-deployment-secrets",
+ SecretGroup: 1,
+ Regex: generateUniqueTokenRegex(`MII[a-z0-9=_\-]{200}`),
+ Keywords: []string{"MII"},
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("azure-app-service-deployment-secrets",
+ "MII" + secrets.NewSecret(alphaNumeric("200"))),
+ }
+ return validate(r, tps, nil)
+}
+
+func AzureStorageCredential1() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "CSCAN0030 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.",
+ RuleID: "azure-storage-credential-1",
+ SecretGroup: 1,
+ Regex: generateUniqueTokenRegex(`\n[ \t]{0,50}(//|/\*)[ \t]{0,10}[a-zA-Z0-9/+]{86}==`),
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("azure-storage-credential-1",
+ "MII" + secrets.NewSecret(alphaNumeric("200"))),
+ }
+ return validate(r, tps, nil)
+}
+
+func AzureStorageCredential2() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "CSCAN0030 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.",
+ RuleID: "azure-storage-credential-2",
+ SecretGroup: 1,
+ Regex: generateUniqueTokenRegex(`\n[ \t]{0,50}(//|/\*)[ \t]{0,10}[a-zA-Z0-9/+]{43}=[^{@\d%]`),
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("azure-storage-credential-2",
+ "MII" + secrets.NewSecret(alphaNumeric("200"))),
+ }
+ return validate(r, tps, nil)
+}
+
+func AzureStorageCredential3() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "CSCAN0030 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.",
+ RuleID: "azure-storage-credential-3",
+ SecretGroup: 1,
+ Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,400}[>|'|=|"][a-zA-Z0-9/+]{86}==`),
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("azure-storage-credential-3",
+ "MII" + secrets.NewSecret(alphaNumeric("200"))),
+ }
+ return validate(r, tps, nil)
+}
+
+func AzureStorageCredential4() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "CSCAN0030 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.",
+ RuleID: "azure-storage-credential-4",
+ SecretGroup: 1,
+ Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,400}[>|'|=|"][a-zA-Z0-9/+]{43}=[^{@\d%]`),
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("azure-storage-credential-4",
+ "MII" + secrets.NewSecret(alphaNumeric("200"))),
+ }
+ return validate(r, tps, nil)
+}
+
+
+func AzureStorageCredential5() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "CSCAN0030 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.",
+ RuleID: "azure-storage-credential-5",
+ SecretGroup: 1,
+ Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,800}((sig|SIG|sas|SAS|([pP]ass[wW]ord|PASSWORD))=|>)[a-zA-Z0-9%]{43,53}%3[dD][^{a-zA-Z0-9%]`),
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("azure-storage-credential-5",
+ "MII" + secrets.NewSecret(alphaNumeric("200"))),
+ }
+ return validate(r, tps, nil)
+}
+
+
+func AzureStorageCredential6() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "CSCAN0030 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.",
+ RuleID: "azure-storage-credential-6",
+ SecretGroup: 1,
+ Regex: generateUniqueTokenRegex(`\n.*(([uU]ser|USER) ?([iI]d|ID|[nN]ame|NAME)|[uU]id|UID)=.{2,128}?\s*?;\s*?(([pP]ass[wW]ord|PASSWORD)|([pP]wd|PWD))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|')`),
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("azure-storage-credential-6",
+ "MII" + secrets.NewSecret(alphaNumeric("200"))),
+ }
+ return validate(r, tps, nil)
+}
+
+func AzureStorageCredential7() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "CSCAN0030 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.",
+ RuleID: "azure-storage-credential-7",
+ SecretGroup: 1,
+ Regex: generateUniqueTokenRegex(`AccountKey\s*=\s*MII[a-zA-Z0-9/+]{43,}?={0,2}`),
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("azure-storage-credential-7",
+ "AccountKey = MII" + secrets.NewSecret(alphaNumeric("43"))),
+ }
+ return validate(r, tps, nil)
+}
+
+func AzureStorageCredential8() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "CSCAN0100 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.",
+ RuleID: "azure-storage-credential-8",
+ SecretGroup: 1,
+ Regex: generateUniqueTokenRegex(`<XstoreAccountInfo[ -~"\s\S\n\r\t]+accountSharedKey\s*=\s*"[^"]{30}[ -~"\s\S\n\r\t]+/>`),
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("azure-storage-credential-8",
+ "AccountKey = MII" + secrets.NewSecret(alphaNumeric("43"))),
+ }
+ return validate(r, tps, nil)
+}
+
+func AzureStorageCredential9() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "CSCAN0100 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.",
+ RuleID: "azure-storage-credential-9",
+ SecretGroup: 1,
+ Regex: generateUniqueTokenRegex(`<ServiceBusAccountInfo[ -~"\s\S\n\r\t]+connectionString\s*=\s*"[^"]{30}[ -~"\s\S\n\r\t]+/>`),
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("azure-storage-credential-9",
+ "AccountKey = MII" + secrets.NewSecret(alphaNumeric("43"))),
+ }
+ return validate(r, tps, nil)
+}
+
+// CSCAN0050, CSCAN0060, CSCAN0070 - covered in PrivateKey.go
+
+// CSCAN0080 looks for 'Password' in XML file
+
+func AzurePassword1() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file. Validate file contains secrets, remove, roll credential, and use approved store.",
+ RuleID: "azure-password-1",
+ SecretGroup: 1,
+ Regex: generateUniqueTokenRegex(`AccountKey\s*=\s*MII[a-zA-Z0-9/+]{43,}?={0,2}`),
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("azure-password-1",
+ "AccountKey = MII" + secrets.NewSecret(alphaNumeric("43"))),
+ }
+ return validate(r, tps, nil)
+}
+
+
+//
+// ConfigFile
+// CSCAN0090
+// \.(config|cscfg|conf|json|jsx?|txt|cpp|sql|dtsx|md|java|FF|template|settings|ini|BF|ste|isml|test|tsx?|resx|Azure|sample|backup|rd|hpp|psm1|cshtml|htm|bat|waz|yml|Beta|sh|m|php|py|xaml|keys|cmd|rds|loadtest|properties|vbs|ccf|user)$|(hubot|project.params)
+//
+//
+// (decryptionKey|validationKey)="[a-zA-Z0-9]+"
+// <add\skey="[^"]*([kK][eE][yY]([sS]|[0-9])?|([cC]redential|CREDENTIAL)[sS]?|([sS]ecret|SECRET)(s|S|[0-9])?|[pP]ass[wW]ord|PASSWORD|[tT]oken|TOKEN|([kK]ey|KEY)([pP]rimary|PRIMARY|[sS]econdary|SECONDARY|[oO]r[sS]as|SAS|[eE]ncrypted|ENCRYPTED))"\s*value\s*="[^"]+"
+// <add\skey="[^"]+"\s*value="[^"]*([eE]ncrypted|ENCRYPTED).?([sS]ecret|SECRET)[^"]+"\s*/>
+// ([cC]onnection[sS]tring|[cC]onn[sS]tring)[^=]*?=["'][^"']*?([pP]ass[wW]ord|PASSWORD)=[^\$\s;][^"'\s]*?(;|")
+// [vV]alue\s?=\s?"((([A-Za-z0-9+/]){4}){1,200})=="
+// \n[^\r\n]{0,400}(>|'|=|")[a-zA-Z0-9/+]{86}==
+// \n[^\r\n]{0,400}(>|'|=|")[a-zA-Z0-9/+]{43}=[^{@]
+// \n[^\r\n]{0,800}((sig|SIG|sas|SAS|([pP]ass[wW]ord|PASSWORD))=|>)[a-zA-Z0-9%]{43,53}%3[dD][^{a-zA-Z0-9%]
+// \n.*(([uU]ser|USER) ?([iI]d|ID|[nN]ame|NAME)|[uU]id|UID)=.{2,128}?\s*?;\s*?(([pP]ass[wW]ord|PASSWORD)|([pP]wd|PWD))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|')
+// <[cC]redential\sname="[^"]*([kK][eE][yY]([sS]|[0-9])?|[cC]redential(s)?|[sS]ecret(s|[0-9])?|[pP]ass[wW]ord|PASSWORD|[tT]oken|[kK]ey([pP]rimary|[sS]econdary|[oO]r[sS]as|[eE]ncrypted))"(\s*value\s*="[^"]+".*?/>|[^>\s]*>.*?</[cC]redential>)
+// <[sS]etting\sname="[^"]*[pP]ass[wW]ord".*[\r\n]*\s*<[vV]alue>.+</[vV]alue>
+// 
(?s)<SSIS:Parameter\n?\s*SSIS:Name="[pP]ass[wW]ord">.*?<SSIS:Property\n?\s*SSIS:Name="[vV]alue">[^><#$\[\{\(]+</SSIS:Property> +// <SSIS:Property\n?\s*SSIS:Name="[vV]alue">.*["'][pP]ass[wW]ord["']:["'][^"']+["'] +// +// +// +// Key Patterns ContentFilters +// +// key\s*=\s*"[^"]*AppKey[^"]*"\s+value\s*=\s*"[a-z]+" +// key\s*=\s*"(?<keygroup>[^"]*)"\s+value\s*=\s*"[^"]*\k<keygroup>" +// value\s*=\s*"(([a-z]+_[a-z]+)+"|[a-z]+( [a-z]+)+"|_+[a-z]+_+"|[a-z]+-[a-z]+-[a-z]+["-]|[a-z]+-[a-z]+"|[a-z]+\\[a-z]+"|\d+"|[^"]*ConnectionString") +// AccountKey\s*=\s*MII[a-zA-Z0-9/+]{43,}={0,2} +// Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(Password|pwd|secret|credentials?)(Key|Location)|KeyManager|fake|vault +// value="(true|false|@\(api|ssh\-rsa 2048|invalid|to be|a shared secret|secreturi|clientsecret|Overr?idden by|someValue|SOME\-SIGNING\-KEY|TokenBroker|UNKNOWN|Client Secret of|Junk Credentials|Default\-|__BOOTSTRAPKEY_|CacheSecret|CatalogCert|CosmosCredentials|DeleteServiceCert|EmailCredentials|MetricsConnection|SangamCredentials|SubscriptionConnection|Enter_your_|My_Issuer|ScaleUnitXstoreSharedKey|private_powerapps|TestSecret|foo_|bar_|temp_|__WinfabricTestInfra|configured|SecretFor|Test|XSTORE_KEY|ServiceBusDiagnosticXstoreSharedKey|BoxApplicationKey|googleapps) +// (SecurityHashcode|_AppKey"|((credential|password|token)s?|(Account|access)Key=)"[\s\r\n]*/|username"\s*value="|\.dll|(Secret|Token|Key|Credential)s?(Encryption|From|(Signing)?Certificate|Options|Thumbprint|Contacts|String|UserId)|Key(1;value1|word|s?Path|Index|Id|Store|WillDoWithoutValidation|:NamePattern|Name"|Ref")|(Secret|Credential)s?(Name|Path)"|(StrongName|Chaos\s?Mon|Redis|Registry|Registery|User|Insights?|Instrumentation|Match\()Key|(Certificate|cert)(Issuer|Subject)|rollingdate|skuId|HKEY_|AddServicePrincipalCredentials|Password Resets|SecretStore|(0|x|\*){8,}) +// =(?<c>.)\k<c>{3,} +// (password|pwd)=<[a-z0-9]+> 
+// +// +// +// Found password, symmetric key or storage credential in source file. +// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan +// 3 +// Microsoft.Art.ContentSearch.SymmetricKeyValidator, Microsoft.Art.ContentSearch +// + + + + +// ScriptPassword +// CSCAN0110 +// (\.cmd|\.ps|\.ps1|\.psm1)$ +// +// \s-([pP]ass[wW]ord|PASSWORD)\s+("[^"\r\n]*"|'[^'\r\n]*') +// \s-([pP]ass[wW]ord|PASSWORD)\s+[^$\(\)\[\{<\-\r\n]+\s*(\r\n|\-) +// +// Found potential password in script file. +// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan +// 3 +// +// +// GeneralPassword +// CSCAN0111 +// \.(asax|ascx|aspx|bak|c|cmd|conf|cpp|cs|dart|dsql|hpp|html|idl|iis|ini|ja|java|jsx?|md|mef|omi|php|pl|pm|ps1|psm1|py|rb|resx|sh|shf|sql|svc|test|trx|tsx?|txt|vbs|xml)$ +// +// [a-zA-Z_\s](([pP]ass[wW]ord)PASSWORD|([cC]lient|CLIENT|[aA]pp|APP)_?([sS]ecret|SECRET))\s{0,3}=\s{0,3}['"][^\s"']{2,200}?['"][;\s] +// +// +// +// FalsePositiveCases +// +// ['"](yes|no|true|false)['"] +// placeholder +// ['"](?<c>.)\k<c>{3,} +// \s\+\s +// ['"][%\$#@].*[%\$#@]?['"] +// ['"]\$?[\{\(\[\<].*[\}\)\]\>]['"] +// ['"]\$\d['"] +// ['"]\s?([^\s'"]+?\s)+([^\s'"]+?)?['"] +// ['"]\s+['"] +// ['"]\\0['"] +// \{\d\} +// -1 +// vault|param|attribute|any|['"]\"['"]|foo|bar|fake|example|here|invalid|\*\*\* +// +// +// +// Found potential password in script file. +// Validate file contains secrets, remove, roll credential, and use approved store. 
For additional information on secret remediation see https://aka.ms/credscan +// 3 +// +// +// ExternalApiSecret +// CSCAN0120 +// \.cs$|\.cpp$|\.c$ +// +// private\sconst\sstring\s[aA]ccessTokenSecret\s=\s".*"; +// private\sconst\sstring\s[aA]ccessToken\s=\s".*"; +// private\sconst\sstring\s[cC]onsumerSecret\s=\s".*"; +// private\sconst\sstring\s[cC]onsumerKey\s=\s".*"; +// FacebookClient\([pP]ageAccessToken\); +// [pP]ageAccessToken\s=\s".*"; +// private\sstring\s[tT]wilioAccountSid\s=\s".*"; +// private\sstring\s[tT]wilioAuthToken\s=\s".*"; +// +// Found potential external API secret in source file. +// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan +// 3 +// +// +// MonitoringAgent +// CSCAN0130 +// AgentConfig\.xml$ +// +// Account moniker\s?=.*key\s?=.* +// +// +// +// Auto Key Patterns ContentFilters +// +// autoKey +// %s +// +// +// +// Found storage credential in MonitoringAgent config file. +// Validate file contains secrets, remove, roll credential, and use approved store. 
For additional information on secret remediation see https://aka.ms/credscan +// 3 +// +// +// DefaultPassword +// CSCAN0140 +// \.(cs|xml|config|json|tsx?|cfg|txt|ps1|bat|cscfg|rdg|linq|publishsettings|cmd|psm1|aspx|asmx|vbs|added_cluster|clean|pubxml|ccf|ini|svd|sql|c|xslt|csv|FF|ExtendedTests|settings|cshtml|template|trd|argfile|scala|pbix)$|(config|certificate|publish|UT)\.js$|(commands|user|tests)\.cpp$ +// +// T!T@n1130|[pP]0rsche911|[cC]o[mM][mM]ac\!12|[pP][aA]ss@[wW]or[dD]1|[rR]dP[aA]\$\$[wW]0r[dD]|iis6\!dfu|[pP]@ss[wW]or[dD]1|[pP][aA]\$\$[wW]or[dD]1|\!\!123ab|[aA]dmin123|[pP]@ss[wW]0r[dD]1|[uU]ser@123|[aA]bc@123|[pP][aA]ss[wW]or[dD]@123|[rR]dP@\$\$[wW]0r[dD]|homerrocks|[pP][aA]\$\$[wW]0r[dD]1?|\![pP][aA]sswor[dD]1|[pP][aA]55[wW]or[dD]1|[pP]@\$\$[wW]0r[dD]1|[pP][aA]ss[wW]0r[dD]1|[jJ]\$p1ter|[rR]dP[aA]ss[wW]0r[dD]|Y29NbWFjITEy|[pP][aA]ss4Sales|[rR]dPa\$\$[wW]or[dD]|\![pP]@ss[wW]0r[dD]1|WS2012R2R0cks\!|DSFS0319Test|March2010M2\!|[pP][aA]ss[wW]ord~1|UL0brlXlp_r8vG6iiRvCcsFDfu6bJ6KK|7\-Tdh3Klrec4dJbOyONDOkCQ84BWN1JN|\$mCertPwd|[pP][aA]\$\$[wW]or[dD]!|2012\$erver!|2008\$erver!|#Bugsfor\$|ITG2Install!|[rR]dP[aA]\$\$[wW]0r[dD]|T!T@n113000|T!T@n1130T!T@n1130|TitanP[wW][dD]%|ChocoCheese!|n1130@T!T|[mM]icr0s0ft|test1test!|123@tieorg|IWantYouToTripLikeIDo!\?|homerocks|[eE]lvis1|S_MSLocal~!@#|([uU]ser|USER)@123 +// +// Found known password in source file. +// Validate file contains secrets, remove, roll credential, and use approved store. 
For additional information on secret remediation see https://aka.ms/credscan +// 3 +// +// +// AzureSecret +// CSCAN0150 +// \.(xml|pubxml|definitions|ps1|wadcfgx|cmd|ccf|pbix)$ +// +// userPWD="[a-zA-Z0-9]{60}" +// \n[^\r\n]{0,400}(>|'|=|")[a-zA-Z0-9/+]{43}=[^{@] +// \n[^\r\n]{0,400}(>|'|=|"|#)[a-zA-Z0-9/+]{86}== +// \n[^\r\n]{0,800}(([tT]oken|TOKEN|[sS]ecret|SECRET|sig|SIG|sas|SAS|([pP]ass[wW]ord|PASSWORD))=|>)[a-zA-Z0-9%]{43,53}%3[dD][^{a-zA-Z0-9%] +// \n.*(([uU]ser|USER) ?([iI]d|ID|[nN]ame|NAME)|[uU]id|UID)=.{2,128}?\s*?;\s*?(([pP]ass[wW]ord|PASSWORD)|([pP]wd|PWD))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|') +// +// +// +// Key Patterns ContentFilters +// +// AccountKey\s*=\s*MII[a-zA-Z0-9/+]{43,}={0,2} +// =(?<c>.)\k<c>{3,} +// (password|pwd)=<[a-z0-9]+> +// +// +// +// Found symmetric key or storage credential in source file. +// Validate file contains secrets, remove, roll credential, use an approved secret store. +// 3 +// Microsoft.Art.ContentSearch.SymmetricKeyValidator, Microsoft.Art.ContentSearch +// +// +// DomainPassword +// CSCAN0160 +// \.cs$|\.c$|\.cpp$|\.ps1$|\.ps$|\.cmd$|\.bat$|\.log$|\.psd$|\.psm1$ +// +// 
NetworkCredential\(.*,.*,([cC][oO][rR][pP]|[eE][uU][rR][oO][pP][eE]|[mM][iI][dD][dD][lL][eE][eE][aA][sS][tT]|[nN][oO][rR][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[sS][oO][uU][tT][hH][pP][aA][cC][iI][fF][iI][cC]|[sS][oO][uU][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[fF][aA][rR][eE][aA][sS][tT]|[aA][fF][rR][iI][cC][aA]|[rR][eE][dD][mM][oO][nN][dD]|[eE][xX][cC][hH][aA][nN][gG][eE]|[eE][xX][tT][rR][aA][nN][eE][tT]|[pP][aA][rR][tT][nN][eE][rR][sS]|[eE][xX][tT][rR][aA][nN][eE][tT][tT][eE][sS][tT]|[pP][aA][rR][tT][tT][eE][sS][tT]|[nN][oO][eE]|[nN][tT][dD][eE][vV]|[nN][tT][wW][kK][sS][tT][aA]|[sS][yY][sS]\-[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][dD][eE][pP][lL][oO][yY]|[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][sS][eE]|[sS][eE][gG][rR][oO][uU][pP]|[xX][cC][oO][rR][pP]|[xX][rR][eE][pP]|[pP][hH][xX]|[gG][mM][eE]|[uU][sS][mM][eE]|[cC][dD][oO][cC][iI][dD][mM]|[mM][sS][lL][pP][aA])\\.* +// [nN][eE][tT]\s[uU][sS][eE].*\/[uU]\:([cC][oO][rR][pP]|[eE][uU][rR][oO][pP][eE]|[mM][iI][dD][dD][lL][eE][eE][aA][sS][tT]|[nN][oO][rR][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[sS][oO][uU][tT][hH][pP][aA][cC][iI][fF][iI][cC]|[sS][oO][uU][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[fF][aA][rR][eE][aA][sS][tT]|[aA][fF][rR][iI][cC][aA]|[rR][eE][dD][mM][oO][nN][dD]|[eE][xX][cC][hH][aA][nN][gG][eE]|[eE][xX][tT][rR][aA][nN][eE][tT]|[pP][aA][rR][tT][nN][eE][rR][sS]|[eE][xX][tT][rR][aA][nN][eE][tT][tT][eE][sS][tT]|[pP][aA][rR][tT][tT][eE][sS][tT]|[nN][oO][eE]|[nN][tT][dD][eE][vV]|[nN][tT][wW][kK][sS][tT][aA]|[sS][yY][sS]\-[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][dD][eE][pP][lL][oO][yY]|[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][sS][eE]|[sS][eE][gG][rR][oO][uU][pP]|[xX][cC][oO][rR][pP]|[xX][rR][eE][pP]|[pP][hH][xX]|[gG][mM][eE]|[uU][sS][mM][eE]|[cC][dD][oO][cC][iI][dD][mM]|[mM][sS][lL][pP][aA])\\.* +// 
[sS][cC][hH][tT][aA][sS][kK][sS].*/[rR][uU]\s([cC][oO][rR][pP]|[eE][uU][rR][oO][pP][eE]|[mM][iI][dD][dD][lL][eE][eE][aA][sS][tT]|[nN][oO][rR][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[sS][oO][uU][tT][hH][pP][aA][cC][iI][fF][iI][cC]|[sS][oO][uU][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[fF][aA][rR][eE][aA][sS][tT]|[aA][fF][rR][iI][cC][aA]|[rR][eE][dD][mM][oO][nN][dD]|[eE][xX][cC][hH][aA][nN][gG][eE]|[eE][xX][tT][rR][aA][nN][eE][tT]|[pP][aA][rR][tT][nN][eE][rR][sS]|[eE][xX][tT][rR][aA][nN][eE][tT][tT][eE][sS][tT]|[pP][aA][rR][tT][tT][eE][sS][tT]|[nN][oO][eE]|[nN][tT][dD][eE][vV]|[nN][tT][wW][kK][sS][tT][aA]|[sS][yY][sS]\-[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][dD][eE][pP][lL][oO][yY]|[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][sS][eE]|[sS][eE][gG][rR][oO][uU][pP]|[xX][cC][oO][rR][pP]|[xX][rR][eE][pP]|[pP][hH][xX]|[gG][mM][eE]|[uU][sS][mM][eE]|[cC][dD][oO][cC][iI][dD][mM]|[mM][sS][lL][pP][aA]).*/[rR][pP].* +// [nN]ew-[oO]bject\s*System.Net.NetworkCredential\(.*?,\s*"[^"]+" +// +// +// +// Placeholder ContentFilters +// +// %1% +// \$MIGUSER_PASSWORD +// %miguser_pwd% +// +// +// +// Found domain credential in source file. +// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan +// 3 +// +// +// EncryptedPassword +// CSCAN0200 +// \.ini$ +// +// [eE][nN][cC]_[uU][sS][eE][rR][nN][aA][mM][eE]=[\w]+[\r\n]+[eE][nN][cC]_[pP][aA][sS][sS][wW][oO][rR][dD]=[\w]+ +// +// Found DevDiv TFVC repo secrets. +// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan +// 2 +// Microsoft.Art.ContentSearch.EncodedUserNameExtractor, Microsoft.Art.ContentSearch +// +// +// GitCredential +// CSCAN0210 +// \.gitCredentials$ +// +// [hH][tT][tT][pP][sS]?://.+:.+@\[^/].[cC][oO][mM] +// +// Found Git repo credentials. 
+// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan +// 2 +// +// +// DefaultPasswordContexts +// CSCAN0220 +// \.(cs|xml|config|json|tsx?|cfg|txt|ps1|bat|cscfg|publishsettings|cmd|psm1|aspx|asmx|vbs|added_cluster|clean|pubxml|ccf|ini|svd|sql|c|xslt|csv|FF|ExtendedTests|settings|cshtml|template|trd|argfile|scala|rdg|linq|hql|go|rs|pl|java|php|py|vb)$|(config|certificate|publish|UT)\.js$|(commands|user|tests)\.cpp$ +// +// [cC]onvert[tT]o-[sS]ecure[sS]tring(\s*-[sS]tring)?\s*"(?<scoringvalue>[^"\r\n]+)" +// new\sX509Certificate2\([^()]*,\s*"(?<scoringvalue>[^"\r\n]+)"[^)]*\) +// <[pP]ass[wW]ord>(<[vV]alue>)?(?<scoringvalue>.+)(</[vV]alue>)?</[pP]ass[wW]ord> +// ([cC]lear[tT]ext[pP]ass[wW]ord|CLEARTEXTPASSWORD)(")?\s*[:=]\s*"(?<scoringvalue>[^"\r\n]+)" +// [cC]ert[uU]til(.exe)?\s+(\-[a-zA-Z]+\s+)*\-[pP]\s+(?<quote>["'])(?<scoringvalue>[^"'%]+)\k<quote> +// [cC]ert[uU]til(.exe)?\s+(\-[a-zA-Z]+\s+)*\-[pP]\s+(?<scoringvalue>[^"']\S*)\s +// ([pP]ass[wW]ord|PASSWORD)\s*=\s*[nN]?(?<quote>["'])(?<scoringvalue>[^"'\r\n]{4,})\k<quote> +// +// +// +// DefaultPasswordContexts Content Filter +// +// <value></value> +// ['"]\$?[\{\(\[\<].*[\}\)\]\>]['"] +// +// +// +// Found known password context with password in source file. +// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan +// 3 +// Microsoft.Art.ContentSearch.PasswordContextValidator, Microsoft.Art.ContentSearch +// +// +// SlackToken +// CSCAN0230 +// \.(ps1|psm1|jsx?|tsx?|json|coffee|xml|md|html|py|php|java|ipynb|rb|scala)$|hubot +// +// xoxp-[a-zA-Z0-9]+-[a-zA-Z0-9]+-[a-zA-Z0-9]+-[a-zA-Z0-9]+ +// xoxb-[a-zA-Z0-9]+-[a-zA-Z0-9]+ +// +// Found slack token in source file. +// Validate file contains secrets, remove, roll credential, and use approved store. 
For additional information on secret remediation see https://aka.ms/credscan +// 3 +// +// +// VstsPersonalAccessToken +// CSCAN0240 +// \.(azure|bat|cmd|config|cpp|cs|cscfg|definitions|dtsx|ini|java|jsx?|json|keys|loadtest|m|md|php|properties|ps1|psm1|pubxml|py|resx|sample|sql|ste|test|tsx?|txt|waz|xml)$ +// +// ([aA]ccess_?[tT]oken|ACCESS_?TOKEN).*?['="][a-z2-7]{52}('|"|\s|[\r\n]+) +// [pP]ass[wW]ord\s+[a-z2-7]{52}(\s|[\r\n]+) +// ([aA]ccess_?[tT]oken|ACCESS_?TOKEN).*?[>|'|=|"][a-zA-Z0-9/+]{70}== +// +// Found Vsts personal access token in source file. +// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan +// 3 +// Microsoft.Art.ContentSearch.Base64EncodedVstsAccessTokenValidator, Microsoft.Art.ContentSearch +// + +// CSCAN0250 - covered in jwt.go + +// +// AnsibleVault +// CSCAN0260 +// \.yml$ +// +// \$ANSIBLE_VAULT;[0-9]\.[0-9];AES256[\r\n]+[0-9]+ +// +// Found ansible vault in source file. +// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan +// 3 +// +// +// AzurePowerShellTokenCache +// CSCAN0270 +// \.json$ +// +// ["']TokenCache["']\s*:\s*\{\s*["']CacheData["']\s*:\s*["'][a-zA-Z0-9/\+]{86} +// +// Found Azure Subscription Token Cache. +// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan +// 3 +// + From cb4d7e55b48a60083e6e1e2f13de35db06d72516 Mon Sep 17 00:00:00 2001 From: Dimitri Vasdekis Date: Tue, 17 Jan 2023 05:29:41 +0000 Subject: [PATCH 2/8] Covered off all rule types in comments --- .gitignore | 9 ++ cmd/generate/config/rules/azure.go | 200 +++++++---------------------- 2 files changed, 56 insertions(+), 153 deletions(-) diff --git a/.gitignore b/.gitignore index 49abd80e2..67b6c8b6b 100644 --- a/.gitignore +++ b/.gitignore 
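Review bot: The sample secrets handed to validate() in AzureStorageCredential1 through AzureStorageCredential6, AzureStorageCredential8 and AzureStorageCredential9 do not have the shape their own Regex requires — each reuses `"MII" + secrets.NewSecret(alphaNumeric("200"))` or `"AccountKey = MII" + secrets.NewSecret(alphaNumeric("43"))`, while the patterns expect a comment-prefixed 86-character base64 value ending in `==`, a `sig=`/`sas=`/`Password=` query value, a `User ID=…;Password=…` connection string, or an `<XstoreAccountInfo … accountSharedKey="…"/>` element. If validate() asserts that every tps entry matches (I cannot see its body here), generation will fail for these rules; if it does not, nothing in this file shows that these regexes fire at all, so each rule needs a sample built from its own pattern the way AzureStorageCredential7 does. Separately, AzureAppServiceDeploymentSecrets reuses AzureBase64EncodedCertificate's exact Regex `MII[a-z0-9=_\-]{200}`, so one certificate will be reported twice, and that class omits uppercase letters, `+` and `/`, which base64 DER encodings contain — unless generateUniqueTokenRegex adds a case-insensitive flag, genuine certificates will mostly not match, and a `[A-Za-z0-9+/=]` class would be the safer choice.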
@@ -18,3 +18,12 @@ cmd/generate/config/gitleaks.toml *.out dist/ + +# Hugo build files (created automatically by VSCode Go extension) +.hugo_build.lock + +# Hugo Sitemap.xml files (created automatically by VSCode Go extension) +public/index.xml +public/sitemap.xml +public/categories/index.xml +public/tags/index.xml \ No newline at end of file
diff --git a/cmd/generate/config/rules/azure.go b/cmd/generate/config/rules/azure.go
index 68b49b545..f27074754 100644
--- a/cmd/generate/config/rules/azure.go
+++ b/cmd/generate/config/rules/azure.go
@@ -199,6 +199,24 @@ func AzureStorageCredential9() *config.Rule {
 return validate(r, tps, nil)
 }
 
+func AzureStorageCredential10() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "CSCAN0130 - Found Azure storage credential in MonitoringAgent config file. Validate file contains secrets, remove, roll credential, and use approved store.",
+ RuleID: "azure-storage-credential-10",
+ SecretGroup: 1,
+ Regex: generateUniqueTokenRegex(`Account moniker\s?=.*key\s?=.*`),
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("azure-storage-credential-10",
+ "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")),
+ }
+ return validate(r, tps, nil)
+}
+
+
 // CSCAN0050, CSCAN0060, CSCAN0070 - covered in PrivateKey.go
 
 // CSCAN0080 looks for 'Password' in XML file
@@ -209,7 +227,7 @@ func AzurePassword1() *config.Rule {
 Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file. Validate file contains secrets, remove, roll credential, and use approved store.",
 RuleID: "azure-password-1",
 SecretGroup: 1,
- Regex: generateUniqueTokenRegex(`AccountKey\s*=\s*MII[a-zA-Z0-9/+]{43,}?={0,2}`),
+ Regex: generateUniqueTokenRegex(`<machineKey[^>]+(decryptionKey\s*\=\s*"[a-fA-F0-9]{48,}|validationKey\s*\=\s*"[a-fA-F0-9]{48,})[^>]+>`),
 }
 
 // validate
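Review bot: The sample for AzureStorageCredential10, `"decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")`, cannot satisfy the rule's Regex `Account moniker\s?=.*key\s?=.*` — it contains neither `Account moniker` nor a `key=` segment — and the closing quote is passed into alphaNumeric() instead of being appended to the generated secret. A sample shaped like the pattern, e.g. `"Account moniker=" + secrets.NewSecret(alphaNumeric("16")) + " key=" + secrets.NewSecret(alphaNumeric("44"))`, would let validate() actually exercise the rule. The trailing `.*` also runs the match to the end of the line, so depending on how generateUniqueTokenRegex groups the expression, SecretGroup 1 may report everything after `key=` rather than the key alone; a bounded value class such as `key\s?=\s?[^\s;"']+` keeps the finding to the credential itself.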
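Review bot: The new `<machineKey…>` Regex for AzurePassword1 no longer matches the rule's own sample, which still reads `"AccountKey = MII" + secrets.NewSecret(alphaNumeric("43"))` in the validate block just below this hunk (outside it), so the rule's true-positive check is now out of step with its pattern. The sample should be rewritten to the machineKey shape the expression accepts, e.g. `"<machineKey decryptionKey=\"" + secrets.NewSecret(hex("48")) + "\" validation=\"SHA1\"/>"` if the rules package provides a hex() helper, otherwise a literal 48-hex-digit placeholder. Note the pattern also requires at least one character between the key value and the closing `>` (`[^>]+>`), so a sample that ends directly in `">` would be rejected.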
@@ -220,6 +238,22 @@ func AzurePassword1() *config.Rule {
 return validate(r, tps, nil)
 }
 
+func AzurePassword2() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file. Validate file contains secrets, remove, roll credential, and use approved store.",
+ RuleID: "azure-password-2",
+ SecretGroup: 1,
+ Regex: generateUniqueTokenRegex(`(decryptionKey|validationKey)=['][a-zA-Z0-9][']`),
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("azure-password-2",
+ "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")),
+ }
+ return validate(r, tps, nil)
+}
 
 //
 // ConfigFile
@@ -227,7 +261,7 @@ func AzurePassword1() *config.Rule {
 // \.(config|cscfg|conf|json|jsx?|txt|cpp|sql|dtsx|md|java|FF|template|settings|ini|BF|ste|isml|test|tsx?|resx|Azure|sample|backup|rd|hpp|psm1|cshtml|htm|bat|waz|yml|Beta|sh|m|php|py|xaml|keys|cmd|rds|loadtest|properties|vbs|ccf|user)$|(hubot|project.params)
 //
 //
-// (decryptionKey|validationKey)="[a-zA-Z0-9]+"
+//
 // <add\skey="[^"]*([kK][eE][yY]([sS]|[0-9])?|([cC]redential|CREDENTIAL)[sS]?|([sS]ecret|SECRET)(s|S|[0-9])?|[pP]ass[wW]ord|PASSWORD|[tT]oken|TOKEN|([kK]ey|KEY)([pP]rimary|PRIMARY|[sS]econdary|SECONDARY|[oO]r[sS]as|SAS|[eE]ncrypted|ENCRYPTED))"\s*value\s*="[^"]+"
 // <add\skey="[^"]+"\s*value="[^"]*([eE]ncrypted|ENCRYPTED).?([sS]ecret|SECRET)[^"]+"\s*/>
 // ([cC]onnection[sS]tring|[cC]onn[sS]tring)[^=]*?=["'][^"']*?([pP]ass[wW]ord|PASSWORD)=[^\$\s;][^"'\s]*?(;|")
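Review bot: AzurePassword2's Regex `(decryptionKey|validationKey)=['][a-zA-Z0-9][']` carries no quantifier on the character class, so it matches only a one-character key in single quotes and rejects the double-quoted form that the CSCAN0090 pattern it replaces (`(decryptionKey|validationKey)="[a-zA-Z0-9]+"`, removed in the next hunk) was written for; the 200-character sample in tps therefore cannot match it. Change the pattern to `(decryptionKey|validationKey)=["'][a-zA-Z0-9]+["']`, and fix the sample, whose closing quote is currently passed into alphaNumeric() instead of being appended to the secret: `"decryptionKey='" + secrets.NewSecret(alphaNumeric("200")) + "'"`. Depending on how generateUniqueTokenRegex groups the expression, SecretGroup 1 may also capture just the key name rather than its value, so the generated finding is worth checking once the rule validates.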
@@ -264,99 +298,10 @@ func AzurePassword1() *config.Rule { // +// CSCAN0110, CSCAN0111, CSCAN0140, CSCAN0220 searches for generic passwords - covered elsewhere +// CSCAN0120 searches for Twilio keys - covered in twilio.go -// ScriptPassword -// CSCAN0110 -// (\.cmd|\.ps|\.ps1|\.psm1)$ -// -// \s-([pP]ass[wW]ord|PASSWORD)\s+("[^"\r\n]*"|'[^'\r\n]*') -// \s-([pP]ass[wW]ord|PASSWORD)\s+[^$\(\)\[\{<\-\r\n]+\s*(\r\n|\-) -// -// Found potential password in script file. -// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan -// 3 -// -// -// GeneralPassword -// CSCAN0111 -// \.(asax|ascx|aspx|bak|c|cmd|conf|cpp|cs|dart|dsql|hpp|html|idl|iis|ini|ja|java|jsx?|md|mef|omi|php|pl|pm|ps1|psm1|py|rb|resx|sh|shf|sql|svc|test|trx|tsx?|txt|vbs|xml)$ -// -// [a-zA-Z_\s](([pP]ass[wW]ord)PASSWORD|([cC]lient|CLIENT|[aA]pp|APP)_?([sS]ecret|SECRET))\s{0,3}=\s{0,3}['"][^\s"']{2,200}?['"][;\s] -// -// -// -// FalsePositiveCases -// -// ['"](yes|no|true|false)['"] -// placeholder -// ['"](?<c>.)\k<c>{3,} -// \s\+\s -// ['"][%\$#@].*[%\$#@]?['"] -// ['"]\$?[\{\(\[\<].*[\}\)\]\>]['"] -// ['"]\$\d['"] -// ['"]\s?([^\s'"]+?\s)+([^\s'"]+?)?['"] -// ['"]\s+['"] -// ['"]\\0['"] -// \{\d\} -// -1 -// vault|param|attribute|any|['"]\"['"]|foo|bar|fake|example|here|invalid|\*\*\* -// -// -// -// Found potential password in script file. -// Validate file contains secrets, remove, roll credential, and use approved store. 
For additional information on secret remediation see https://aka.ms/credscan -// 3 -// -// -// ExternalApiSecret -// CSCAN0120 -// \.cs$|\.cpp$|\.c$ -// -// private\sconst\sstring\s[aA]ccessTokenSecret\s=\s".*"; -// private\sconst\sstring\s[aA]ccessToken\s=\s".*"; -// private\sconst\sstring\s[cC]onsumerSecret\s=\s".*"; -// private\sconst\sstring\s[cC]onsumerKey\s=\s".*"; -// FacebookClient\([pP]ageAccessToken\); -// [pP]ageAccessToken\s=\s".*"; -// private\sstring\s[tT]wilioAccountSid\s=\s".*"; -// private\sstring\s[tT]wilioAuthToken\s=\s".*"; -// -// Found potential external API secret in source file. -// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan -// 3 -// -// -// MonitoringAgent -// CSCAN0130 -// AgentConfig\.xml$ -// -// Account moniker\s?=.*key\s?=.* -// -// -// -// Auto Key Patterns ContentFilters -// -// autoKey -// %s -// -// -// -// Found storage credential in MonitoringAgent config file. -// Validate file contains secrets, remove, roll credential, and use approved store. 
For additional information on secret remediation see https://aka.ms/credscan -// 3 -// -// -// DefaultPassword -// CSCAN0140 -// \.(cs|xml|config|json|tsx?|cfg|txt|ps1|bat|cscfg|rdg|linq|publishsettings|cmd|psm1|aspx|asmx|vbs|added_cluster|clean|pubxml|ccf|ini|svd|sql|c|xslt|csv|FF|ExtendedTests|settings|cshtml|template|trd|argfile|scala|pbix)$|(config|certificate|publish|UT)\.js$|(commands|user|tests)\.cpp$ -// -// T!T@n1130|[pP]0rsche911|[cC]o[mM][mM]ac\!12|[pP][aA]ss@[wW]or[dD]1|[rR]dP[aA]\$\$[wW]0r[dD]|iis6\!dfu|[pP]@ss[wW]or[dD]1|[pP][aA]\$\$[wW]or[dD]1|\!\!123ab|[aA]dmin123|[pP]@ss[wW]0r[dD]1|[uU]ser@123|[aA]bc@123|[pP][aA]ss[wW]or[dD]@123|[rR]dP@\$\$[wW]0r[dD]|homerrocks|[pP][aA]\$\$[wW]0r[dD]1?|\![pP][aA]sswor[dD]1|[pP][aA]55[wW]or[dD]1|[pP]@\$\$[wW]0r[dD]1|[pP][aA]ss[wW]0r[dD]1|[jJ]\$p1ter|[rR]dP[aA]ss[wW]0r[dD]|Y29NbWFjITEy|[pP][aA]ss4Sales|[rR]dPa\$\$[wW]or[dD]|\![pP]@ss[wW]0r[dD]1|WS2012R2R0cks\!|DSFS0319Test|March2010M2\!|[pP][aA]ss[wW]ord~1|UL0brlXlp_r8vG6iiRvCcsFDfu6bJ6KK|7\-Tdh3Klrec4dJbOyONDOkCQ84BWN1JN|\$mCertPwd|[pP][aA]\$\$[wW]or[dD]!|2012\$erver!|2008\$erver!|#Bugsfor\$|ITG2Install!|[rR]dP[aA]\$\$[wW]0r[dD]|T!T@n113000|T!T@n1130T!T@n1130|TitanP[wW][dD]%|ChocoCheese!|n1130@T!T|[mM]icr0s0ft|test1test!|123@tieorg|IWantYouToTripLikeIDo!\?|homerocks|[eE]lvis1|S_MSLocal~!@#|([uU]ser|USER)@123 -// -// Found known password in source file. -// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan -// 3 -// // // AzureSecret // CSCAN0150 
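Review bot: The new comment `// CSCAN0120 searches for Twilio keys - covered in twilio.go` understates what the removed ExternalApiSecret block matched: besides the two Twilio patterns it listed `FacebookClient\([pP]ageAccessToken\)`, `[pP]ageAccessToken`, `[cC]onsumerKey` and `[cC]onsumerSecret` assignments, which a Twilio rule presumably does not cover. Likewise CSCAN0140 (DefaultPassword) is a list of specific known default passwords rather than a generic password pattern, so filing it under "generic passwords - covered elsewhere" hides a coverage gap unless a rule for it exists elsewhere in the repository. Suggested wording: `// CSCAN0120 searches for Twilio, Facebook page and OAuth consumer keys - only Twilio covered in twilio.go` plus a separate `// CSCAN0140 is a known-default-password list - not ported here`, so a later reader knows these were dropped deliberately.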
@@ -368,21 +313,13 @@ func AzurePassword1() *config.Rule { // \n[^\r\n]{0,800}(([tT]oken|TOKEN|[sS]ecret|SECRET|sig|SIG|sas|SAS|([pP]ass[wW]ord|PASSWORD))=|>)[a-zA-Z0-9%]{43,53}%3[dD][^{a-zA-Z0-9%] // \n.*(([uU]ser|USER) ?([iI]d|ID|[nN]ame|NAME)|[uU]id|UID)=.{2,128}?\s*?;\s*?(([pP]ass[wW]ord|PASSWORD)|([pP]wd|PWD))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|') // -// -// -// Key Patterns ContentFilters -// -// AccountKey\s*=\s*MII[a-zA-Z0-9/+]{43,}={0,2} -// =(?<c>.)\k<c>{3,} -// (password|pwd)=<[a-z0-9]+> -// -// -// // Found symmetric key or storage credential in source file. // Validate file contains secrets, remove, roll credential, use an approved secret store. // 3 // Microsoft.Art.ContentSearch.SymmetricKeyValidator, Microsoft.Art.ContentSearch // + + // // DomainPassword // CSCAN0160 @@ -407,6 +344,8 @@ func AzurePassword1() *config.Rule { // Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan // 3 // + + // // EncryptedPassword // CSCAN0200 
@@ -419,56 +358,11 @@ func AzurePassword1() *config.Rule { // 2 // Microsoft.Art.ContentSearch.EncodedUserNameExtractor, Microsoft.Art.ContentSearch // -// -// GitCredential -// CSCAN0210 -// \.gitCredentials$ -// -// [hH][tT][tT][pP][sS]?://.+:.+@\[^/].[cC][oO][mM] -// -// Found Git repo credentials. -// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan -// 2 -// -// -// DefaultPasswordContexts -// CSCAN0220 -// \.(cs|xml|config|json|tsx?|cfg|txt|ps1|bat|cscfg|publishsettings|cmd|psm1|aspx|asmx|vbs|added_cluster|clean|pubxml|ccf|ini|svd|sql|c|xslt|csv|FF|ExtendedTests|settings|cshtml|template|trd|argfile|scala|rdg|linq|hql|go|rs|pl|java|php|py|vb)$|(config|certificate|publish|UT)\.js$|(commands|user|tests)\.cpp$ -// -// [cC]onvert[tT]o-[sS]ecure[sS]tring(\s*-[sS]tring)?\s*"(?<scoringvalue>[^"\r\n]+)" -// new\sX509Certificate2\([^()]*,\s*"(?<scoringvalue>[^"\r\n]+)"[^)]*\) -// <[pP]ass[wW]ord>(<[vV]alue>)?(?<scoringvalue>.+)(</[vV]alue>)?</[pP]ass[wW]ord> -// ([cC]lear[tT]ext[pP]ass[wW]ord|CLEARTEXTPASSWORD)(")?\s*[:=]\s*"(?<scoringvalue>[^"\r\n]+)" -// [cC]ert[uU]til(.exe)?\s+(\-[a-zA-Z]+\s+)*\-[pP]\s+(?<quote>["'])(?<scoringvalue>[^"'%]+)\k<quote> -// [cC]ert[uU]til(.exe)?\s+(\-[a-zA-Z]+\s+)*\-[pP]\s+(?<scoringvalue>[^"']\S*)\s -// ([pP]ass[wW]ord|PASSWORD)\s*=\s*[nN]?(?<quote>["'])(?<scoringvalue>[^"'\r\n]{4,})\k<quote> -// -// -// -// DefaultPasswordContexts Content Filter -// -// <value></value> -// ['"]\$?[\{\(\[\<].*[\}\)\]\>]['"] -// -// -// -// Found known password context with password in source file. -// Validate file contains secrets, remove, roll credential, and use approved store. 
For additional information on secret remediation see https://aka.ms/credscan -// 3 -// Microsoft.Art.ContentSearch.PasswordContextValidator, Microsoft.Art.ContentSearch -// -// -// SlackToken -// CSCAN0230 -// \.(ps1|psm1|jsx?|tsx?|json|coffee|xml|md|html|py|php|java|ipynb|rb|scala)$|hubot -// -// xoxp-[a-zA-Z0-9]+-[a-zA-Z0-9]+-[a-zA-Z0-9]+-[a-zA-Z0-9]+ -// xoxb-[a-zA-Z0-9]+-[a-zA-Z0-9]+ -// -// Found slack token in source file. -// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan -// 3 -// + +// CSCAN0210 checks for Git repo credentials - covered elsewhere + +// CSCAN0230 checks for Slack tokens - covered in slack.go + // // VstsPersonalAccessToken // CSCAN0240 From 632e72703b31753b71ca62ba3a7e0d53b9509bb6 Mon Sep 17 00:00:00 2001 From: Dimitri Vasdekis Date: Wed, 18 Jan 2023 01:37:29 +0000 Subject: [PATCH 3/8] Finished Azure and Ansible rules --- cmd/generate/config/rules/ansible.go | 24 ++ cmd/generate/config/rules/azure.go | 562 +++++++++++++++++++-------- 2 files changed, 429 insertions(+), 157 deletions(-) create mode 100644 cmd/generate/config/rules/ansible.go diff --git a/cmd/generate/config/rules/ansible.go b/cmd/generate/config/rules/ansible.go new file mode 100644 index 000000000..0429df733 --- /dev/null +++ b/cmd/generate/config/rules/ansible.go @@ -0,0 +1,24 @@ +package rules + +import ( + "github.com/zricethezav/gitleaks/v8/config" +) + +func AnsibleVaultToken() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0270 - Found Azure Subscription Token Cache.", + RuleID: "ansible-vault-token", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`\$ANSIBLE_VAULT;[0-9]\.[0-9];AES256[\r\n]+[0-9]+`), + } + + // validate + tps := []string{ + generateSampleSecret("ansible-vault-token", + `$ANSIBLE_VAULT;1.0;AES256\n1145141919810`), + } + return validate(r, tps, nil) +} + + 
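Review bot: The positive sample in the ansible.go hunk is a raw (backtick) string, so its `\n` is a literal backslash followed by `n`, not a line break, and the regex's `[\r\n]+` should not match it; use an interpreted string, `"$ANSIBLE_VAULT;1.0;AES256\n1145141919810"`. The `Description` ("Found Azure Subscription Token Cache") does not describe what this regex matches (an Ansible Vault header) and reads as copied from a neighbouring rule; something like `Description: "CSCAN0270 - Found Ansible Vault encrypted secret."` would fit, keeping whatever CSCAN id is correct for it. No `Keywords` are set, unlike the other rules in this series; if keyword-less rules are run against every fragment, adding `Keywords: []string{"ANSIBLE_VAULT"}` avoids a full regex pass per file.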
diff --git a/cmd/generate/config/rules/azure.go b/cmd/generate/config/rules/azure.go index f27074754..2c11b13e4 100644 --- a/cmd/generate/config/rules/azure.go +++ b/cmd/generate/config/rules/azure.go @@ -8,28 +8,10 @@ import ( // Rules come from https://www.powershellgallery.com/packages/AzSK.AzureDevOps/0.9.8/Content/Framework%5CConfigurations%5CSVT%5CAzureDevOps%5CCredentialPatterns.xml // Only rules with 'ContentSearchPatterns' have been used. -func AzureBase64EncodedCertificate() *config.Rule { - // define rule - r := config.Rule{ - Description: "CSCAN0020 - Found Azure base64 encoded certificate with private key in source file. Validate file contains secrets, remove, roll credential, and use approved store.", - RuleID: "azure-base64-encoded-certificate", - SecretGroup: 1, - Regex: generateUniqueTokenRegex(`MII[a-z0-9=_\-]{200}`), - Keywords: []string{"MII"}, - - } - - tps := []string{ - generateSampleSecret("azure-base64-encoded-certificate", - "MII" + secrets.NewSecret(alphaNumeric("200"))), - } - return validate(r, tps, nil) -} - func AzureAppServiceDeploymentSecrets() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0030 - Found Azure app service deployment secrets in publish settings file. Validate file contains secrets, remove, roll credential, and use approved store.", + Description: "CSCAN0020, CSCAN0030 - Found Azure app service deployment secrets in publish settings file.", RuleID: "azure-app-service-deployment-secrets", SecretGroup: 1, Regex: generateUniqueTokenRegex(`MII[a-z0-9=_\-]{200}`), 
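Review bot: In the `@@ -8,28 +8,10 @@` hunk the surviving rule's description now claims CSCAN0020 (the deleted base64-certificate rule) but only mentions app-service deployment secrets; `Description: "CSCAN0020, CSCAN0030 - Found Azure base64 encoded certificate or app service deployment secret in publish settings file."` would state what is actually covered. The regex kept from the deleted rule, `MII[a-z0-9=_\-]{200}`, contains `=`, `_` and `-` but no `+` or `/`, so whatever case handling `generateUniqueTokenRegex` applies it will only match URL-safe base64 runs, not a standard base64 certificate body; if that is intentional a one-line comment on the `Regex` field saying so would save the next reader the question. The function's tail lies outside the hunk.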
@@ -47,7 +29,7 @@ func AzureAppServiceDeploymentSecrets() *config.Rule { func AzureStorageCredential1() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0030 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.", + Description: "CSCAN0030 - Found Azure storage credential in source code file.", RuleID: "azure-storage-credential-1", SecretGroup: 1, Regex: generateUniqueTokenRegex(`\n[ \t]{0,50}(//|/\*)[ \t]{0,10}[a-zA-Z0-9/+]{86}==`), @@ -56,7 +38,7 @@ func AzureStorageCredential1() *config.Rule { // validate tps := []string{ generateSampleSecret("azure-storage-credential-1", - "MII" + secrets.NewSecret(alphaNumeric("200"))), + "\n\t\t//\t\t" + secrets.NewSecret(alphaNumeric("86") + "==")), } return validate(r, tps, nil) } @@ -64,7 +46,7 @@ func AzureStorageCredential1() *config.Rule { func AzureStorageCredential2() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0030 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.", + Description: "CSCAN0030 - Found Azure storage credential in source code file.", RuleID: "azure-storage-credential-2", SecretGroup: 1, Regex: generateUniqueTokenRegex(`\n[ \t]{0,50}(//|/\*)[ \t]{0,10}[a-zA-Z0-9/+]{43}=[^{@\d%]`), @@ -73,7 +55,7 @@ func AzureStorageCredential2() *config.Rule { // validate tps := []string{ generateSampleSecret("azure-storage-credential-2", - "MII" + secrets.NewSecret(alphaNumeric("200"))), + "\n\t\t//\t\t" + secrets.NewSecret(alphaNumeric("86") + "=a")), } return validate(r, tps, nil) } 
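Review bot: In the `@@ -73,7 +55,7 @@` hunk the new sample for azure-storage-credential-2 generates 86 characters before `=a`, but the rule's regex (visible as context in the hunk above) requires exactly 43 `[a-zA-Z0-9/+]` characters directly after the `//` and tabs, followed by `=`, so the 44th character of the sample is never `=` and the positive test cannot match. Use `"\n\t\t//\t\t" + secrets.NewSecret(alphaNumeric("43") + "=a")` so the sample length agrees with the `{43}` quantifier; the trailing `a` satisfies `[^{@\d%]`. The same 86-character sample is used for credential-1 in the preceding hunk, where `{86}==` does match it, which suggests the two were copied together.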
@@ -81,16 +63,18 @@ func AzureStorageCredential2() *config.Rule { func AzureStorageCredential3() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0030 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.", + Description: "CSCAN0030 - Found Azure storage credential in source code file.", RuleID: "azure-storage-credential-3", SecretGroup: 1, + // Define a regex rule to search for Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,400}[>|'|=|"][a-zA-Z0-9/+]{86}==`), } // validate tps := []string{ generateSampleSecret("azure-storage-credential-3", - "MII" + secrets.NewSecret(alphaNumeric("200"))), + // Create a test string that matches the regex + "\n\t\t//\t\t" + secrets.NewSecret(alphaNumeric("86") + "=a")), } return validate(r, tps, nil) } @@ -98,7 +82,7 @@ func AzureStorageCredential3() *config.Rule { func AzureStorageCredential4() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0030 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.", + Description: "CSCAN0030 - Found Azure storage credential in source code file.", RuleID: "azure-storage-credential-4", SecretGroup: 1, Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,400}[>|'|=|"][a-zA-Z0-9/+]{43}=[^{@\d%]`), @@ -116,7 +100,7 @@ func AzureStorageCredential4() *config.Rule { func AzureStorageCredential5() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0030 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.", + Description: "CSCAN0030 - Found Azure storage credential in source code file.", RuleID: "azure-storage-credential-5", SecretGroup: 1, Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,800}((sig|SIG|sas|SAS|([pP]ass[wW]ord|PASSWORD))=|>)[a-zA-Z0-9%]{43,53}%3[dD][^{a-zA-Z0-9%]`), 
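Review bot: In the `@@ -81,16 +63,18 @@` hunk the new sample for azure-storage-credential-3 ends in `=a` while the regex ends in `{86}==`, and the regex also requires one of `> | ' = "` immediately before the 86 characters, which the sample's `//\t\t` prefix never supplies, so the positive test should not match; `"\n\t\tkey=" + secrets.NewSecret(alphaNumeric("86") + "==")` satisfies both. `[>|'|=|"]` is a character class, so the `|` are literal alternatives rather than alternation; the other rules in this file write `(>|'|=|")`, and the same class appears in credential-4 in the following hunk. The added comment `// Define a regex rule to search for` is an unfinished sentence; either complete it (what is searched for) or drop it, since the surrounding rules carry no such comment.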
@@ -134,7 +118,7 @@ func AzureStorageCredential5() *config.Rule { func AzureStorageCredential6() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0030 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.", + Description: "CSCAN0030 - Found Azure storage credential in source code file.", RuleID: "azure-storage-credential-6", SecretGroup: 1, Regex: generateUniqueTokenRegex(`\n.*(([uU]ser|USER) ?([iI]d|ID|[nN]ame|NAME)|[uU]id|UID)=.{2,128}?\s*?;\s*?(([pP]ass[wW]ord|PASSWORD)|([pP]wd|PWD))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|')`), @@ -151,7 +135,7 @@ func AzureStorageCredential6() *config.Rule { func AzureStorageCredential7() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0030 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.", + Description: "CSCAN0030 - Found Azure storage credential in source code file.", RuleID: "azure-storage-credential-7", SecretGroup: 1, Regex: generateUniqueTokenRegex(`AccountKey\s*=\s*MII[a-zA-Z0-9/+]{43,}?={0,2}`), @@ -160,7 +144,7 @@ func AzureStorageCredential7() *config.Rule { // validate tps := []string{ generateSampleSecret("azure-storage-credential-7", - "AccountKey = MII" + secrets.NewSecret(alphaNumeric("43"))), + "AccountKey = MII" + secrets.NewSecret(alphaNumeric("43") + "=")), } return validate(r, tps, nil) } 
@@ -168,7 +152,7 @@ func AzureStorageCredential7() *config.Rule { func AzureStorageCredential8() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0100 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.", + Description: "CSCAN0100 - Found Azure storage credential in source code file.", RuleID: "azure-storage-credential-8", SecretGroup: 1, Regex: generateUniqueTokenRegex(`<XstoreAccountInfo[ -~"\s\S\n\r\t]+accountSharedKey\s*=\s*"[^"]{30}[ -~"\s\S\n\r\t]+/>`), @@ -185,7 +169,7 @@ func AzureStorageCredential8() *config.Rule { func AzureStorageCredential9() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0100 - Found Azure storage credential in source code file. Validate file contains secrets, remove, roll credential, and use approved store.", + Description: "CSCAN0100 - Found Azure storage credential in source code file.", RuleID: "azure-storage-credential-9", SecretGroup: 1, Regex: generateUniqueTokenRegex(`<ServiceBusAccountInfo[ -~"\s\S\n\r\t]+connectionString\s*=\s*"[^"]{30}[ -~"\s\S\n\r\t]+/>`), @@ -202,7 +186,7 @@ func AzureStorageCredential9() *config.Rule { func AzureStorageCredential10() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0130 - Found Azure storage credential in MonitoringAgent config file. Validate file contains secrets, remove, roll credential, and use approved store.", + Description: "CSCAN0130 - Found Azure storage credential in MonitoringAgent config file.", RuleID: "azure-storage-credential-10", SecretGroup: 1, Regex: generateUniqueTokenRegex(`Account moniker\s?=.*key\s?=.*`), 
@@ -224,7 +208,7 @@ func AzureStorageCredential10() *config.Rule { func AzurePassword1() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file. Validate file contains secrets, remove, roll credential, and use approved store.", + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", RuleID: "azure-password-1", SecretGroup: 1, Regex: generateUniqueTokenRegex(`<machineKey[^>]+(decryptionKey\s*\=\s*"[a-fA-F0-9]{48,}|validationKey\s*\=\s*"[a-fA-F0-9]{48,})[^>]+>`), @@ -241,7 +225,7 @@ func AzurePassword1() *config.Rule { func AzurePassword2() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file. Validate file contains secrets, remove, roll credential, and use approved store.", + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", RuleID: "azure-password-2", SecretGroup: 1, Regex: generateUniqueTokenRegex(`(decryptionKey|validationKey)=['][a-zA-Z0-9][']`), 
@@ -255,129 +239,404 @@ func AzurePassword2() *config.Rule { return validate(r, tps, nil) } -// -// ConfigFile -// CSCAN0090 -// \.(config|cscfg|conf|json|jsx?|txt|cpp|sql|dtsx|md|java|FF|template|settings|ini|BF|ste|isml|test|tsx?|resx|Azure|sample|backup|rd|hpp|psm1|cshtml|htm|bat|waz|yml|Beta|sh|m|php|py|xaml|keys|cmd|rds|loadtest|properties|vbs|ccf|user)$|(hubot|project.params) -// -// -// -// <add\skey="[^"]*([kK][eE][yY]([sS]|[0-9])?|([cC]redential|CREDENTIAL)[sS]?|([sS]ecret|SECRET)(s|S|[0-9])?|[pP]ass[wW]ord|PASSWORD|[tT]oken|TOKEN|([kK]ey|KEY)([pP]rimary|PRIMARY|[sS]econdary|SECONDARY|[oO]r[sS]as|SAS|[eE]ncrypted|ENCRYPTED))"\s*value\s*="[^"]+" -// <add\skey="[^"]+"\s*value="[^"]*([eE]ncrypted|ENCRYPTED).?([sS]ecret|SECRET)[^"]+"\s*/> -// ([cC]onnection[sS]tring|[cC]onn[sS]tring)[^=]*?=["'][^"']*?([pP]ass[wW]ord|PASSWORD)=[^\$\s;][^"'\s]*?(;|") -// [vV]alue\s?=\s?"((([A-Za-z0-9+/]){4}){1,200})==" -// \n[^\r\n]{0,400}(>|'|=|")[a-zA-Z0-9/+]{86}== -// \n[^\r\n]{0,400}(>|'|=|")[a-zA-Z0-9/+]{43}=[^{@] -// \n[^\r\n]{0,800}((sig|SIG|sas|SAS|([pP]ass[wW]ord|PASSWORD))=|>)[a-zA-Z0-9%]{43,53}%3[dD][^{a-zA-Z0-9%] -// \n.*(([uU]ser|USER) ?([iI]d|ID|[nN]ame|NAME)|[uU]id|UID)=.{2,128}?\s*?;\s*?(([pP]ass[wW]ord|PASSWORD)|([pP]wd|PWD))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|') -// <[cC]redential\sname="[^"]*([kK][eE][yY]([sS]|[0-9])?|[cC]redential(s)?|[sS]ecret(s|[0-9])?|[pP]ass[wW]ord|PASSWORD|[tT]oken|[kK]ey([pP]rimary|[sS]econdary|[oO]r[sS]as|[eE]ncrypted))"(\s*value\s*="[^"]+".*?/>|[^>\s]*>.*?</[cC]redential>) -// <[sS]etting\sname="[^"]*[pP]ass[wW]ord".*[\r\n]*\s*<[vV]alue>.+</[vV]alue> -// (?s)<SSIS:Parameter\n?\s*SSIS:Name="[pP]ass[wW]ord">.*?<SSIS:Property\n?\s*SSIS:Name="[vV]alue">[^><#$\[\{\(]+</SSIS:Property> -// <SSIS:Property\n?\s*SSIS:Name="[vV]alue">.*["'][pP]ass[wW]ord["']:["'][^"']+["'] -// -// -// -// Key Patterns ContentFilters -// -// key\s*=\s*"[^"]*AppKey[^"]*"\s+value\s*=\s*"[a-z]+" -// key\s*=\s*"(?<keygroup>[^"]*)"\s+value\s*=\s*"[^"]*\k<keygroup>" -// 
value\s*=\s*"(([a-z]+_[a-z]+)+"|[a-z]+( [a-z]+)+"|_+[a-z]+_+"|[a-z]+-[a-z]+-[a-z]+["-]|[a-z]+-[a-z]+"|[a-z]+\\[a-z]+"|\d+"|[^"]*ConnectionString") -// AccountKey\s*=\s*MII[a-zA-Z0-9/+]{43,}={0,2} -// Credentials?Type|ConnectionStringKey|notasecret|PartitionKey|notreal|insertkey|LookupKey|IgnoreKeys|SecretsService|SecretsTenantId|(Password|pwd|secret|credentials?)(Key|Location)|KeyManager|fake|vault -// value="(true|false|@\(api|ssh\-rsa 2048|invalid|to be|a shared secret|secreturi|clientsecret|Overr?idden by|someValue|SOME\-SIGNING\-KEY|TokenBroker|UNKNOWN|Client Secret of|Junk Credentials|Default\-|__BOOTSTRAPKEY_|CacheSecret|CatalogCert|CosmosCredentials|DeleteServiceCert|EmailCredentials|MetricsConnection|SangamCredentials|SubscriptionConnection|Enter_your_|My_Issuer|ScaleUnitXstoreSharedKey|private_powerapps|TestSecret|foo_|bar_|temp_|__WinfabricTestInfra|configured|SecretFor|Test|XSTORE_KEY|ServiceBusDiagnosticXstoreSharedKey|BoxApplicationKey|googleapps) -// (SecurityHashcode|_AppKey"|((credential|password|token)s?|(Account|access)Key=)"[\s\r\n]*/|username"\s*value="|\.dll|(Secret|Token|Key|Credential)s?(Encryption|From|(Signing)?Certificate|Options|Thumbprint|Contacts|String|UserId)|Key(1;value1|word|s?Path|Index|Id|Store|WillDoWithoutValidation|:NamePattern|Name"|Ref")|(Secret|Credential)s?(Name|Path)"|(StrongName|Chaos\s?Mon|Redis|Registry|Registery|User|Insights?|Instrumentation|Match\()Key|(Certificate|cert)(Issuer|Subject)|rollingdate|skuId|HKEY_|AddServicePrincipalCredentials|Password Resets|SecretStore|(0|x|\*){8,}) -// =(?<c>.)\k<c>{3,} -// (password|pwd)=<[a-z0-9]+> -// -// -// -// Found password, symmetric key or storage credential in source file. -// Validate file contains secrets, remove, roll credential, and use approved store. 
For additional information on secret remediation see https://aka.ms/credscan -// 3 -// Microsoft.Art.ContentSearch.SymmetricKeyValidator, Microsoft.Art.ContentSearch -// +func AzurePassword3() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-3", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`<add\skey="[^"]*([kK][eE][yY]([sS]|[0-9])?|([cC]redential|CREDENTIAL)[sS]?|([sS]ecret|SECRET)(s|S|[0-9])?|[pP]ass[wW]ord|PASSWORD|[tT]oken|TOKEN|([kK]ey|KEY)([pP]rimary|PRIMARY|[sS]econdary|SECONDARY|[oO]r[sS]as|SAS|[eE]ncrypted|ENCRYPTED))"\s*value\s*="[^"]+"`), + } + // validate + tps := []string{ + generateSampleSecret("azure-password-3", + "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), + } + return validate(r, tps, nil) +} -// CSCAN0110, CSCAN0111, CSCAN0140, CSCAN0220 searches for generic passwords - covered elsewhere +func AzurePassword4() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-4", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`<add\skey="[^"]+"\s*value="[^"]*([eE]ncrypted|ENCRYPTED).?([sS]ecret|SECRET)[^"]+"\s*/>`), + } -// CSCAN0120 searches for Twilio keys - covered in twilio.go + // validate + tps := []string{ + generateSampleSecret("azure-password-4", + "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), + } + return validate(r, tps, nil) +} -// -// AzureSecret -// CSCAN0150 -// \.(xml|pubxml|definitions|ps1|wadcfgx|cmd|ccf|pbix)$ -// -// userPWD="[a-zA-Z0-9]{60}" -// \n[^\r\n]{0,400}(>|'|=|")[a-zA-Z0-9/+]{43}=[^{@] -// \n[^\r\n]{0,400}(>|'|=|"|#)[a-zA-Z0-9/+]{86}== -// \n[^\r\n]{0,800}(([tT]oken|TOKEN|[sS]ecret|SECRET|sig|SIG|sas|SAS|([pP]ass[wW]ord|PASSWORD))=|>)[a-zA-Z0-9%]{43,53}%3[dD][^{a-zA-Z0-9%] -// \n.*(([uU]ser|USER) 
?([iI]d|ID|[nN]ame|NAME)|[uU]id|UID)=.{2,128}?\s*?;\s*?(([pP]ass[wW]ord|PASSWORD)|([pP]wd|PWD))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|') -// -// Found symmetric key or storage credential in source file. -// Validate file contains secrets, remove, roll credential, use an approved secret store. -// 3 -// Microsoft.Art.ContentSearch.SymmetricKeyValidator, Microsoft.Art.ContentSearch -// +func AzurePassword5() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-5", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`([cC]onnection[sS]tring|[cC]onn[sS]tring)[^=]*?=["'][^"']*?([pP]ass[wW]ord|PASSWORD)=[^\$\s;][^"'\s]*?(;|")`), + } + // validate + tps := []string{ + generateSampleSecret("azure-password-5", + "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), + } + return validate(r, tps, nil) +} -// -// DomainPassword -// CSCAN0160 -// \.cs$|\.c$|\.cpp$|\.ps1$|\.ps$|\.cmd$|\.bat$|\.log$|\.psd$|\.psm1$ -// -// NetworkCredential\(.*,.*,([cC][oO][rR][pP]|[eE][uU][rR][oO][pP][eE]|[mM][iI][dD][dD][lL][eE][eE][aA][sS][tT]|[nN][oO][rR][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[sS][oO][uU][tT][hH][pP][aA][cC][iI][fF][iI][cC]|[sS][oO][uU][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[fF][aA][rR][eE][aA][sS][tT]|[aA][fF][rR][iI][cC][aA]|[rR][eE][dD][mM][oO][nN][dD]|[eE][xX][cC][hH][aA][nN][gG][eE]|[eE][xX][tT][rR][aA][nN][eE][tT]|[pP][aA][rR][tT][nN][eE][rR][sS]|[eE][xX][tT][rR][aA][nN][eE][tT][tT][eE][sS][tT]|[pP][aA][rR][tT][tT][eE][sS][tT]|[nN][oO][eE]|[nN][tT][dD][eE][vV]|[nN][tT][wW][kK][sS][tT][aA]|[sS][yY][sS]\-[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][dD][eE][pP][lL][oO][yY]|[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][sS][eE]|[sS][eE][gG][rR][oO][uU][pP]|[xX][cC][oO][rR][pP]|[xX][rR][eE][pP]|[pP][hH][xX]|[gG][mM][eE]|[uU][sS][mM][eE]|[cC][dD][oO][cC][iI][dD][mM]|[mM][sS][lL][pP][aA])\\.* -// 
[nN][eE][tT]\s[uU][sS][eE].*\/[uU]\:([cC][oO][rR][pP]|[eE][uU][rR][oO][pP][eE]|[mM][iI][dD][dD][lL][eE][eE][aA][sS][tT]|[nN][oO][rR][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[sS][oO][uU][tT][hH][pP][aA][cC][iI][fF][iI][cC]|[sS][oO][uU][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[fF][aA][rR][eE][aA][sS][tT]|[aA][fF][rR][iI][cC][aA]|[rR][eE][dD][mM][oO][nN][dD]|[eE][xX][cC][hH][aA][nN][gG][eE]|[eE][xX][tT][rR][aA][nN][eE][tT]|[pP][aA][rR][tT][nN][eE][rR][sS]|[eE][xX][tT][rR][aA][nN][eE][tT][tT][eE][sS][tT]|[pP][aA][rR][tT][tT][eE][sS][tT]|[nN][oO][eE]|[nN][tT][dD][eE][vV]|[nN][tT][wW][kK][sS][tT][aA]|[sS][yY][sS]\-[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][dD][eE][pP][lL][oO][yY]|[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][sS][eE]|[sS][eE][gG][rR][oO][uU][pP]|[xX][cC][oO][rR][pP]|[xX][rR][eE][pP]|[pP][hH][xX]|[gG][mM][eE]|[uU][sS][mM][eE]|[cC][dD][oO][cC][iI][dD][mM]|[mM][sS][lL][pP][aA])\\.* -// [sS][cC][hH][tT][aA][sS][kK][sS].*/[rR][uU]\s([cC][oO][rR][pP]|[eE][uU][rR][oO][pP][eE]|[mM][iI][dD][dD][lL][eE][eE][aA][sS][tT]|[nN][oO][rR][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[sS][oO][uU][tT][hH][pP][aA][cC][iI][fF][iI][cC]|[sS][oO][uU][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[fF][aA][rR][eE][aA][sS][tT]|[aA][fF][rR][iI][cC][aA]|[rR][eE][dD][mM][oO][nN][dD]|[eE][xX][cC][hH][aA][nN][gG][eE]|[eE][xX][tT][rR][aA][nN][eE][tT]|[pP][aA][rR][tT][nN][eE][rR][sS]|[eE][xX][tT][rR][aA][nN][eE][tT][tT][eE][sS][tT]|[pP][aA][rR][tT][tT][eE][sS][tT]|[nN][oO][eE]|[nN][tT][dD][eE][vV]|[nN][tT][wW][kK][sS][tT][aA]|[sS][yY][sS]\-[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][dD][eE][pP][lL][oO][yY]|[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][sS][eE]|[sS][eE][gG][rR][oO][uU][pP]|[xX][cC][oO][rR][pP]|[xX][rR][eE][pP]|[pP][hH][xX]|[gG][mM][eE]|[uU][sS][mM][eE]|[cC][dD][oO][cC][iI][dD][mM]|[mM][sS][lL][pP][aA]).*/[rR][pP].* -// [nN]ew-[oO]bject\s*System.Net.NetworkCredential\(.*?,\s*"[^"]+" -// -// -// -// Placeholder ContentFilters -// -// %1% -// \$MIGUSER_PASSWORD -// %miguser_pwd% -// -// -// -// 
Found domain credential in source file. -// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan -// 3 -// +func AzurePassword6() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-6", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`[vV]alue\s?=\s?"((([A-Za-z0-9+/]){4}){1,200})=="`), + } + // validate + tps := []string{ + generateSampleSecret("azure-password-6", + "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), + } + return validate(r, tps, nil) +} -// -// EncryptedPassword -// CSCAN0200 -// \.ini$ -// -// [eE][nN][cC]_[uU][sS][eE][rR][nN][aA][mM][eE]=[\w]+[\r\n]+[eE][nN][cC]_[pP][aA][sS][sS][wW][oO][rR][dD]=[\w]+ -// -// Found DevDiv TFVC repo secrets. -// Validate file contains secrets, remove, roll credential, and use approved store. 
For additional information on secret remediation see https://aka.ms/credscan -// 2 -// Microsoft.Art.ContentSearch.EncodedUserNameExtractor, Microsoft.Art.ContentSearch -// +func AzurePassword7() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-7", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,400}(>|'|=|")[a-zA-Z0-9/+]{86}==`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-7", + "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), + } + return validate(r, tps, nil) +} + +func AzurePassword8() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-8", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`n[^\r\n]{0,400}(>|'|=|")[a-zA-Z0-9/+]{43}=[^{@]`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-8", + ` + This is a random text string that contains some characters> + ` + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzurePassword9() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-9", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,800}((sig|SIG|sas|SAS|([pP]ass[wW]ord|PASSWORD))=|>)[a-zA-Z0-9%]{43,53}%3[dD][^{a-zA-Z0-9%]`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-9", + ` + This is a random text string that contains some characters> + ` + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzurePassword10() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090, CSCAN0150 - Found Azure password, 
symmetric key or storage credential in source file.", + RuleID: "azure-password-10", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`\n.*(([uU]ser|USER) ?([iI]d|ID|[nN]ame|NAME)|[uU]id|UID)=.{2,128}?\s*?;\s*?(([pP]ass[wW]ord|PASSWORD)|([pP]wd|PWD))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|')`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-10", + ` + This is a random text string that contains some characters> + ` + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzurePassword11() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-11", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`<[cC]redential\sname="[^"]*([kK][eE][yY]([sS]|[0-9])?|[cC]redential(s)?|[sS]ecret(s|[0-9])?|[pP]ass[wW]ord|PASSWORD|[tT]oken|[kK]ey([pP]rimary|[sS]econdary|[oO]r[sS]as|[eE]ncrypted))"(\s*value\s*="[^"]+".*?/>|[^>\s]*>.*?</[cC]redential>)`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-11", + ` + This is a random text string that contains some characters> + ` + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzurePassword12() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-12", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`<[sS]etting\sname="[^"]*[pP]ass[wW]ord".*[\r\n]*\s*<[vV]alue>.+</[vV]alue>`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-12", + ` + This is a random text string that contains some characters> + ` + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzurePassword13() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found 
Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-13", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`(?s)<SSIS:Parameter\n?\s*SSIS:Name="[pP]ass[wW]ord">.*?<SSIS:Property\n?\s*SSIS:Name="[vV]alue">[^><#$\[\{\(]+</SSIS:Property>`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-13", + ` + This is a random text string that contains some characters> + ` + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzurePassword14() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-14", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`<SSIS:Property\n?\s*SSIS:Name="[vV]alue">.*["'][pP]ass[wW]ord["']:["'][^"']+["']`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-14", + ` + This is a random text string that contains some characters> + ` + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzurePassword15() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-15", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`userPWD="[a-zA-Z0-9]{60}"`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-15", + ` + This is a random text string that contains some characters> + ` + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzureNetworkCredential1() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0160 - Found Azure domain credential in source file.", + RuleID: "azure-network-credential-1", + SecretGroup: 1, + Regex: 
generateUniqueTokenRegex(`NetworkCredential\(.*,.*,([cC][oO][rR][pP]|[eE][uU][rR][oO][pP][eE]|[mM][iI][dD][dD][lL][eE][eE][aA][sS][tT]|[nN][oO][rR][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[sS][oO][uU][tT][hH][pP][aA][cC][iI][fF][iI][cC]|[sS][oO][uU][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[fF][aA][rR][eE][aA][sS][tT]|[aA][fF][rR][iI][cC][aA]|[rR][eE][dD][mM][oO][nN][dD]|[eE][xX][cC][hH][aA][nN][gG][eE]|[eE][xX][tT][rR][aA][nN][eE][tT]|[pP][aA][rR][tT][nN][eE][rR][sS]|[eE][xX][tT][rR][aA][nN][eE][tT][tT][eE][sS][tT]|[pP][aA][rR][tT][tT][eE][sS][tT]|[nN][oO][eE]|[nN][tT][dD][eE][vV]|[nN][tT][wW][kK][sS][tT][aA]|[sS][yY][sS]\-[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][dD][eE][pP][lL][oO][yY]|[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][sS][eE]|[sS][eE][gG][rR][oO][uU][pP]|[xX][cC][oO][rR][pP]|[xX][rR][eE][pP]|[pP][hH][xX]|[gG][mM][eE]|[uU][sS][mM][eE]|[cC][dD][oO][cC][iI][dD][mM]|[mM][sS][lL][pP][aA])\\.*`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-network-credential-1", + "NetworkCredential(username, password, europe)"), + } + return validate(r, tps, nil) +} + +func AzureNetworkCredential2() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0160 - Found Azure domain credential in source file.", + RuleID: "azure-network-credential-2", + SecretGroup: 1, + Regex: 
generateUniqueTokenRegex(`[nN][eE][tT]\s[uU][sS][eE].*\/[uU]\:([cC][oO][rR][pP]|[eE][uU][rR][oO][pP][eE]|[mM][iI][dD][dD][lL][eE][eE][aA][sS][tT]|[nN][oO][rR][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[sS][oO][uU][tT][hH][pP][aA][cC][iI][fF][iI][cC]|[sS][oO][uU][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[fF][aA][rR][eE][aA][sS][tT]|[aA][fF][rR][iI][cC][aA]|[rR][eE][dD][mM][oO][nN][dD]|[eE][xX][cC][hH][aA][nN][gG][eE]|[eE][xX][tT][rR][aA][nN][eE][tT]|[pP][aA][rR][tT][nN][eE][rR][sS]|[eE][xX][tT][rR][aA][nN][eE][tT][tT][eE][sS][tT]|[pP][aA][rR][tT][tT][eE][sS][tT]|[nN][oO][eE]|[nN][tT][dD][eE][vV]|[nN][tT][wW][kK][sS][tT][aA]|[sS][yY][sS]\-[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][dD][eE][pP][lL][oO][yY]|[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][sS][eE]|[sS][eE][gG][rR][oO][uU][pP]|[xX][cC][oO][rR][pP]|[xX][rR][eE][pP]|[pP][hH][xX]|[gG][mM][eE]|[uU][sS][mM][eE]|[cC][dD][oO][cC][iI][dD][mM]|[mM][sS][lL][pP][aA])\\.*`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-network-credential-2", + `Net use \server\u:corp\share /user:corp\username`), + } + return validate(r, tps, nil) +} + +func AzureNetworkCredential3() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0160 - Found Azure domain credential in source file.", + RuleID: "azure-network-credential-3", + SecretGroup: 1, + Regex: 
generateUniqueTokenRegex(`[sS][cC][hH][tT][aA][sS][kK][sS].*/[rR][uU]\s([cC][oO][rR][pP]|[eE][uU][rR][oO][pP][eE]|[mM][iI][dD][dD][lL][eE][eE][aA][sS][tT]|[nN][oO][rR][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[sS][oO][uU][tT][hH][pP][aA][cC][iI][fF][iI][cC]|[sS][oO][uU][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[fF][aA][rR][eE][aA][sS][tT]|[aA][fF][rR][iI][cC][aA]|[rR][eE][dD][mM][oO][nN][dD]|[eE][xX][cC][hH][aA][nN][gG][eE]|[eE][xX][tT][rR][aA][nN][eE][tT]|[pP][aA][rR][tT][nN][eE][rR][sS]|[eE][xX][tT][rR][aA][nN][eE][tT][tT][eE][sS][tT]|[pP][aA][rR][tT][tT][eE][sS][tT]|[nN][oO][eE]|[nN][tT][dD][eE][vV]|[nN][tT][wW][kK][sS][tT][aA]|[sS][yY][sS]\-[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][dD][eE][pP][lL][oO][yY]|[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][sS][eE]|[sS][eE][gG][rR][oO][uU][pP]|[xX][cC][oO][rR][pP]|[xX][rR][eE][pP]|[pP][hH][xX]|[gG][mM][eE]|[uU][sS][mM][eE]|[cC][dD][oO][cC][iI][dD][mM]|[mM][sS][lL][pP][aA]).*/[rR][pP].*`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-network-credential-3", + `Schtasks /create /tn corp-daily-backup /tr \corp\backup.bat /ru corp\admin /rp password /sc daily`), + } + return validate(r, tps, nil) +} + +func AzureNetworkCredential4() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0160 - Found Azure domain credential in source file.", + RuleID: "azure-network-credential-4", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`[nN]ew-[oO]bject\s*System.Net.NetworkCredential\(.*?,\s*"[^"]+"`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-network-credential-4", + `New-Object System.Net.NetworkCredential(username, "password")`), + } + return validate(r, tps, nil) +} + +func AzureDevTFVCSecrets() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0200 - Found Azure DevDiv TFVC repo secrets.", + RuleID: "azure-devtfvc-secrets", + SecretGroup: 1, + Regex: 
generateUniqueTokenRegex(`[eE][nN][cC]_[uU][sS][eE][rR][nN][aA][mM][eE]=[\w]+[\r\n]+[eE][nN][cC]_[pP][aA][sS][sS][wW][oO][rR][dD]=[\w]+`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-devtfvc-secrets", + `enc_username=myusername\r\nenc_password=mypassword`), + } + return validate(r, tps, nil) +} + +func AzureVSTSPAT1() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0240 - Found Azure Found Vsts personal access token in source file.", + RuleID: "azure-vsts-pat1", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`([aA]ccess_?[tT]oken|ACCESS_?TOKEN).*?['="][a-z2-7]{52}('|"|\s|[\r\n]+)`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-vsts-pat1", + `Access_token=='a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2'`), + } + return validate(r, tps, nil) +} + +func AzureVSTSPAT2() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0240 - Found Azure Found Vsts personal access token in source file.", + RuleID: "azure-vsts-pat2", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`[pP]ass[wW]ord\s+[a-z2-7]{52}(\s|[\r\n]+)`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-vsts-pat2", + `Access_token=='a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2'`), + } + return validate(r, tps, nil) +} + +func AzureVSTSPAT3() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0240 - Found Azure Vsts personal access token in source file.", + RuleID: "azure-vsts-pat3", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`([aA]ccess_?[tT]oken|ACCESS_?TOKEN).*?[>|'|=|"][a-zA-Z0-9/+]{70}==`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-vsts-pat3", + `Access_token=='a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2'`), + } + return validate(r, tps, nil) +} + +func AzurePowershellTokenCache() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0270 - Found Azure Subscription Token Cache.", + RuleID: 
"azure-powershell-tokencache", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`["']TokenCache["']\s*:\s*\{\s*["']CacheData["']\s*:\s*["'][a-zA-Z0-9/\+]{86}`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-powershell-tokencache", + `Access_token=='a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2'`), + } + return validate(r, tps, nil) +} + +// CSCAN0110, CSCAN0111, CSCAN0140, CSCAN0220 searches for generic passwords - covered elsewhere + +// CSCAN0120 searches for Twilio keys - covered in twilio.go // CSCAN0210 checks for Git repo credentials - covered elsewhere // CSCAN0230 checks for Slack tokens - covered in slack.go -// -// VstsPersonalAccessToken -// CSCAN0240 -// \.(azure|bat|cmd|config|cpp|cs|cscfg|definitions|dtsx|ini|java|jsx?|json|keys|loadtest|m|md|php|properties|ps1|psm1|pubxml|py|resx|sample|sql|ste|test|tsx?|txt|waz|xml)$ -// -// ([aA]ccess_?[tT]oken|ACCESS_?TOKEN).*?['="][a-z2-7]{52}('|"|\s|[\r\n]+) -// [pP]ass[wW]ord\s+[a-z2-7]{52}(\s|[\r\n]+) -// ([aA]ccess_?[tT]oken|ACCESS_?TOKEN).*?[>|'|=|"][a-zA-Z0-9/+]{70}== -// -// Found Vsts personal access token in source file. -// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan -// 3 -// Microsoft.Art.ContentSearch.Base64EncodedVstsAccessTokenValidator, Microsoft.Art.ContentSearch -// - // CSCAN0250 - covered in jwt.go // 
@@ -385,21 +644,10 @@ func AzurePassword2() *config.Rule { // CSCAN0260 // \.yml$ // -// \$ANSIBLE_VAULT;[0-9]\.[0-9];AES256[\r\n]+[0-9]+ +// // // Found ansible vault in source file. // Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan // 3 // -// -// AzurePowerShellTokenCache -// CSCAN0270 -// \.json$ -// -// ["']TokenCache["']\s*:\s*\{\s*["']CacheData["']\s*:\s*["'][a-zA-Z0-9/\+]{86} -// -// Found Azure Subscription Token Cache. -// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan -// 3 -// From ba35e21a2fa09b70f9515ae4511eec21503257d7 Mon Sep 17 00:00:00 2001 From: Dimitri Vasdekis Date: Wed, 18 Jan 2023 01:49:57 +0000 Subject: [PATCH 4/8] About to run go run main.go --- cmd/generate/config/main.go | 37 ++++++++++++++++++++++++++++++ cmd/generate/config/rules/azure.go | 36 ++++++++++------------------- 2 files changed, 49 insertions(+), 24 deletions(-) diff --git a/cmd/generate/config/main.go b/cmd/generate/config/main.go index 2211675c1..7ea9a37ae 100644 --- a/cmd/generate/config/main.go +++ b/cmd/generate/config/main.go 
@@ -24,10 +24,47 @@ func main() { configRules = append(configRules, rules.AlgoliaApiKey()) configRules = append(configRules, rules.AlibabaAccessKey()) configRules = append(configRules, rules.AlibabaSecretKey()) + configRules = append(configRules, rules.AnsibleVaultToken()) configRules = append(configRules, rules.AsanaClientID()) configRules = append(configRules, rules.AsanaClientSecret()) configRules = append(configRules, rules.Atlassian()) configRules = append(configRules, rules.AWS()) + configRules = append(configRules, rules.AzureAppServiceDeploymentSecrets()) + configRules = append(configRules, rules.AzureStorageCredential1()) + configRules = append(configRules, rules.AzureStorageCredential2()) + configRules = append(configRules, rules.AzureStorageCredential3()) + configRules = append(configRules, rules.AzureStorageCredential4()) + configRules = append(configRules, rules.AzureStorageCredential5()) + configRules = append(configRules, rules.AzureStorageCredential6()) + configRules = append(configRules, rules.AzureStorageCredential7()) + configRules = append(configRules, rules.AzureStorageCredential8()) + configRules = append(configRules, rules.AzureStorageCredential9()) + configRules = append(configRules, rules.AzureStorageCredential10()) + configRules = append(configRules, rules.AzurePassword1()) + configRules = append(configRules, rules.AzurePassword2()) + configRules = append(configRules, rules.AzurePassword3()) + configRules = append(configRules, rules.AzurePassword4()) + configRules = append(configRules, rules.AzurePassword5()) + configRules = append(configRules, rules.AzurePassword6()) + configRules = append(configRules, rules.AzurePassword7()) + configRules = append(configRules, rules.AzurePassword8()) + configRules = append(configRules, rules.AzurePassword9()) + configRules = append(configRules, rules.AzurePassword10()) + configRules = append(configRules, rules.AzurePassword11()) + configRules = append(configRules, rules.AzurePassword12()) + configRules = 
append(configRules, rules.AzurePassword13()) + configRules = append(configRules, rules.AzurePassword14()) + configRules = append(configRules, rules.AzurePassword15()) + configRules = append(configRules, rules.AzureNetworkCredential1()) + configRules = append(configRules, rules.AzureNetworkCredential2()) + configRules = append(configRules, rules.AzureNetworkCredential3()) + configRules = append(configRules, rules.AzureNetworkCredential4()) + configRules = append(configRules, rules.AzureDevTFVCSecrets()) + configRules = append(configRules, rules.AzureVSTSPAT1()) + configRules = append(configRules, rules.AzureVSTSPAT2()) + configRules = append(configRules, rules.AzureVSTSPAT3()) + configRules = append(configRules, rules.AzurePowershellTokenCache()) + configRules = append(configRules, rules.AzureAppServiceDeploymentSecrets()) configRules = append(configRules, rules.BitBucketClientID()) configRules = append(configRules, rules.BitBucketClientSecret()) configRules = append(configRules, rules.BittrexAccessKey()) diff --git a/cmd/generate/config/rules/azure.go b/cmd/generate/config/rules/azure.go index 2c11b13e4..05227e1ee 100644 --- a/cmd/generate/config/rules/azure.go +++ b/cmd/generate/config/rules/azure.go @@ -8,6 +8,17 @@ import ( // Rules come from https://www.powershellgallery.com/packages/AzSK.AzureDevOps/0.9.8/Content/Framework%5CConfigurations%5CSVT%5CAzureDevOps%5CCredentialPatterns.xml // Only rules with 'ContentSearchPatterns' have been used. +// CSCAN0110, CSCAN0111, CSCAN0140, CSCAN0220 searches for generic passwords - covered elsewhere + +// CSCAN0120 searches for Twilio keys - covered in twilio.go + +// CSCAN0210 checks for Git repo credentials - covered elsewhere + +// CSCAN0230 checks for Slack tokens - covered in slack.go + +// CSCAN0250 - covered in jwt.go + + func AzureAppServiceDeploymentSecrets() *config.Rule { // define rule r := config.Rule{ 
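Review bot: `rules.AzureAppServiceDeploymentSecrets()` is appended twice in this hunk — once directly after `rules.AWS()` and again as the last Azure entry after `rules.AzurePowershellTokenCache()` — so the generated config would carry the `azure-app-service-deployment-secrets` rule twice under one RuleID (whether the loader rejects that or silently keeps both copies is not visible here). Drop the second occurrence, `configRules = append(configRules, rules.AzureAppServiceDeploymentSecrets())`, after the token-cache line. The PATCH 6/8 copy of this main.go hunk later on the page repeats the same duplicate. `main` continues outside the hunk.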
@@ -55,7 +66,7 @@ func AzureStorageCredential2() *config.Rule { // validate tps := []string{ generateSampleSecret("azure-storage-credential-2", - "\n\t\t//\t\t" + secrets.NewSecret(alphaNumeric("86") + "=a")), + "\n\t\t//\t\t" + secrets.NewSecret(alphaNumeric("43") + "=a")), } return validate(r, tps, nil) } @@ -628,26 +639,3 @@ func AzurePowershellTokenCache() *config.Rule { } return validate(r, tps, nil) } - -// CSCAN0110, CSCAN0111, CSCAN0140, CSCAN0220 searches for generic passwords - covered elsewhere - -// CSCAN0120 searches for Twilio keys - covered in twilio.go - -// CSCAN0210 checks for Git repo credentials - covered elsewhere - -// CSCAN0230 checks for Slack tokens - covered in slack.go - -// CSCAN0250 - covered in jwt.go - -// -// AnsibleVault -// CSCAN0260 -// \.yml$ -// -// -// -// Found ansible vault in source file. -// Validate file contains secrets, remove, roll credential, and use approved store. For additional information on secret remediation see https://aka.ms/credscan -// 3 -// - From da517535dd4d2f4540cb4d0053f7024ca575aea9 Mon Sep 17 00:00:00 2001 From: Dimitri Vasdekis Date: Wed, 18 Jan 2023 02:25:26 +0000 Subject: [PATCH 5/8] Fixed some rules, but tests need work --- cmd/generate/config/rules/ansible.go | 8 ++++---- cmd/generate/config/rules/azure.go | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/cmd/generate/config/rules/ansible.go b/cmd/generate/config/rules/ansible.go index 0429df733..6b616e9f8 100644 --- a/cmd/generate/config/rules/ansible.go +++ b/cmd/generate/config/rules/ansible.go @@ -1,6 +1,7 @@ package rules import ( + "github.com/zricethezav/gitleaks/v8/cmd/generate/secrets" "github.com/zricethezav/gitleaks/v8/config" ) 
@@ -10,15 +11,14 @@ func AnsibleVaultToken() *config.Rule { Description: "CSCAN0270 - Found Azure Subscription Token Cache.", RuleID: "ansible-vault-token", SecretGroup: 1, - Regex: generateUniqueTokenRegex(`\$ANSIBLE_VAULT;[0-9]\.[0-9];AES256[\r\n]+[0-9]+`), + Regex: generateUniqueTokenRegex(`ANSIBLE_VAULT;[0-9]\.[0-9];AES256;[\r\n]+[0-9]+`), + Keywords: []string{"ANSIBLE_VAULT;", "AES256;"}, } // validate tps := []string{ generateSampleSecret("ansible-vault-token", - `$ANSIBLE_VAULT;1.0;AES256\n1145141919810`), + "ANSIBLE_VAULT;1.0;AES256;\n" + secrets.NewSecret(numeric("32"))), } return validate(r, tps, nil) } - - diff --git a/cmd/generate/config/rules/azure.go b/cmd/generate/config/rules/azure.go index 05227e1ee..d50a5d8ef 100644 --- a/cmd/generate/config/rules/azure.go +++ b/cmd/generate/config/rules/azure.go @@ -43,13 +43,13 @@ func AzureStorageCredential1() *config.Rule { Description: "CSCAN0030 - Found Azure storage credential in source code file.", RuleID: "azure-storage-credential-1", SecretGroup: 1, - Regex: generateUniqueTokenRegex(`\n[ \t]{0,50}(//|/\*)[ \t]{0,10}[a-zA-Z0-9/+]{86}==`), + Regex: generateUniqueTokenRegex(`$(//|/\*)[ \t]{0,10}[a-zA-Z0-9/+]{86}==`), } // validate tps := []string{ generateSampleSecret("azure-storage-credential-1", - "\n\t\t//\t\t" + secrets.NewSecret(alphaNumeric("86") + "==")), + "/n" + "//" + secrets.NewSecret(alphaNumeric("86") + "==")), } return validate(r, tps, nil) } @@ -114,7 +114,7 @@ func AzureStorageCredential5() *config.Rule { Description: "CSCAN0030 - Found Azure storage credential in source code file.", RuleID: "azure-storage-credential-5", SecretGroup: 1, - Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,800}((sig|SIG|sas|SAS|([pP]ass[wW]ord|PASSWORD))=|>)[a-zA-Z0-9%]{43,53}%3[dD][^{a-zA-Z0-9%]`), + Regex: generateUniqueTokenRegex(`(?i)\n[^\r\n]{0,800}((sig|sas|password)=|>)[a-zA-Z0-9%]{43,53}%3[dD][^{a-zA-Z0-9%]`), } // validate 
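Review bot: The Description in this hunk still reads `CSCAN0270 - Found Azure Subscription Token Cache.`, which is the PowerShell token-cache rule's text, while the series' own comment block on this page maps the Ansible vault pattern to CSCAN0260 with the text `Found ansible vault in source file.`; the line should be `Description: "CSCAN0260 - Found ansible vault in source file.",`. The `;` added after `AES256` in the new regex, and mirrored in the `"AES256;"` keyword, also looks wrong: a vault header is `$ANSIBLE_VAULT;1.1;AES256` followed directly by the line break, and only the 1.2 format appends `;<vault-id>`, which the following `[\r\n]+` would then not match, so `AES256;?[^\r\n]*[\r\n]+[0-9]+` would cover both forms. The new-file copy of ansible.go in PATCH 6/8 further down the page carries the same strings. `AnsibleVaultToken` starts outside the hunk.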
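Review bot: The new regex in `AzureStorageCredential1`, `$(//|/\*)[ \t]{0,10}[a-zA-Z0-9/+]{86}==`, cannot match anything: in Go's RE2 syntax `$` without `(?m)` asserts end of text, so no `//` can follow it, and with `(?m)` it asserts end of line, which `//` still cannot follow. The intent appears to be a line start, e.g. `(?m)^[ \t]*(//|/\*)[ \t]{0,10}[a-zA-Z0-9/+]{86}==`, or the previous `\n[ \t]{0,50}(//|/\*)...` form. The test sample has a matching slip: `"/n"` is a literal slash and n, not a newline, so it should read `"\n//" + secrets.NewSecret(alphaNumeric("86") + "==")`. `AzureStorageCredential1` starts outside the hunk.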
@@ -132,7 +132,7 @@ func AzureStorageCredential6() *config.Rule { Description: "CSCAN0030 - Found Azure storage credential in source code file.", RuleID: "azure-storage-credential-6", SecretGroup: 1, - Regex: generateUniqueTokenRegex(`\n.*(([uU]ser|USER) ?([iI]d|ID|[nN]ame|NAME)|[uU]id|UID)=.{2,128}?\s*?;\s*?(([pP]ass[wW]ord|PASSWORD)|([pP]wd|PWD))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|')`), + Regex: generateUniqueTokenRegex(`(?i)\n.*((user) ?(id|name)|uid)=.{2,128}?\s*?;\s*?((password)|(pwd))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|')`), } // validate From 24deef2ac17c2df84e9ea4500919d26efc05f2c3 Mon Sep 17 00:00:00 2001 From: Dimitri Vasdekis Date: Tue, 17 Jan 2023 05:05:46 +0000 Subject: [PATCH 6/8] Initial secret set for Azure Needs work - many tests fail --- .gitignore | 9 + cmd/generate/config/main.go | 37 ++ cmd/generate/config/rules/ansible.go | 24 + cmd/generate/config/rules/azure.go | 641 +++++++++++++++++++++++++++ 4 files changed, 711 insertions(+) create mode 100644 cmd/generate/config/rules/ansible.go create mode 100644 cmd/generate/config/rules/azure.go diff --git a/.gitignore b/.gitignore index 49abd80e2..67b6c8b6b 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,12 @@ cmd/generate/config/gitleaks.toml *.out dist/ + +# Hugo build files (created automatically by VSCode Go extension) +.hugo_build.lock + +# Hugo Sitemap.xml files (created automatically by VSCode Go extension) +public/index.xml +public/sitemap.xml +public/categories/index.xml +public/tags/index.xml \ No newline at end of file diff --git a/cmd/generate/config/main.go b/cmd/generate/config/main.go index 2211675c1..7ea9a37ae 100644 --- a/cmd/generate/config/main.go +++ b/cmd/generate/config/main.go 
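Review bot: The simplified regex in `AzureStorageCredential6` keeps `(user)`, `(password)` and `(pwd)` as capturing groups even though each now wraps a single literal, so they add nothing but shift the group numbering; with `SecretGroup: 1` capture indices matter, and how `generateUniqueTokenRegex` wraps the pattern is not visible here, so I cannot say whether group 1 is already the whole match. Either drop the parentheses or make the remaining alternations non-capturing: `(?i)\n.*(user ?(?:id|name)|uid)=.{2,128}?\s*?;\s*?(?:password|pwd)=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|')`. The otherwise identical pattern in `AzurePassword10`, visible in the PATCH 6/8 file later on the page, was not given the same `(?i)` rewrite, so the two rules now differ only in style. `AzureStorageCredential6` starts and ends outside the hunk.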
@@ -24,10 +24,47 @@ func main() { configRules = append(configRules, rules.AlgoliaApiKey()) configRules = append(configRules, rules.AlibabaAccessKey()) configRules = append(configRules, rules.AlibabaSecretKey()) + configRules = append(configRules, rules.AnsibleVaultToken()) configRules = append(configRules, rules.AsanaClientID()) configRules = append(configRules, rules.AsanaClientSecret()) configRules = append(configRules, rules.Atlassian()) configRules = append(configRules, rules.AWS()) + configRules = append(configRules, rules.AzureAppServiceDeploymentSecrets()) + configRules = append(configRules, rules.AzureStorageCredential1()) + configRules = append(configRules, rules.AzureStorageCredential2()) + configRules = append(configRules, rules.AzureStorageCredential3()) + configRules = append(configRules, rules.AzureStorageCredential4()) + configRules = append(configRules, rules.AzureStorageCredential5()) + configRules = append(configRules, rules.AzureStorageCredential6()) + configRules = append(configRules, rules.AzureStorageCredential7()) + configRules = append(configRules, rules.AzureStorageCredential8()) + configRules = append(configRules, rules.AzureStorageCredential9()) + configRules = append(configRules, rules.AzureStorageCredential10()) + configRules = append(configRules, rules.AzurePassword1()) + configRules = append(configRules, rules.AzurePassword2()) + configRules = append(configRules, rules.AzurePassword3()) + configRules = append(configRules, rules.AzurePassword4()) + configRules = append(configRules, rules.AzurePassword5()) + configRules = append(configRules, rules.AzurePassword6()) + configRules = append(configRules, rules.AzurePassword7()) + configRules = append(configRules, rules.AzurePassword8()) + configRules = append(configRules, rules.AzurePassword9()) + configRules = append(configRules, rules.AzurePassword10()) + configRules = append(configRules, rules.AzurePassword11()) + configRules = append(configRules, rules.AzurePassword12()) + configRules = 
append(configRules, rules.AzurePassword13()) + configRules = append(configRules, rules.AzurePassword14()) + configRules = append(configRules, rules.AzurePassword15()) + configRules = append(configRules, rules.AzureNetworkCredential1()) + configRules = append(configRules, rules.AzureNetworkCredential2()) + configRules = append(configRules, rules.AzureNetworkCredential3()) + configRules = append(configRules, rules.AzureNetworkCredential4()) + configRules = append(configRules, rules.AzureDevTFVCSecrets()) + configRules = append(configRules, rules.AzureVSTSPAT1()) + configRules = append(configRules, rules.AzureVSTSPAT2()) + configRules = append(configRules, rules.AzureVSTSPAT3()) + configRules = append(configRules, rules.AzurePowershellTokenCache()) + configRules = append(configRules, rules.AzureAppServiceDeploymentSecrets()) configRules = append(configRules, rules.BitBucketClientID()) configRules = append(configRules, rules.BitBucketClientSecret()) configRules = append(configRules, rules.BittrexAccessKey()) diff --git a/cmd/generate/config/rules/ansible.go b/cmd/generate/config/rules/ansible.go new file mode 100644 index 000000000..6b616e9f8 --- /dev/null +++ b/cmd/generate/config/rules/ansible.go @@ -0,0 +1,24 @@ +package rules + +import ( + "github.com/zricethezav/gitleaks/v8/cmd/generate/secrets" + "github.com/zricethezav/gitleaks/v8/config" +) + +func AnsibleVaultToken() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0270 - Found Azure Subscription Token Cache.", + RuleID: "ansible-vault-token", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`ANSIBLE_VAULT;[0-9]\.[0-9];AES256;[\r\n]+[0-9]+`), + Keywords: []string{"ANSIBLE_VAULT;", "AES256;"}, + } + + // validate + tps := []string{ + generateSampleSecret("ansible-vault-token", + "ANSIBLE_VAULT;1.0;AES256;\n" + secrets.NewSecret(numeric("32"))), + } + return validate(r, tps, nil) +} 
diff --git a/cmd/generate/config/rules/azure.go b/cmd/generate/config/rules/azure.go
new file mode 100644
index 000000000..d50a5d8ef
--- /dev/null
+++ b/cmd/generate/config/rules/azure.go
@@ -0,0 +1,641 @@ +package rules + +import ( + "github.com/zricethezav/gitleaks/v8/cmd/generate/secrets" + "github.com/zricethezav/gitleaks/v8/config" +) + +// Rules come from https://www.powershellgallery.com/packages/AzSK.AzureDevOps/0.9.8/Content/Framework%5CConfigurations%5CSVT%5CAzureDevOps%5CCredentialPatterns.xml +// Only rules with 'ContentSearchPatterns' have been used. + +// CSCAN0110, CSCAN0111, CSCAN0140, CSCAN0220 searches for generic passwords - covered elsewhere + +// CSCAN0120 searches for Twilio keys - covered in twilio.go + +// CSCAN0210 checks for Git repo credentials - covered elsewhere + +// CSCAN0230 checks for Slack tokens - covered in slack.go + +// CSCAN0250 - covered in jwt.go + + +func AzureAppServiceDeploymentSecrets() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0020, CSCAN0030 - Found Azure app service deployment secrets in publish settings file.", + RuleID: "azure-app-service-deployment-secrets", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`MII[a-z0-9=_\-]{200}`), + Keywords: []string{"MII"}, + } + + // validate + tps := []string{ + generateSampleSecret("azure-app-service-deployment-secrets", + "MII" + secrets.NewSecret(alphaNumeric("200"))), + } + return validate(r, tps, nil) +} + +func AzureStorageCredential1() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0030 - Found Azure storage credential in source code file.", + RuleID: "azure-storage-credential-1", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`$(//|/\*)[ \t]{0,10}[a-zA-Z0-9/+]{86}==`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-storage-credential-1", + "/n" + "//" + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzureStorageCredential2() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0030 - Found Azure storage credential in source code file.", + RuleID: "azure-storage-credential-2", + SecretGroup: 1, + Regex: 
generateUniqueTokenRegex(`\n[ \t]{0,50}(//|/\*)[ \t]{0,10}[a-zA-Z0-9/+]{43}=[^{@\d%]`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-storage-credential-2", + "\n\t\t//\t\t" + secrets.NewSecret(alphaNumeric("43") + "=a")), + } + return validate(r, tps, nil) +} + +func AzureStorageCredential3() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0030 - Found Azure storage credential in source code file.", + RuleID: "azure-storage-credential-3", + SecretGroup: 1, + // Define a regex rule to search for + Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,400}[>|'|=|"][a-zA-Z0-9/+]{86}==`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-storage-credential-3", + // Create a test string that matches the regex + "\n\t\t//\t\t" + secrets.NewSecret(alphaNumeric("86") + "=a")), + } + return validate(r, tps, nil) +} + +func AzureStorageCredential4() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0030 - Found Azure storage credential in source code file.", + RuleID: "azure-storage-credential-4", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,400}[>|'|=|"][a-zA-Z0-9/+]{43}=[^{@\d%]`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-storage-credential-4", + "MII" + secrets.NewSecret(alphaNumeric("200"))), + } + return validate(r, tps, nil) +} + + +func AzureStorageCredential5() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0030 - Found Azure storage credential in source code file.", + RuleID: "azure-storage-credential-5", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`(?i)\n[^\r\n]{0,800}((sig|sas|password)=|>)[a-zA-Z0-9%]{43,53}%3[dD][^{a-zA-Z0-9%]`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-storage-credential-5", + "MII" + secrets.NewSecret(alphaNumeric("200"))), + } + return validate(r, tps, nil) +} + + +func AzureStorageCredential6() *config.Rule { + // define rule + r := config.Rule{ + 
Description: "CSCAN0030 - Found Azure storage credential in source code file.", + RuleID: "azure-storage-credential-6", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`(?i)\n.*((user) ?(id|name)|uid)=.{2,128}?\s*?;\s*?((password)|(pwd))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|')`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-storage-credential-6", + "MII" + secrets.NewSecret(alphaNumeric("200"))), + } + return validate(r, tps, nil) +} + +func AzureStorageCredential7() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0030 - Found Azure storage credential in source code file.", + RuleID: "azure-storage-credential-7", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`AccountKey\s*=\s*MII[a-zA-Z0-9/+]{43,}?={0,2}`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-storage-credential-7", + "AccountKey = MII" + secrets.NewSecret(alphaNumeric("43") + "=")), + } + return validate(r, tps, nil) +} + +func AzureStorageCredential8() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0100 - Found Azure storage credential in source code file.", + RuleID: "azure-storage-credential-8", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`<XstoreAccountInfo[ -~"\s\S\n\r\t]+accountSharedKey\s*=\s*"[^"]{30}[ -~"\s\S\n\r\t]+/>`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-storage-credential-8", + "AccountKey = MII" + secrets.NewSecret(alphaNumeric("43"))), + } + return validate(r, tps, nil) +} + +func AzureStorageCredential9() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0100 - Found Azure storage credential in source code file.", + RuleID: "azure-storage-credential-9", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`<ServiceBusAccountInfo[ -~"\s\S\n\r\t]+connectionString\s*=\s*"[^"]{30}[ -~"\s\S\n\r\t]+/>`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-storage-credential-9", + "AccountKey = MII" + 
secrets.NewSecret(alphaNumeric("43"))), + } + return validate(r, tps, nil) +} + +func AzureStorageCredential10() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0130 - Found Azure storage credential in MonitoringAgent config file.", + RuleID: "azure-storage-credential-10", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`Account moniker\s?=.*key\s?=.*`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-storage-credential-10", + "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), + } + return validate(r, tps, nil) +} + + +// CSCAN0050, CSCAN0060, CSCAN0070 - covered in PrivateKey.go + +// CSCAN0080 looks for 'Password' in XML file + +func AzurePassword1() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-1", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`<machineKey[^>]+(decryptionKey\s*\=\s*"[a-fA-F0-9]{48,}|validationKey\s*\=\s*"[a-fA-F0-9]{48,})[^>]+>`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-1", + "AccountKey = MII" + secrets.NewSecret(alphaNumeric("43"))), + } + return validate(r, tps, nil) +} + +func AzurePassword2() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-2", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`(decryptionKey|validationKey)=['][a-zA-Z0-9][']`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-2", + "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), + } + return validate(r, tps, nil) +} + +func AzurePassword3() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-3", + SecretGroup: 1, + Regex: 
generateUniqueTokenRegex(`<add\skey="[^"]*([kK][eE][yY]([sS]|[0-9])?|([cC]redential|CREDENTIAL)[sS]?|([sS]ecret|SECRET)(s|S|[0-9])?|[pP]ass[wW]ord|PASSWORD|[tT]oken|TOKEN|([kK]ey|KEY)([pP]rimary|PRIMARY|[sS]econdary|SECONDARY|[oO]r[sS]as|SAS|[eE]ncrypted|ENCRYPTED))"\s*value\s*="[^"]+"`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-3", + "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), + } + return validate(r, tps, nil) +} + +func AzurePassword4() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-4", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`<add\skey="[^"]+"\s*value="[^"]*([eE]ncrypted|ENCRYPTED).?([sS]ecret|SECRET)[^"]+"\s*/>`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-4", + "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), + } + return validate(r, tps, nil) +} + +func AzurePassword5() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-5", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`([cC]onnection[sS]tring|[cC]onn[sS]tring)[^=]*?=["'][^"']*?([pP]ass[wW]ord|PASSWORD)=[^\$\s;][^"'\s]*?(;|")`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-5", + "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), + } + return validate(r, tps, nil) +} + +func AzurePassword6() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-6", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`[vV]alue\s?=\s?"((([A-Za-z0-9+/]){4}){1,200})=="`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-6", + 
"decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), + } + return validate(r, tps, nil) +} + +func AzurePassword7() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-7", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,400}(>|'|=|")[a-zA-Z0-9/+]{86}==`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-7", + "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), + } + return validate(r, tps, nil) +} + +func AzurePassword8() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-8", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`n[^\r\n]{0,400}(>|'|=|")[a-zA-Z0-9/+]{43}=[^{@]`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-8", + ` + This is a random text string that contains some characters> + ` + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzurePassword9() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-9", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,800}((sig|SIG|sas|SAS|([pP]ass[wW]ord|PASSWORD))=|>)[a-zA-Z0-9%]{43,53}%3[dD][^{a-zA-Z0-9%]`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-9", + ` + This is a random text string that contains some characters> + ` + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzurePassword10() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: 
"azure-password-10", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`\n.*(([uU]ser|USER) ?([iI]d|ID|[nN]ame|NAME)|[uU]id|UID)=.{2,128}?\s*?;\s*?(([pP]ass[wW]ord|PASSWORD)|([pP]wd|PWD))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|')`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-10", + ` + This is a random text string that contains some characters> + ` + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzurePassword11() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-11", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`<[cC]redential\sname="[^"]*([kK][eE][yY]([sS]|[0-9])?|[cC]redential(s)?|[sS]ecret(s|[0-9])?|[pP]ass[wW]ord|PASSWORD|[tT]oken|[kK]ey([pP]rimary|[sS]econdary|[oO]r[sS]as|[eE]ncrypted))"(\s*value\s*="[^"]+".*?/>|[^>\s]*>.*?</[cC]redential>)`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-11", + ` + This is a random text string that contains some characters> + ` + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzurePassword12() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-12", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`<[sS]etting\sname="[^"]*[pP]ass[wW]ord".*[\r\n]*\s*<[vV]alue>.+</[vV]alue>`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-12", + ` + This is a random text string that contains some characters> + ` + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzurePassword13() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source 
file.", + RuleID: "azure-password-13", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`(?s)<SSIS:Parameter\n?\s*SSIS:Name="[pP]ass[wW]ord">.*?<SSIS:Property\n?\s*SSIS:Name="[vV]alue">[^><#$\[\{\(]+</SSIS:Property>`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-13", + ` + This is a random text string that contains some characters> + ` + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzurePassword14() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-14", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`<SSIS:Property\n?\s*SSIS:Name="[vV]alue">.*["'][pP]ass[wW]ord["']:["'][^"']+["']`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-14", + ` + This is a random text string that contains some characters> + ` + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzurePassword15() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", + RuleID: "azure-password-15", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`userPWD="[a-zA-Z0-9]{60}"`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-password-15", + ` + This is a random text string that contains some characters> + ` + secrets.NewSecret(alphaNumeric("86") + "==")), + } + return validate(r, tps, nil) +} + +func AzureNetworkCredential1() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0160 - Found Azure domain credential in source file.", + RuleID: "azure-network-credential-1", + SecretGroup: 1, + Regex: 
generateUniqueTokenRegex(`NetworkCredential\(.*,.*,([cC][oO][rR][pP]|[eE][uU][rR][oO][pP][eE]|[mM][iI][dD][dD][lL][eE][eE][aA][sS][tT]|[nN][oO][rR][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[sS][oO][uU][tT][hH][pP][aA][cC][iI][fF][iI][cC]|[sS][oO][uU][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[fF][aA][rR][eE][aA][sS][tT]|[aA][fF][rR][iI][cC][aA]|[rR][eE][dD][mM][oO][nN][dD]|[eE][xX][cC][hH][aA][nN][gG][eE]|[eE][xX][tT][rR][aA][nN][eE][tT]|[pP][aA][rR][tT][nN][eE][rR][sS]|[eE][xX][tT][rR][aA][nN][eE][tT][tT][eE][sS][tT]|[pP][aA][rR][tT][tT][eE][sS][tT]|[nN][oO][eE]|[nN][tT][dD][eE][vV]|[nN][tT][wW][kK][sS][tT][aA]|[sS][yY][sS]\-[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][dD][eE][pP][lL][oO][yY]|[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][sS][eE]|[sS][eE][gG][rR][oO][uU][pP]|[xX][cC][oO][rR][pP]|[xX][rR][eE][pP]|[pP][hH][xX]|[gG][mM][eE]|[uU][sS][mM][eE]|[cC][dD][oO][cC][iI][dD][mM]|[mM][sS][lL][pP][aA])\\.*`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-network-credential-1", + "NetworkCredential(username, password, europe)"), + } + return validate(r, tps, nil) +} + +func AzureNetworkCredential2() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0160 - Found Azure domain credential in source file.", + RuleID: "azure-network-credential-2", + SecretGroup: 1, + Regex: 
generateUniqueTokenRegex(`[nN][eE][tT]\s[uU][sS][eE].*\/[uU]\:([cC][oO][rR][pP]|[eE][uU][rR][oO][pP][eE]|[mM][iI][dD][dD][lL][eE][eE][aA][sS][tT]|[nN][oO][rR][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[sS][oO][uU][tT][hH][pP][aA][cC][iI][fF][iI][cC]|[sS][oO][uU][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[fF][aA][rR][eE][aA][sS][tT]|[aA][fF][rR][iI][cC][aA]|[rR][eE][dD][mM][oO][nN][dD]|[eE][xX][cC][hH][aA][nN][gG][eE]|[eE][xX][tT][rR][aA][nN][eE][tT]|[pP][aA][rR][tT][nN][eE][rR][sS]|[eE][xX][tT][rR][aA][nN][eE][tT][tT][eE][sS][tT]|[pP][aA][rR][tT][tT][eE][sS][tT]|[nN][oO][eE]|[nN][tT][dD][eE][vV]|[nN][tT][wW][kK][sS][tT][aA]|[sS][yY][sS]\-[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][dD][eE][pP][lL][oO][yY]|[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][sS][eE]|[sS][eE][gG][rR][oO][uU][pP]|[xX][cC][oO][rR][pP]|[xX][rR][eE][pP]|[pP][hH][xX]|[gG][mM][eE]|[uU][sS][mM][eE]|[cC][dD][oO][cC][iI][dD][mM]|[mM][sS][lL][pP][aA])\\.*`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-network-credential-2", + `Net use \server\u:corp\share /user:corp\username`), + } + return validate(r, tps, nil) +} + +func AzureNetworkCredential3() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0160 - Found Azure domain credential in source file.", + RuleID: "azure-network-credential-3", + SecretGroup: 1, + Regex: 
generateUniqueTokenRegex(`[sS][cC][hH][tT][aA][sS][kK][sS].*/[rR][uU]\s([cC][oO][rR][pP]|[eE][uU][rR][oO][pP][eE]|[mM][iI][dD][dD][lL][eE][eE][aA][sS][tT]|[nN][oO][rR][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[sS][oO][uU][tT][hH][pP][aA][cC][iI][fF][iI][cC]|[sS][oO][uU][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[fF][aA][rR][eE][aA][sS][tT]|[aA][fF][rR][iI][cC][aA]|[rR][eE][dD][mM][oO][nN][dD]|[eE][xX][cC][hH][aA][nN][gG][eE]|[eE][xX][tT][rR][aA][nN][eE][tT]|[pP][aA][rR][tT][nN][eE][rR][sS]|[eE][xX][tT][rR][aA][nN][eE][tT][tT][eE][sS][tT]|[pP][aA][rR][tT][tT][eE][sS][tT]|[nN][oO][eE]|[nN][tT][dD][eE][vV]|[nN][tT][wW][kK][sS][tT][aA]|[sS][yY][sS]\-[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][dD][eE][pP][lL][oO][yY]|[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][sS][eE]|[sS][eE][gG][rR][oO][uU][pP]|[xX][cC][oO][rR][pP]|[xX][rR][eE][pP]|[pP][hH][xX]|[gG][mM][eE]|[uU][sS][mM][eE]|[cC][dD][oO][cC][iI][dD][mM]|[mM][sS][lL][pP][aA]).*/[rR][pP].*`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-network-credential-3", + `Schtasks /create /tn corp-daily-backup /tr \corp\backup.bat /ru corp\admin /rp password /sc daily`), + } + return validate(r, tps, nil) +} + +func AzureNetworkCredential4() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0160 - Found Azure domain credential in source file.", + RuleID: "azure-network-credential-4", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`[nN]ew-[oO]bject\s*System.Net.NetworkCredential\(.*?,\s*"[^"]+"`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-network-credential-4", + `New-Object System.Net.NetworkCredential(username, "password")`), + } + return validate(r, tps, nil) +} + +func AzureDevTFVCSecrets() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0200 - Found Azure DevDiv TFVC repo secrets.", + RuleID: "azure-devtfvc-secrets", + SecretGroup: 1, + Regex: 
generateUniqueTokenRegex(`[eE][nN][cC]_[uU][sS][eE][rR][nN][aA][mM][eE]=[\w]+[\r\n]+[eE][nN][cC]_[pP][aA][sS][sS][wW][oO][rR][dD]=[\w]+`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-devtfvc-secrets", + `enc_username=myusername\r\nenc_password=mypassword`), + } + return validate(r, tps, nil) +} + +func AzureVSTSPAT1() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0240 - Found Azure Found Vsts personal access token in source file.", + RuleID: "azure-vsts-pat1", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`([aA]ccess_?[tT]oken|ACCESS_?TOKEN).*?['="][a-z2-7]{52}('|"|\s|[\r\n]+)`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-vsts-pat1", + `Access_token=='a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2'`), + } + return validate(r, tps, nil) +} + +func AzureVSTSPAT2() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0240 - Found Azure Found Vsts personal access token in source file.", + RuleID: "azure-vsts-pat2", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`[pP]ass[wW]ord\s+[a-z2-7]{52}(\s|[\r\n]+)`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-vsts-pat2", + `Access_token=='a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2'`), + } + return validate(r, tps, nil) +} + +func AzureVSTSPAT3() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0240 - Found Azure Vsts personal access token in source file.", + RuleID: "azure-vsts-pat3", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`([aA]ccess_?[tT]oken|ACCESS_?TOKEN).*?[>|'|=|"][a-zA-Z0-9/+]{70}==`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-vsts-pat3", + `Access_token=='a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2'`), + } + return validate(r, tps, nil) +} + +func AzurePowershellTokenCache() *config.Rule { + // define rule + r := config.Rule{ + Description: "CSCAN0270 - Found Azure Subscription Token Cache.", + RuleID: 
"azure-powershell-tokencache", + SecretGroup: 1, + Regex: generateUniqueTokenRegex(`["']TokenCache["']\s*:\s*\{\s*["']CacheData["']\s*:\s*["'][a-zA-Z0-9/\+]{86}`), + } + + // validate + tps := []string{ + generateSampleSecret("azure-powershell-tokencache", + `Access_token=='a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2'`), + } + return validate(r, tps, nil) +} From 25e68bf9a556d8458911f80f215a8a8c821f42ce Mon Sep 17 00:00:00 2001 From: Dimitri Vasdekis Date: Wed, 18 Jan 2023 23:28:00 +0000 Subject: [PATCH 7/8] Fix remaining Azure secrets - but couldn't get XML to work --- cmd/generate/config/main.go | 58 ++-- cmd/generate/config/rules/azure.go | 517 +++++++++-------------------- config/gitleaks.toml | 192 ++++++++++- 3 files changed, 373 insertions(+), 394 deletions(-) diff --git a/cmd/generate/config/main.go b/cmd/generate/config/main.go index 7ea9a37ae..c3272cdf0 100644 --- a/cmd/generate/config/main.go +++ b/cmd/generate/config/main.go 
@@ -30,41 +30,31 @@ func main() {
 configRules = append(configRules, rules.Atlassian())
 configRules = append(configRules, rules.AWS())
 configRules = append(configRules, rules.AzureAppServiceDeploymentSecrets())
- configRules = append(configRules, rules.AzureStorageCredential1())
- configRules = append(configRules, rules.AzureStorageCredential2())
- configRules = append(configRules, rules.AzureStorageCredential3())
- configRules = append(configRules, rules.AzureStorageCredential4())
- configRules = append(configRules, rules.AzureStorageCredential5())
- configRules = append(configRules, rules.AzureStorageCredential6())
- configRules = append(configRules, rules.AzureStorageCredential7())
- configRules = append(configRules, rules.AzureStorageCredential8())
- configRules = append(configRules, rules.AzureStorageCredential9())
- configRules = append(configRules, rules.AzureStorageCredential10())
- configRules = append(configRules, rules.AzurePassword1())
- configRules = append(configRules, rules.AzurePassword2())
- configRules = append(configRules, rules.AzurePassword3())
- configRules = append(configRules, rules.AzurePassword4())
- configRules = append(configRules, rules.AzurePassword5())
- configRules = append(configRules, rules.AzurePassword6())
- configRules = append(configRules, rules.AzurePassword7())
- configRules = append(configRules, rules.AzurePassword8())
- configRules = append(configRules, rules.AzurePassword9())
- configRules = append(configRules, rules.AzurePassword10())
- configRules = append(configRules, rules.AzurePassword11())
- configRules = append(configRules, rules.AzurePassword12())
- configRules = append(configRules, rules.AzurePassword13())
- configRules = append(configRules, rules.AzurePassword14())
- configRules = append(configRules, rules.AzurePassword15())
- configRules = append(configRules, rules.AzureNetworkCredential1())
- configRules = append(configRules, rules.AzureNetworkCredential2())
- configRules = append(configRules, rules.AzureNetworkCredential3())
- configRules = append(configRules, rules.AzureNetworkCredential4())
 configRules = append(configRules, rules.AzureDevTFVCSecrets())
- configRules = append(configRules, rules.AzureVSTSPAT1())
- configRules = append(configRules, rules.AzureVSTSPAT2())
- configRules = append(configRules, rules.AzureVSTSPAT3())
- configRules = append(configRules, rules.AzurePowershellTokenCache())
- configRules = append(configRules, rules.AzureAppServiceDeploymentSecrets())
+ configRules = append(configRules, rules.AzureDevopsPAT())
+ configRules = append(configRules, rules.AzureNetworkCredential())
+ configRules = append(configRules, rules.AzureNetworkCredentialSchtasks())
+ configRules = append(configRules, rules.AzureNetworkCredentialDotNet())
+ configRules = append(configRules, rules.AzurePasswordDecryptionkey())
+ configRules = append(configRules, rules.AzurePasswordAddKey())
+ configRules = append(configRules, rules.AzurePasswordConnString())
+ configRules = append(configRules, rules.AzurePasswordValueString())
+ configRules = append(configRules, rules.AzurePassworduidpw())
+ configRules = append(configRules, rules.AzureStorageCredential43char())
+ configRules = append(configRules, rules.AzureStorageCredential86char())
+ configRules = append(configRules, rules.AzureStorageCredentialAccountKey())
+ configRules = append(configRules, rules.AzureStorageCredentialBlobURL())
+ configRules = append(configRules, rules.AzureStorageCredentialMonikerKey())
+ configRules = append(configRules, rules.AzureStorageCredentialServiceBus())
+ configRules = append(configRules, rules.AzureStorageCredentialSig53())
+ configRules = append(configRules, rules.AzureStorageCredentialUserIDPW())
+ configRules = append(configRules, rules.AzureStorageCredentialXStore())
+
+ // Below work on Regex.com but something about the internal conversion to generateUniqueTokenRegex is breaking them
+ //configRules = append(configRules, rules.AzurePowershellTokenCache())
+ //configRules = append(configRules, rules.AzurePasswordXMLCredential())
+ //configRules = append(configRules, rules.AzurePasswordXMLValue())
+ //configRules = append(configRules, rules.AzurePasswordSSISProperty())
 configRules = append(configRules, rules.BitBucketClientID())
 configRules = append(configRules, rules.BitBucketClientSecret())
 configRules = append(configRules, rules.BittrexAccessKey())
diff --git a/cmd/generate/config/rules/azure.go b/cmd/generate/config/rules/azure.go
index d50a5d8ef..382a20e51 100644
--- a/cmd/generate/config/rules/azure.go
+++ b/cmd/generate/config/rules/azure.go
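Review bot: The four commented-out registrations at the end of the hunk (`AzurePowershellTokenCache`, `AzurePasswordXMLCredential`, `AzurePasswordXMLValue`, `AzurePasswordSSISProperty`) silently leave the CSCAN0090/CSCAN0150/CSCAN0270 XML and token-cache patterns out of the generated gitleaks.toml, and the comment above them records neither the resulting coverage gap nor a tracking item. I would make that explicit in place, e.g. `// TODO: the four rules below fail once wrapped by generateUniqueTokenRegex, so their CSCAN0090/CSCAN0150/CSCAN0270 patterns are not emitted into gitleaks.toml until that is fixed.` so that anyone relying on the Azure rule set knows those detections are missing rather than merely disabled for a moment. The new registrations also mix initialism styles: `AzurePassworduidpw` sits next to `AzureStorageCredentialUserIDPW`, and `AzurePasswordUIDPW` (renamed in azure.go as well) would follow the Go convention the sibling already uses. The body of main() begins before and ends after this hunk.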
@@ -37,520 +37,355 @@ func AzureAppServiceDeploymentSecrets() *config.Rule { return validate(r, tps, nil) } -func AzureStorageCredential1() *config.Rule { +func AzureStorageCredential86char() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0030 - Found Azure storage credential in source code file.", - RuleID: "azure-storage-credential-1", + Description: "CSCAN0030, CSCAN0090, CSCAN0150 - Found Azure storage credential in source code file.", + RuleID: "azure-storage-credential-86char", SecretGroup: 1, - Regex: generateUniqueTokenRegex(`$(//|/\*)[ \t]{0,10}[a-zA-Z0-9/+]{86}==`), + Regex: generateUniqueTokenRegex(`[ \t]{0,10}[a-zA-Z0-9/+]{86}==`), } // validate tps := []string{ - generateSampleSecret("azure-storage-credential-1", - "/n" + "//" + secrets.NewSecret(alphaNumeric("86") + "==")), + generateSampleSecret("azure-storage-credential-86char", + secrets.NewSecret(alphaNumeric("86") + "==")), } return validate(r, tps, nil) } -func AzureStorageCredential2() *config.Rule { +func AzureStorageCredential43char() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0030 - Found Azure storage credential in source code file.", - RuleID: "azure-storage-credential-2", + Description: "CSCAN0030, CSCAN0090, CSCAN0150 - Found Azure storage credential in source code file.", + RuleID: "azure-storage-credential-43char", SecretGroup: 1, - Regex: generateUniqueTokenRegex(`\n[ \t]{0,50}(//|/\*)[ \t]{0,10}[a-zA-Z0-9/+]{43}=[^{@\d%]`), + Regex: generateUniqueTokenRegex(`[a-zA-Z0-9/+]{43}=[^{@\d%]`), } // validate tps := []string{ - generateSampleSecret("azure-storage-credential-2", - "\n\t\t//\t\t" + secrets.NewSecret(alphaNumeric("43") + "=a")), + generateSampleSecret("azure-storage-credential-43char", + secrets.NewSecret(alphaNumeric("43") + "=a")), } return validate(r, tps, nil) } -func AzureStorageCredential3() *config.Rule { +func AzureStorageCredentialSig53() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0030 - Found 
Azure storage credential in source code file.", - RuleID: "azure-storage-credential-3", + Description: "CSCAN0030, CSCAN0090, CSCAN0150 - Found Azure storage credential in source code file.", + RuleID: "azure-storage-credential-sig53", SecretGroup: 1, - // Define a regex rule to search for - Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,400}[>|'|=|"][a-zA-Z0-9/+]{86}==`), + Regex: generateUniqueTokenRegex(`((sig|sas|password)=|>)[a-zA-Z0-9%]{43,53}%3d[^{a-zA-Z0-9%]`), } // validate tps := []string{ - generateSampleSecret("azure-storage-credential-3", - // Create a test string that matches the regex - "\n\t\t//\t\t" + secrets.NewSecret(alphaNumeric("86") + "=a")), + generateSampleSecret("azure-storage-credential-sig53", + "sig=" + secrets.NewSecret(alphaNumeric("53") + "%3D")), } return validate(r, tps, nil) } -func AzureStorageCredential4() *config.Rule { - // define rule - r := config.Rule{ - Description: "CSCAN0030 - Found Azure storage credential in source code file.", - RuleID: "azure-storage-credential-4", - SecretGroup: 1, - Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,400}[>|'|=|"][a-zA-Z0-9/+]{43}=[^{@\d%]`), - } - // validate - tps := []string{ - generateSampleSecret("azure-storage-credential-4", - "MII" + secrets.NewSecret(alphaNumeric("200"))), - } - return validate(r, tps, nil) -} - - -func AzureStorageCredential5() *config.Rule { +func AzureStorageCredentialUserIDPW() *config.Rule { // define rule r := config.Rule{ Description: "CSCAN0030 - Found Azure storage credential in source code file.", - RuleID: "azure-storage-credential-5", + RuleID: "azure-storage-credential-useridpw", SecretGroup: 1, - Regex: generateUniqueTokenRegex(`(?i)\n[^\r\n]{0,800}((sig|sas|password)=|>)[a-zA-Z0-9%]{43,53}%3[dD][^{a-zA-Z0-9%]`), + Regex: generateUniqueTokenRegex(`((user) ?(id|name)|uid)=.{2,128}?\s*?;\s*?((password)|(pwd))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|')`), } // validate tps := []string{ - generateSampleSecret("azure-storage-credential-5", - "MII" + 
secrets.NewSecret(alphaNumeric("200"))), + generateSampleSecret("azure-storage-credential-useridpw", + "userid=" + secrets.NewSecret(alphaNumeric("128")) + ";password=" + secrets.NewSecret(alphaNumeric("200")) + ";"), } return validate(r, tps, nil) } - -func AzureStorageCredential6() *config.Rule { +func AzureStorageCredentialAccountKey() *config.Rule { // define rule r := config.Rule{ Description: "CSCAN0030 - Found Azure storage credential in source code file.", - RuleID: "azure-storage-credential-6", - SecretGroup: 1, - Regex: generateUniqueTokenRegex(`(?i)\n.*((user) ?(id|name)|uid)=.{2,128}?\s*?;\s*?((password)|(pwd))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|')`), - } - - // validate - tps := []string{ - generateSampleSecret("azure-storage-credential-6", - "MII" + secrets.NewSecret(alphaNumeric("200"))), - } - return validate(r, tps, nil) -} - -func AzureStorageCredential7() *config.Rule { - // define rule - r := config.Rule{ - Description: "CSCAN0030 - Found Azure storage credential in source code file.", - RuleID: "azure-storage-credential-7", + RuleID: "azure-storage-credential-accountkey", SecretGroup: 1, Regex: generateUniqueTokenRegex(`AccountKey\s*=\s*MII[a-zA-Z0-9/+]{43,}?={0,2}`), } // validate tps := []string{ - generateSampleSecret("azure-storage-credential-7", + generateSampleSecret("azure-storage-credential-accountkey", "AccountKey = MII" + secrets.NewSecret(alphaNumeric("43") + "=")), } return validate(r, tps, nil) } -func AzureStorageCredential8() *config.Rule { +func AzureStorageCredentialXStore() *config.Rule { // define rule r := config.Rule{ Description: "CSCAN0100 - Found Azure storage credential in source code file.", - RuleID: "azure-storage-credential-8", + RuleID: "azure-storage-credential-xstore", SecretGroup: 1, - Regex: generateUniqueTokenRegex(`<XstoreAccountInfo[ -~"\s\S\n\r\t]+accountSharedKey\s*=\s*"[^"]{30}[ -~"\s\S\n\r\t]+/>`), + Regex: generateUniqueTokenRegex(`["), } return validate(r, tps, nil) } -func AzureStorageCredential9() 
*config.Rule { +func AzureStorageCredentialServiceBus() *config.Rule { // define rule r := config.Rule{ Description: "CSCAN0100 - Found Azure storage credential in source code file.", - RuleID: "azure-storage-credential-9", + RuleID: "azure-storage-credential-servicebus", SecretGroup: 1, - Regex: generateUniqueTokenRegex(`<ServiceBusAccountInfo[ -~"\s\S\n\r\t]+connectionString\s*=\s*"[^"]{30}[ -~"\s\S\n\r\t]+/>`), + Regex: generateUniqueTokenRegex(`["), } return validate(r, tps, nil) } -func AzureStorageCredential10() *config.Rule { +func AzureStorageCredentialMonikerKey() *config.Rule { // define rule r := config.Rule{ Description: "CSCAN0130 - Found Azure storage credential in MonitoringAgent config file.", - RuleID: "azure-storage-credential-10", + RuleID: "azure-storage-credential-monikerkey", SecretGroup: 1, Regex: generateUniqueTokenRegex(`Account moniker\s?=.*key\s?=.*`), } // validate tps := []string{ - generateSampleSecret("azure-storage-credential-10", - "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), + generateSampleSecret("azure-storage-credential-monikerkey", + "Account Moniker = 'John Doe' Key = '" + secrets.NewSecret(alphaNumeric("200") + "'")), } return validate(r, tps, nil) } -// CSCAN0050, CSCAN0060, CSCAN0070 - covered in PrivateKey.go - -// CSCAN0080 looks for 'Password' in XML file - -func AzurePassword1() *config.Rule { +func AzureStorageCredentialBlobURL() *config.Rule { // define rule r := config.Rule{ - Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", - RuleID: "azure-password-1", + Description: "CSCAN0110 - Found Azure storage credential in source code file.", + RuleID: "azure-storage-credential-bloburl", SecretGroup: 1, - Regex: generateUniqueTokenRegex(`<machineKey[^>]+(decryptionKey\s*\=\s*"[a-fA-F0-9]{48,}|validationKey\s*\=\s*"[a-fA-F0-9]{48,})[^>]+>`), + Regex: 
generateUniqueTokenRegex(`(?i)https://[a-zA-Z0-9-]+.(blob|file|queue|table|dfs|z8.web).core.windows.net/.*?sig=[a-zA-Z0-9%]{30,}`), } // validate tps := []string{ - generateSampleSecret("azure-password-1", - "AccountKey = MII" + secrets.NewSecret(alphaNumeric("43"))), + generateSampleSecret("azure-storage-credential-bloburl", + "https://myacct.blob.core.windows.net/a?sp=r&sr=b&sig=" + secrets.NewSecret(alphaNumeric("43"))), } return validate(r, tps, nil) } -func AzurePassword2() *config.Rule { - // define rule - r := config.Rule{ - Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", - RuleID: "azure-password-2", - SecretGroup: 1, - Regex: generateUniqueTokenRegex(`(decryptionKey|validationKey)=['][a-zA-Z0-9][']`), - } +// CSCAN0050, CSCAN0060, CSCAN0070 - covered in PrivateKey.go - // validate - tps := []string{ - generateSampleSecret("azure-password-2", - "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), - } - return validate(r, tps, nil) -} +// CSCAN0080 looks for 'Password' in XML file -func AzurePassword3() *config.Rule { +func AzurePasswordDecryptionkey() *config.Rule { // define rule r := config.Rule{ Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", - RuleID: "azure-password-3", + RuleID: "azure-password-machinekey", SecretGroup: 1, - Regex: generateUniqueTokenRegex(`<add\skey="[^"]*([kK][eE][yY]([sS]|[0-9])?|([cC]redential|CREDENTIAL)[sS]?|([sS]ecret|SECRET)(s|S|[0-9])?|[pP]ass[wW]ord|PASSWORD|[tT]oken|TOKEN|([kK]ey|KEY)([pP]rimary|PRIMARY|[sS]econdary|SECONDARY|[oO]r[sS]as|SAS|[eE]ncrypted|ENCRYPTED))"\s*value\s*="[^"]+"`), + Regex: generateUniqueTokenRegex(`(decryptionKey\s*\=\s*['"].*['"]|validationKey\s*\=\s*['"].*['"])`), } // validate tps := []string{ - generateSampleSecret("azure-password-3", - "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), + generateSampleSecret("azure-password-machinekey", + ""), } return 
validate(r, tps, nil) } -func AzurePassword4() *config.Rule { - // define rule - r := config.Rule{ - Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", - RuleID: "azure-password-4", - SecretGroup: 1, - Regex: generateUniqueTokenRegex(`<add\skey="[^"]+"\s*value="[^"]*([eE]ncrypted|ENCRYPTED).?([sS]ecret|SECRET)[^"]+"\s*/>`), - } - - // validate - tps := []string{ - generateSampleSecret("azure-password-4", - "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), - } - return validate(r, tps, nil) -} -func AzurePassword5() *config.Rule { +func AzurePasswordAddKey() *config.Rule { // define rule r := config.Rule{ Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", - RuleID: "azure-password-5", + RuleID: "azure-password-addkey", SecretGroup: 1, - Regex: generateUniqueTokenRegex(`([cC]onnection[sS]tring|[cC]onn[sS]tring)[^=]*?=["'][^"']*?([pP]ass[wW]ord|PASSWORD)=[^\$\s;][^"'\s]*?(;|")`), + Regex: generateUniqueTokenRegex(`[")), } return validate(r, tps, nil) } -func AzurePassword6() *config.Rule { +func AzurePasswordConnString() *config.Rule { // define rule r := config.Rule{ Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", - RuleID: "azure-password-6", - SecretGroup: 1, - Regex: generateUniqueTokenRegex(`[vV]alue\s?=\s?"((([A-Za-z0-9+/]){4}){1,200})=="`), - } - - // validate - tps := []string{ - generateSampleSecret("azure-password-6", - "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), - } - return validate(r, tps, nil) -} - -func AzurePassword7() *config.Rule { - // define rule - r := config.Rule{ - Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.", - RuleID: "azure-password-7", + RuleID: "azure-password-connstring", SecretGroup: 1, - Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,400}(>|'|=|")[a-zA-Z0-9/+]{86}==`), + Regex: 
generateUniqueTokenRegex(`(connectionstring|connstring)[^=]*?=["'][^"']*?(password)=[^\$\s;][^"'\s]*?(;|['"])`), } // validate tps := []string{ - generateSampleSecret("azure-password-7", - "decryptionKey='" + secrets.NewSecret(alphaNumeric("200") + "'")), + generateSampleSecret("azure-password-connstring", + //connstring='password=secret123;Server=localhost;' + "connstring='Server=localhost;password=" + secrets.NewSecret(alphaNumeric("23") + "'")), } return validate(r, tps, nil) } -func AzurePassword8() *config.Rule { +func AzurePasswordValueString() *config.Rule { // define rule r := config.Rule{ Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", - RuleID: "azure-password-8", - SecretGroup: 1, - Regex: generateUniqueTokenRegex(`n[^\r\n]{0,400}(>|'|=|")[a-zA-Z0-9/+]{43}=[^{@]`), - } - - // validate - tps := []string{ - generateSampleSecret("azure-password-8", - ` - This is a random text string that contains some characters> - ` + secrets.NewSecret(alphaNumeric("86") + "==")), - } - return validate(r, tps, nil) -} - -func AzurePassword9() *config.Rule { - // define rule - r := config.Rule{ - Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.", - RuleID: "azure-password-9", - SecretGroup: 1, - Regex: generateUniqueTokenRegex(`\n[^\r\n]{0,800}((sig|SIG|sas|SAS|([pP]ass[wW]ord|PASSWORD))=|>)[a-zA-Z0-9%]{43,53}%3[dD][^{a-zA-Z0-9%]`), - } - - // validate - tps := []string{ - generateSampleSecret("azure-password-9", - ` - This is a random text string that contains some characters> - ` + secrets.NewSecret(alphaNumeric("86") + "==")), - } - return validate(r, tps, nil) -} - -func AzurePassword10() *config.Rule { - // define rule - r := config.Rule{ - Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.", - RuleID: "azure-password-10", + RuleID: "azure-password-value-string", SecretGroup: 1, - Regex: 
generateUniqueTokenRegex(`\n.*(([uU]ser|USER) ?([iI]d|ID|[nN]ame|NAME)|[uU]id|UID)=.{2,128}?\s*?;\s*?(([pP]ass[wW]ord|PASSWORD)|([pP]wd|PWD))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|')`), + Regex: generateUniqueTokenRegex(`value\s?=\s?['"]((([A-Za-z0-9+/]){4}){1,200})==['"]`), } // validate tps := []string{ - generateSampleSecret("azure-password-10", - ` - This is a random text string that contains some characters> - ` + secrets.NewSecret(alphaNumeric("86") + "==")), + generateSampleSecret("azure-password-value-string", + "Value='" + secrets.NewSecret(alphaNumeric("20") + "=='")), } return validate(r, tps, nil) } -func AzurePassword11() *config.Rule { +func AzurePassworduidpw() *config.Rule { // define rule r := config.Rule{ Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.", - RuleID: "azure-password-11", + RuleID: "azure-password-uidpw", SecretGroup: 1, - Regex: generateUniqueTokenRegex(`<[cC]redential\sname="[^"]*([kK][eE][yY]([sS]|[0-9])?|[cC]redential(s)?|[sS]ecret(s|[0-9])?|[pP]ass[wW]ord|PASSWORD|[tT]oken|[kK]ey([pP]rimary|[sS]econdary|[oO]r[sS]as|[eE]ncrypted))"(\s*value\s*="[^"]+".*?/>|[^>\s]*>.*?</[cC]redential>)`), + Regex: generateUniqueTokenRegex(`((user) ?(id|name)|uid)=.{2,128}?\s*?;\s*?((password|(pwd))=[^'$%@'";\[\{][^;"']{2,350}?(;|"|'))`), } // validate tps := []string{ - generateSampleSecret("azure-password-11", - ` - This is a random text string that contains some characters> - ` + secrets.NewSecret(alphaNumeric("86") + "==")), + generateSampleSecret("azure-password-uidpw", + `uid=testuser;pwd=` + secrets.NewSecret(alphaNumeric("86") + ";")), } return validate(r, tps, nil) } -func AzurePassword12() *config.Rule { - // define rule - r := config.Rule{ - Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.", - RuleID: "azure-password-12", - SecretGroup: 1, - Regex: 
generateUniqueTokenRegex(`<[sS]etting\sname="[^"]*[pP]ass[wW]ord".*[\r\n]*\s*<[vV]alue>.+</[vV]alue>`), - } +// TODO: Come back to the two XML passwords below +// func AzurePasswordXMLCredential() *config.Rule { +// // define rule +// r := config.Rule{ +// Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.", +// RuleID: "azure-password-xml-credential", +// SecretGroup: 1, +// Regex: generateUniqueTokenRegex(`\s?name=['"][^"]*(key(s|[0-9])?|credential(s)?|secret(s|[0-9])?|password|token|key(primary|secondary|orsas|encrypted))['"](\s*value\s*=['"][^"]+['"].*?)`), +// } - // validate - tps := []string{ - generateSampleSecret("azure-password-12", - ` - This is a random text string that contains some characters> - ` + secrets.NewSecret(alphaNumeric("86") + "==")), - } - return validate(r, tps, nil) -} +// // validate +// tps := []string{ +// generateSampleSecret("azure-password-xml-credential", +// "name='primary_key' value='" + secrets.NewSecret(alphaNumeric("86") + "'")), +// } +// return validate(r, tps, nil) +// } -func AzurePassword13() *config.Rule { - // define rule - r := config.Rule{ - Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", - RuleID: "azure-password-13", - SecretGroup: 1, - Regex: generateUniqueTokenRegex(`(?s)<SSIS:Parameter\n?\s*SSIS:Name="[pP]ass[wW]ord">.*?<SSIS:Property\n?\s*SSIS:Name="[vV]alue">[^><#$\[\{\(]+</SSIS:Property>`), - } +// func AzurePasswordXMLValue() *config.Rule { +// // define rule +// r := config.Rule{ +// Description: "CSCAN0090, CSCAN0150 - Found Azure password, symmetric key or storage credential in source file.", +// RuleID: "azure-password-xml-value", +// SecretGroup: 1, +// Regex: generateUniqueTokenRegex(`.*.+`), +// } - // validate - tps := []string{ - generateSampleSecret("azure-password-13", - ` - This is a random text string that contains some characters> - ` + secrets.NewSecret(alphaNumeric("86") + "==")), 
- } - return validate(r, tps, nil) -} +// // validate +// tps := []string{ +// generateSampleSecret("azure-password-xml-value", +// //testpassword123 +// "" + secrets.NewSecret(alphaNumeric("86") + "")), +// } +// return validate(r, tps, nil) +// } -func AzurePassword14() *config.Rule { - // define rule - r := config.Rule{ - Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", - RuleID: "azure-password-14", - SecretGroup: 1, - Regex: generateUniqueTokenRegex(`<SSIS:Property\n?\s*SSIS:Name="[vV]alue">.*["'][pP]ass[wW]ord["']:["'][^"']+["']`), - } +// func AzurePasswordSSISProperty() *config.Rule { +// // define rule +// r := config.Rule{ +// Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", +// RuleID: "azure-password-ssis", +// SecretGroup: 1, +// Regex: generateUniqueTokenRegex(`(?s).*?[^><#$\[\{\(]+`), +// } - // validate - tps := []string{ - generateSampleSecret("azure-password-14", - ` - This is a random text string that contains some characters> - ` + secrets.NewSecret(alphaNumeric("86") + "==")), - } - return validate(r, tps, nil) -} +// // validate +// tps := []string{ +// generateSampleSecret("azure-password-ssis", +// ` +// This is a random text string that contains some characters> +// ` + secrets.NewSecret(alphaNumeric("86") + "==")), +// } +// return validate(r, tps, nil) +// } -func AzurePassword15() *config.Rule { - // define rule - r := config.Rule{ - Description: "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file.", - RuleID: "azure-password-15", - SecretGroup: 1, - Regex: generateUniqueTokenRegex(`userPWD="[a-zA-Z0-9]{60}"`), - } - // validate - tps := []string{ - generateSampleSecret("azure-password-15", - ` - This is a random text string that contains some characters> - ` + secrets.NewSecret(alphaNumeric("86") + "==")), - } - return validate(r, tps, nil) -} - -func AzureNetworkCredential1() *config.Rule { +func 
AzureNetworkCredential() *config.Rule { // define rule r := config.Rule{ Description: "CSCAN0160 - Found Azure domain credential in source file.", - RuleID: "azure-network-credential-1", + RuleID: "azure-network-credential", SecretGroup: 1, - Regex: generateUniqueTokenRegex(`NetworkCredential\(.*,.*,([cC][oO][rR][pP]|[eE][uU][rR][oO][pP][eE]|[mM][iI][dD][dD][lL][eE][eE][aA][sS][tT]|[nN][oO][rR][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[sS][oO][uU][tT][hH][pP][aA][cC][iI][fF][iI][cC]|[sS][oO][uU][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[fF][aA][rR][eE][aA][sS][tT]|[aA][fF][rR][iI][cC][aA]|[rR][eE][dD][mM][oO][nN][dD]|[eE][xX][cC][hH][aA][nN][gG][eE]|[eE][xX][tT][rR][aA][nN][eE][tT]|[pP][aA][rR][tT][nN][eE][rR][sS]|[eE][xX][tT][rR][aA][nN][eE][tT][tT][eE][sS][tT]|[pP][aA][rR][tT][tT][eE][sS][tT]|[nN][oO][eE]|[nN][tT][dD][eE][vV]|[nN][tT][wW][kK][sS][tT][aA]|[sS][yY][sS]\-[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][dD][eE][pP][lL][oO][yY]|[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][sS][eE]|[sS][eE][gG][rR][oO][uU][pP]|[xX][cC][oO][rR][pP]|[xX][rR][eE][pP]|[pP][hH][xX]|[gG][mM][eE]|[uU][sS][mM][eE]|[cC][dD][oO][cC][iI][dD][mM]|[mM][sS][lL][pP][aA])\\.*`), + Regex: generateUniqueTokenRegex(`NetworkCredential\((\s*).*,(\s*).*,(\s*)(corp|europe|middleeast|northamerica|southpacific|southamerica|fareast|africa|redmond|exchange|extranet|partners|extranettest|parttest|noe|ntdev|ntwksta|sys-wingroup|windeploy|wingroup|winse|segroup|xcorp|xrep|phx|gme|usme|cdocidm|mslpa)\)`), } // validate tps := []string{ - generateSampleSecret("azure-network-credential-1", + generateSampleSecret("azure-network-credential", "NetworkCredential(username, password, europe)"), } return validate(r, tps, nil) } -func AzureNetworkCredential2() *config.Rule { - // define rule - r := config.Rule{ - Description: "CSCAN0160 - Found Azure domain credential in source file.", - RuleID: "azure-network-credential-2", - SecretGroup: 1, - Regex: 
generateUniqueTokenRegex(`[nN][eE][tT]\s[uU][sS][eE].*\/[uU]\:([cC][oO][rR][pP]|[eE][uU][rR][oO][pP][eE]|[mM][iI][dD][dD][lL][eE][eE][aA][sS][tT]|[nN][oO][rR][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[sS][oO][uU][tT][hH][pP][aA][cC][iI][fF][iI][cC]|[sS][oO][uU][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[fF][aA][rR][eE][aA][sS][tT]|[aA][fF][rR][iI][cC][aA]|[rR][eE][dD][mM][oO][nN][dD]|[eE][xX][cC][hH][aA][nN][gG][eE]|[eE][xX][tT][rR][aA][nN][eE][tT]|[pP][aA][rR][tT][nN][eE][rR][sS]|[eE][xX][tT][rR][aA][nN][eE][tT][tT][eE][sS][tT]|[pP][aA][rR][tT][tT][eE][sS][tT]|[nN][oO][eE]|[nN][tT][dD][eE][vV]|[nN][tT][wW][kK][sS][tT][aA]|[sS][yY][sS]\-[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][dD][eE][pP][lL][oO][yY]|[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][sS][eE]|[sS][eE][gG][rR][oO][uU][pP]|[xX][cC][oO][rR][pP]|[xX][rR][eE][pP]|[pP][hH][xX]|[gG][mM][eE]|[uU][sS][mM][eE]|[cC][dD][oO][cC][iI][dD][mM]|[mM][sS][lL][pP][aA])\\.*`), - } - - // validate - tps := []string{ - generateSampleSecret("azure-network-credential-2", - `Net use \server\u:corp\share /user:corp\username`), - } - return validate(r, tps, nil) -} - -func AzureNetworkCredential3() *config.Rule { +func AzureNetworkCredentialSchtasks() *config.Rule { // define rule r := config.Rule{ Description: "CSCAN0160 - Found Azure domain credential in source file.", - RuleID: "azure-network-credential-3", + RuleID: "azure-network-credential-schtasks", SecretGroup: 1, - Regex: 
generateUniqueTokenRegex(`[sS][cC][hH][tT][aA][sS][kK][sS].*/[rR][uU]\s([cC][oO][rR][pP]|[eE][uU][rR][oO][pP][eE]|[mM][iI][dD][dD][lL][eE][eE][aA][sS][tT]|[nN][oO][rR][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[sS][oO][uU][tT][hH][pP][aA][cC][iI][fF][iI][cC]|[sS][oO][uU][tT][hH][aA][mM][eE][rR][iI][cC][aA]|[fF][aA][rR][eE][aA][sS][tT]|[aA][fF][rR][iI][cC][aA]|[rR][eE][dD][mM][oO][nN][dD]|[eE][xX][cC][hH][aA][nN][gG][eE]|[eE][xX][tT][rR][aA][nN][eE][tT]|[pP][aA][rR][tT][nN][eE][rR][sS]|[eE][xX][tT][rR][aA][nN][eE][tT][tT][eE][sS][tT]|[pP][aA][rR][tT][tT][eE][sS][tT]|[nN][oO][eE]|[nN][tT][dD][eE][vV]|[nN][tT][wW][kK][sS][tT][aA]|[sS][yY][sS]\-[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][dD][eE][pP][lL][oO][yY]|[wW][iI][nN][gG][rR][oO][uU][pP]|[wW][iI][nN][sS][eE]|[sS][eE][gG][rR][oO][uU][pP]|[xX][cC][oO][rR][pP]|[xX][rR][eE][pP]|[pP][hH][xX]|[gG][mM][eE]|[uU][sS][mM][eE]|[cC][dD][oO][cC][iI][dD][mM]|[mM][sS][lL][pP][aA]).*/[rR][pP].*`), + Regex: generateUniqueTokenRegex(`schtasks.*/ru\s(corp|europe|middleeast|northamerica|southpacific|southamerica|fareast|africa|redmond|exchange|extranet|partners|extranettest|parttest|noe|ntdev|ntwksta|sys\-wingroup|windeploy|wingroup|winse|segroup|xcorp|xrep|phx|gme|usme|cdocidm|mslpa).*/rp.*`), } // validate tps := []string{ - generateSampleSecret("azure-network-credential-3", + generateSampleSecret("azure-network-credential-schtasks", `Schtasks /create /tn corp-daily-backup /tr \corp\backup.bat /ru corp\admin /rp password /sc daily`), } return validate(r, tps, nil) } -func AzureNetworkCredential4() *config.Rule { +func AzureNetworkCredentialDotNet() *config.Rule { // define rule r := config.Rule{ Description: "CSCAN0160 - Found Azure domain credential in source file.", - RuleID: "azure-network-credential-4", + RuleID: "azure-network-credential-dotnet", SecretGroup: 1, - Regex: generateUniqueTokenRegex(`[nN]ew-[oO]bject\s*System.Net.NetworkCredential\(.*?,\s*"[^"]+"`), + Regex: 
generateUniqueTokenRegex(`new-object\s*System.Net.NetworkCredential\(.*?,\s*['"][^"]+['"]`),
 }
 // validate
 tps := []string{
- generateSampleSecret("azure-network-credential-4",
- `New-Object System.Net.NetworkCredential(username, "password")`),
+ generateSampleSecret("azure-network-credential-dotnet",
+ "New-Object System.Net.NetworkCredential(username, '" + secrets.NewSecret(alphaNumeric("86")) + "')"),
 }
 return validate(r, tps, nil)
 }
@@ -561,81 +396,49 @@ func AzureDevTFVCSecrets() *config.Rule {
 Description: "CSCAN0200 - Found Azure DevDiv TFVC repo secrets.",
 RuleID: "azure-devtfvc-secrets",
 SecretGroup: 1,
- Regex: generateUniqueTokenRegex(`[eE][nN][cC]_[uU][sS][eE][rR][nN][aA][mM][eE]=[\w]+[\r\n]+[eE][nN][cC]_[pP][aA][sS][sS][wW][oO][rR][dD]=[\w]+`),
+ Regex: generateUniqueTokenRegex(`enc_username=.+[\n\r\s]+enc_password=.{3,}`),
 }
 // validate
 tps := []string{
 generateSampleSecret("azure-devtfvc-secrets",
- `enc_username=myusername\r\nenc_password=mypassword`),
- }
- return validate(r, tps, nil)
-}
-
-func AzureVSTSPAT1() *config.Rule {
- // define rule
- r := config.Rule{
- Description: "CSCAN0240 - Found Azure Found Vsts personal access token in source file.",
- RuleID: "azure-vsts-pat1",
- SecretGroup: 1,
- Regex: generateUniqueTokenRegex(`([aA]ccess_?[tT]oken|ACCESS_?TOKEN).*?['="][a-z2-7]{52}('|"|\s|[\r\n]+)`),
- }
-
- // validate
- tps := []string{
- generateSampleSecret("azure-vsts-pat1",
- `Access_token=='a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2'`),
+ "enc_username=myusername enc_password=" + secrets.NewSecret(alphaNumeric("86"))),
 }
 return validate(r, tps, nil)
 }
-func AzureVSTSPAT2() *config.Rule {
+func AzureDevopsPAT() *config.Rule {
 // define rule
 r := config.Rule{
- Description: "CSCAN0240 - Found Azure Found Vsts personal access token in source file.",
- RuleID: "azure-vsts-pat2",
+ Description: "CSCAN0240 - Found Azure Devops personal access token in source file.",
+ RuleID: "azure-devops-pat",
 SecretGroup: 1,
- Regex: generateUniqueTokenRegex(`[pP]ass[wW]ord\s+[a-z2-7]{52}(\s|[\r\n]+)`),
+ Regex: generateUniqueTokenRegex(`(access_token).*?['="][a-zA-Z0-9/+]{10,99}['"]`),
 }
 // validate
 tps := []string{
- generateSampleSecret("azure-vsts-pat2",
- `Access_token=='a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2'`),
+ generateSampleSecret("azure-devops-pat",
+ "Access_token=='" + secrets.NewSecret(hex("52")) + "'"),
 }
 return validate(r, tps, nil)
 }
-func AzureVSTSPAT3() *config.Rule {
- // define rule
- r := config.Rule{
- Description: "CSCAN0240 - Found Azure Vsts personal access token in source file.",
- RuleID: "azure-vsts-pat3",
- SecretGroup: 1,
- Regex: generateUniqueTokenRegex(`([aA]ccess_?[tT]oken|ACCESS_?TOKEN).*?[>|'|=|"][a-zA-Z0-9/+]{70}==`),
- }
-
- // validate
- tps := []string{
- generateSampleSecret("azure-vsts-pat3",
- `Access_token=='a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2'`),
- }
- return validate(r, tps, nil)
-}
-func AzurePowershellTokenCache() *config.Rule {
- // define rule
- r := config.Rule{
- Description: "CSCAN0270 - Found Azure Subscription Token Cache.",
- RuleID: "azure-powershell-tokencache",
- SecretGroup: 1,
- Regex: generateUniqueTokenRegex(`["']TokenCache["']\s*:\s*\{\s*["']CacheData["']\s*:\s*["'][a-zA-Z0-9/\+]{86}`),
- }
+// func AzurePowershellTokenCache() *config.Rule {
+// // define rule
+// r := config.Rule{
+// Description: "CSCAN0270 - Found Azure Subscription Token Cache.",
+// RuleID: "azure-powershell-tokencache",
+// SecretGroup: 1,
+// // Below finds the example on Regex101.com! So not sure what's happening here.
+// Regex: generateUniqueTokenRegex(`["']TokenCache["']\s*:\s*\{\s*["']CacheData["']\s*:\s*["'][a-zA-Z0-9/\+]{86}`),
+// }
- // validate
- tps := []string{
- generateSampleSecret("azure-powershell-tokencache",
- `Access_token=='a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2b2c3d4e5a2'`),
- }
- return validate(r, tps, nil)
-}
+// // validate
+// tps := []string{
+// generateSampleSecret("azure-powershell-tokencache",
+// "'TokenCache': { 'CacheData': '" + secrets.NewSecret(alphaNumeric("86")) + "'"),
+// }
+// return validate(r, tps, nil)
+// }
diff --git a/config/gitleaks.toml b/config/gitleaks.toml
index 7a7f00da8..ed1bbbe82 100644
--- a/config/gitleaks.toml
+++ b/config/gitleaks.toml
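Review bot: AzureDevopsPAT's new pattern `['="][a-zA-Z0-9/+]{10,99}['"]` fires on any quoted alphanumeric string of ten or more characters that follows `access_token`, whereas the removed AzureVSTSPAT1 pinned the 52-character base32 form `[a-z2-7]{52}`; keeping that length constraint, e.g. `(access_token).*?['="][a-z2-7]{52}['"]`, would hold the false-positive rate down, and the `hex("52")` fixture should then be generated from the same alphabet. The inner `(access_token)` group is not needed and only shifts group numbering; `SecretGroup: 1` still refers to the wrapper group that generateUniqueTokenRegex adds, so it is harmless but misleading. Neither AzureDevopsPAT nor AzureDevTFVCSecrets sets `Keywords`, so their generated rules carry an empty keyword list while every other rule in this file supplies one; `Keywords: []string{"access_token"}` and `Keywords: []string{"enc_password"}` would let the keyword pre-filter apply to them too. On the commented-out AzurePowershellTokenCache, the "works on Regex101" puzzle is most likely the `\b` that generateUniqueTokenRegex prepends: the pattern starts with `["']`, so `\b` can only match when a word character immediately precedes the quote, which the fixture presumably does not provide; starting the pattern at `TokenCache["']\s*:` instead sidesteps that.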
@@ -88,6 +88,15 @@ keywords = [
 "alibaba",
 ]
+[[rules]]
+description = "CSCAN0270 - Found Azure Subscription Token Cache."
+id = "ansible-vault-token"
+regex = '''(?i)\b(ANSIBLE_VAULT;[0-9]\.[0-9];AES256;[\r\n]+[0-9]+)(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+secretGroup = 1
+keywords = [
+ "ansible_vault;","aes256;",
+]
+
 [[rules]]
 description = "Asana Client ID"
 id = "asana-client-id"
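Review bot: The rule added here has `id = "ansible-vault-token"` and a regex matching the Ansible Vault header, but its description is `CSCAN0270 - Found Azure Subscription Token Cache.`, the text of the AzurePowershellTokenCache rule in azure.go, so any finding would be reported under a misleading description. This file appears to be generated from the Go rule definitions under cmd/generate, so the correction presumably belongs in the Ansible rule's Go source (not part of this patch) rather than in the TOML; the generated line should then read something like `description = "Ansible Vault token"`. The keywords `"ansible_vault;"` and `"aes256;"` do correspond to literals in the regex, so only the description is off.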
@@ -123,6 +132,186 @@ keywords = [
 "akia","agpa","aida","aroa","aipa","anpa","anva","asia",
 ]
+[[rules]]
+description = "CSCAN0020, CSCAN0030 - Found Azure app service deployment secrets in publish settings file."
+id = "azure-app-service-deployment-secrets"
+regex = '''(?i)\b(MII[a-z0-9=_\-]{200})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+secretGroup = 1
+keywords = [
+ "mii",
+]
+
+[[rules]]
+description = "CSCAN0240 - Found Azure Devops personal access token in source file."
+id = "azure-devops-pat"
+regex = '''(?i)\b((access_token).*?['="][a-zA-Z0-9/+]{10,99}['"])(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+secretGroup = 1
+keywords = [
+
+]
+
+[[rules]]
+description = "CSCAN0200 - Found Azure DevDiv TFVC repo secrets."
+id = "azure-devtfvc-secrets"
+regex = '''(?i)\b(enc_username=.+[\n\r\s]+enc_password=.{3,})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+secretGroup = 1
+keywords = [
+
+]
+
+[[rules]]
+description = "CSCAN0160 - Found Azure domain credential in source file."
+id = "azure-network-credential"
+regex = '''(?i)\b(NetworkCredential\((\s*).*,(\s*).*,(\s*)(corp|europe|middleeast|northamerica|southpacific|southamerica|fareast|africa|redmond|exchange|extranet|partners|extranettest|parttest|noe|ntdev|ntwksta|sys-wingroup|windeploy|wingroup|winse|segroup|xcorp|xrep|phx|gme|usme|cdocidm|mslpa)\))(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+secretGroup = 1
+keywords = [
+
+]
+
+[[rules]]
+description = "CSCAN0160 - Found Azure domain credential in source file."
+id = "azure-network-credential-dotnet"
+regex = '''(?i)\b(new-object\s*System.Net.NetworkCredential\(.*?,\s*['"][^"]+['"])(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+secretGroup = 1
+keywords = [
+
+]
+
+[[rules]]
+description = "CSCAN0160 - Found Azure domain credential in source file."
+id = "azure-network-credential-schtasks" +regex = '''(?i)\b(schtasks.*/ru\s(corp|europe|middleeast|northamerica|southpacific|southamerica|fareast|africa|redmond|exchange|extranet|partners|extranettest|parttest|noe|ntdev|ntwksta|sys\-wingroup|windeploy|wingroup|winse|segroup|xcorp|xrep|phx|gme|usme|cdocidm|mslpa).*/rp.*)(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + +] + +[[rules]] +description = "CSCAN0090 - Found Azure password, symmetric key or storage credential in source file." +id = "azure-password-addkey" +regex = '''(?i)\b([)[a-zA-Z0-9%]{43,53}%3d[^{a-zA-Z0-9%])(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + +] + +[[rules]] +description = "CSCAN0030 - Found Azure storage credential in source code file." +id = "azure-storage-credential-useridpw" +regex = '''(?i)\b(((user) ?(id|name)|uid)=.{2,128}?\s*?;\s*?((password)|(pwd))=[^'$%>@'";\[\{][^;"']{2,350}?(;|"|'))(?:['|\"|\n|\r|\s|\x60|;]|$)''' +secretGroup = 1 +keywords = [ + +] + +[[rules]] +description = "CSCAN0100 - Found Azure storage credential in source code file." +id = "azure-storage-credential-xstore" +regex = '''(?i)\b([ Date: Fri, 27 Jan 2023 08:47:58 +1000 Subject: [PATCH 8/8] Update .gitignore Co-authored-by: Jesse Houwing --- .gitignore | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index 67b6c8b6b..93ba61b66 100644 --- a/.gitignore +++ b/.gitignore @@ -17,13 +17,4 @@ cmd/generate/config/gitleaks.toml # Test binary *.out -dist/ - -# Hugo build files (created automatically by VSCode Go extension) -.hugo_build.lock - -# Hugo Sitemap.xml files (created automatically by VSCode Go extension) -public/index.xml -public/sitemap.xml -public/categories/index.xml -public/tags/index.xml \ No newline at end of file +dist/ \ No newline at end of file