Improve PlanetScale token detection (#874)

This improves the PlanetScale token detection. It add some flexibility in length. There is no guarantee that the length is always 43 characters (in fact, it's very likely to change a bit soon). Additionally, it adds support for detecting oauth tokens as well.
gitleaks · May 25, 2022 · 865478b · 865478b
1 parent d6c0de7
commit 865478b
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 6 deletions.
diff --git a/cmd/generate/config/main.go b/cmd/generate/config/main.go
@@ -80,7 +80,8 @@ func main() {
 	configRules = append(configRules, rules.NewRelicBrowserAPIKey())
 	configRules = append(configRules, rules.NPM())
 	configRules = append(configRules, rules.PlanetScalePassword())
-	configRules = append(configRules, rules.PlanetScaleToken())
+	configRules = append(configRules, rules.PlanetScaleAPIToken())
+	configRules = append(configRules, rules.PlanetScaleOAuthToken())
 	configRules = append(configRules, rules.PostManAPI())
 	configRules = append(configRules, rules.PrivateKey())
 	configRules = append(configRules, rules.PulumiAPIToken())

diff --git a/cmd/generate/config/rules/planetscale.go b/cmd/generate/config/rules/planetscale.go
@@ -10,7 +10,7 @@ func PlanetScalePassword() *config.Rule {
 	r := config.Rule{
 		RuleID:      "planetscale-password",
 		Description: "PlanetScale password",
-		Regex:       generateUniqueTokenRegex(`pscale_pw_(?i)[a-z0-9=\-_\.]{43}`),
+		Regex:       generateUniqueTokenRegex(`pscale_pw_(?i)[a-z0-9=\-_\.]{32,64}`),
 		SecretGroup: 1,
 		Keywords: []string{
 			"pscale_pw_",
@@ -19,17 +19,19 @@ func PlanetScalePassword() *config.Rule {
 
 	// validate
 	tps := []string{
+		generateSampleSecret("planetScalePassword", "pscale_pw_"+secrets.NewSecret(alphaNumericExtended("32"))),
 		generateSampleSecret("planetScalePassword", "pscale_pw_"+secrets.NewSecret(alphaNumericExtended("43"))),
+		generateSampleSecret("planetScalePassword", "pscale_pw_"+secrets.NewSecret(alphaNumericExtended("64"))),
 	}
 	return validate(r, tps, nil)
 }
 
-func PlanetScaleToken() *config.Rule {
+func PlanetScaleAPIToken() *config.Rule {
 	// define rule
 	r := config.Rule{
 		RuleID:      "planetscale-api-token",
 		Description: "PlanetScale API token",
-		Regex:       generateUniqueTokenRegex(`pscale_tkn_(?i)[a-z0-9=\-_\.]{43}`),
+		Regex:       generateUniqueTokenRegex(`pscale_tkn_(?i)[a-z0-9=\-_\.]{32,64}`),
 		SecretGroup: 1,
 		Keywords: []string{
 			"pscale_tkn_",
@@ -38,7 +40,30 @@ func PlanetScaleToken() *config.Rule {
 
 	// validate
 	tps := []string{
+		generateSampleSecret("planetScalePassword", "pscale_tkn_"+secrets.NewSecret(alphaNumericExtended("32"))),
 		generateSampleSecret("planetScalePassword", "pscale_tkn_"+secrets.NewSecret(alphaNumericExtended("43"))),
+		generateSampleSecret("planetScalePassword", "pscale_tkn_"+secrets.NewSecret(alphaNumericExtended("64"))),
+	}
+	return validate(r, tps, nil)
+}
+
+func PlanetScaleOAuthToken() *config.Rule {
+	// define rule
+	r := config.Rule{
+		RuleID:      "planetscale-oauth-token",
+		Description: "PlanetScale OAuth token",
+		Regex:       generateUniqueTokenRegex(`pscale_oauth_(?i)[a-z0-9=\-_\.]{32,64}`),
+		SecretGroup: 1,
+		Keywords: []string{
+			"pscale_oauth_",
+		},
+	}
+
+	// validate
+	tps := []string{
+		generateSampleSecret("planetScalePassword", "pscale_oauth_"+secrets.NewSecret(alphaNumericExtended("32"))),
+		generateSampleSecret("planetScalePassword", "pscale_oauth_"+secrets.NewSecret(alphaNumericExtended("43"))),
+		generateSampleSecret("planetScalePassword", "pscale_oauth_"+secrets.NewSecret(alphaNumericExtended("64"))),
 	}
 	return validate(r, tps, nil)
 }
diff --git a/config/gitleaks.toml b/config/gitleaks.toml
@@ -545,7 +545,7 @@ keywords = [
 [[rules]]
 description = "PlanetScale password"
 id = "planetscale-password"
-regex = '''(?i)\b(pscale_pw_(?i)[a-z0-9=\-_\.]{43})(?:['|\"|\n|\r|\s|\x60]|$)'''
+regex = '''(?i)\b(pscale_pw_(?i)[a-z0-9=\-_\.]{32,64})(?:['|\"|\n|\r|\s|\x60]|$)'''
 secretGroup = 1
 keywords = [
     "pscale_pw_",
@@ -554,12 +554,21 @@ keywords = [
 [[rules]]
 description = "PlanetScale API token"
 id = "planetscale-api-token"
-regex = '''(?i)\b(pscale_tkn_(?i)[a-z0-9=\-_\.]{43})(?:['|\"|\n|\r|\s|\x60]|$)'''
+regex = '''(?i)\b(pscale_tkn_(?i)[a-z0-9=\-_\.]{32,64})(?:['|\"|\n|\r|\s|\x60]|$)'''
 secretGroup = 1
 keywords = [
     "pscale_tkn_",
 ]
 
+[[rules]]
+description = "PlanetScale OAuth token"
+id = "planetscale-oauth-token"
+regex = '''(?i)\b(pscale_oauth_(?i)[a-z0-9=\-_\.]{32,64})(?:['|\"|\n|\r|\s|\x60]|$)'''
+secretGroup = 1
+keywords = [
+    "pscale_oauth_",
+]
+
 [[rules]]
 description = "Postman API token"
 id = "postman-api-token"