Skip to content

Commit

Permalink
Feature/add sidekiq rules (#933)
Browse files Browse the repository at this point in the history 
* Add sidekiq rules

* Added two new rules for sidekiq
* Other: Add keywords to square rules per Zach's instructions

* Validate now works, but test suite is failing

* Tests are now passing

* Add Sidekiq Rules: Ran go fmt

* * After resolving conflicts, had to rerun the rule generator to add back the semicolon char
* After running tests, had to fix one line in testdata/expected/report/sarif_simple.sarif

* * Added keywords to simple.toml for sidekiq-sensitive-url so that the rule matches what is in gitleaks.toml

Co-authored-by: Andrew Weiner <aweiner@frontrush.com>
  • Loading branch information
@weineran
weineran and Andrew Weiner committed Aug 3, 2022
1 parent afc89f9 commit cd52267
Show file tree
Hide file tree
Showing 8 changed files with 284 additions and 104 deletions.
2 changes: 2 additions & 0 deletions cmd/generate/config/main.go
View file
Expand Up @@ -126,6 +126,8 @@ func main() {
configRules = append(configRules, rules.ShopifyCustomAccessToken())
configRules = append(configRules, rules.ShopifyPrivateAppAccessToken())
configRules = append(configRules, rules.ShopifySharedSecret())
configRules = append(configRules, rules.SidekiqSecret())
configRules = append(configRules, rules.SidekiqSensitiveUrl())
configRules = append(configRules, rules.SlackAccessToken())
configRules = append(configRules, rules.SlackWebHook())
configRules = append(configRules, rules.StripeAccessToken())
Expand Down
6 changes: 3 additions & 3 deletions cmd/generate/config/rules/rule.go
View file
Expand Up @@ -25,7 +25,7 @@ const (
// \x60 = `
secretPrefixUnique = `\b(`
secretPrefix = `(?:'|\"|\s|=|\x60){0,5}(`
secretSuffix = `)(?:['|\"|\n|\r|\s|\x60]|$)`
secretSuffix = `)(?:['|\"|\n|\r|\s|\x60|;]|$)`
)

func generateSemiGenericRegex(identifiers []string, secretRegex string) *regexp.Regexp {
Expand Down Expand Up @@ -70,12 +70,12 @@ func validate(r config.Rule, truePositives []string, falsePositives []string) *c
})
for _, tp := range truePositives {
if len(d.DetectString(tp)) != 1 {
log.Fatal().Msgf("Failed to validate (tp) %s %s", r.RuleID, tp)
log.Fatal().Msgf("Failed to validate. For rule ID [%s], true positive [%s] was not detected by regexp [%s]", r.RuleID, tp, r.Regex)
}
}
for _, fp := range falsePositives {
if len(d.DetectString(fp)) != 0 {
log.Fatal().Msgf("Failed to validate (fp) %s", r.RuleID)
log.Fatal().Msgf("Failed to validate (fp) [%s]", r.RuleID)
}
}
return &r
Expand Down
60 changes: 60 additions & 0 deletions cmd/generate/config/rules/sidekiq.go
View file
@@ -0,0 +1,60 @@
package rules

import (
"regexp"

"github.com/zricethezav/gitleaks/v8/config"
)

func SidekiqSecret() *config.Rule {
// define rule
r := config.Rule{
Description: "Sidekiq Secret",
RuleID: "sidekiq-secret",
SecretGroup: 1,
Regex: generateSemiGenericRegex([]string{"BUNDLE_ENTERPRISE__CONTRIBSYS__COM", "BUNDLE_GEMS__CONTRIBSYS__COM"},
`[a-f0-9]{8}:[a-f0-9]{8}`),
Keywords: []string{"BUNDLE_ENTERPRISE__CONTRIBSYS__COM", "BUNDLE_GEMS__CONTRIBSYS__COM"},
}

// validate
tps := []string{
"BUNDLE_ENTERPRISE__CONTRIBSYS__COM: cafebabe:deadbeef",
"export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=cafebabe:deadbeef",
"export BUNDLE_ENTERPRISE__CONTRIBSYS__COM = cafebabe:deadbeef",
"BUNDLE_GEMS__CONTRIBSYS__COM: \"cafebabe:deadbeef\"",
"export BUNDLE_GEMS__CONTRIBSYS__COM=\"cafebabe:deadbeef\"",
"export BUNDLE_GEMS__CONTRIBSYS__COM = \"cafebabe:deadbeef\"",
"export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=cafebabe:deadbeef;",
"export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=cafebabe:deadbeef && echo 'hello world'",
}
return validate(r, tps, nil)
}

func SidekiqSensitiveUrl() *config.Rule {
// define rule
r := config.Rule{
Description: "Sidekiq Sensitive URL",
RuleID: "sidekiq-sensitive-url",
SecretGroup: 2,
Regex: regexp.MustCompile(`(?i)\b(http(?:s??):\/\/)([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\/|\#|\?|:]|$)`),
Keywords: []string{"gems.contribsys.com", "enterprise.contribsys.com"},
}

// validate
tps := []string{
"https://cafebabe:deadbeef@gems.contribsys.com/",
"https://cafebabe:deadbeef@gems.contribsys.com",
"https://cafeb4b3:d3adb33f@enterprise.contribsys.com/",
"https://cafeb4b3:d3adb33f@enterprise.contribsys.com",
"http://cafebabe:deadbeef@gems.contribsys.com/",
"http://cafebabe:deadbeef@gems.contribsys.com",
"http://cafeb4b3:d3adb33f@enterprise.contribsys.com/",
"http://cafeb4b3:d3adb33f@enterprise.contribsys.com",
"http://cafeb4b3:d3adb33f@enterprise.contribsys.com#heading1",
"http://cafeb4b3:d3adb33f@enterprise.contribsys.com?param1=true&param2=false",
"http://cafeb4b3:d3adb33f@enterprise.contribsys.com:80",
"http://cafeb4b3:d3adb33f@enterprise.contribsys.com:80/path?param1=true&param2=false#heading1",
}
return validate(r, tps, nil)
}
2 changes: 2 additions & 0 deletions cmd/generate/config/rules/square.go
View file
Expand Up @@ -11,6 +11,7 @@ func SquareAccessToken() *config.Rule {
RuleID: "square-access-token",
Description: "Square Access Token",
Regex: generateUniqueTokenRegex(`sq0atp-[0-9A-Za-z\-_]{22}`),
Keywords: []string{"sq0atp-"},
}

// validate
Expand All @@ -26,6 +27,7 @@ func SquareSecret() *config.Rule {
RuleID: "square-secret",
Description: "Square Secret",
Regex: generateUniqueTokenRegex(`sq0csp-[0-9A-Za-z\\-_]{43}`),
Keywords: []string{"sq0csp-"},
}

// validate
Expand Down

0 comments on commit cd52267

Please sign in to comment.