add bitbucket app password scanner #1498
Conversation
|
|
||
| // Make sure that your group is surrounded in boundary characters such as below to reduce false positives. | ||
| /* | ||
| The following patterns cover the methods of authentication found here: https://support.atlassian.com/bitbucket-cloud/docs/using-app-passwords/, as well as for other general cases. |
There was a problem hiding this comment.
nit: We can just use regular comments here. /* */ are generally used for package comments given how lengthy they are.
ex:
// The following patterns cover the methods of authentication found here:
// https://support.atlassian.com/bitbucket-cloud/docs/using-app-passwords/, as well as for other general cases.
| */ | ||
|
|
||
| // Covers 'username:appPassword' pattern | ||
| usernamePat1 = regexp.MustCompile(`\b([A-Za-z0-9-_]{1,30}):(?:ATBB[A-Za-z0-9_=\.-]+[A-Z0-9]{8})\b`) |
There was a problem hiding this comment.
nit: We can remove the extra capture group around ?:ATBB... and we can also remove the redundant \ within [A-Za-z0-9_=\.-].
ex:
\b([A-Za-z0-9-_]{1,30}):ATBB[A-Za-z0-9_=.-]+[A-Z0-9]{8}\b
| // Covers 'username:appPassword' pattern | ||
| usernamePat1 = regexp.MustCompile(`\b([A-Za-z0-9-_]{1,30}):(?:ATBB[A-Za-z0-9_=\.-]+[A-Z0-9]{8})\b`) | ||
| // Covers assignment of username to variable | ||
| usernamePat2 = regexp.MustCompile(`(?im)(?:user|usr)\S{0,40}?[:=\s]{1,3}[ '"=]{0,1}([a-zA-Z0-9-_]{1,30})\b`) |
There was a problem hiding this comment.
nit: {0,1} -> ?
ex:
(?im)(?:user|usr)\S{0,40}?[:=\s]{1,3}[ '"=]?([a-zA-Z0-9-_]{1,30})\b
| // Covers 'https://username@bitbucket.org' pattern | ||
| usernamePat3 = regexp.MustCompile(`https:\/\/([a-zA-Z0-9-_]{1,30})@bitbucket.org`) | ||
| // Covers '("username", "password")' pattern, used for HTTP Basic Auth | ||
| usernamePat4 = regexp.MustCompile(`"([a-zA-Z0-9-_]{1,30})",(?: )?"(?:ATBB[A-Za-z0-9_=\.-]+[A-Z0-9]{8})"`) |
There was a problem hiding this comment.
nit: Similar to above, we can remove the redundant capture groups and the \.
ex:
"([a-zA-Z0-9-_]{1,30})", ?"ATBB[A-Za-z0-9_=.-]+[A-Z0-9]{8}"
| // Covers assignment of username to variable | ||
| usernamePat2 = regexp.MustCompile(`(?im)(?:user|usr)\S{0,40}?[:=\s]{1,3}[ '"=]{0,1}([a-zA-Z0-9-_]{1,30})\b`) | ||
| // Covers 'https://username@bitbucket.org' pattern | ||
| usernamePat3 = regexp.MustCompile(`https:\/\/([a-zA-Z0-9-_]{1,30})@bitbucket.org`) |
There was a problem hiding this comment.
nit: We don't need to escape /
ex:
https://([a-zA-Z0-9-_]{1,30})@bitbucket.org
| // Covers '("username", "password")' pattern, used for HTTP Basic Auth | ||
| usernamePat4 = regexp.MustCompile(`"([a-zA-Z0-9-_]{1,30})",(?: )?"(?:ATBB[A-Za-z0-9_=\.-]+[A-Z0-9]{8})"`) | ||
|
|
||
| appPasswordPat = regexp.MustCompile(`\bATBB[A-Za-z0-9_=\.-]+[A-Z0-9]{8}\b`) |
There was a problem hiding this comment.
nit: ditto regarding the redundant \.
ex:
\bATBB[A-Za-z0-9_=.-]+[A-Z0-9]{8}\b
| func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { | ||
| dataStr := string(data) | ||
|
|
||
| usernameMatches := append(usernamePat1.FindAllStringSubmatch(dataStr, -1), usernamePat2.FindAllStringSubmatch(dataStr, -1)...) |
There was a problem hiding this comment.
suggestion: If we combine all the username patterns into a single slice and declare the var above during the package init we can simplify some of the logic here.
ex:
var (
...
usernamePat1 = ..
...
usernamePatterns = []*regexp.Regexp{usernamePat1, usernamePat2, usernamePat3, usernamePat4}
|
...
func (s Scanner) FromData(...) {
...
var usernameMatches [][]string
for _, pattern := range usernamePatterns {
usernameMatches = append(usernameMatches, pattern.FindAllStringSubmatch(dataStr, -1)...)
}
...
There was a problem hiding this comment.
agreed, much cleaner!
|
Anyone in Truffle Security group who could review / fix conflicts? I'd love to get this added to Trufflehog. |
|
@brandonjyan happy to get this merged in once conflicts have been resolved |
No description provided.