From 247a5e72145517fb8c102dbe9228276e34125c7b Mon Sep 17 00:00:00 2001 From: dutchhaag <46950081+dutchhaag@users.noreply.github.com> Date: Thu, 15 Feb 2024 11:54:47 -0600 Subject: [PATCH 01/11] patching golang.org/x/text for CVE-2021-38561 and CVE-2022-32149 (#1342) --- go.mod | 2 +- go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 702b70a9b..9f05076b8 100644 --- a/go.mod +++ b/go.mod @@ -41,7 +41,7 @@ require ( github.com/subosito/gotenv v1.2.0 // indirect golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect golang.org/x/sys v0.6.0 // indirect - golang.org/x/text v0.3.6 // indirect + golang.org/x/text v0.3.8 // indirect gopkg.in/ini.v1 v1.62.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect diff --git a/go.sum b/go.sum index 9c071657d..34696f161 100644 --- a/go.sum +++ b/go.sum @@ -448,8 +448,9 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From 6c52f878cc48a513849900a9aa6f9d68e1c2dbdd Mon Sep 17 00:00:00 2001 
From: "Baruch Odem (Rothkoff)" Date: Mon, 19 Feb 2024 17:26:41 +0200 Subject: [PATCH 02/11] fix: age rule id with dashes (#1349) --- cmd/generate/config/rules/age.go | 2 +- config/gitleaks.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/generate/config/rules/age.go b/cmd/generate/config/rules/age.go index 6b0668556..7cb468fd4 100644 --- a/cmd/generate/config/rules/age.go +++ b/cmd/generate/config/rules/age.go @@ -10,7 +10,7 @@ func AgeSecretKey() *config.Rule { // define rule r := config.Rule{ Description: "Discovered a potential Age encryption tool secret key, risking data decryption and unauthorized access to sensitive information.", - RuleID: "age secret key", + RuleID: "age-secret-key", Regex: regexp.MustCompile(`AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}`), Keywords: []string{"AGE-SECRET-KEY-1"}, } diff --git a/config/gitleaks.toml b/config/gitleaks.toml index 4d8058a0f..78dffa156 100644 --- a/config/gitleaks.toml +++ b/config/gitleaks.toml @@ -50,7 +50,7 @@ keywords = [ ] [[rules]] -id = "age secret key" +id = "age-secret-key" description = "Discovered a potential Age encryption tool secret key, risking data decryption and unauthorized access to sensitive information." regex = '''AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}''' keywords = [ From 59c0cc71830dbaf717c3f7f8bdd9dd3965f82fcc Mon Sep 17 00:00:00 2001 From: Jarek Porzucek <17789797+jporzucek@users.noreply.github.com> Date: Fri, 22 Mar 2024 17:21:26 +0100 Subject: [PATCH 03/11] Append ordered rules when extending (#1304) --- config/config.go | 13 +++++++++---- report/sarif.go | 2 +- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/config/config.go b/config/config.go index a7980ecec..e3706e01a 100644 --- a/config/config.go +++ b/config/config.go @@ -4,6 +4,7 @@ import ( _ "embed" "fmt" "regexp" + "sort" "strings" "github.com/rs/zerolog/log" 
@@ -62,7 +63,7 @@ type Config struct { Keywords []string // used to keep sarif results consistent - orderedRules []string + OrderedRules []string } // Extend is a struct that allows users to define how they want their @@ -158,7 +159,7 @@ func (vc *ViperConfig) Translate() (Config, error) { StopWords: vc.Allowlist.StopWords, }, Keywords: keywords, - orderedRules: orderedRules, + OrderedRules: orderedRules, } if maxExtendDepth != extendDepth { @@ -177,9 +178,9 @@ func (vc *ViperConfig) Translate() (Config, error) { return c, nil } -func (c *Config) OrderedRules() []Rule { +func (c *Config) GetOrderedRules() []Rule { var orderedRules []Rule - for _, id := range c.orderedRules { + for _, id := range c.OrderedRules { if _, ok := c.Rules[id]; ok { orderedRules = append(orderedRules, c.Rules[id]) } @@ -240,6 +241,7 @@ func (c *Config) extend(extensionConfig Config) { log.Trace().Msgf("adding %s to base config", ruleID) c.Rules[ruleID] = rule c.Keywords = append(c.Keywords, rule.Keywords...) + c.OrderedRules = append(c.OrderedRules, ruleID) } } @@ -250,4 +252,7 @@ func (c *Config) extend(extensionConfig Config) { extensionConfig.Allowlist.Paths...) c.Allowlist.Regexes = append(c.Allowlist.Regexes, extensionConfig.Allowlist.Regexes...) + + // sort to keep extended rules in order + sort.Strings(c.OrderedRules) } diff --git a/report/sarif.go b/report/sarif.go index 732e0463d..c6b1af1fa 100644 --- a/report/sarif.go +++ b/report/sarif.go @@ -55,7 +55,7 @@ func hasEmptyRules(tool Tool) bool { func getRules(cfg config.Config) []Rules { // TODO for _, rule := range cfg.Rules { var rules []Rules - for _, rule := range cfg.OrderedRules() { + for _, rule := range cfg.GetOrderedRules() { shortDescription := ShortDescription{ Text: rule.Description, } From 979f213b93048dfc303c87d761f846080aab0ac6 Mon Sep 17 00:00:00 2001 
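Review bot: `GetOrderedRules` acquires a `Get` prefix only because the field was exported under the method's former name, and Go getters are conventionally written `OrderedRules()`. Nothing in this commit reads the field from outside package config (Translate and extend are both in the package), so keeping `orderedRules` unexported and the method name unchanged would avoid both the rename and the report/sarif.go edit; if an external caller genuinely needs the slice, a comment on the field saying so would justify the export. The bodies of Translate and GetOrderedRules continue outside this hunk.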
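Review bot: `sort.Strings(c.OrderedRules)` at the end of extend reorders the whole slice, base rules included, so OrderedRules stops reflecting declaration order and the comment `// sort to keep extended rules in order` overstates what happens. If the intent is only a deterministic position for the rules appended from the extension, capture `base := len(c.OrderedRules)` before the rule loop in the earlier hunk and sort just the tail here with `sort.Strings(c.OrderedRules[base:])`; if alphabetical order is the intent, the struct comment `// used to keep sarif results consistent` should say the list is sorted rather than ordered. extend's signature is outside this hunk.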
From: "Baruch Odem (Rothkoff)" Date: Fri, 22 Mar 2024 20:29:59 +0200 Subject: [PATCH 04/11] update mailchimp with new tokens (#1376) --- cmd/generate/config/rules/mailchimp.go | 10 ++++++++-- config/gitleaks.toml | 2 +- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/cmd/generate/config/rules/mailchimp.go b/cmd/generate/config/rules/mailchimp.go index fe2f8a8dd..6dca25792 100644 --- a/cmd/generate/config/rules/mailchimp.go +++ b/cmd/generate/config/rules/mailchimp.go @@ -10,7 +10,7 @@ func MailChimp() *config.Rule { r := config.Rule{ RuleID: "mailchimp-api-key", Description: "Identified a Mailchimp API key, potentially compromising email marketing campaigns and subscriber data.", - Regex: generateSemiGenericRegex([]string{"mailchimp"}, `[a-f0-9]{32}-us20`, true), + Regex: generateSemiGenericRegex([]string{"MailchimpSDK.initialize", "mailchimp"}, hex("32")+`-us\d\d`, true), Keywords: []string{ "mailchimp", @@ -20,6 +20,12 @@ func MailChimp() *config.Rule { // validate tps := []string{ generateSampleSecret("mailchimp", secrets.NewSecret(hex("32"))+"-us20"), + `mailchimp_api_key: cefa780880ba5f5696192a34f6292c35-us18`, // gitleaks:allow + `MAILCHIMPE_KEY = "b5b9f8e50c640da28993e8b6a48e3e53-us18"`, // gitleaks:allow } - return validate(r, tps, nil) + fps := []string{ + // False Negative + `MailchimpSDK.initialize(token: 3012a5754bbd716926f99c028f7ea428-us18)`, // gitleaks:allow + } + return validate(r, tps, fps) } diff --git a/config/gitleaks.toml b/config/gitleaks.toml index 78dffa156..d8f468e0a 100644 --- a/config/gitleaks.toml +++ b/config/gitleaks.toml 
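Review bot: The new identifier `MailchimpSDK.initialize` is spliced into the regex unescaped, so its `.` matches any character; the generated gitleaks.toml entry in this same commit shows it verbatim as `(?:MailchimpSDK.initialize|mailchimp)`, confirming generateSemiGenericRegex does not escape identifiers. Write it as `` `MailchimpSDK\.initialize` `` in the identifier list so the pattern matches only the literal call. MailChimp's body continues into the next hunk.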
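Review bot: The fps list pins a known miss as expected behaviour: `MailchimpSDK.initialize(token: ...)` is labelled `// False Negative`, yet placing it in fps makes validate assert that it is not detected, so the test will start failing the moment the regex is improved to catch it. The miss itself is visible in the generated pattern, where the `(` after `initialize` is not in the `[0-9a-z\-_\t .]{0,20}` bridge class. Either drop the sample until the pattern handles that call shape and then add it as a tp, or leave it out with a TODO comment rather than encoding it as a negative.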
@@ -2237,7 +2237,7 @@ keywords = [ [[rules]] id = "mailchimp-api-key" description = "Identified a Mailchimp API key, potentially compromising email marketing campaigns and subscriber data." -regex = '''(?i)(?:mailchimp)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32}-us20)(?:['|\"|\n|\r|\s|\x60|;]|$)''' +regex = '''(?i)(?:MailchimpSDK.initialize|mailchimp)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32}-us\d\d)(?:['|\"|\n|\r|\s|\x60|;]|$)''' keywords = [ "mailchimp", ] From 4b543280a13147d556b70891e55a616355daca5c Mon Sep 17 00:00:00 2001 From: "Baruch Odem (Rothkoff)" Date: Fri, 22 Mar 2024 20:30:42 +0200 Subject: [PATCH 05/11] feat: facebook secret, access token, and page access token rules (#1372) * Add Facebook secret, access token, and page access token rules * comment --- cmd/generate/config/main.go | 4 ++- cmd/generate/config/rules/facebook.go | 48 +++++++++++++++++++++++++-- config/gitleaks.toml | 15 ++++++++- 3 files changed, 62 insertions(+), 5 deletions(-) diff --git a/cmd/generate/config/main.go b/cmd/generate/config/main.go index 63d03521a..b1de86cf5 100644 --- a/cmd/generate/config/main.go +++ b/cmd/generate/config/main.go @@ -67,7 +67,9 @@ func main() { rules.EasyPost(), rules.EasyPostTestAPI(), rules.EtsyAccessToken(), - rules.Facebook(), + rules.FacebookSecret(), + rules.FacebookAccessToken(), + rules.FacebookPageAccessToken(), rules.FastlyAPIToken(), rules.FinicityClientSecret(), rules.FinicityAPIToken(), diff --git a/cmd/generate/config/rules/facebook.go b/cmd/generate/config/rules/facebook.go index 1ddff73be..25bb38b97 100644 --- a/cmd/generate/config/rules/facebook.go +++ b/cmd/generate/config/rules/facebook.go 
@@ -5,11 +5,13 @@ import ( "github.com/zricethezav/gitleaks/v8/config" ) -func Facebook() *config.Rule { +// This rule includes both App Secret and Client Access Token +// https://developers.facebook.com/docs/facebook-login/guides/access-tokens/ +func FacebookSecret() *config.Rule { // define rule r := config.Rule{ - Description: "Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.", - RuleID: "facebook", + Description: "Discovered a Facebook Application secret, posing a risk of unauthorized access to Facebook accounts and personal data exposure.", + RuleID: "facebook-secret", Regex: generateSemiGenericRegex([]string{"facebook"}, hex("32"), true), Keywords: []string{"facebook"}, 
@@ -18,6 +20,46 @@ func Facebook() *config.Rule { // validate tps := []string{ generateSampleSecret("facebook", secrets.NewSecret(hex("32"))), + `facebook_app_secret = "6dca6432e45d933e13650d1882bd5e69"`, // gitleaks:allow + `facebook_client_access_token: 26f5fd13099f2c1331aafb86f6489692`, // gitleaks:allow + } + return validate(r, tps, nil) +} + +// https://developers.facebook.com/docs/facebook-login/guides/access-tokens/#apptokens +func FacebookAccessToken() *config.Rule { + // define rule + r := config.Rule{ + Description: "Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.", + RuleID: "facebook-access-token", + Regex: generateUniqueTokenRegex(`\d{15,16}\|[0-9a-z\-_]{27}`, true), + } + + // validate + tps := []string{ + `{"access_token":"911602140448729|AY-lRJZq9BoDLobvAiP25L7RcMg","token_type":"bearer"}`, // gitleaks:allow + `1308742762612587|rhoK1cbv0DOU_RTX_87O4MkX7AI`, // gitleaks:allow + `1477036645700765|wRPf2v3mt2JfMqCLK8n7oltrEmc`, // gitleaks:allow + } + return validate(r, tps, nil) +} + +// https://developers.facebook.com/docs/facebook-login/guides/access-tokens/#pagetokens +func FacebookPageAccessToken() *config.Rule { + // define rule + r := config.Rule{ + Description: "Discovered a Facebook Page Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure.", + RuleID: "facebook-page-access-token", + Regex: generateUniqueTokenRegex("EAA[MC]"+alphaNumeric("20,"), true), + Keywords: []string{"EAAM", "EAAC"}, + } + + // validate + tps := []string{ + `EAAM9GOnCB9kBO2frzOAWGN2zMnZClQshlWydZCrBNdodesbwimx1mfVJgqZBP5RSpMfUzWhtjTTXHG5I1UlvlwRZCgjm3ZBVGeTYiqAAoxyED6HaUdhpGVNoPUwAuAWWFsi9OvyYBQt22DGLqMIgD7VktuCTTZCWKasz81Q822FPhMTB9VFFyClNzQ0NLZClt9zxpsMMrUZCo1VU1rL3CKavir5QTfBjfCEzHNlWAUDUV2YZD`, // gitleaks:allow + 
`EAAM9GOnCB9kBO2zXpAtRBmCrsPPjdA3KeBl4tqsEpcYd09cpjm9MZCBIklZBjIQBKGIJgFwm8IE17G5pipsfRBRBEHMWxvJsL7iHLUouiprxKRQfAagw8BEEDucceqxTiDhVW2IZAQNNbf0d1JhcapAGntx5S1Csm4j0GgZB3DuUfI2HJ9aViTtdfH2vjBy0wtpXm2iamevohGfoF4NgyRHusDLjqy91uYMkfrkc`, // gitleaks:allow + `- name: FACEBOOK_TOKEN + value: "EAACEdEose0cBA1bad3afsf2aew"`, // gitleaks:allow } return validate(r, tps, nil) } diff --git a/config/gitleaks.toml b/config/gitleaks.toml index d8f468e0a..c4dd81f17 100644 --- a/config/gitleaks.toml +++ b/config/gitleaks.toml @@ -370,8 +370,21 @@ keywords = [ ] [[rules]] -id = "facebook" +id = "facebook-access-token" description = "Discovered a Facebook Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure." +regex = '''(?i)\b(\d{15,16}\|[0-9a-z\-_]{27})(?:['|\"|\n|\r|\s|\x60|;]|$)''' + +[[rules]] +id = "facebook-page-access-token" +description = "Discovered a Facebook Page Access Token, posing a risk of unauthorized access to Facebook accounts and personal data exposure." +regex = '''(?i)\b(EAA[MC][a-z0-9]{20,})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "eaam","eaac", +] + +[[rules]] +id = "facebook-secret" +description = "Discovered a Facebook Application secret, posing a risk of unauthorized access to Facebook accounts and personal data exposure." regex = '''(?i)(?:facebook)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' keywords = [ "facebook", From db69e8266ea340c14af1166791b5b9e2c7f27a2c Mon Sep 17 00:00:00 2001 From: "Baruch Odem (Rothkoff)" Date: Fri, 22 Mar 2024 20:31:09 +0200 Subject: [PATCH 06/11] add update token from square (#1370) --- cmd/generate/config/rules/square.go | 7 +++++-- config/gitleaks.toml | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/cmd/generate/config/rules/square.go b/cmd/generate/config/rules/square.go index 84cc8dda4..bf5796d82 100644 
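Review bot: `FacebookAccessToken` sets no Keywords, and the generated `facebook-access-token` TOML entry in this commit has none either, unlike the sibling FacebookSecret and FacebookPageAccessToken rules. If keywords serve as a prefilter (which the `keywords = [...]` blocks on every other rule suggest), a keyword-less rule is evaluated against every fragment, and the `\d{15,16}\|[0-9a-z\-_]{27}` pattern has no literal prefix to anchor on; confirm that against the detector. If the omission is deliberate, a comment such as `// no fixed literal in this token format, so no keyword prefilter` on the rule would make that explicit to the next reader.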
--- a/cmd/generate/config/rules/square.go +++ b/cmd/generate/config/rules/square.go @@ -10,13 +10,15 @@ func SquareAccessToken() *config.Rule { r := config.Rule{ RuleID: "square-access-token", Description: "Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure.", - Regex: generateUniqueTokenRegex(`sq0atp-[0-9A-Za-z\-_]{22}`, true), - Keywords: []string{"sq0atp-"}, + Regex: generateUniqueTokenRegex(`(EAAA|sq0atp-)[0-9A-Za-z\-_]{22,60}`, true), + Keywords: []string{"sq0atp-", "EAAA"}, } // validate tps := []string{ generateSampleSecret("square", secrets.NewSecret(`sq0atp-[0-9A-Za-z\-_]{22}`)), + "ARG token=sq0atp-812erere3wewew45678901", // gitleaks:allow + "ARG token=EAAAlsBxkkVgvmr7FasTFbM6VUGZ31EJ4jZKTJZySgElBDJ_wyafHuBFquFexY7E", // gitleaks:allow", } return validate(r, tps, nil) } @@ -33,6 +35,7 @@ func SquareSecret() *config.Rule { // validate tps := []string{ generateSampleSecret("square", secrets.NewSecret(`sq0csp-[0-9A-Za-z\\-_]{43}`)), + `value: "sq0csp-0p9h7g6f4s3s3s3-4a3ardgwa6ADRDJDDKUFYDYDYDY"`, // gitleaks:allow } return validate(r, tps, nil) } diff --git a/config/gitleaks.toml b/config/gitleaks.toml index c4dd81f17..269f18297 100644 --- a/config/gitleaks.toml +++ b/config/gitleaks.toml @@ -2685,9 +2685,9 @@ keywords = [ [[rules]] id = "square-access-token" description = "Detected a Square Access Token, risking unauthorized payment processing and financial transaction exposure." -regex = '''(?i)\b(sq0atp-[0-9A-Za-z\-_]{22})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +regex = '''(?i)\b((EAAA|sq0atp-)[0-9A-Za-z\-_]{22,60})(?:['|\"|\n|\r|\s|\x60|;]|$)''' keywords = [ - "sq0atp-", + "sq0atp-","eaaa", ] [[rules]] From 57ac4b3dc7f926b4c40882e476a951506675c95a Mon Sep 17 00:00:00 2001 
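Review bot: The inner group in `(EAAA|sq0atp-)[0-9A-Za-z\-_]{22,60}` is capturing, so the generated regex becomes `\b((EAAA|sq0atp-)...)` with a nested group nothing here uses; `(?:EAAA|sq0atp-)` keeps group 1 as the only capture. The second tp comment has a stray tail, `// gitleaks:allow",`, that should read `// gitleaks:allow`. Note also that `EAAA` combined with the case-insensitive flag and a 22–60 character tail is a far looser prefix than `sq0atp-`, so a boundary sample (a 21-character tail as an fp) would document the intended cut-off. SquareAccessToken's signature is outside this hunk.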
From: Katrin Leinweber <9948149+katrinleinweber@users.noreply.github.com> Date: Mon, 15 Apr 2024 16:13:43 +0200 Subject: [PATCH 07/11] Update "contributing guidelines" link (#1390) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5e92898c0..d2661ae3c 100644 --- a/README.md +++ b/README.md @@ -382,7 +382,7 @@ stopwords = [ ] ``` -Refer to the default [gitleaks config](https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) for examples or follow the [contributing guidelines](https://github.com/zricethezav/gitleaks/blob/master/README.md) if you would like to contribute to the default configuration. Additionally, you can check out [this gitleaks blog post](https://blog.gitleaks.io/stop-leaking-secrets-configuration-2-3-aeed293b1fbf) which covers advanced configuration setups. +Refer to the default [gitleaks config](https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml) for examples or follow the [contributing guidelines](https://github.com/gitleaks/gitleaks/blob/master/CONTRIBUTING.md) if you would like to contribute to the default configuration. Additionally, you can check out [this gitleaks blog post](https://blog.gitleaks.io/stop-leaking-secrets-configuration-2-3-aeed293b1fbf) which covers advanced configuration setups. ### Additional Configuration From 821b2323940b1792d9001d0812a2a4f7480a69c0 Mon Sep 17 00:00:00 2001 From: "Baruch Odem (Rothkoff)" Date: Mon, 29 Apr 2024 21:44:19 +0300 Subject: [PATCH 08/11] Add Cloudflare API and Origin CA keys (#1374) * add real heroku example * Add Cloudflare API and Origin CA keys --------- Co-authored-by: Baruch Odem --- cmd/generate/config/main.go | 3 + cmd/generate/config/rules/cloudflare.go | 76 +++++++++++++++++++++++++ cmd/generate/config/rules/heroku.go | 1 + config/gitleaks.toml | 24 ++++++++ 4 files changed, 104 insertions(+) create mode 100644 cmd/generate/config/rules/cloudflare.go 
diff --git a/cmd/generate/config/main.go b/cmd/generate/config/main.go index b1de86cf5..086eceb34 100644 --- a/cmd/generate/config/main.go +++ b/cmd/generate/config/main.go @@ -45,6 +45,9 @@ func main() { rules.CodecovAccessToken(), rules.CoinbaseAccessToken(), rules.Clojars(), + rules.CloudflareAPIKey(), + rules.CloudflareGlobalAPIKey(), + rules.CloudflareOriginCAKey(), rules.ConfluentAccessToken(), rules.ConfluentSecretKey(), rules.Contentful(), diff --git a/cmd/generate/config/rules/cloudflare.go b/cmd/generate/config/rules/cloudflare.go new file mode 100644 index 000000000..e2e0d6e5d --- /dev/null +++ b/cmd/generate/config/rules/cloudflare.go 
@@ -0,0 +1,76 @@
+package rules
+
+import (
+ "github.com/zricethezav/gitleaks/v8/config"
+)
+
+var global_keys = []string{
+ `cloudflare_global_api_key = "d3d1443e0adc9c24564c6c5676d679d47e2ca"`, // gitleaks:allow
+ `CLOUDFLARE_GLOBAL_API_KEY: 674538c7ecac77d064958a04a83d9e9db068c`, // gitleaks:allow
+ `cloudflare: "0574b9f43978174cc2cb9a1068681225433c4"`, // gitleaks:allow
+}
+
+var api_keys = []string{
+ `cloudflare_api_key = "Bu0rrK-lerk6y0Suqo1qSqlDDajOk61wZchCkje4"`, // gitleaks:allow
+ `CLOUDFLARE_API_KEY: 5oK0U90ME14yU6CVxV90crvfqVlNH2wRKBwcLWDc`, // gitleaks:allow
+ `cloudflare: "oj9Yoyq0zmOyWmPPob1aoY5YSNNuJ0fbZSOURBlX"`, // gitleaks:allow
+}
+
+var origin_ca_keys = []string{
+ `CLOUDFLARE_ORIGIN_CA: v1.0-aaa334dc886f30631ba0a610-0d98ef66290d7e50aac7c27b5986c99e6f3f1084c881d8ac0eae5de1d1aa0644076ff57022069b3237d19afe60ad045f207ef2b16387ee37b749441b2ae2e9ebe5b4606e846475d4a5`,
+ `CLOUDFLARE_ORIGIN_CA: v1.0-15d20c7fccb4234ac5cdd756-d5c2630d1b606535cf9320ae7456b090e0896cec64169a92fae4e931ab0f72f111b2e4ffed5b2bb40f6fba6b2214df23b188a23693d59ce3fb0d28f7e89a2206d98271b002dac695ed`,
+}
+
+var identifiers = []string{"cloudflare"}
+
+func CloudflareGlobalAPIKey() *config.Rule {
+ // define rule
+ r := config.Rule{
+ Description: "Detected a Cloudflare Global API Key, potentially compromising cloud application deployments and operational security.",
+ RuleID: "cloudflare-global-api-key",
+ Regex: generateSemiGenericRegex(identifiers, hex("37"), true),
+
+ Keywords: identifiers,
+ }
+
+ // validate
+ tps := global_keys
+ fps := append(api_keys, origin_ca_keys...)
+ + return validate(r, tps, fps) +} + +func CloudflareAPIKey() *config.Rule { + // define rule + r := config.Rule{ + Description: "Detected a Cloudflare API Key, potentially compromising cloud application deployments and operational security.", + RuleID: "cloudflare-api-key", + Regex: generateSemiGenericRegex(identifiers, alphaNumericExtendedShort("40"), true), + + Keywords: identifiers, + } + + // validate + tps := api_keys + fps := append(global_keys, origin_ca_keys...) + + return validate(r, tps, fps) +} + +func CloudflareOriginCAKey() *config.Rule { + ca_identifiers := append(identifiers, "v1.0-") + // define rule + r := config.Rule{ + Description: "Detected a Cloudflare Origin CA Key, potentially compromising cloud application deployments and operational security.", + RuleID: "cloudflare-origin-ca-key", + Regex: generateUniqueTokenRegex(`v1\.0-`+hex("24")+"-"+hex("146"), false), + + Keywords: ca_identifiers, + } + + // validate + tps := origin_ca_keys + fps := append(global_keys, api_keys...) + + return validate(r, tps, fps) +} diff --git a/cmd/generate/config/rules/heroku.go b/cmd/generate/config/rules/heroku.go index 5af883e07..9406c1186 100644 --- a/cmd/generate/config/rules/heroku.go +++ b/cmd/generate/config/rules/heroku.go @@ -17,6 +17,7 @@ func Heroku() *config.Rule { // validate tps := []string{ `const HEROKU_KEY = "12345678-ABCD-ABCD-ABCD-1234567890AB"`, // gitleaks:allow + `heroku_api_key = "832d2129-a846-4e27-99f4-7004b6ad53ef"`, // gitleaks:allow } return validate(r, tps, nil) } diff --git a/config/gitleaks.toml b/config/gitleaks.toml index 269f18297..02e0cd090 100644 --- a/config/gitleaks.toml +++ b/config/gitleaks.toml 
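Review bot: `identifiers`, `global_keys`, `api_keys` and `origin_ca_keys` are package-level variables in package rules, so every other rule file shares that namespace; `identifiers` in particular is a name a sibling file is likely to want and would then fail to compile, and the snake_case names do not follow Go's MixedCaps convention. Prefix them (`cloudflareIdentifiers`, `cloudflareGlobalKeys`, and so on) or move them inside the three functions. `fps := append(api_keys, origin_ca_keys...)` and `ca_identifiers := append(identifiers, "v1.0-")` append to shared slices, which is safe only while capacity equals length (true for these literals); a copy-first form such as `append([]string(nil), api_keys...)` makes that intent explicit and survives later edits. The origin_ca_keys samples also lack the `// gitleaks:allow` marker every other sample in this file carries.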
@@ -177,6 +177,30 @@ keywords = [ "clojars", ] +[[rules]] +id = "cloudflare-api-key" +description = "Detected a Cloudflare API Key, potentially compromising cloud application deployments and operational security." +regex = '''(?i)(?:cloudflare)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9_-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "cloudflare", +] + +[[rules]] +id = "cloudflare-global-api-key" +description = "Detected a Cloudflare Global API Key, potentially compromising cloud application deployments and operational security." +regex = '''(?i)(?:cloudflare)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-f0-9]{37})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "cloudflare", +] + +[[rules]] +id = "cloudflare-origin-ca-key" +description = "Detected a Cloudflare Origin CA Key, potentially compromising cloud application deployments and operational security." +regex = '''\b(v1\.0-[a-f0-9]{24}-[a-f0-9]{146})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +keywords = [ + "cloudflare","v1.0-", +] + [[rules]] id = "codecov-access-token" description = "Found a pattern resembling a Codecov Access Token, posing a risk of unauthorized access to code coverage reports and sensitive data." From 247f423a395e36761d4b571f810f48b585fb63c0 Mon Sep 17 00:00:00 2001 From: "Baruch Odem (Rothkoff)" Date: Mon, 29 Apr 2024 21:45:32 +0300 Subject: [PATCH 09/11] add real (test) standard and restricted keys (#1375) Co-authored-by: Baruch Odem --- cmd/generate/config/rules/stripe.go | 12 ++++++++++-- config/gitleaks.toml | 4 ++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/cmd/generate/config/rules/stripe.go b/cmd/generate/config/rules/stripe.go index b1a2713ff..96606f373 100644 --- a/cmd/generate/config/rules/stripe.go +++ b/cmd/generate/config/rules/stripe.go 
@@ -10,15 +10,23 @@ func StripeAccessToken() *config.Rule { r := config.Rule{ Description: "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.", RuleID: "stripe-access-token", - Regex: generateUniqueTokenRegex(`(sk)_(test|live)_[0-9a-z]{10,32}`, true), + Regex: generateUniqueTokenRegex(`(sk|rk)_(test|live|prod)_[0-9a-z]{10,99}`, true), Keywords: []string{ "sk_test", "sk_live", + "sk_prod", + "rk_test", + "rk_live", + "rk_prod", }, } // validate - tps := []string{"stripeToken := \"sk_test_" + secrets.NewSecret(alphaNumeric("30")) + "\""} + tps := []string{ + "stripeToken := \"sk_test_" + secrets.NewSecret(alphaNumeric("30")) + "\"", + "sk_test_51OuEMLAlTWGaDypq4P5cuDHbuKeG4tAGPYHJpEXQ7zE8mKK3jkhTFPvCxnSSK5zB5EQZrJsYdsatNmAHGgb0vSKD00GTMSWRHs", // gitleaks:allow + "rk_prod_51OuEMLAlTWGaDypquDn9aZigaJOsa9NR1w1BxZXs9JlYsVVkv5XDu6aLmAxwt5Tgun5WcSwQMKzQyqV16c9iD4sx00BRijuoon", // gitleaks:allow + } fps := []string{"nonMatchingToken := \"task_test_" + secrets.NewSecret(alphaNumeric("30")) + "\""} return validate(r, tps, fps) } diff --git a/config/gitleaks.toml b/config/gitleaks.toml index 02e0cd090..d5246a7b1 100644 --- a/config/gitleaks.toml +++ b/config/gitleaks.toml @@ -2725,9 +2725,9 @@ keywords = [ [[rules]] id = "stripe-access-token" description = "Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data." -regex = '''(?i)\b((sk)_(test|live)_[0-9a-z]{10,32})(?:['|\"|\n|\r|\s|\x60|;]|$)''' +regex = '''(?i)\b((sk|rk)_(test|live|prod)_[0-9a-z]{10,99})(?:['|\"|\n|\r|\s|\x60|;]|$)''' keywords = [ - "sk_test","sk_live", + "sk_test","sk_live","sk_prod","rk_test","rk_live","rk_prod", ] [[rules]] From 79cac73f7267f4a48f4bc73db11e105a6098a836 Mon Sep 17 00:00:00 2001 
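Review bot: The regex and keyword list gain a `prod` environment (`(sk|rk)_(test|live|prod)_`), but the only sample exercising it, `rk_prod_51Ou...`, is constructed here and the commit cites no source for a `_prod_` key format; if Stripe issues only `_test_` and `_live_` secret and restricted keys, `prod` widens the rule and adds two keywords that can never fire. A one-line comment naming where the `prod` form comes from, or dropping it, would settle that. Separately, `(sk|rk)` and `(test|live|prod)` are capturing groups inside generateUniqueTokenRegex's outer capture, so the generated TOML regex carries two extra groups nothing here uses; `(?:sk|rk)_(?:test|live|prod)_` keeps group 1 as the only capture. StripeAccessToken's signature is outside this hunk.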
From: "Baruch Odem (Rothkoff)" Date: Mon, 29 Apr 2024 21:46:16 +0300 Subject: [PATCH 10/11] tests: scalingo validation consistent test (#1359) * Refactor Scalingo API token regex and add sample token * improve docs for allowlist I didn't know it when I made #1358 --------- Co-authored-by: Baruch Odem --- cmd/generate/config/rules/scalingo.go | 5 ++--- config/allowlist.go | 8 +++++++- config/gitleaks.toml | 2 +- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/cmd/generate/config/rules/scalingo.go b/cmd/generate/config/rules/scalingo.go index 945e061a1..bcc5f79f6 100644 --- a/cmd/generate/config/rules/scalingo.go +++ b/cmd/generate/config/rules/scalingo.go @@ -1,8 +1,6 @@ package rules import ( - "regexp" - "github.com/zricethezav/gitleaks/v8/cmd/generate/secrets" "github.com/zricethezav/gitleaks/v8/config" ) @@ -12,13 +10,14 @@ func ScalingoAPIToken() *config.Rule { r := config.Rule{ Description: "Found a Scalingo API token, posing a risk to cloud platform services and application deployment security.", RuleID: "scalingo-api-token", - Regex: regexp.MustCompile(`\btk-us-[a-zA-Z0-9-_]{48}\b`), + Regex: generateUniqueTokenRegex(`tk-us-[a-zA-Z0-9-_]{48}`, false), Keywords: []string{"tk-us-"}, } // validate tps := []string{ generateSampleSecret("scalingo", "tk-us-"+secrets.NewSecret(alphaNumericExtendedShort("48"))), + `scalingo_api_token = "tk-us-loys7ib9yrxcys_ta2sq85mjar6lgcsspkd9x61s7h5epf_-"`, // gitleaks:allow } return validate(r, tps, nil) } diff --git a/config/allowlist.go b/config/allowlist.go index 6716be56f..e72db8377 100644 --- a/config/allowlist.go +++ b/config/allowlist.go 
@@ -14,7 +14,13 @@ type Allowlist struct { // Regexes is slice of content regular expressions that are allowed to be ignored. Regexes []*regexp.Regexp - // RegexTarget + // Can be `match` or `line`. + // + // If `match` the _Regexes_ will be tested against the match of the _Rule.Regex_. + // + // If `line` the _Regexes_ will be tested against the entire line. + // + // If RegexTarget is empty, it will be tested against the found secret. RegexTarget string // Paths is a slice of path regular expressions that are allowed to be ignored. diff --git a/config/gitleaks.toml b/config/gitleaks.toml index d5246a7b1..3b4d04d29 100644 --- a/config/gitleaks.toml +++ b/config/gitleaks.toml @@ -2524,7 +2524,7 @@ keywords = [ [[rules]] id = "scalingo-api-token" description = "Found a Scalingo API token, posing a risk to cloud platform services and application deployment security." -regex = '''\btk-us-[a-zA-Z0-9-_]{48}\b''' +regex = '''\b(tk-us-[a-zA-Z0-9-_]{48})(?:['|\"|\n|\r|\s|\x60|;]|$)''' keywords = [ "tk-us-", ] From 6587196c739b6b311a2b4bf20c2ff1509d328195 Mon Sep 17 00:00:00 2001 From: "aikido[bot]" Date: Fri, 21 Jun 2024 08:50:19 +0000 Subject: [PATCH 11/11] fix(security): update gopkg.in/yaml.v3 from 3.0.0-20210107192922-49654 to 3.0.0-20220521103104-8f96da9f5d5e --- go.mod | 2 +- go.sum | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/go.mod b/go.mod index 9f05076b8..5da45cf82 100644 --- a/go.mod +++ b/go.mod @@ -44,5 +44,5 @@ require ( golang.org/x/text v0.3.8 // indirect gopkg.in/ini.v1 v1.62.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect - gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect + gopkg.in/yaml.v3 v3.0.0-20220521103104-8f96da9f5d5e // indirect ) diff --git a/go.sum b/go.sum index 34696f161..ef60efc24 100644 --- a/go.sum +++ b/go.sum 
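Review bot: The new comment on `RegexTarget` does not begin with the field name, so godoc and linters will not treat it as the field's doc comment; a first line such as `// RegexTarget selects what the Regexes are tested against: "match", "line", or (when empty) the found secret.` followed by the existing three cases fixes that. The cases also leave the reader guessing whether "the match of the Rule.Regex" and "the found secret" are different things; if the secret is the captured group while the match is the full Rule.Regex match, stating that distinction in one sentence would remove the ambiguity. The Allowlist struct continues outside this hunk.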
@@ -624,8 +624,9 @@ gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0-20220521103104-8f96da9f5d5e h1:3i3ny04XV6HbZ2N1oIBw1UBYATHAOpo4tfTF83JM3Z0= +gopkg.in/yaml.v3 v3.0.0-20220521103104-8f96da9f5d5e/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=