From 8ff574e3f732e5b94651431591bf18d6d497cf02 Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Sun, 26 Nov 2023 11:12:06 +0600
Subject: [PATCH] fix(secret): add `sec` and space to secret prefix for `aws-secret-access-key` (#5647)

---
 pkg/fanal/secret/builtin-rules.go | 4 +--
 pkg/fanal/secret/scanner_test.go | 33 ++++++++++++++++++++++-
 pkg/fanal/secret/testdata/aws-secrets.txt | 3 ++-
 3 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
index fa9b622eb492..b868967b6696 100644
--- a/pkg/fanal/secret/builtin-rules.go
+++ b/pkg/fanal/secret/builtin-rules.go
@@ -73,7 +73,7 @@ var (
 // Reusable regex patterns
 const (
 	quote = `["']?`
-	connect = `\s*(:|=>|=)\s*`
+	connect = `\s*(:|=>|=)?\s*`
 	startSecret = `(^|\s+)`
 	endSecret = `(\s+|$)`
 
@@ -105,7 +105,7 @@ var builtinRules = []Rule{
 		Category: CategoryAWS,
 		Severity: "CRITICAL",
 		Title: "AWS Secret Access Key",
-		Regex: MustCompile(fmt.Sprintf(`(?i)%s%s%s(secret)?_?(access)?_?key%s%s%s(?P[A-Za-z0-9\/\+=]{40})%s%s`, startSecret, quote, aws, quote, connect, quote, quote, endSecret)),
+		Regex: MustCompile(fmt.Sprintf(`(?i)%s%s%s(sec(ret)?)?_?(access)?_?key%s%s%s(?P[A-Za-z0-9\/\+=]{40})%s%s`, startSecret, quote, aws, quote, connect, quote, quote, endSecret)),
 		SecretGroupName: "secret",
 		Keywords: []string{"key"},
 	},
diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
index 4cde82f2aee1..659b1f91a179 100644
--- a/pkg/fanal/secret/scanner_test.go
+++ b/pkg/fanal/secret/scanner_test.go
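Review bot: Making the separator group optional in `connect` loosens every rule that builds on this shared constant, not only `aws-secret-access-key`; the comment above the block marks these patterns as reusable, and only the AWS rule's use of it is visible in this patch, so the blast radius on other rules is inferred rather than shown. Because `quote` is already optional on both sides, `connect` can now match the empty string, which means a key name immediately followed by forty base64-like characters satisfies the rule with no separator at all, a likely source of new false positives. A narrower fix keeps `connect` as it was and adds a rule-specific constant, `connectOrSpace`, holding the raw-string pattern `\s*(:|=>|=|\s)\s*`, which accepts a connector or plain whitespace but never nothing, and uses it only in the AWS Secret Access Key regex in the next hunk. The `const` block continues outside the hunk.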
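Review bot: The rewritten `Regex` line gives no hint which key-name spellings the new `(sec(ret)?)?_?(access)?_?key` prefix accepts, and the line is long enough that a reader has to decode the nested optional groups by hand. A comment above the field, `// accepts aws_secret_access_key, aws_secret_key, aws_sec_key, aws_access_key and aws_key (case-insensitive), with optional quotes and connector before the 40-char value`, would make the intent explicit, assuming the `aws` constant defined elsewhere in this file matches the literal prefix. The test fixture added at the end of this patch exercises only the `aws_sec_key` spelling. The enclosing `builtinRules` slice literal starts and ends outside the hunk.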
@@ -401,6 +401,37 @@ func TestSecretScanner(t *testing.T) {
 			},
 		},
 	}
+	wantFinding10 := types.SecretFinding{
+		RuleID: "aws-secret-access-key",
+		Category: secret.CategoryAWS,
+		Title: "AWS Secret Access Key",
+		Severity: "CRITICAL",
+		StartLine: 5,
+		EndLine: 5,
+		Match: `aws_sec_key "****************************************"`,
+		Code: types.Code{
+			Lines: []types.Line{
+				{
+					Number: 3,
+					Content: "\"aws_account_ID\":'1234-5678-9123'",
+					Highlighted: "\"aws_account_ID\":'1234-5678-9123'",
+				},
+				{
+					Number: 4,
+					Content: "AWS_example=AKIAIOSFODNN7EXAMPLE",
+					Highlighted: "AWS_example=AKIAIOSFODNN7EXAMPLE",
+				},
+				{
+					Number: 5,
+					Content: "aws_sec_key \"****************************************\"",
+					Highlighted: "aws_sec_key \"****************************************\"",
+					IsCause: true,
+					FirstCause: true,
+					LastCause: true,
+				},
+			},
+		},
+	}
 	wantFindingAsymmetricPrivateKeyJson := types.SecretFinding{
 		RuleID: "private-key",
 		Category: secret.CategoryAsymmetricPrivateKey,
@@ -548,7 +579,7 @@ func TestSecretScanner(t *testing.T) {
 			inputFilePath: filepath.Join("testdata", "aws-secrets.txt"),
 			want: types.Secret{
 				FilePath: filepath.Join("testdata", "aws-secrets.txt"),
-				Findings: []types.SecretFinding{wantFinding5, wantFinding9},
+				Findings: []types.SecretFinding{wantFinding5, wantFinding9, wantFinding10},
 			},
 		},
 		{
diff --git a/pkg/fanal/secret/testdata/aws-secrets.txt b/pkg/fanal/secret/testdata/aws-secrets.txt
index c0f387ecb8ce..7739ce9bfb79 100644
--- a/pkg/fanal/secret/testdata/aws-secrets.txt
+++ b/pkg/fanal/secret/testdata/aws-secrets.txt
@@ -1,4 +1,5 @@
 'AWS_secret_KEY'="12ASD34qwe56CXZ78tyH10Tna543VBokN85RHCas"
 AWS_ACCESS_KEY_ID=AKIA0123456789ABCDEF
 "aws_account_ID":'1234-5678-9123'
-AWS_example=AKIAIOSFODNN7EXAMPLE
\ No newline at end of file
+AWS_example=AKIAIOSFODNN7EXAMPLE
+aws_sec_key "KEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYK"
\ No newline at end of file
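Review bot: `wantFinding10` pins only the positive case for the new space-separated `aws_sec_key` form; nothing in this test asserts that making the connector optional in `connect` does not introduce new false positives, such as a key name run straight into a 40-character token with no separator, which may now match under the loosened pattern. Adding one such negative line to `testdata/aws-secrets.txt` while keeping the expected list in the later hunk at `Findings: []types.SecretFinding{wantFinding5, wantFinding9, wantFinding10}` would lock in the boundary; the fixture hunk at the end of this patch has no negative case. The `Match` and `Content` strings show the value masked with asterisks, so the fixture's placeholder key is never reproduced in the expectation, which is the right choice for a test file. `TestSecretScanner` starts and ends outside the hunk.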