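---
# Custom secret-scanning patterns for secrets that live in configuration
# files (database credentials, framework secret keys, .NET config values)
# plus one workflow-hygiene check for GitHub Actions that are not pinned
# to a commit SHA.
#
# Every pattern is a three-part regex: `start` (text before the secret),
# `pattern` (the secret itself) and `end` (text after it). The block scalars
# keep the original `|` style, so each regex value carries one trailing
# newline that the consuming tool is assumed to strip — TODO confirm before
# switching to `|-`.
# `additional_not_match` entries are applied to the matched secret text; a
# hit on any of them suppresses the alert.
# `expected` entries are byte offsets of known hits in fixture files that are
# not part of this file; they are consumed by the repository's test harness.
# `version: 0.1` is parsed as a float by any YAML loader — quote it if the
# consumer expects a string (TODO confirm).
name: Configuration Secrets
patterns:
  - name: Hardcoded Database Passwords
    type: hardcoded_database_passwords
    comments:
      - "Only support for Postgres and MySQL password strings"
      - "Checks if the password is null / length of 0"
      - "Supports quoted passwords"
      - "Not case sensative"
    regex:
      version: 0.1
      # Quote characters are excluded from the secret (as in the Spring
      # pattern below) so a greedy `+` cannot run past the closing quote and
      # swallow e.g. `" # trailing comment` on the same line.
      # An empty quoted value (`""`) is not reported: `+` needs ≥1 character.
      pattern: |
        [^\r\n'"\p{Cc}]+
      # `(?i)` is placed first: `[^0-9A-Za-z]` and `\A` are case-neutral, so the
      # meaning is unchanged, but a global inline flag in the middle of an
      # expression is rejected by newer Python `re` (3.11+).
      # The value must be quoted; a bare `POSTGRES_PASSWORD=secret` is not
      # matched.
      start: |
        (?i)(?:[^0-9A-Za-z]|\A)(?:postgres|mysql|mysql_root)_password[\t ]*[=:][\t ]*['"]
      end: |
        \z|[\r\n'"]
  - name: Hardcoded Spring SQL passwords
    description: |
      Hardcoded JDBC / Spring datasource passwords which typically are in property files or passed in at runtime
    type: hardcoded_spring_sql_passwords
    regex:
      version: 0.1
      pattern: |
        [^\r\n'"\p{Cc}]+
      # Only the `=` separator is recognised; Java `.properties` files also
      # accept `key: value` / `key value`, and nested keys such as
      # `spring.datasource.hikari.password` are not covered. Left unchanged so
      # the `expected` offsets below remain valid — TODO extend with fixtures.
      start: |
        (?:spring\.datasource|jdbc)\.password[ \t]*=[ \t]*['"]?
      end: |
        \z|['"\r\n]
    expected:
      - name: application.properties
        start_offset: 314
        end_offset: 318
      - name: application.properties
        start_offset: 358
        end_offset: 375
      - name: application.properties
        start_offset: 422
        end_offset: 442
      - name: application.properties
        start_offset: 836
        end_offset: 843
      - name: application.properties
        start_offset: 1078
        end_offset: 1085
      - name: application.properties
        start_offset: 1346
        end_offset: 1353
      - name: application.properties
        start_offset: 1633
        end_offset: 1640
  - name: Django Secret Key
    type: django_secret_key
    regex:
      version: 0.1
      pattern: |
        [^\r\n"']+
      # `\b` needs a word boundary before SECRET_KEY, so `MY_SECRET_KEY` is not
      # matched (`_` is a word character) while `settings.SECRET_KEY` is.
      # Requiring an opening quote after `=` keeps
      # `SECRET_KEY = os.environ["SECRET_KEY"]` from being reported.
      # NOTE(review): `\b` does match at offset 0 in Python/PCRE, so the
      # start-of-file caveat in `comments` may be specific to the scanning
      # engine — confirm.
      start: |
        \bSECRET_KEY[ \t]*=[ \t]*["']
      end: |
        ['"]
    comments:
      - "_If the secret is at the start of the file, its not picked up_"
    expected:
      - name: global_settings.py
        start_offset: 59
        end_offset: 109
  # Experimental
  - name: YAML Static Password Fields
    type: yaml_static_password_fields
    description: |
      Pattern to find Static passwords in YAML configuration files
    experimental: true
    regex:
      version: 0.1
      pattern: |
        [^\r\n'"]+
      # The key must be the first token on its line: `(?:\n|\A)[ \t]*` does not
      # allow a leading `- `, so the same key inside a YAML list item is missed.
      # The `service_pass…` group is non-capturing like its siblings; captures
      # are never used, so this is consistency only.
      start: |
        (?:\n|\A)[ \t]*(?:secret|service_pass(?:wd|word|code|phrase)|pass(?:wd|word|code|phrase)?|key)[ \t]*:[ \t]*['"]?
      end: |
        ['"\r\n]|\z
    # Applied to the matched secret text; a hit on any entry suppresses the
    # alert. The entries are single-quoted so YAML never interprets a
    # backslash, `#` or `{` inside the regex (values are unchanged).
    additional_not_match:
      # literal placeholders, `${VAR}` references and bare type names
      - '^(?:keyPassphrase|password|key|[ \t]+|\$\{[A-Za-z0-9_-]+\}|(?:str|string|int|bool)( +#.*)?),?$'
      # code identifiers that commonly follow `key:` / `secret:` in source
      - '^(?:.* = )?(?:None|[Tt]rue|[Ff]alse|[Nn]ull|Default(?:Type)?|Event|[A-Z]+_KEY|VERSION|NAME|update|destroy|(?:dis|en)ableEventListeners|\.\.\.),?$'
      # attribute access such as `self.password` / `this.key,`
      - '^(?:(?:this|self|obj)\.)(?:[A-Za-z_]+\,|[A-Za-z_].*)$'
      # call chains such as `get_secret()` / `cfg.load().key()`
      - '^(?:[a-zA-Z_]+(?:\(\))?\.)*[a-zA-Z_]+\(\)$'
      # Python type annotations, e.g. `key: Optional[str]`
      - '^\s*(?:typing\.)?(?:[Tt]uple|[Ll]ist|[Dd]ict|Callable|Iterable|Sequence|Optional|Union)\[.*$'
    comments:
      # NOTE(review): the length statement below is not enforced — the secret
      # regex is an unbounded `+`.
      - "The hardcoded password is between 12 and 32 chars long"
      - "Some false positives in Code might appear"
      - "The pattern only checks for certain key words to begin the pattern (`secret`, `password`, etc.)"
    expected:
      - name: example.yml
        start_offset: 57
        end_offset: 80
      # NOTE(review): duplicate of the entry above; confirm the test harness
      # tolerates repeated expectations, otherwise drop one of the two.
      - name: example.yml
        start_offset: 57
        end_offset: 80
  - name: GitHub Actions SHA Checker
    type: github_actions_sha_checker
    comments:
      - "Checks for all github action susing a version that isn't a pinned SHA-1 commit hash"
      - "Checks for uses: org name / repo name @ string under 40 characters"
      - "Not case sensative"
      - "exclude all actions in actions, github and advanced-security repo"
    regex:
      version: 0.1
      # Heuristic: a full SHA-1 pin is exactly 40 hex characters, so any ref of
      # 1–39 characters is reported as unpinned. A 40-char SHA never matches
      # because `end` demands a quote, whitespace or end-of-input directly
      # after the ≤39-char ref. Without lookaround a 40-char non-hex ref cannot
      # be told apart from a SHA and is (rarely) missed.
      # `(?i)` makes the check case-insensitive, as `comments` already claims;
      # the previous lowercase-only classes let e.g. `Azure/login@v1` through.
      # Repo names may contain `.`, sub-directory actions
      # (`org/repo/path@ref`) are accepted, and refs may contain `/`
      # (`refs/heads/main`, `release/1.2`) — all were previously unmatched.
      pattern: |
        (?i)[a-z0-9_-]{1,39}\/[a-z0-9._-]{1,100}(?:\/[a-z0-9._-]+)*@[a-z0-9._/-]{1,39}
      # Optional opening quote: `uses: "org/repo@v1"` is valid workflow YAML.
      start: |
        \buses:[ \t]{1,5}['"]?
      end: |
        ['"\s]|\z
    # Applied to the matched `org/repo@ref`; first-party orgs are trusted and
    # skipped. `(?i)` keeps this in step with the case-insensitive pattern.
    additional_not_match:
      - '(?i)^(?:actions|github|advanced-security)/'
  - name: .NET Configuration file
    type: dotnet_configuration
    regex:
      version: 0.1
      # Only NUL and backspace are excluded from the value; well-formed XML
      # cannot carry other raw control characters in an attribute anyway.
      pattern: |
        [^"\x00\x08]+
      # `<add` and `key=` stay case-sensitive (XML names are); only the
      # key-name alternation after `(?i)` is case-insensitive. The key need
      # only END with one of the words (`[^"]*` precedes it), so `monkey` is a
      # false positive. NOTE(review): a mid-expression global flag is rejected
      # by Python 3.11+ `re` — confirm which engine the harness uses.
      start: |
        <add\s+key="[^"]*(?i)(?:password|secret|pass(?:wd|word|code|phrase)?|key|token)"\s+value="
      end: |
        \"
    comments:
      - 'XML key/value format, <add key="key name" value="value of key" />'
    expected:
      - name: app.config
        start_offset: 59
        end_offset: 84
  - name: .NET MachineKey
    type: dotnet_machinekey
    regex:
      version: 0.1
      # Hex only: a static key is a hex string. The safe setting
      # `validationKey="AutoGenerate,IsolateApps"` is not reported — the hex
      # run stops at `u` and `end` requires the closing quote right after it.
      pattern: |
        [A-Fa-f0-9]+
      # `[^>]*` lets the key attribute appear anywhere inside the element.
      start: |
        <machineKey\s+[^>]*(?:validation|decryption)Key="
      end: |
        \"
    comments:
      - contents of the validationKey or decryptionKey of a machineKey XML element
    expected:
      - name: web.config
        start_offset: 27
        end_offset: 154
      - name: web.config
        start_offset: 171
        end_offset: 234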