Add PHPMailer rule; tweak postgres connection URI rule

CHANGELOG.md

@@ -22,9 +22,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 - New rules have been added:
 
-  - `Credentials in PostgreSQL Connection URI`
+  - `Credentials in PostgreSQL Connection URI` ([#227](https://github.com/praetorian-inc/noseyparker/pull/227))
   - `HTTP Basic Authentication`
   - `HTTP Bearer Token`
+  - `PHPMailer Credentials` ([#227](https://github.com/praetorian-inc/noseyparker/pull/227))
 
 
 ## [v0.20.0](https://github.com/praetorian-inc/noseyparker/releases/v0.20.0) (2024-10-04)

README.md

@@ -6,7 +6,7 @@ Nosey Parker is a command-line tool that finds secrets and sensitive information
 
 **Key features:**
 - It natively scans files, directories, and Git repository history
-- It uses regular expression matching with a set of [148 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high signal-to-noise based on experience and feedback from offensive security engagements
+- It uses regular expression matching with a set of [149 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high signal-to-noise based on experience and feedback from offensive security engagements
 - It deduplicates its findings, grouping matches together that share the same secret, which in practice can reduce review burden by 100x or more compared to other tools
 - It is fast: it can scan at hundreds of megabytes per second on a single core, and is able to scan 100GB of Linux kernel source history in less than 2 minutes on an older MacBook Pro
 - It scales: it has scanned inputs as large as 20TiB during security engagements

crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap

@@ -2,4 +2,4 @@
 source: crates/noseyparker-cli/tests/rules/mod.rs
 expression: stdout
 ---
-148 rules and 3 rulesets: no issues detected
+149 rules and 3 rulesets: no issues detected

crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap

@@ -2481,14 +2481,35 @@ expression: stdout
         ]
       }
     },
+    {
+      "id": "np.phpmailer.1",
+      "structural_id": "afcb1b528dcec338f828917ea4678ff321c701d8",
+      "name": "PHPMailer Credentials",
+      "syntax": {
+        "name": "PHPMailer Credentials",
+        "id": "np.phpmailer.1",
+        "pattern": "(?x)\n\\$mail->Host     \\s* = \\s* '([^'\\n]{5,})'; \\s* (?: //.* )?\n\\s* .* \\s*\n\\$mail->Username \\s* = \\s* '([^'\\n]{5,})'; \\s* (?: //.* )?\n\\s* .* \\s*\n\\$mail->Password \\s* = \\s* '([^'\\n]{5,})';\n",
+        "examples": [
+          "//Server settings\n$mail->SMTPDebug = SMTP::DEBUG_SERVER;                      //Enable verbose debug output\n$mail->isSMTP();                                            //Send using SMTP\n$mail->Host       = 'smtp.example.com';                     //Set the SMTP server to send through\n$mail->SMTPAuth   = true;                                   //Enable SMTP authentication\n$mail->Username   = 'user@example.com';                     //SMTP username\n$mail->Password   = 'secret';                               //SMTP password\n$mail->SMTPSecure = PHPMailer::ENCRYPTION_SMTPS;            //Enable implicit TLS encryption\n$mail->Port       = 465;                                    //TCP port to connect to; use 587 if you have set `SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS`\n"
+        ],
+        "negative_examples": [],
+        "references": [
+          "https://github.com/PHPMailer/PHPMailer"
+        ],
+        "categories": [
+          "fuzzy",
+          "secret"
+        ]
+      }
+    },
     {
       "id": "np.postgres.1",
-      "structural_id": "300f740ecacef15f3e529f976f3db2e60a5cc6d8",
+      "structural_id": "d1b558227cf1fa521f2db96bac75c1914554d667",
       "name": "Credentials in PostgreSQL Connection URI",
       "syntax": {
         "name": "Credentials in PostgreSQL Connection URI",
         "id": "np.postgres.1",
-        "pattern": "(?x)\n(?: postgres | postgresql ) ://                         (?# URI scheme )\n  ([a-zA-Z0-9.-~]{3,32})                                (?# username)\n: ([a-zA-Z0-9.-~]{3,32})                                (?# password)\n@ ([^:/]{3,64} (?: :\\d{1,5})?)                          (?# hostname)\n(/[^/?]{2,64})                                          (?# database)\n(?: [/?] | $ )\n",
+        "pattern": "(?x)\n(?: postgres | postgresql ) ://                         (?# URI scheme )\n  ([a-zA-Z0-9.-~]{3,})                                  (?# username)\n: ([a-zA-Z0-9.-~]{3,})                                  (?# password)\n@ ([a-zA-Z0-9_.-]{3,} (?: :\\d{1,5})?)                   (?# hostname and port)\n(/[a-zA-Z0-9_.-]{2,})                                   (?# database)\n(?: \\? [a-zA-Z0-9.-~]+ = [a-zA-Z0-9.-~]+\n       (?: & [a-zA-Z0-9.-~]+ = [a-zA-Z0-9.-~]+ )* )?    (?# query params )\n(?: [^a-zA-Z0-9.-~] | $ )\n",
         "examples": [
           "\"REDSHIFT\": \"postgres://spot_app:Pseg2020@calling-mr-bones.c0qsadyxbf4k.us-east-1.redshift.amazonaws.com:5439/datalakespotprod\",",
           "postgresql://user:secret@localhost/database",
@@ -3580,7 +3601,7 @@ expression: stdout
     {
       "id": "default",
       "name": "Nosey Parker default rules",
-      "num_rules": 127
+      "num_rules": 128
     },
     {
       "id": "np.assets",

crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap

@@ -107,6 +107,7 @@ expression: stdout
  np.particleio.2      particle.io Access Token                                  api, secret 
  np.pem.1             PEM-Encoded Private Key                                   secret 
  np.pem.2             Base64-PEM-Encoded Private Key                            secret 
+ np.phpmailer.1       PHPMailer Credentials                                     fuzzy, secret 
  np.postgres.1        Credentials in PostgreSQL Connection URI                  secret 
  np.postman.1         Postman API Key                                           api, secret 
  np.psexec.1          Credentials in PsExec                                     fuzzy, secret 
@@ -155,6 +156,6 @@ expression: stdout
 
  Ruleset ID   Ruleset Name                         Rules 
 ─────────────────────────────────────────────────────────
- default      Nosey Parker default rules             127 
+ default      Nosey Parker default rules             128 
  np.assets    Nosey Parker asset detection rules      15 
  np.hashes    Nosey Parker password hash rules         6

crates/noseyparker/data/default/builtin/rules/postgres.yml

@@ -7,11 +7,13 @@ rules:
   pattern: |
     (?x)
     (?: postgres | postgresql ) ://                         (?# URI scheme )
-      ([a-zA-Z0-9.-~]{3,32})                                (?# username)
-    : ([a-zA-Z0-9.-~]{3,32})                                (?# password)
-    @ ([^:/]{3,64} (?: :\d{1,5})?)                          (?# hostname)
-    (/[^/?]{2,64})                                          (?# database)
-    (?: [/?] | $ )
+      ([a-zA-Z0-9.-~]{3,})                                  (?# username)
+    : ([a-zA-Z0-9.-~]{3,})                                  (?# password)
+    @ ([a-zA-Z0-9_.-]{3,} (?: :\d{1,5})?)                   (?# hostname and port)
+    (/[a-zA-Z0-9_.-]{2,})                                   (?# database)
+    (?: \? [a-zA-Z0-9.-~]+ = [a-zA-Z0-9.-~]+
+           (?: & [a-zA-Z0-9.-~]+ = [a-zA-Z0-9.-~]+ )* )?    (?# query params )
+    (?: [^a-zA-Z0-9.-~] | $ )
 
   categories: [secret]
 

crates/noseyparker/data/default/builtin/rulesets/default.yml

@@ -104,6 +104,7 @@ rulesets:
   - np.particleio.2   # particle.io Access Token
   - np.pem.1          # PEM-Encoded Private Key
   - np.pem.2          # Base64-PEM-Encoded Private Key
+  - np.phpmailer.1    # PHPMailer Credentials
   - np.postgres.1     # Credentials in PostgreSQL Connection URI
   - np.postman.1      # Postman API Key
   - np.psexec.1       # Credentials in PsExec

crates/noseyparker/src/matcher.rs

@@ -241,6 +241,7 @@ impl<'a> Matcher<'a> {
                 let end_idx: usize = end_idx.try_into().unwrap();
                 let rule = &rules[rule_id];
                 let re = &anchored_regexes[rule_id];
+
                 // second-stage regex match
                 let captures = match re.captures(&blob.bytes[start_idx..end_idx]) {
                     None => {