From 201647e9042cb0e7e0f35e253a31f1e9e4c62280 Mon Sep 17 00:00:00 2001
From: "r2c-argo[bot]" <89167470+r2c-argo[bot]@users.noreply.github.com>
Date: Fri, 7 Jun 2024 09:10:29 +0200
Subject: [PATCH] Merge Gitleaks rules 2024-06-07 # 00:30 (#3395)
Co-authored-by: Security Research (r2c-argo)
---
 .../gitleaks/facebook-access-token.yaml | 2 +-
 .../gitleaks/intra42-client-secret.yaml | 26 +++++++++++++++++++
 .../gitleaks/new-relic-insert-key.yaml | 26 +++++++++++++++++++
 .../gitleaks/telegram-bot-api-token.yaml | 2 +-
 4 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 generic/secrets/gitleaks/intra42-client-secret.yaml
 create mode 100644 generic/secrets/gitleaks/new-relic-insert-key.yaml
diff --git a/generic/secrets/gitleaks/facebook-access-token.yaml b/generic/secrets/gitleaks/facebook-access-token.yaml
index 2a1a657f83..2344c7643e 100644
--- a/generic/secrets/gitleaks/facebook-access-token.yaml
+++ b/generic/secrets/gitleaks/facebook-access-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)\b(\d{15,16}\|[0-9a-z\-_]{27})(?:['|\"|\n|\r|\s|\x60|;]|$)
+ - pattern-regex: (?i)\b(\d{15,16}(\||%)[0-9a-z\-_]{27,40})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/intra42-client-secret.yaml b/generic/secrets/gitleaks/intra42-client-secret.yaml
new file mode 100644
index 0000000000..08a2cc575d
--- /dev/null
+++ b/generic/secrets/gitleaks/intra42-client-secret.yaml
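Review bot: The new `(\||%)` separator in the added pattern-regex accepts any percent-escape after the 15–16 digit identifier, not only the URL-encoded pipe, so a numeric ID followed by `%2F`, `%20` or similar and a long alphanumeric path or query segment now satisfies the rule and will surface as a finding. Writing the alternative as `(\||%7c)` keeps the URL-encoded form that presumably motivated the change while closing that widening, since the rule already runs under `(?i)`. If `{27,40}` was widened only to absorb the two hex digits of the escape, the tighter literal also lets the range move back toward the original `{27}`; leave the upper bound if it reflects a genuinely longer token format.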
@@ -0,0 +1,26 @@
+rules:
+- id: intra42-client-secret
+ message: A gitleaks intra42-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+ languages:
+ - regex
+ severity: INFO
+ metadata:
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: LOW
+ category: security
+ cwe:
+ - "CWE-798: Use of Hard-coded Credentials"
+ cwe2021-top25: true
+ cwe2022-top25: true
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+ subcategory:
+ - vuln
+ technology:
+ - gitleaks
+ patterns:
+ - pattern-regex: (?i)\b(s-s4t2(?:ud|af)-[abcdef0123456789]{64})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/new-relic-insert-key.yaml b/generic/secrets/gitleaks/new-relic-insert-key.yaml
new file mode 100644
index 0000000000..42f411f528
--- /dev/null
+++ b/generic/secrets/gitleaks/new-relic-insert-key.yaml
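Review bot: `confidence: LOW` understates how specific this pattern-regex is — a fixed `s-s4t2ud-`/`s-s4t2af-` prefix followed by exactly 64 hex characters and a delimiter leaves little room for accidental matches, so `confidence: MEDIUM` would better describe the regex unless the generator deliberately pins LOW on every imported gitleaks rule. On the same line, `[abcdef0123456789]{64}` reads more clearly as `[0-9a-f]{64}`, which is equivalent under the leading `(?i)`.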
@@ -0,0 +1,26 @@
+rules:
+- id: new-relic-insert-key
+ message: A gitleaks new-relic-insert-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
+ languages:
+ - regex
+ severity: INFO
+ metadata:
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: LOW
+ category: security
+ cwe:
+ - "CWE-798: Use of Hard-coded Credentials"
+ cwe2021-top25: true
+ cwe2022-top25: true
+ owasp:
+ - A07:2021 - Identification and Authentication Failures
+ references:
+ - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
+ source-rule-url: https://github.com/zricethezav/gitleaks/tree/master/cmd/generate/config/rules
+ subcategory:
+ - vuln
+ technology:
+ - gitleaks
+ patterns:
+ - pattern-regex: (?i)(?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}(NRII-[a-z0-9-]{32})(?:['|\"|\n|\r|\s|\x60|;]|$)
diff --git a/generic/secrets/gitleaks/telegram-bot-api-token.yaml b/generic/secrets/gitleaks/telegram-bot-api-token.yaml
index a94d287ca6..4755a79308 100644
--- a/generic/secrets/gitleaks/telegram-bot-api-token.yaml
+++ b/generic/secrets/gitleaks/telegram-bot-api-token.yaml
@@ -23,4 +23,4 @@ rules:
 technology:
 - gitleaks
 patterns:
- - pattern-regex: (?i)(?:^|[^0-9])([0-9]{5,16}:A[a-zA-Z0-9_\-]{34})(?:$|[^a-zA-Z0-9_\-])
+ - pattern-regex: (?i)(?:^|\b|bot)([0-9]{5,16}:A[a-z0-9_\-]{34})(?:$|\b[^_\-])
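Review bot: The keyword dependency of this pattern-regex deserves a comment, because it is not obvious from the rule id that the `NRII-` value is only reported when one of `new-relic`, `newrelic` or `new_relic` appears within 20 characters before the assignment operator — `NEW_RELIC_INSERT_KEY=NRII-…` is caught, while the same value assigned to a differently named variable is not. A line such as `# only fires when a new-relic/newrelic/new_relic identifier precedes the assignment; a bare NRII- value on its own is not reported` above `pattern-regex` would save the next reader from re-deriving that from the regex. This presumably mirrors the upstream gitleaks rule, so the comment documents the trade-off rather than changing it.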
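Review bot: The new suffix `(?:$|\b[^_\-])` in the telegram-bot-api-token pattern-regex regresses for tokens whose 34th character is `-`, which `[a-z0-9_\-]{34}` permits: after a trailing `-` there is no word boundary before a quote, space or semicolon, so such a token followed by a closing `"` is no longer matched, and conversely `\b` then does hold before a following letter, so a `-`-terminated prefix of a longer string can match. The previous character-class form avoided both cases; keeping it under the new case-insensitive flag gives `(?:$|[^a-z0-9_\-])`, i.e. `- pattern-regex: (?i)(?:^|\b|bot)([0-9]{5,16}:A[a-z0-9_\-]{34})(?:$|[^a-z0-9_\-])`. The leading `(?:^|\b|bot)` change looks fine as written, since `bot` is needed because no boundary exists between `t` and the first digit.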