From 6b0c303b262d3914b9609c882b7e1c6354aa021f Mon Sep 17 00:00:00 2001
From: Caleb Jasik
Date: Tue, 14 Mar 2023 14:46:45 -0500
Subject: [PATCH] Add Defined Networking API Tokens (#1096)

Adds detection support for Defined Networking tokens (https://docs.defined.net/guides/automating-host-creation/) I added a fixture in addition to the generator, I think I may be able to use the `generateUniqueToken` instead of the semi-generic option? Let me know if I should update accordingly. Remove testing fixture
---
 cmd/generate/config/main.go | 1 +
 .../config/rules/definednetworking.go | 32 +++++++++++++++++++
 config/gitleaks.toml | 9 ++++++
 3 files changed, 42 insertions(+)
 create mode 100644 cmd/generate/config/rules/definednetworking.go

diff --git a/cmd/generate/config/main.go b/cmd/generate/config/main.go
index 68354f7fd..3c350f6b1 100644
--- a/cmd/generate/config/main.go
+++ b/cmd/generate/config/main.go
@@ -41,6 +41,7 @@ func main() {
 configRules = append(configRules, rules.Contentful())
 configRules = append(configRules, rules.Databricks())
 configRules = append(configRules, rules.DatadogtokenAccessToken())
+ configRules = append(configRules, rules.DefinedNetworkingAPIToken())
 configRules = append(configRules, rules.DigitalOceanPAT())
 configRules = append(configRules, rules.DigitalOceanOAuthToken())
 configRules = append(configRules, rules.DigitalOceanRefreshToken())
diff --git a/cmd/generate/config/rules/definednetworking.go b/cmd/generate/config/rules/definednetworking.go
new file mode 100644
index 000000000..93ba0b501
--- /dev/null
+++ b/cmd/generate/config/rules/definednetworking.go
@@ -0,0 +1,32 @@
+package rules
+
+import (
+ "github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
+ "github.com/zricethezav/gitleaks/v8/config"
+)
+
+func DefinedNetworkingAPIToken() *config.Rule {
+ // Define Rule
+ r := config.Rule{
+ // Human redable description of the rule
+ Description: "Defined Networking API token",
+
+ // Unique ID for the rule
+ RuleID: "defined-networking-api-token",
+
+ // Regex capture group for the actual secret
+ SecretGroup: 1,
+
+ // Regex used for detecting secrets. See regex section below for more details
+ Regex: generateSemiGenericRegex([]string{"dnkey"}, `dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52}`),
+
+ // Keywords used for string matching on fragments (think of this as a prefilter)
+ Keywords: []string{"dnkey"},
+ }
+
+ // validate
+ tps := []string{
+ generateSampleSecret("dnkey", "dnkey-"+secrets.NewSecret(alphaNumericExtended("26"))+"-"+secrets.NewSecret(alphaNumericExtended("52"))),
+ }
+ return validate(r, tps, nil)
+}
diff --git a/config/gitleaks.toml b/config/gitleaks.toml
index c2a2870bf..f91ecf1cf 100644
--- a/config/gitleaks.toml
+++ b/config/gitleaks.toml
@@ -242,6 +242,15 @@ keywords = [
 "datadog",
 ]
 
+[[rules]]
+description = "Defined Networking API token"
+id = "defined-networking-api-token"
+regex = '''(?i)(?:dnkey)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(dnkey-[a-z0-9=_\-]{26}-[a-z0-9=_\-]{52})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
+secretGroup = 1
+keywords = [
+ "dnkey",
+]
+
 [[rules]]
 description = "DigitalOcean OAuth Access Token"
 id = "digitalocean-access-token"
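Review bot: The field comments in DefinedNetworkingAPIToken are unedited template text — `// Human redable description of the rule` has a typo and `// Regex used for detecting secrets. See regex section below for more details` refers to a section this file does not contain — so nothing in the new file states what a Defined Networking token actually looks like. Replace the Regex comment with the format the pattern encodes (`dnkey-` followed by a 26-character segment, a hyphen and a 52-character segment, each drawn from `[a-z0-9=_-]`), citing the guide linked in the PR description, and correct the typo to `// Human readable description of the rule`. The rule is also validated against a single positive sample only (`return validate(r, tps, nil)`); supplying a negative such as a token with a shortened second segment as the third argument would pin the fixed segment lengths so a later regex edit cannot loosen them unnoticed. The generated TOML in the gitleaks.toml hunk shows the final regex wrapped in `(?i)`, which means uppercase variants match even though the inner class is written lowercase-only; that is presumably inherited from generateSemiGenericRegex rather than chosen here, but it is worth a sentence in the comment so the lowercase class is not read as a constraint.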