Feature/add sidekiq rules (gitleaks#933)

* Add sidekiq rules * Added two new rules for sidekiq * Other: Add keywords to square rules per Zach's instructions * Validate now works, but test suite is failing * Tests are now passing * Add Sidekiq Rules: Ran go fmt * * After resolving conflicts, had to rerun the rule generator to add back the semicolon char * After running tests, had to fix one line in testdata/expected/report/sarif_simple.sarif * * Added keywords to simple.toml for sidekiq-sensitive-url so that the rule matches what is in gitleaks.toml Co-authored-by: Andrew Weiner <aweiner@frontrush.com>
AikidoSec · Aug 3, 2022 · cd52267 · cd52267
1 parent afc89f9
commit cd52267
Show file tree

Hide file tree

Showing 8 changed files with 284 additions and 104 deletions.
diff --git a/cmd/generate/config/main.go b/cmd/generate/config/main.go
@@ -126,6 +126,8 @@ func main() {
 	configRules = append(configRules, rules.ShopifyCustomAccessToken())
 	configRules = append(configRules, rules.ShopifyPrivateAppAccessToken())
 	configRules = append(configRules, rules.ShopifySharedSecret())
+	configRules = append(configRules, rules.SidekiqSecret())
+	configRules = append(configRules, rules.SidekiqSensitiveUrl())
 	configRules = append(configRules, rules.SlackAccessToken())
 	configRules = append(configRules, rules.SlackWebHook())
 	configRules = append(configRules, rules.StripeAccessToken())

diff --git a/cmd/generate/config/rules/rule.go b/cmd/generate/config/rules/rule.go
@@ -25,7 +25,7 @@ const (
 	// \x60 = `
 	secretPrefixUnique = `\b(`
 	secretPrefix       = `(?:'|\"|\s|=|\x60){0,5}(`
-	secretSuffix       = `)(?:['|\"|\n|\r|\s|\x60]|$)`
+	secretSuffix       = `)(?:['|\"|\n|\r|\s|\x60|;]|$)`
 )
 
 func generateSemiGenericRegex(identifiers []string, secretRegex string) *regexp.Regexp {
@@ -70,12 +70,12 @@ func validate(r config.Rule, truePositives []string, falsePositives []string) *c
 	})
 	for _, tp := range truePositives {
 		if len(d.DetectString(tp)) != 1 {
-			log.Fatal().Msgf("Failed to validate (tp) %s %s", r.RuleID, tp)
+			log.Fatal().Msgf("Failed to validate. For rule ID [%s], true positive [%s] was not detected by regexp [%s]", r.RuleID, tp, r.Regex)
 		}
 	}
 	for _, fp := range falsePositives {
 		if len(d.DetectString(fp)) != 0 {
-			log.Fatal().Msgf("Failed to validate (fp) %s", r.RuleID)
+			log.Fatal().Msgf("Failed to validate (fp) [%s]", r.RuleID)
 		}
 	}
 	return &r

diff --git a/cmd/generate/config/rules/sidekiq.go b/cmd/generate/config/rules/sidekiq.go
@@ -0,0 +1,60 @@
+package rules
+
+import (
+	"regexp"
+
+	"github.com/zricethezav/gitleaks/v8/config"
+)
+
+func SidekiqSecret() *config.Rule {
+	// define rule
+	r := config.Rule{
+		Description: "Sidekiq Secret",
+		RuleID:      "sidekiq-secret",
+		SecretGroup: 1,
+		Regex: generateSemiGenericRegex([]string{"BUNDLE_ENTERPRISE__CONTRIBSYS__COM", "BUNDLE_GEMS__CONTRIBSYS__COM"},
+			`[a-f0-9]{8}:[a-f0-9]{8}`),
+		Keywords: []string{"BUNDLE_ENTERPRISE__CONTRIBSYS__COM", "BUNDLE_GEMS__CONTRIBSYS__COM"},
+	}
+
+	// validate
+	tps := []string{
+		"BUNDLE_ENTERPRISE__CONTRIBSYS__COM: cafebabe:deadbeef",
+		"export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=cafebabe:deadbeef",
+		"export BUNDLE_ENTERPRISE__CONTRIBSYS__COM = cafebabe:deadbeef",
+		"BUNDLE_GEMS__CONTRIBSYS__COM: \"cafebabe:deadbeef\"",
+		"export BUNDLE_GEMS__CONTRIBSYS__COM=\"cafebabe:deadbeef\"",
+		"export BUNDLE_GEMS__CONTRIBSYS__COM = \"cafebabe:deadbeef\"",
+		"export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=cafebabe:deadbeef;",
+		"export BUNDLE_ENTERPRISE__CONTRIBSYS__COM=cafebabe:deadbeef && echo 'hello world'",
+	}
+	return validate(r, tps, nil)
+}
+
+func SidekiqSensitiveUrl() *config.Rule {
+	// define rule
+	r := config.Rule{
+		Description: "Sidekiq Sensitive URL",
+		RuleID:      "sidekiq-sensitive-url",
+		SecretGroup: 2,
+		Regex:       regexp.MustCompile(`(?i)\b(http(?:s??):\/\/)([a-f0-9]{8}:[a-f0-9]{8})@(?:gems.contribsys.com|enterprise.contribsys.com)(?:[\/|\#|\?|:]|$)`),
+		Keywords:    []string{"gems.contribsys.com", "enterprise.contribsys.com"},
+	}
+
+	// validate
+	tps := []string{
+		"https://cafebabe:deadbeef@gems.contribsys.com/",
+		"https://cafebabe:deadbeef@gems.contribsys.com",
+		"https://cafeb4b3:d3adb33f@enterprise.contribsys.com/",
+		"https://cafeb4b3:d3adb33f@enterprise.contribsys.com",
+		"http://cafebabe:deadbeef@gems.contribsys.com/",
+		"http://cafebabe:deadbeef@gems.contribsys.com",
+		"http://cafeb4b3:d3adb33f@enterprise.contribsys.com/",
+		"http://cafeb4b3:d3adb33f@enterprise.contribsys.com",
+		"http://cafeb4b3:d3adb33f@enterprise.contribsys.com#heading1",
+		"http://cafeb4b3:d3adb33f@enterprise.contribsys.com?param1=true&param2=false",
+		"http://cafeb4b3:d3adb33f@enterprise.contribsys.com:80",
+		"http://cafeb4b3:d3adb33f@enterprise.contribsys.com:80/path?param1=true&param2=false#heading1",
+	}
+	return validate(r, tps, nil)
+}
diff --git a/cmd/generate/config/rules/square.go b/cmd/generate/config/rules/square.go
@@ -11,6 +11,7 @@ func SquareAccessToken() *config.Rule {
 		RuleID:      "square-access-token",
 		Description: "Square Access Token",
 		Regex:       generateUniqueTokenRegex(`sq0atp-[0-9A-Za-z\-_]{22}`),
+		Keywords:    []string{"sq0atp-"},
 	}
 
 	// validate
@@ -26,6 +27,7 @@ func SquareSecret() *config.Rule {
 		RuleID:      "square-secret",
 		Description: "Square Secret",
 		Regex:       generateUniqueTokenRegex(`sq0csp-[0-9A-Za-z\\-_]{43}`),
+		Keywords:    []string{"sq0csp-"},
 	}
 
 	// validate