New Artifactory / Slack Patterns

The modifications in this PR are twofold: 1. Add ability to detect Slack Webhooks 2. Improved the artifactory password regex to catch passwords of different lengths and rotated passwords (Third char increments after user rotates password). Restore slack token secret type
Yelp · Jun 19, 2019 · b34dda6 · b34dda6
1 parent eadaabe
commit b34dda6
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 4 deletions.
diff --git a/detect_secrets/plugins/artifactory.py b/detect_secrets/plugins/artifactory.py
@@ -11,7 +11,7 @@ class ArtifactoryDetector(RegexBasedDetector):
 
     denylist = [
         # artifactory tokens begin with AKC
-        re.compile(r'(?:\s|=|:|"|^)AKC\w{10,}'),    # api token
-        # artifactory encrypted passwords begin with AP6
-        re.compile(r'(?:\s|=|:|"|^)AP6\w{10,}'),    # password
+        re.compile(r'(?:\s|=|:|"|^)AKC[a-zA-Z0-9]{10,}'),    # api token
+        # artifactory encrypted passwords begin with AP[A-Z]
+        re.compile(r'(?:\s|=|:|"|^)AP[\dABCDEF][a-zA-Z0-9]{8,}'),    # password
     ]
diff --git a/detect_secrets/plugins/slack.py b/detect_secrets/plugins/slack.py
@@ -13,5 +13,13 @@ class SlackDetector(RegexBasedDetector):
     secret_type = 'Slack Token'
 
     denylist = (
+        # Slack Token
         re.compile(r'xox(?:a|b|p|o|s|r)-(?:\d+-)+[a-z0-9]+', flags=re.IGNORECASE),
+        # Slack Webhooks
+        re.compile(
+            r"""
+            https://hooks.slack.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}
+            """,
+            flags=re.IGNORECASE | re.VERBOSE,
+        ),
     )
diff --git a/tests/plugins/artifactory_test.py b/tests/plugins/artifactory_test.py
@@ -11,6 +11,11 @@ class TestArtifactoryDetector(object):
         'payload, should_flag',
         [
             ('AP6xxxxxxxxxx', True),
+            ('AP2xxxxxxxxxx', True),
+            ('AP3xxxxxxxxxx', True),
+            ('AP5xxxxxxxxxx', True),
+            ('APAxxxxxxxxxx', True),
+            ('APBxxxxxxxxxx', True),
             ('AKCxxxxxxxxxx', True),
             (' AP6xxxxxxxxxx', True),
             (' AKCxxxxxxxxxx', True),
@@ -28,7 +33,7 @@ class TestArtifactoryDetector(object):
             ('testAP6withinsomeirrelevantstring', False),
             ('X-JFrog-Art-Api: $API_KEY', False),
             ('X-JFrog-Art-Api: $PASSWORD', False),
-            ('artifactory:_password=AP6xxxxxxxx', False),
+            ('artifactory:_password=AP6xxxxxx', False),
             ('artifactory:_password=AKCxxxxxxxx', False),
         ],
     )

diff --git a/tests/plugins/slack_test.py b/tests/plugins/slack_test.py
@@ -33,6 +33,9 @@ class TestSlackDetector(object):
             (
                 'xoxb-34532454-e039d02840a0b9379c'
             ),
+            (
+                'https://hooks.slack.com/services/Txxxxxxxx/Bxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxx'
+            ),
         ],
     )
     def test_analyze(self, file_content):
-Original file line number
+Diff line change
@@ Expand Up / @@ -33,6 +33,9 @@ class TestSlackDetector(object): @@
                 (
                     'xoxb-34532454-e039d02840a0b9379c'
                 ),
+                (
+                    'https://hooks.slack.com/services/Txxxxxxxx/Bxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxx'
+                ),
             ],
         )
         def test_analyze(self, file_content):
@@ Expand Down @@