From 8d6963a805d5e1e2501291ad53ec4dd2c2b47dab Mon Sep 17 00:00:00 2001 From: Brad Larsen Date: Fri, 6 Dec 2024 14:04:26 -0500 Subject: [PATCH] Refine the `Slack Bot Token` rule --- CHANGELOG.md | 3 +++ .../test_noseyparker__rules__rules_list_json-2.snap | 9 +++++---- crates/noseyparker/data/default/builtin/rules/slack.yml | 7 ++++++- 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3d494e0de..812d4b65e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,6 +23,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), This fixes a bug in v0.20.0 where provenance entries from an extensible enumerator could _only_ be JSON objects, instead of arbitrary JSON values as claimed by the documentation. +### Changes +- The `Slack Bot Token` rule has been modified to match additional cases. + ### Additions - New rules have been added: diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap index 565808df1..d0f02b923 100644 --- a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap +++ b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap 
@@ -3503,15 +3503,16 @@ expression: stdout }, { "id": "np.slack.2", - "structural_id": "0ea5b5cda83ab3b0c33554d7f0d85314bfa9fe5c", + "structural_id": "5414df5832199b9114ba2581d9c0859c0503623a", "name": "Slack Bot Token", "syntax": { "name": "Slack Bot Token", "id": "np.slack.2", - "pattern": "\\b(xoxb-[0-9]{12}-[0-9]{12}-[a-zA-Z0-9]{24})\\b", - "description": null, + "pattern": "\\b(xoxb-[0-9]{10,12}-[0-9]{10,12}-[a-zA-Z0-9]{23,25})\\b", + "description": "A Slack Bot Token was found. An attacker could use the token to impersonate or control the corresponding Slack bot.\n", "examples": [ - "SLACK_API_TOKEN=xoxb-893582989554-899326518131-JRHeVv1o9Cf99fwDpuortR2D" + "SLACK_API_TOKEN=xoxb-893582989554-899326518131-JRHeVv1o9Cf99fwDpuortR2D", + "REM SET SLACK_TOKEN=xoxb-31446298938-537092655923-AeFmqVRV5nS3q028kmmHUFm3" ], "negative_examples": [ "python log_announce.py xoxp-513768634356-513201028496-513937500594-185e196ace562dd6443b5d29b1d817c2 \"This is a test run. Ignore\"", diff --git a/crates/noseyparker/data/default/builtin/rules/slack.yml b/crates/noseyparker/data/default/builtin/rules/slack.yml index 5e60b5493..4285f6724 100644 --- a/crates/noseyparker/data/default/builtin/rules/slack.yml +++ b/crates/noseyparker/data/default/builtin/rules/slack.yml @@ -7,7 +7,7 @@ rules: - name: Slack Bot Token id: np.slack.2 - pattern: '\b(xoxb-[0-9]{12}-[0-9]{12}-[a-zA-Z0-9]{24})\b' + pattern: '\b(xoxb-[0-9]{10,12}-[0-9]{10,12}-[a-zA-Z0-9]{23,25})\b' references: - https://api.slack.com/authentication 
@@ -18,8 +18,13 @@ rules: - api - secret + description: > + A Slack Bot Token was found. + An attacker could use the token to impersonate or control the corresponding Slack bot. + examples: - 'SLACK_API_TOKEN=xoxb-893582989554-899326518131-JRHeVv1o9Cf99fwDpuortR2D' + - 'REM SET SLACK_TOKEN=xoxb-31446298938-537092655923-AeFmqVRV5nS3q028kmmHUFm3' negative_examples: - 'python log_announce.py xoxp-513768634356-513201028496-513937500594-185e196ace562dd6443b5d29b1d817c2 "This is a test run. Ignore"'
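Review bot: The widened quantifiers in `pattern:` (`[0-9]{10,12}`, `[0-9]{10,12}`, `[a-zA-Z0-9]{23,25}`) are pinned only from the positive side in this hunk — both `examples` fall inside the new bounds, while nothing in `negative_examples` sits just outside them, so a later edit that loosens the rule further would presumably still pass the rule tests. I would add one negative example per relaxed segment, e.g. `- 'xoxb-314462989-537092655923-AeFmqVRV5nS3q028kmmHUFm3'` (9-digit first segment) and a variant with a 22-character trailing segment, assuming the harness checks that negative examples produce no match. It would also help maintainers to record where the 10–12 / 23–25 bounds came from, as a comment above `pattern:` in the earlier hunk, e.g. `# Segment lengths widened from a fixed 12/12/24 after tokens with 11-digit IDs were observed; lengths outside these ranges have not been seen.` — the second example token added here is the only evidence visible in the diff. The `np.slack.2` rule entry these lines belong to begins before the hunk.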