
Minor false positive improvements (#1758)

* feat(generic): add 'keypress' to allowlist

* feat(privatekey): ignore empty/impossible matches

* feat(config): ignore 'secrets' that are file paths

* fix(sentry): handle special character at end
Prevent common test error of 'Failed to Validate. True positive was not detected by regex.' because the generated value didn't play nicely with word boundary.
Richard Gomez 11 месяцев назад
Родитель
Сommit
3fa5a3a954

+ 5 - 0
cmd/generate/config/base/config.go

@@ -53,6 +53,11 @@ func CreateGlobalConfig() config.Config {
 				regexp.MustCompile(`^@(?:[A-Z_]+|[a-z_]+)@$`),
 
 				// ----------- Miscellaneous -----------
+				// File paths
+				regexp.MustCompile(`^/Users/(?i)[a-z0-9]+/[\w .-/]+$`),              // MacOS
+				regexp.MustCompile(`^/(?:bin|etc|home|opt|tmp|usr|var)/[\w ./-]+$`), // Linux
+				// 11980 Jps -Dapplication.home=D:\develop_tools\jdk\jdk1.8.0_131 -Xms8m
+				//regexp.MustCompile(`^$`), // Windows
 			},
 			Paths: []*regexp.Regexp{
 				regexp.MustCompile(`gitleaks\.toml`),
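Review bot: The macOS pattern on the first added `regexp.MustCompile` line never allowlists a hyphen: inside `[\w .-/]` the sequence `.-/` is a character range from `.` to `/` rather than a literal `-`, so a path like `/Users/james/Projects/my-app` is still reported, while the Linux line right below it (`[\w ./-]`, hyphen last) accepts it. Change the class to `[\w ./-]` so both lines agree; the same range appears in the generated `config/gitleaks.toml`, and none of the new `config_test.go` fixtures contains a hyphen, so adding one there would have exposed this. The mid-pattern `(?i)` applies to everything after it in RE2, which is harmless for these classes but worth a short comment if it is meant only for the user-name segment. The stray `11980 Jps -Dapplication.home=...` line plus the commented-out `^$` placeholder would read better as a single `// TODO: Windows paths, e.g. D:\develop_tools\jdk` note.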

+ 9 - 0
cmd/generate/config/base/config_test.go

@@ -62,6 +62,15 @@ var allowlistRegexTests = map[string]struct {
 		invalid: []string{`@password@`, `@LDAP_PASS@`},
 		valid:   []string{`@username@mastodon.example`},
 	},
+	"miscellaneous - file paths": {
+		invalid: []string{
+			// MacOS
+			`/Users/james/Projects/SwiftCode/build/Release`,
+			// Linux
+			`/tmp/screen-exchange`,
+		},
+		valid: []string{},
+	},
 }
 
 func TestConfigAllowlistRegexes(t *testing.T) {
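Review bot: The new `"miscellaneous - file paths"` case has an empty `valid` list, so nothing checks that the two anchored patterns still reject a path-like string that carries extra material after it, which is exactly the failure mode an allowlist must not have. Add at least one entry that shares a prefix with a path but contains characters outside the class, for example the constructed sample `/home/ci/.netrc:AbC123` (the `:` is not in `[\w ./-]`), and one whose trailing segment would be a plausible secret if the class were ever widened. If the suite compares against both lists the way the neighbouring cases do, this keeps a future loosening of the regex from silently suppressing real findings.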

+ 2 - 1
cmd/generate/config/rules/generic.go

@@ -66,7 +66,7 @@ func GenericCredential() *config.Rule {
 						`|(?:credentials?[_.-]?id|withCredentials)` + // Jenkins plugins
 						// Key
 						`|(?:bucket|foreign|hot|idx|natural|primary|pub(?:lic)?|schema|sequence)[_.-]?key` +
-						`|key[_.-]?(?:alias|board|code|frame|id|length|mesh|name|pair|ring|selector|signature|size|stone|storetype|word|up|down|left|right)` +
+						`|key[_.-]?(?:alias|board|code|frame|id|length|mesh|name|pair|press(?:ed)?|ring|selector|signature|size|stone|storetype|word|up|down|left|right)` +
 						// Azure KeyVault
 						`|key[_.-]?vault[_.-]?(?:id|name)|keyVaultToStoreSecrets` +
 						`|key(?:store|tab)[_.-]?(?:file|path)` +
@@ -207,6 +207,7 @@ _LIBCPP_CONSTEXPR_AFTER_CXX11 `,
 		`KeyPair = X25519.KeyPair`,
 		`BlindKeySignatures = Ed25519.BlindKeySignatures`,
 		`AVEncVideoMaxKeyframeDistance, "2987123a-ba93-4704-b489-ec1e5f25292c"`,
+		`            keyPressed = kVK_Return.u16`,
 		// `<add key="SchemaTable" value="G:\SchemaTable.xml" />`,
 		//`    { key: '9df21e95-3848-409d-8f94-c675cdfee839', value: 'Americas' },`,
 		// `<TAR key="REF_ID_923.properties" value="/opts/config/alias/"/>`,
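Review bot: The new false-positive fixture `keyPressed = kVK_Return.u16` only exercises the `pressed` branch of the `press(?:ed)?` alternative added in the earlier hunk; the bare `keypress` / `KeyPress` spelling that the optional group exists for is untested. Add a second fixture such as `onKeyPress: handleKeyPress(e)` (constructed) next to it so a later edit to the alternation cannot drop the short form unnoticed. The allowlist is applied with `regexTarget = "match"`, so any generic-credential hit whose match text contains `key_press`/`keypress` is now suppressed as a whole; that is the intended trade-off, but a one-line comment saying so above the alternation would help the next person who widens it.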

+ 16 - 7
cmd/generate/config/rules/privatekey.go

@@ -11,23 +11,32 @@ func PrivateKey() *config.Rule {
 	r := config.Rule{
 		RuleID:      "private-key",
 		Description: "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.",
-		Regex:       regexp.MustCompile(`(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----[\s\S-]*?KEY(?: BLOCK)?-----`),
+		Regex:       regexp.MustCompile(`(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----[\s\S-]{64,}?KEY(?: BLOCK)?-----`),
 		Keywords:    []string{"-----BEGIN"},
 	}
 
 	// validate
 	tps := []string{`-----BEGIN PRIVATE KEY-----
-anything
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDAC4AWkdwKYSd8
+Ks14IReLcYgADhoXk56ZzXI=
 -----END PRIVATE KEY-----`,
 		`-----BEGIN RSA PRIVATE KEY-----
-abcdefghijksmnopqrstuvwxyz
+MIIEpQIBAAKCAQEAn6/O8li+SX4m98LLYt/PKSzEmQ++ZBD7Loh9P13f4yQ92EF3
+yxR5MsXFu9PRsrYQA7/4UTPHiC4y2sAVCBg4C2yyBpUEtMQjyCESi6Y=
 -----END RSA PRIVATE KEY-----
 `,
-		`-----BEGIN PRIVATE KEY BLOCK-----
-anything
------END PRIVATE KEY BLOCK-----`,
+		`-----BEGIN PGP PRIVATE KEY BLOCK-----
+lQWGBGSVV4YBDAClvRnxezIRy2Yv7SFlzC0iFiRF/O/jePSw+XYhvcrTaqSYTGic
+=8xQN
+-----END PGP PRIVATE KEY BLOCK-----`,
 	} // gitleaks:allow
-	return utils.Validate(r, tps, nil)
+	fps := []string{
+		`-----BEGIN PRIVATE KEY-----
+anything
+-----END PRIVATE KEY-----`,
+		`-----BEGIN OPENSSH PRIVATE KEY----------END OPENSSH PRIVATE KEY-----`,
+	}
+	return utils.Validate(r, tps, fps)
 }
 
 func PrivateKeyPKCS12File() *config.Rule {
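Review bot: The `{64,}?` minimum in the new `Regex:` line is a bare magic number with no comment, and it counts more than the key body: the span runs from the BEGIN header's closing `-----` up to the `KEY` of the END header, so it includes the newlines and the `-----END PRIVATE ` / `-----END RSA PRIVATE ` prefix, leaving a real floor of roughly 40-45 body characters. Document that on the line, e.g. `// {64,}: drops placeholder/empty bodies ("anything", back-to-back headers); the span includes the END header prefix, so real bodies need only ~45 chars - an Ed25519 PKCS#8 key (64 base64 chars) still matches`, so nobody later raises it to a value that silently misses short keys. Because the quantifier is lazy but unbounded, a too-short block is not rejected outright: the match simply extends to the next `KEY-----` later in the same input, so two placeholder blocks in one file can still yield one finding spanning both; worth a sentence in the same comment. The `-` inside `[\s\S-]` is redundant (already covered by `\S`) and predates this change, so leave it or drop it in a separate cleanup.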

+ 4 - 1
cmd/generate/config/rules/sentry.go

@@ -43,7 +43,7 @@ func SentryOrgToken() *config.Rule {
 	r := config.Rule{
 		RuleID:      "sentry-org-token",
 		Description: "Found a Sentry.io Organization Token, risking unauthorized access to error tracking services and sensitive application data.",
-		Regex:       regexp.MustCompile(`\bsntrys_eyJpYXQiO[a-zA-Z0-9+/]{10,200}(?:LCJyZWdpb25fdXJs|InJlZ2lvbl91cmwi|cmVnaW9uX3VybCI6)[a-zA-Z0-9+/]{10,200}={0,2}_[a-zA-Z0-9+/]{43}\b`),
+		Regex:       regexp.MustCompile(`\bsntrys_eyJpYXQiO[a-zA-Z0-9+/]{10,200}(?:LCJyZWdpb25fdXJs|InJlZ2lvbl91cmwi|cmVnaW9uX3VybCI6)[a-zA-Z0-9+/]{10,200}={0,2}_[a-zA-Z0-9+/]{43}(?:[^a-zA-Z0-9+/]|\z)`),
 		Entropy:     4.5,
 		Keywords:    []string{"sntrys_eyJpYXQiO"},
 	}
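Review bot: The replacement tail `(?:[^a-zA-Z0-9+/]|\z)` in the new `Regex:` line consumes the character that follows the token, so the reported match now ends with the delimiter (a quote, space or newline) instead of the token itself; with no capture group the secret, its fingerprint and, if entropy is computed over the reported secret, the 4.5 threshold all see that extra byte. RE2 has no lookahead, so the usual fix is to capture the token and point the rule at it: `\b(sntrys_eyJpYXQiO[a-zA-Z0-9+/]{10,200}(?:LCJyZWdpb25fdXJs|InJlZ2lvbl91cmwi|cmVnaW9uX3VybCI6)[a-zA-Z0-9+/]{10,200}={0,2}_[a-zA-Z0-9+/]{43})(?:[^a-zA-Z0-9+/]|\z)` together with `SecretGroup: 1`, unless the detector already takes the first group by default in this version. The same consumed delimiter is in the regenerated `config/gitleaks.toml` entry, which follows from the Go rule. A short comment explaining why `\b` was dropped (the base64 tail can end in `+` or `/`, which are non-word characters, as the new `...SY+` sample in the next hunk shows) would keep someone from restoring it.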
@@ -52,6 +52,9 @@ func SentryOrgToken() *config.Rule {
 	tps := utils.GenerateSampleSecrets("sentry",
 		`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`, // gitleaks:allow
 	)
+	tps = append(tps, utils.GenerateSampleSecrets("sentry",
+		`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`, // gitleaks:allow
+	)...)
 	tps = append(tps,
 		` 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`, // gitleaks:allow
 	)

+ 5 - 3
config/gitleaks.toml

@@ -24,6 +24,8 @@ regexes = [
     '''^%[+\-# 0]?[bcdeEfFgGoOpqstTUvxX]$''',
     '''^\{\d{0,2}}$''',
     '''^@(?:[A-Z_]+|[a-z_]+)@$''',
+    '''^/Users/(?i)[a-z0-9]+/[\w .-/]+$''',
+    '''^/(?:bin|etc|home|opt|tmp|usr|var)/[\w ./-]+$''',
 ]
 paths = [
     '''gitleaks\.toml''',
@@ -586,7 +588,7 @@ regexes = [
 [[rules.allowlists]]
 regexTarget = "match"
 regexes = [
-    '''(?i)(?:access(?:ibility|or)|access[_.-]?id|random[_.-]?access|api[_.-]?(?:id|name|version)|rapid|capital|[a-z0-9-]*?api[a-z0-9-]*?:jar:|author|X-MS-Exchange-Organization-Auth|Authentication-Results|(?:credentials?[_.-]?id|withCredentials)|(?:bucket|foreign|hot|idx|natural|primary|pub(?:lic)?|schema|sequence)[_.-]?key|key[_.-]?(?:alias|board|code|frame|id|length|mesh|name|pair|ring|selector|signature|size|stone|storetype|word|up|down|left|right)|key[_.-]?vault[_.-]?(?:id|name)|keyVaultToStoreSecrets|key(?:store|tab)[_.-]?(?:file|path)|issuerkeyhash|(?-i:[DdMm]onkey|[DM]ONKEY)|keying|(?:secret)[_.-]?(?:length|name|size)|UserSecretsId|(?:io\.jsonwebtoken[ \t]?:[ \t]?[\w-]+)|(?:api|credentials|token)[_.-]?(?:endpoint|ur[il])|public[_.-]?token|(?:key|token)[_.-]?file|(?-i:(?:[A-Z_]+=\n[A-Z_]+=|[a-z_]+=\n[a-z_]+=)(?:\n|\z))|(?-i:(?:[A-Z.]+=\n[A-Z.]+=|[a-z.]+=\n[a-z.]+=)(?:\n|\z)))''',
+    '''(?i)(?:access(?:ibility|or)|access[_.-]?id|random[_.-]?access|api[_.-]?(?:id|name|version)|rapid|capital|[a-z0-9-]*?api[a-z0-9-]*?:jar:|author|X-MS-Exchange-Organization-Auth|Authentication-Results|(?:credentials?[_.-]?id|withCredentials)|(?:bucket|foreign|hot|idx|natural|primary|pub(?:lic)?|schema|sequence)[_.-]?key|key[_.-]?(?:alias|board|code|frame|id|length|mesh|name|pair|press(?:ed)?|ring|selector|signature|size|stone|storetype|word|up|down|left|right)|key[_.-]?vault[_.-]?(?:id|name)|keyVaultToStoreSecrets|key(?:store|tab)[_.-]?(?:file|path)|issuerkeyhash|(?-i:[DdMm]onkey|[DM]ONKEY)|keying|(?:secret)[_.-]?(?:length|name|size)|UserSecretsId|(?:io\.jsonwebtoken[ \t]?:[ \t]?[\w-]+)|(?:api|credentials|token)[_.-]?(?:endpoint|ur[il])|public[_.-]?token|(?:key|token)[_.-]?file|(?-i:(?:[A-Z_]+=\n[A-Z_]+=|[a-z_]+=\n[a-z_]+=)(?:\n|\z))|(?-i:(?:[A-Z.]+=\n[A-Z.]+=|[a-z.]+=\n[a-z.]+=)(?:\n|\z)))''',
 ]
 stopwords = [
     "000000",
@@ -2683,7 +2685,7 @@ keywords = ["pnu_"]
 [[rules]]
 id = "private-key"
 description = "Identified a Private Key, which may compromise cryptographic security and sensitive data encryption."
-regex = '''(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----[\s\S-]*?KEY(?: BLOCK)?-----'''
+regex = '''(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY(?: BLOCK)?-----[\s\S-]{64,}?KEY(?: BLOCK)?-----'''
 keywords = ["-----begin"]
 
 [[rules]]
@@ -2774,7 +2776,7 @@ keywords = ["sentry"]
 [[rules]]
 id = "sentry-org-token"
 description = "Found a Sentry.io Organization Token, risking unauthorized access to error tracking services and sensitive application data."
-regex = '''\bsntrys_eyJpYXQiO[a-zA-Z0-9+/]{10,200}(?:LCJyZWdpb25fdXJs|InJlZ2lvbl91cmwi|cmVnaW9uX3VybCI6)[a-zA-Z0-9+/]{10,200}={0,2}_[a-zA-Z0-9+/]{43}\b'''
+regex = '''\bsntrys_eyJpYXQiO[a-zA-Z0-9+/]{10,200}(?:LCJyZWdpb25fdXJs|InJlZ2lvbl91cmwi|cmVnaW9uX3VybCI6)[a-zA-Z0-9+/]{10,200}={0,2}_[a-zA-Z0-9+/]{43}(?:[^a-zA-Z0-9+/]|\z)'''
 entropy = 4.5
 keywords = ["sntrys_eyjpyxqio"]