Home Explore Help
Sign In
LBP
/
gitleaks
mirror of https://github.com/gitleaks/gitleaks.git
4
0
Fork 0
Files Issues 0 Wiki
Browse Source

working on filetype filtering

zach rice 6 years ago
parent
87d6c588a6
commit
cb74386ef0
4 changed files with 67 additions and 3 deletions
Unified View Show Diff Stats
  1. 16 1
      src/config.go
  2. 16 0
      src/constants.go
  3. 21 0
      src/repo.go
  4. 14 2
      src/utils.go

+ 16 - 1
src/config.go
View File 

@@ -26,6 +26,7 @@ type Rule struct {
 
 	tags        []string
 
 	tags        []string
 
 	entropies   []*entropyRange
 
 	entropies   []*entropyRange
 
 	entropyROI  string
 
 	entropyROI  string
 
+	fileTypes   []*regexp.Regexp
 
 }
 
 }
 
 
 
 // TomlConfig is used for loading gitleaks configs from a toml file
 
 // TomlConfig is used for loading gitleaks configs from a toml file
 
@@ -37,6 +38,7 @@ type TomlConfig struct {
 
 		Tags        []string
 
 		Tags        []string
 
 		Severity    string
 
 		Severity    string
 
 		EntropyROI  string
 
 		EntropyROI  string
 
+		FileTypes   []string
 
 	}
 
 	}
 
 	Whitelist struct {
 
 	Whitelist struct {
 
 		Files   []string
 
 		Files   []string
 
@@ -55,7 +57,8 @@ type Config struct {
 
 		commits map[string]bool
 
 		commits map[string]bool
 
 		repos   []*regexp.Regexp
 
 		repos   []*regexp.Regexp
 
 	}
 
 	}
 
-	sshAuth *ssh.PublicKeys
 
+	FileRules []*Rule
 
+	sshAuth   *ssh.PublicKeys
 
 }
 
 }
 
 
 
 // loadToml loads of the toml config containing regexes and whitelists.
 
 // loadToml loads of the toml config containing regexes and whitelists.
 
@@ -109,10 +112,16 @@ func (config *Config) update(tomlConfig TomlConfig) error {
 
 	for _, rule := range tomlConfig.Rules {
 
 	for _, rule := range tomlConfig.Rules {
 
 		re := regexp.MustCompile(rule.Regex)
 
 		re := regexp.MustCompile(rule.Regex)
 
 		ranges, err := getEntropyRanges(rule.Entropies)
 
 		ranges, err := getEntropyRanges(rule.Entropies)
 
+		var fileTypes = []*regexp.Regexp{}
 
+		for _, regex := range rule.FileTypes {
 
+			fileTypes = append(fileTypes, regexp.MustCompile(regex))
 
+		}
 
+
 
 		if err != nil {
 
 		if err != nil {
 
 			log.Errorf("could not create entropy range for %s, skipping rule", rule.Description)
 
 			log.Errorf("could not create entropy range for %s, skipping rule", rule.Description)
 
 			continue
 
 			continue
 
 		}
 
 		}
 
+
 
 		r := &Rule{
 
 		r := &Rule{
 
 			description: rule.Description,
 
 			description: rule.Description,
 
 			regex:       re,
 
 			regex:       re,
 
@@ -120,8 +129,14 @@ func (config *Config) update(tomlConfig TomlConfig) error {
 
 			tags:        rule.Tags,
 
 			tags:        rule.Tags,
 
 			entropies:   ranges,
 
 			entropies:   ranges,
 
 			entropyROI:  rule.EntropyROI,
 
 			entropyROI:  rule.EntropyROI,
 
+			fileTypes:   fileTypes,
 
+		}
 
+
 
+		if len(rule.Entropies) == 0 && rule.Regex == "" && len(fileTypes) != 0 {
 
+			config.FileRules = append(config.FileRules, r)
 
 		}
 
 		}
 
 		config.Rules = append(config.Rules, r)
 
 		config.Rules = append(config.Rules, r)
 
+
 
 	}
 
 	}
 
 
 
 	// set whitelists
 
 	// set whitelists

+ 16 - 0
src/constants.go
View File 

@@ -22,6 +22,7 @@ title = "gitleaks config"
 
 description = "AWS Key"
 
 description = "AWS Key"
 
 regex = '''AKIA[0-9A-Z]{16}'''
 
 regex = '''AKIA[0-9A-Z]{16}'''
 
 tags = ["key", "AWS"]
 
 tags = ["key", "AWS"]
 
+severity = "high"
 
 
 
 [[rules]]
 
 [[rules]]
 
 description = "PKCS8"
 
 description = "PKCS8"
 
@@ -63,6 +64,21 @@ description = "Slack"
 
 regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
 
 regex = '''xox[baprs]-([0-9a-zA-Z]{10,48})?'''
 
 tags = ["key", "Slack"]
 
 tags = ["key", "Slack"]
 
 
 
+[[rules]]
 
+description = "Generic Key"
 
+regex = '''(?i)key(.{0,6})?(:|=|=>|:=)'''
 
+entropies = ["4.1-4.3"]
 
+filetypes = [".gee"]
 
+entropyROI = "line"
 
+tags = ["key"]
 
+severity = "medium"
 
+
 
+[[rules]]
 
+description = "Any go file"
 
+filetypes = [".go"]
 
+tags = ["go files"]
 
+severity = "low"
 
+
 
 [whitelist]
 
 [whitelist]
 
 files = [
 
 files = [
 
   "(.*?)(jpg|gif|doc|pdf|bin)$"
 
   "(.*?)(jpg|gif|doc|pdf|bin)$"

+ 21 - 0
src/repo.go
View File 

@@ -241,6 +241,27 @@ func (repoInfo *RepoInfo) audit() ([]Leak, error) {
 
 					} else if to != nil {
 
 					} else if to != nil {
 
 						filePath = to.Path()
 
 						filePath = to.Path()
 
 					}
 
 					}
 
+
 
+					for _, fr := range config.FileRules {
 
+						for _, r := range fr.fileTypes {
 
+							if r.FindString(filePath) != "" {
 
+								commitInfo := &commitInfo{
 
+									repoName: repoInfo.name,
 
+									filePath: filePath,
 
+									sha:      c.Hash.String(),
 
+									author:   c.Author.Name,
 
+									email:    c.Author.Email,
 
+									message:  strings.Replace(c.Message, "\n", " ", -1),
 
+									date:     c.Author.When,
 
+								}
 
+								leak := *newLeak("N/A", fmt.Sprintf("filetype %s found", r.String()), r.String(), fr, commitInfo)
 
+								mutex.Lock()
 
+								leaks = append(leaks, leak)
 
+								mutex.Unlock()
 
+							}
 
+						}
 
+					}
 
+
 
 					for _, re := range config.WhiteList.files {
 
 					for _, re := range config.WhiteList.files {
 
 						if re.FindString(filePath) != "" {
 
 						if re.FindString(filePath) != "" {
 
 							log.Debugf("skipping whitelisted file (matched regex '%s'): %s", re.String(), filePath)
 
 							log.Debugf("skipping whitelisted file (matched regex '%s'): %s", re.String(), filePath)

+ 14 - 2
src/utils.go
View File 

@@ -41,9 +41,9 @@ func writeReport(leaks []Leak) error {
 
 		}
 
 		}
 
 		defer f.Close()
 
 		defer f.Close()
 
 		w := csv.NewWriter(f)
 
 		w := csv.NewWriter(f)
 
-		w.Write([]string{"repo", "line", "commit", "offender", "rule", "info", "tags", "commitMsg", "author", "email", "file", "date"})
 
+		w.Write([]string{"repo", "line", "commit", "offender", "rule", "info", "tags", "severity", "commitMsg", "author", "email", "file", "date"})
 
 		for _, leak := range leaks {
 
 		for _, leak := range leaks {
 
-			w.Write([]string{leak.Repo, leak.Line, leak.Commit, leak.Offender, leak.Rule, leak.Info, leak.Tags, leak.Message, leak.Author, leak.Email, leak.File, leak.Date.Format(time.RFC3339)})
 
+			w.Write([]string{leak.Repo, leak.Line, leak.Commit, leak.Offender, leak.Rule, leak.Info, leak.Tags, leak.Severity, leak.Message, leak.Author, leak.Email, leak.File, leak.Date.Format(time.RFC3339)})
 
 		}
 
 		}
 
 		w.Flush()
 
 		w.Flush()
 
 	} else {
 
 	} else {
 
@@ -86,10 +86,22 @@ func writeReport(leaks []Leak) error {
 
 func (rule *Rule) check(line string, commit *commitInfo) (*Leak, error) {
 
 func (rule *Rule) check(line string, commit *commitInfo) (*Leak, error) {
 
 	var (
 
 	var (
 
 		match       string
 
 		match       string
 
+		fileMatch   string
 
 		entropy     float64
 
 		entropy     float64
 
 		entropyWord string
 
 		entropyWord string
 
 	)
 
 	)
 
 
 
+	for _, f := range rule.fileTypes {
 
+		fileMatch = f.FindString(commit.filePath)
 
+		if fileMatch != "" {
 
+			break
 
+		}
 
+	}
 
+
 
+	if fileMatch == "" && len(rule.fileTypes) != 0 {
 
+		return nil, nil
 
+	}
 
+
 
 	if rule.entropies != nil {
 
 	if rule.entropies != nil {
 
 		if rule.entropyROI == "line" {
 
 		if rule.entropyROI == "line" {
 
 			_entropy := getShannonEntropy(line)
 
 			_entropy := getShannonEntropy(line)