package rules import ( "fmt" "github.com/zricethezav/gitleaks/v8/cmd/generate/config/utils" "github.com/zricethezav/gitleaks/v8/config" "github.com/zricethezav/gitleaks/v8/regexp" ) // https://curl.se/docs/manpage.html#-u func CurlBasicAuth() *config.Rule { r := config.Rule{ RuleID: "curl-auth-user", Description: "Discovered a potential basic authorization token provided in a curl command, which could compromise the curl accessed resource.", Regex: regexp.MustCompile(`\bcurl\b(?:.*|.*(?:[\r\n]{1,2}.*){1,5})[ \t\n\r](?:-u|--user)(?:=|[ \t]{0,5})("(:[^"]{3,}|[^:"]{3,}:|[^:"]{3,}:[^"]{3,})"|'([^:']{3,}:[^']{3,})'|((?:"[^"]{3,}"|'[^']{3,}'|[\w$@.-]+):(?:"[^"]{3,}"|'[^']{3,}'|[\w${}@.-]+)))(?:\s|\z)`), Keywords: []string{"curl"}, Entropy: 2, Allowlists: []*config.Allowlist{ { Regexes: []*regexp.Regexp{ regexp.MustCompile(`[^:]+:(?:change(?:it|me)|pass(?:word)?|pwd|test|token|\*+|x+)`), // common placeholder passwords regexp.MustCompile(`['"]?<[^>]+>['"]?:['"]?<[^>]+>|<[^:]+:[^>]+>['"]?`), // regexp.MustCompile(`[^:]+:\[[^]]+]`), // [placeholder] regexp.MustCompile(`['"]?[^:]+['"]?:['"]?\$(?:\d|\w+|\{(?:\d|\w+)})['"]?`), // $1 or $VARIABLE regexp.MustCompile(`\$\([^)]+\):\$\([^)]+\)`), // $(cat login.txt) regexp.MustCompile(`['"]?\$?{{[^}]+}}['"]?:['"]?\$?{{[^}]+}}['"]?`), // ${{ secrets.FOO }} or {{ .Values.foo }} }, }, }, } // validate tps := []string{ // short `curl --cacert ca.crt -u elastic:P@ssw0rd$1 https://localhost:9200`, // same lines, no quotes `sh-5.0$ curl -k -X POST https://infinispan:11222/rest/v2/caches/default/hello \ -H 'Content-type: text/plain' \ -d 'world' \ -u developer:yqDVtkqPECriaLRi`, // different line `curl -u ":d2LkV78zLx!t" https://localhost:9200`, // empty username `curl -u "d2LkV78zLx!t:" https://localhost:9200`, // empty password // long `curl -sw '%{http_code}' -X POST --user 'johns:h0pk1ns~21s' $GItHUB_API_URL/$GIT_COMMIT --data`, `curl --user roger23@gmail.com:pQ9wTxu4Fg https://www.dropbox.com/cli_link?host_id=abcdefg -v`, // same line, no quotes `curl -s --user 'api:d2LkV78zLx!t' \ https://api.mailgun.net/v2/sandbox91d3515882ecfaa1c65be642.mailgun.org/messages`, // same line, single quotes `curl -s -v --user "j.smith:dB2yF6@qL9vZm1P#4J" "https://api.contoso.org/user/me"`, // same line, double quotes `curl -X POST --user "{acd3c08b-74e8-4f44-a2d0-80694le24f46}":"{ZqL5kVrX1n8tA2}" --header "Accept: application/json" --data "{\"text\":\"Hello, world\",\"source\":\"en\",\"target\":\"es\"}" https://gateway.watsonplatform.net/language-translator/api`, `curl --user kevin:'pRf7vG2h1L8nQkW9' -iX PATCH -H "Content-Type: application/json" -d`, // same line, mixed quoting `$ curl https://api.dropbox.com/oauth2/token \ --user c28wlsosanujy2z:qgsnai0xokrw4j1 --data grant_type=authorization_code`, // different line // TODO //` curl -s --insecure --url "imaps://whatever.imap.server" --user\ //"myuserid:mypassword" --request "STATUS INBOX (UNSEEN)"`, } fps := []string{ // short `curl -i -u 'test:test'`, ` curl -sL --user "$1:$2" "$3" > "$4"`, // environment variable `curl -u https://test.com/endpoint`, // placeholder `curl --user neo4j:[PASSWORD] http://[IP]:7474/db/data/`, // placeholder `curl -u "myusername" http://localhost:15130/api/check_user/`, // no password `curl -u username:token`, `curl -u "${_username}:${_password}"`, `curl -u "${username}":"${password}"`, `curl -k -X POST -I -u "SRVC_JENKINS:${APPID}"`, `curl -u ":" https://localhost:9200`, // empty username and password // long `curl -sw '%{http_code}' -X POST --user '$USERNAME:$PASSWORD' $GItHUB_API_URL/$GIT_COMMIT --data`, `curl --user "xxx:yyy"`, ` curl -sL --user "$GITHUB_USERNAME:$GITHUB_PASSWORD" "$GITHUB_URL" > "$TESTS_PATH"`, // environment variable // variable interpolation `curl --silent --fail {{- if and $.Values.username $.Values.password }} --user "{{ $.Values.username }}:{{ $.Values.password }}"`, `curl -XGET -i -u "${{ env.ELK_ID }}:${{ build.env.ELK_PASS }}"`, `curl -XGET -i -u "${{needs.vault.outputs.account_id}}:${{needs.vault.outputs.account_password}}"`, `curl -XGET -i -u "${{ steps.vault.outputs.account_id }}:${{ steps.vault.outputs.account_password }}"`, `curl -X POST --user "$(cat ./login.txt):$(cat ./password.txt)"`, // command `curl http://127.0.0.1:5000/file --user user:pass --digest # digest auth`, // placeholder ` curl -X GET --insecure --user "username:password" \`, // placeholder `curl --silent --insecure --user ${f5user}:${f5pass} \`, // placeholder `curl --insecure --ssl-reqd "smtps://smtp.gmail.com" --mail-from "src@gmail.com" --mail-rcpt "dst@gmail.com" --user "src@gmail.com" --upload-file out.txt`, // no password // different command `#HTTP command line test curl -X POST -H "Content-Type: application/json" -d '{"id":12345,"geo":{"latitude":28.50,"longitude":-81.14}}' http://:8080/serve #UDP command line test echo -n '{"type":"serve","channel":"/","data":{"site_id":8,"post_id":12345,"geo":{"lat":28.50,"long":-81.14}}}' >/dev/udp/127.0.0.1/41234 #UDP Listener (for confirmation) nc -u -l 41234`, } return utils.Validate(r, tps, fps) } // https://curl.se/docs/manpage.html#-H func CurlHeaderAuth() *config.Rule { // language=regexp authPat := `(?i)(?:Authorization:[ \t]{0,5}(?:Basic[ \t]([a-z0-9+/]{8,}={0,3})|(?:Bearer|(?:Api-)?Token)[ \t]([\w=~@.+/-]{8,})|([\w=~@.+/-]{8,}))|(?:(?:X-(?:[a-z]+-)?)?(?:Api-?)?(?:Key|Token)):[ \t]{0,5}([\w=~@.+/-]{8,}))` r := config.Rule{ RuleID: "curl-auth-header", Description: "Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.", Regex: regexp.MustCompile( // language=regexp fmt.Sprintf(`\bcurl\b(?:.*?|.*?(?:[\r\n]{1,2}.*?){1,5})[ \t\n\r](?:-H|--header)(?:=|[ \t]{0,5})(?:"%s"|'%s')(?:\B|\s|\z)`, authPat, authPat)), Entropy: 2.75, Keywords: []string{"curl"}, //Allowlists: []*config.Allowlist{ // { // Regexes: []*regexp.Regexp{}, // }, //}, } tps := []string{ `curl --header 'Authorization: 5eb4223e-5008-46e5-be67-c7b8f2732305'`, // Short flag. `curl -H 'Authorization: Basic YnJvd3Nlcjo=' \`, // same line, single quotes // TODO: Handle short flags combined. //`TOKEN=$(curl -sH "Authorization: Basic $BASIC_TOKEN" "https://$REGISTRY/oauth2/token?service=$REGISTRY&scope=repository:$REPO:pull" | jq -r .access_token)`, // Long flag. `curl -k -X POST --header "Authorization: Basic djJlNEpYa0NJUHZ5a2FWT0VRXzRqZmZUdDkwYTp2emNBZGFzZWpmlWZiUDc2VUJjNDNNVDExclVh" "https://api-qa.example.com:8243/token" -d "grant_type=client_credentials"`, // same line, double quotes // Basic auth. `curl -X POST -H "Content-Type: application/json" \ -H "Authorization: Basic MzUzYjMwMmM0NDU3NGY1NjUwNDU2ODdlNTM0ZTdkNmE6Mjg2OTI0Njk3ZTYxNWE2NzJhNjQ2YTQ5MzU0NTY0NmM=" \ -d '{"user":{"emailAddress":"test@example.com"}, "password":"password"}' \ 'http://localhost:8080/oauth2-provider/v1.0/users'`, // different line, double quotes `#curl -X POST \ # https://api.mailgun.net/v3/sandbox7dbcabccd4314c123e8b23599d35f5b6.mailgun.org/messages \ # -H 'Authorization: Basic YXBpOmtleS1hN2MzNDJ3MzNhNWQxLTU2M2U3MjlwLTZhYjI3YzYzNzM0Ng==' \ # -F from='Excited User ' \ # -F to='joe@example.com' \ # -F subject='Hello' \ # -F text='Testing some Mailgun awesomness!'`, // different line, single quotes // Bearer auth `# curl -X GET "http://localhost:3000/api/cron/status" -H "Authorization: Bearer cfcabd11c7ed9a41b1a3e063c32d5114"`, // same line, double quotes `curl -X PUT -H 'Authorization: Bearer jC+6TUUjCNHcVtAXpcqBCgxnA8r+qD6MatnYaf/+289y7HWpK0BWPyLHv/K4DMN32fufwmeVVjlo8zjgBh8kx3GfS6IqO70w1DVMSCTwX7fhEpiXaxzv0mhSMHDX9Kw63Q6DkavUWUV+MDNhCF5wGQrcdQNncVRF3YkuDHDT/xw2YWyZ/DX8k+gAYiC8gcD8Ueg0ljBVS1IDwPjuGoFPESJVxYr0MDPF2D8Pn2S5rq692U4D9ZLuluS46VA4DK6ig5P7QM5XVXi4V7vXM8qpN/zqneyz+w4PUh6NIX7QG6JczMhYd9maWRWVat5jDdyII63P6sNAy9QZjw+ClW211Q==' -d 'user={"account":"user@domain.com", "roles":["user"]}' http://127.0.0.1:8443/desks/1/occupy`, // same line, single quotes `curl https://api.openai.com/v1/chat/completions \ -H "Content-Type: application/json" \ -H "Authorization: Bearer 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" \`, // different line, double quotes `curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \ -H "Authorization: Bearer _FXNljbSRYMWx3TWrd7lgKhLtVZX6iskC8Wcbb4b" \ -H "Content-Type:application/json"`, `curl -H "Authorization: Bearer sha256~bRLFnzd59Z3XpZH5_seJPHALOuvbWiKwbFKSsoALkgp"`, // Token auth `curl -H "Authorization: Api-Token 22cb987851bc5659l29114c62e60c79abd0d2c08" --request PUT https://appsecclass.report/api/use/635`, // token `curl -H "Authorization: Token 22cb987851bc5659229114c62e60c79abd0d2c08" --request PUT https://appsecclass.report/api/use/635`, // token // Nothing `curl -L -H "Authorization:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWRlbmNlIjowLjh9.kvRPfjAhLhtRTczoRgctVGp7KY1QVH3UBZM-gM0x8ec" service1.local -> correct jwt `, // no prefix `curl -L -H "Authorization: sha256~bRLFnzd5@=-.a+/hgdS"`, // no prefix // Non-authorization headers. `curl -X GET \ -H "apikey: c4ed6c21-9dd5-4a05-8e3f-c56d1151cce8" \ -H "Accept: application/json" \`, // apikey `curl -X POST --header "Api-Token: Sk94HG7f6KB"`, // api-token `curl -XPOST http://localhost:8080/api/tasks -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -H "Token: 3fea6af1349166ea" -d "content=hello-curl"`, // token `curl -X GET https://octopus.corp.net/ -H "X-Octopus-ApiKey: 3a16750d-d363-41a4-8ebd-035408f7730f" \`, // X-$thing-ApiKey } fps := []string{ // Placeholders `curl https://example.com/micropub -d h=entry -d "content=Hello World" -H "Authorization: Bearer XXXXXXXXXXXX"`, `curl -X POST https://accounts.spotify.com/api/token -d grant_type=client_credentials --header "Authorization: Basic ..."`, `curl \ -H "Authorization: Bearer " \ "https://api.openverse.org/v1/audio/?q=test"`, `curl -v -v -v -X POST https://domain/api/v1/authentication/sso/login-url/ \ -H 'Content-Type: application/json' \ -H "Authorization: Token **********" \ -d '{"username": "test", "next": "/luna/"}'`, // Variables `curl -XPOST http://localhost:8080/api/token -H "Authorization: basic {base64(email:password[\n])}" => token`, // same line, invalid base64 `curl -X GET \ -H "apikey: $API_KEY" \ -H "Accept: $FORMAT" \ "$API_URL/rest/v1/stats_derniere_labellisation"`, // API Key placeholder `$ curl -X POST "http://localhost:8000/v1/chat/completions" \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $API_KEY" \ -d '{ "model": "chatglm3-6b-32k", "messages": [{"role": "system", "content": "You are a helpful assistant."}, {"role": "user", "content": "Hello!"}] }'`, // different line, placeholder `curl -X GET -H "Content-Type: application/json" -H "Authorization: Bearer $(gcloud auth print-access-token)" https://workflowexecutions.googleapis.com/v1/projects/244283331594/locations/us-central1/workflows/sample-workflow/executions/43c925aa-514a-44c1-a0a4-a9f8f26fd2cb/callbacks/1705791f-d446-4e92-a6d0-a13622422e80_31864a51-8c13-4b03-ad4d-945cdc8d0631`, // script // Not valid BASIC `curl -X POST -H "Content-Type: application/json" -H "Authorization: Basic eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb25maWRlbmNlIjowLjh9.kvRPfjAhLhtRTczoRgctVGp7KY1QVH3UBZM-gM0x8ec" \`, } return utils.Validate(r, tps, fps) }