Acasă Explorează Ajutor
Autentificare
LBP
/
gitleaks
oglindă de https://github.com/gitleaks/gitleaks.git
4
0
Bifurcare 0
Fisiere Probleme 0 Wiki
Arbore: 0874ebcc3f
Ramuri Etichete
gitleaks
/
cmd
/
generate
/
config
/
rules
/
kubernetes.go

kubernetes.go 4.3 KB
Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869 
  1. package rules
    2. 

  2. 

  3. import (
    4. 

  4. 	"github.com/zricethezav/gitleaks/v8/cmd/generate/config/utils"
    5. 

  5. 	"regexp"
    6. 

  6. 

  7. 	"github.com/zricethezav/gitleaks/v8/config"
    8. 

  8. )
    9. 

  9. 

  10. // The kubernetes rules are split into two functions to make the complex proximity matching of the data-key and the kind-identifier more readable and testable
    11. 

  11. 

  12. // KubernetesSecretWithDataBefore validates if we detected a kubernetes secret which contains data, before the resource identifier!
    13. 

  13. func KubernetesSecretWithDataBefore() *config.Rule {
    14. 

  14. 	// define rule
    15. 

  15. 	r := config.Rule{
    16. 

  16. 		RuleID:      "kubernetes-secret-with-data-before",
    17. 

  17. 		Description: "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments",
    18. 

  18. 		// We try to match secrets by looking if we have the keyword
    19. 

  19. 		Regex: utils.GenerateUniqueTokenRegex(`(?i)(?:\b(?:data:))(\W+(?:\w+\W+){0,200}?)\bkind:.{0,10}Secret\b`, true),
    20. 

  20. 

  21. 		Keywords: []string{
    22. 

  22. 			"Secret",
    23. 

  23. 		},
    24. 

  24. 		// Kubernetes secrets are always yaml files, we limit to common yaml-endings to make this rule more safe!
    25. 

  25. 		Path: regexp.MustCompile(`(?i)\.ya?ml$`),
    26. 

  26. 	}
    27. 

  27. 

  28. 	// validate
    29. 

  29. 	tps := map[string]string{
    30. 

  30. 		// Sample Kubernetes Secret from https://kubernetes.io/docs/concepts/configuration/secret/
    31. 

  31. 		// These secrets contain the "data"-key before the actual identifier "kind: Secret"
    32. 

  32. 		"kubernetes.yaml": "apiVersion: v1'\n' data:'\n' extra: YmFyCg=='\n' kind: secret'\n' metadata:'\n' name: secret-sa-sample'\n' annotations:'\n' kubernetes.io/service-account.name: 'sa-name'",                                                  // gitleaks:allow
    33. 

  33. 		"kubernetes.yml":  "apiVersion: v1'\n' data:'\n' password: UyFCXCpkJHpEc2I9'\n' username: YWRtaW4='\n' kind: Secret'\n' metadata:'\n' creationTimestamp: '2022-06-28T17:44:13Z''\n' name: db-user-pass'\n' namespace: default'\n' type: Opaque", // gitleaks:allow
    34. 

  34. 		// Quoted Test Cases
    35. 

  35. 		"kubernetes-quoted-1.yaml": "apiVersion: v1'\n' data:'\n' extra: YmFyCg=='\n' kind: 'Secret''\n' metadata:'\n' name: 'secret-sa-sample''\n' annotations:'\n' kubernetes.io/service-account.name: 'sa-name'", // gitleaks:allow
    36. 

  36. 		"kubernetes-quoted-2.yaml": "apiVersion: v1'\n' data:'\n' extra: YmFyCg=='\n' kind: 'secret''\n' metadata:'\n' name: 'secret-sa-sample''\n' annotations:'\n' kubernetes.io/service-account.name: 'sa-name'", // gitleaks:allow
    37. 

  37. 	}
    38. 

  38. 	return utils.ValidateWithPaths(r, tps, nil)
    39. 

  39. }
    40. 

  40. 

  41. // KubernetesSecretWithDataAfter validates if we detected a kubernetes secret which contains data, after the resource identifier!
    42. 

  42. func KubernetesSecretWithDataAfter() *config.Rule {
    43. 

  43. 	// define rule
    44. 

  44. 	r := config.Rule{
    45. 

  45. 		RuleID:      "kubernetes-secret-with-data-after",
    46. 

  46. 		Description: "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments",
    47. 

  47. 		// We try to match secrets by looking if we have the keyword
    48. 

  48. 		Regex: utils.GenerateUniqueTokenRegex(`(?i)(?:\bkind:.{0,10}Secret\b)(?:.|\s){0,200}?\b(?:data:)\s*(.+)`, true),
    49. 

  49. 

  50. 		Keywords: []string{
    51. 

  51. 			"Secret",
    52. 

  52. 		},
    53. 

  53. 		// Kubernetes secrets are always yaml files, we limit to common yaml-endings to make this rule more safe!
    54. 

  54. 		Path: regexp.MustCompile(`(?i)\.ya?ml$`),
    55. 

  55. 	}
    56. 

  56. 

  57. 	// validate
    58. 

  58. 	tps := map[string]string{
    59. 

  59. 		// Sample Kubernetes Secret from https://kubernetes.io/docs/concepts/configuration/secret/
    60. 

  60. 		// These secrets contain the data after the  actual identifier "kind: Secret"
    61. 

  61. 		"kubernetes.yaml": "apiVersion: v1'\n' kind: secret'\n' data:'\n' extra: YmFyCg=='\n' metadata:'\n' name: secret-sa-sample'\n' annotations:'\n' kubernetes.io/service-account.name: 'sa-name'",                                                  // gitleaks:allow
    62. 

  62. 		"kubernetes.yml":  "apiVersion: v1'\n' kind: Secret'\n' data:'\n' password: UyFCXCpkJHpEc2I9'\n' username: YWRtaW4='\n' metadata:'\n' creationTimestamp: '2022-06-28T17:44:13Z''\n' name: db-user-pass'\n' namespace: default'\n' type: Opaque", // gitleaks:allow
    63. 

  63. 		// Quoted Test Cases
    64. 

  64. 		"kubernetes-quoted-1.yaml": "apiVersion: v1'\n' kind: 'Secret''\n' data:'\n' password: UyFCXCpkJHpEc2I9'\n' username: YWRtaW4='\n' metadata:'\n' name: db-user-pass'\n' namespace: default'\n' type: Opaque", // gitleaks:allow
    65. 

  65. 		"kubernetes-quoted-2.yaml": "apiVersion: v1'\n' kind: 'secret''\n' data:'\n' password: UyFCXCpkJHpEc2I9'\n' username: YWRtaW4='\n' metadata:'\n' name: db-user-pass'\n' namespace: default'\n' type: Opaque", // gitleaks:allow
    66. 

  66. 	}
    67. 

  67. 

  68. 	return utils.ValidateWithPaths(r, tps, nil)
    69. 

  69. }
    70.