Inicio Explorar Axuda
Iniciar sesión
LBP
/
gitleaks
réplica de https://github.com/gitleaks/gitleaks.git
4
0
Fork 0
Ficheiros Incidencias 0 Wiki
Árbore: 3be7faa1ff
Ramas Etiquetas
gitleaks
/
cmd
/
generate
/
config
/
rules
/
kubernetes.go

kubernetes.go 4.2 KB
Histórico Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768 
  1. package rules
    2. 

  2. 

  3. import (
    4. 

  4. 	"regexp"
    5. 

  5. 

  6. 	"github.com/zricethezav/gitleaks/v8/config"
    7. 

  7. )
    8. 

  8. 

  9. // The kubernetes rules are split into two functions to make the complex proximity matching of the data-key and the kind-identifier more readable and testable
    10. 

  10. 

  11. // KubernetesSecretWithDataBefore validates if we detected a kubernetes secret which contains data, before the resource identifier!
    12. 

  12. func KubernetesSecretWithDataBefore() *config.Rule {
    13. 

  13. 	// define rule
    14. 

  14. 	r := config.Rule{
    15. 

  15. 		RuleID:      "kubernetes-secret-with-data-before",
    16. 

  16. 		Description: "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments",
    17. 

  17. 		// We try to match secrets by looking if we have the keyword
    18. 

  18. 		Regex: generateUniqueTokenRegex(`(?i)(?:\b(?:data:))(\W+(?:\w+\W+){0,200}?)\bkind:.{0,10}Secret\b`, true),
    19. 

  19. 

  20. 		Keywords: []string{
    21. 

  21. 			"Secret",
    22. 

  22. 		},
    23. 

  23. 		// Kubernetes secrets are always yaml files, we limit to common yaml-endings to make this rule more safe!
    24. 

  24. 		Path: regexp.MustCompile(`(?i)\.ya?ml$`),
    25. 

  25. 	}
    26. 

  26. 

  27. 	// validate
    28. 

  28. 	tps := map[string]string{
    29. 

  29. 		// Sample Kubernetes Secret from https://kubernetes.io/docs/concepts/configuration/secret/
    30. 

  30. 		// These secrets contain the "data"-key before the actual identifier "kind: Secret"
    31. 

  31. 		"kubernetes.yaml": "apiVersion: v1'\n' data:'\n' extra: YmFyCg=='\n' kind: secret'\n' metadata:'\n' name: secret-sa-sample'\n' annotations:'\n' kubernetes.io/service-account.name: 'sa-name'",                                                  // gitleaks:allow
    32. 

  32. 		"kubernetes.yml":  "apiVersion: v1'\n' data:'\n' password: UyFCXCpkJHpEc2I9'\n' username: YWRtaW4='\n' kind: Secret'\n' metadata:'\n' creationTimestamp: '2022-06-28T17:44:13Z''\n' name: db-user-pass'\n' namespace: default'\n' type: Opaque", // gitleaks:allow
    33. 

  33. 		// Quoted Test Cases
    34. 

  34. 		"kubernetes-quoted-1.yaml": "apiVersion: v1'\n' data:'\n' extra: YmFyCg=='\n' kind: 'Secret''\n' metadata:'\n' name: 'secret-sa-sample''\n' annotations:'\n' kubernetes.io/service-account.name: 'sa-name'", // gitleaks:allow
    35. 

  35. 		"kubernetes-quoted-2.yaml": "apiVersion: v1'\n' data:'\n' extra: YmFyCg=='\n' kind: 'secret''\n' metadata:'\n' name: 'secret-sa-sample''\n' annotations:'\n' kubernetes.io/service-account.name: 'sa-name'", // gitleaks:allow
    36. 

  36. 	}
    37. 

  37. 	return validateWithPaths(r, tps, nil)
    38. 

  38. }
    39. 

  39. 

  40. // KubernetesSecretWithDataAfter validates if we detected a kubernetes secret which contains data, after the resource identifier!
    41. 

  41. func KubernetesSecretWithDataAfter() *config.Rule {
    42. 

  42. 	// define rule
    43. 

  43. 	r := config.Rule{
    44. 

  44. 		RuleID:      "kubernetes-secret-with-data-after",
    45. 

  45. 		Description: "Possible Kubernetes Secret detected, posing a risk of leaking credentials/tokens from your deployments",
    46. 

  46. 		// We try to match secrets by looking if we have the keyword
    47. 

  47. 		Regex: generateUniqueTokenRegex(`(?i)(?:\bkind:.{0,10}Secret\b)(?:.|\s){0,200}?\b(?:data:)\s*(.+)`, true),
    48. 

  48. 

  49. 		Keywords: []string{
    50. 

  50. 			"Secret",
    51. 

  51. 		},
    52. 

  52. 		// Kubernetes secrets are always yaml files, we limit to common yaml-endings to make this rule more safe!
    53. 

  53. 		Path: regexp.MustCompile(`(?i)\.ya?ml$`),
    54. 

  54. 	}
    55. 

  55. 

  56. 	// validate
    57. 

  57. 	tps := map[string]string{
    58. 

  58. 		// Sample Kubernetes Secret from https://kubernetes.io/docs/concepts/configuration/secret/
    59. 

  59. 		// These secrets contain the data after the  actual identifier "kind: Secret"
    60. 

  60. 		"kubernetes.yaml": "apiVersion: v1'\n' kind: secret'\n' data:'\n' extra: YmFyCg=='\n' metadata:'\n' name: secret-sa-sample'\n' annotations:'\n' kubernetes.io/service-account.name: 'sa-name'",                                                  // gitleaks:allow
    61. 

  61. 		"kubernetes.yml":  "apiVersion: v1'\n' kind: Secret'\n' data:'\n' password: UyFCXCpkJHpEc2I9'\n' username: YWRtaW4='\n' metadata:'\n' creationTimestamp: '2022-06-28T17:44:13Z''\n' name: db-user-pass'\n' namespace: default'\n' type: Opaque", // gitleaks:allow
    62. 

  62. 		// Quoted Test Cases
    63. 

  63. 		"kubernetes-quoted-1.yaml": "apiVersion: v1'\n' kind: 'Secret''\n' data:'\n' password: UyFCXCpkJHpEc2I9'\n' username: YWRtaW4='\n' metadata:'\n' name: db-user-pass'\n' namespace: default'\n' type: Opaque", // gitleaks:allow
    64. 

  64. 		"kubernetes-quoted-2.yaml": "apiVersion: v1'\n' kind: 'secret''\n' data:'\n' password: UyFCXCpkJHpEc2I9'\n' username: YWRtaW4='\n' metadata:'\n' name: db-user-pass'\n' namespace: default'\n' type: Opaque", // gitleaks:allow
    65. 

  65. 	}
    66. 

  66. 

  67. 	return validateWithPaths(r, tps, nil)
    68. 

  68. }
    69.