صفحهٔ اصلی گشت‌و‌گذار راهنما
ورود
LBP
/
gitleaks
mirrorاز https://github.com/gitleaks/gitleaks.git
4
0
انشعاب 0
پرونده‌ها مشکلات 0 ویکی
درخت: 3f4d91fc22
شاخه‌ها تگ‌ها
gitleaks
/
cmd
/
generate
/
config
/
rules
/
hashicorp.go

hashicorp.go 2.2 KB
تاريخچه خام

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758 
  1. package rules
    2. 

  2. 

  3. import (
    4. 

  4. 	"fmt"
    5. 

  5. 

  6. 	"github.com/zricethezav/gitleaks/v8/cmd/generate/config/utils"
    7. 

  7. 	"github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
    8. 

  8. 	"github.com/zricethezav/gitleaks/v8/config"
    9. 

  9. 	"github.com/zricethezav/gitleaks/v8/regexp"
    10. 

  10. )
    11. 

  11. 

  12. func HashiCorpTerraform() *config.Rule {
    13. 

  13. 	// define rule
    14. 

  14. 	r := config.Rule{
    15. 

  15. 		RuleID:      "hashicorp-tf-api-token",
    16. 

  16. 		Description: "Uncovered a HashiCorp Terraform user/org API token, which may lead to unauthorized infrastructure management and security breaches.",
    17. 

  17. 		Regex:       regexp.MustCompile(`(?i)[a-z0-9]{14}\.(?-i:atlasv1)\.[a-z0-9\-_=]{60,70}`),
    18. 

  18. 		Entropy:     3.5,
    19. 

  19. 		Keywords:    []string{"atlasv1"},
    20. 

  20. 	}
    21. 

  21. 

  22. 	// validate
    23. 

  23. 	tps := utils.GenerateSampleSecrets("hashicorpToken", secrets.NewSecret(utils.Hex("14"))+".atlasv1."+secrets.NewSecret(utils.AlphaNumericExtended("60,70")))
    24. 

  24. 	tps = append(tps,
    25. 

  25. 		`#token = "hE1hlYILrSqpqh.atlasv1.ARjZuyzl33F71WR55s6ln5GQ1HWIwTDDH3MiRjz7OnpCfaCb1RCF5zGaSncCWmJdcYA"`,
    26. 

  26. 	)
    27. 

  27. 	fps := []string{
    28. 

  28. 		`token        = "xxxxxxxxxxxxxx.atlasv1.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"`, // low entropy
    29. 

  29. 	}
    30. 

  30. 	return utils.Validate(r, tps, fps)
    31. 

  31. }
    32. 

  32. 

  33. func HashicorpField() *config.Rule {
    34. 

  34. 	keywords := []string{"administrator_login_password", "password"}
    35. 

  35. 	// define rule
    36. 

  36. 	r := config.Rule{
    37. 

  37. 		RuleID:      "hashicorp-tf-password",
    38. 

  38. 		Description: "Identified a HashiCorp Terraform password field, risking unauthorized infrastructure configuration and security breaches.",
    39. 

  39. 		Regex:       utils.GenerateSemiGenericRegex(keywords, fmt.Sprintf(`"%s"`, utils.AlphaNumericExtended("8,20")), true),
    40. 

  40. 		Entropy:     2,
    41. 

  41. 		Path:        regexp.MustCompile(`(?i)\.(?:tf|hcl)$`),
    42. 

  42. 		Keywords:    keywords,
    43. 

  43. 	}
    44. 

  44. 

  45. 	tps := map[string]string{
    46. 

  46. 		// Example from: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server.html
    47. 

  47. 		"file.tf": "administrator_login_password = " + `"thisIsDog11"`,
    48. 

  48. 		// https://registry.terraform.io/providers/petoju/mysql/latest/docs
    49. 

  49. 		"file.hcl": "password       = " + `"rootpasswd"`,
    50. 

  50. 	}
    51. 

  51. 	fps := map[string]string{
    52. 

  52. 		"file.tf":      "administrator_login_password = var.db_password",
    53. 

  53. 		"file.hcl":     `password = "${aws_db_instance.default.password}"`,
    54. 

  54. 		"unrelated.js": "password       = " + `"rootpasswd"`,
    55. 

  55. 	}
    56. 

  56. 

  57. 	return utils.ValidateWithPaths(r, tps, fps)
    58. 

  58. }
    59.