ホーム エクスプローラ ヘルプ
サインイン
LBP
/
gitleaks
同期ミラー https://github.com/gitleaks/gitleaks.git
4
0
フォーク 0
ファイル 課題 0 Wiki
ツリー: 4e8d7d3790
ブランチ タグ
gitleaks
/
cmd
/
generate
/
config
/
rules
/
telegram.go

telegram.go 4.4 KB
履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081 
  1. package rules
    2. 

  2. 

  3. import (
    4. 

  4. 	"github.com/zricethezav/gitleaks/v8/cmd/generate/config/utils"
    5. 

  5. 	"regexp"
    6. 

  6. 

  7. 	"github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
    8. 

  8. 	"github.com/zricethezav/gitleaks/v8/config"
    9. 

  9. )
    10. 

  10. 

  11. func TelegramBotToken() *config.Rule {
    12. 

  12. 	// define rule
    13. 

  13. 	r := config.Rule{
    14. 

  14. 		Description: "Detected a Telegram Bot API Token, risking unauthorized bot operations and message interception on Telegram.",
    15. 

  15. 		RuleID:      "telegram-bot-api-token",
    16. 

  16. 

  17. 		Regex: regexp.MustCompile(`(?i:telegr(?:[0-9a-z\(-_\t .\\]{0,40})(?:[\s|']|[\s|"]){0,3})(?:=|\|\|:|<=|=>|:|\?=|\()(?:'|\"|\s|=|\x60){0,5}([0-9]{5,16}:A[a-z0-9_\-]{34})(?:['|\"|\n|\r|\s|\x60|;|\\]|$)`),
    18. 

  18. 		Keywords: []string{
    19. 

  19. 			"telegr",
    20. 

  20. 		},
    21. 

  21. 	}
    22. 

  22. 

  23. 	// validate
    24. 

  24. 	var (
    25. 

  25. 		validToken = secrets.NewSecret(utils.Numeric("8") + ":A" + utils.AlphaNumericExtendedShort("34"))
    26. 

  26. 		minToken   = secrets.NewSecret(utils.Numeric("5") + ":A" + utils.AlphaNumericExtendedShort("34"))
    27. 

  27. 		maxToken   = secrets.NewSecret(utils.Numeric("16") + ":A" + utils.AlphaNumericExtendedShort("34"))
    28. 

  28. 		// xsdWithToken = secrets.NewSecret(`<xsd:element name="AgencyIdentificationCode" type="` + Numeric("5") + `:A` + AlphaNumericExtendedShort("34") + `"/>`)
    29. 

  29. 	)
    30. 

  30. 	tps := []string{
    31. 

  31. 		// variable assignment
    32. 

  32. 		utils.GenerateSampleSecret("telegram", validToken),
    33. 

  33. 		// URL containing token TODO add another url based rule
    34. 

  34. 		// GenerateSampleSecret("url", "https://api.telegram.org/bot"+validToken+"/sendMessage"),
    35. 

  35. 		// object constructor
    36. 

  36. 		`const bot = new Telegraf("` + validToken + `")`,
    37. 

  37. 		// .env
    38. 

  38. 		`TELEGRAM_API_TOKEN = ` + validToken,
    39. 

  39. 		// YAML
    40. 

  40. 		`telegram bot: ` + validToken,
    41. 

  41. 		// Token with min bot_id
    42. 

  42. 		utils.GenerateSampleSecret("telegram", minToken),
    43. 

  43. 		// Token with max bot_id
    44. 

  44. 		utils.GenerateSampleSecret("telegram", maxToken),
    45. 

  45. 		// Valid token in XSD document TODO separate rule for this
    46. 

  46. 		// GenerateSampleSecret("telegram", xsdWithToken),
    47. 

  47. 	}
    48. 

  48. 

  49. 	var (
    50. 

  50. 		tooSmallToken                = secrets.NewSecret(utils.Numeric("4") + ":A" + utils.AlphaNumericExtendedShort("34"))
    51. 

  51. 		tooBigToken                  = secrets.NewSecret(utils.Numeric("17") + ":A" + utils.AlphaNumericExtendedShort("34"))
    52. 

  52. 		xsdAgencyIdentificationCode1 = secrets.NewSecret(`<xsd:element name="AgencyIdentificationCode" type="clm`+utils.Numeric("5")+":AgencyIdentificationCodeContentType") + `"/>`
    53. 

  53. 		xsdAgencyIdentificationCode2 = secrets.NewSecret(`token:"clm` + utils.Numeric("5") + `:AgencyIdentificationCodeContentType"`)
    54. 

  54. 		xsdAgencyIdentificationCode3 = secrets.NewSecret(`<xsd:element name="AgencyIdentificationCode" type="clm` + utils.Numeric("8") + `:AgencyIdentificationCodeContentType"/>`)
    55. 

  55. 		prefixedToken1               = secrets.NewSecret(`telegram_api_token = \"` + utils.Numeric("8") + `:Ahello` + utils.AlphaNumericExtendedShort("34") + `\"`)
    56. 

  56. 		prefixedToken2               = secrets.NewSecret(`telegram_api_token = \"` + utils.Numeric("8") + `:A-some-other-thing-` + utils.AlphaNumericExtendedShort("34") + `\"`)
    57. 

  57. 		prefixedToken3               = secrets.NewSecret(`telegram_api_token = \"` + utils.Numeric("8") + `:A_` + utils.AlphaNumericExtendedShort("34") + `\"`)
    58. 

  58. 		suffixedToken1               = secrets.NewSecret(`telegram_api_token = \"` + utils.Numeric("8") + `:A` + utils.AlphaNumericExtendedShort("34") + `hello\"`)
    59. 

  59. 		suffixedToken2               = secrets.NewSecret(`telegram_api_token = \"` + utils.Numeric("8") + `:A` + utils.AlphaNumericExtendedShort("34") + `-some-other-thing\"`)
    60. 

  60. 		suffixedToken3               = secrets.NewSecret(`telegram_api_token = \"` + utils.Numeric("8") + `:A_` + utils.AlphaNumericExtendedShort("34") + `_\"`)
    61. 

  61. 	)
    62. 

  62. 	fps := []string{
    63. 

  63. 		// Token with too small bot_id
    64. 

  64. 		utils.GenerateSampleSecret("telegram", tooSmallToken),
    65. 

  65. 		// Token with too big bot_id
    66. 

  66. 		utils.GenerateSampleSecret("telegram", tooBigToken),
    67. 

  67. 		// XSD file containing the string AgencyIdentificationCodeContentType
    68. 

  68. 		utils.GenerateSampleSecret("telegram", xsdAgencyIdentificationCode1),
    69. 

  69. 		utils.GenerateSampleSecret("telegram", xsdAgencyIdentificationCode2),
    70. 

  70. 		utils.GenerateSampleSecret("telegram", xsdAgencyIdentificationCode3),
    71. 

  71. 		// Prefix and suffix variations that shouldn't match
    72. 

  72. 		utils.GenerateSampleSecret("telegram", prefixedToken1),
    73. 

  73. 		utils.GenerateSampleSecret("telegram", prefixedToken2),
    74. 

  74. 		utils.GenerateSampleSecret("telegram", prefixedToken3),
    75. 

  75. 		utils.GenerateSampleSecret("telegram", suffixedToken1),
    76. 

  76. 		utils.GenerateSampleSecret("telegram", suffixedToken2),
    77. 

  77. 		utils.GenerateSampleSecret("telegram", suffixedToken3),
    78. 

  78. 	}
    79. 

  79. 

  80. 	return utils.Validate(r, tps, fps)
    81. 

  81. }
    82.