Главная Обзор Помощь
Вход
LBP
/
gitleaks
зеркало из https://github.com/gitleaks/gitleaks.git
4
0
Ответвить 0
Файлы Задачи 0 Вики
Дерево: fe94ef9ca3
Ветки Метки
gitleaks
/
cmd
/
generate
/
config
/
rules
/
telegram.go

telegram.go 3.9 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384 
  1. package rules
    2. 

  2. 

  3. import (
    4. 

  4. 	"regexp"
    5. 

  5. 

  6. 	"github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
    7. 

  7. 	"github.com/zricethezav/gitleaks/v8/config"
    8. 

  8. )
    9. 

  9. 

  10. func TelegramBotToken() *config.Rule {
    11. 

  11. 	// define rule
    12. 

  12. 	r := config.Rule{
    13. 

  13. 		Description: "Detected a Telegram Bot API Token, risking unauthorized bot operations and message interception on Telegram.",
    14. 

  14. 		RuleID:      "telegram-bot-api-token",
    15. 

  15. 

  16. 		Regex: regexp.MustCompile(`(?i)(?:^|\b|bot)([0-9]{5,16}:A[a-z0-9_\-]{34})(?:$|\b[^_\-])`),
    17. 

  17. 		Keywords: []string{
    18. 

  18. 			"telegram",
    19. 

  19. 			"api",
    20. 

  20. 			"bot",
    21. 

  21. 			"token",
    22. 

  22. 			"url",
    23. 

  23. 		},
    24. 

  24. 	}
    25. 

  25. 

  26. 	// validate
    27. 

  27. 	var (
    28. 

  28. 		validToken   = secrets.NewSecret(numeric("8") + ":A" + alphaNumericExtendedShort("34"))
    29. 

  29. 		minToken     = secrets.NewSecret(numeric("5") + ":A" + alphaNumericExtendedShort("34"))
    30. 

  30. 		maxToken     = secrets.NewSecret(numeric("16") + ":A" + alphaNumericExtendedShort("34"))
    31. 

  31. 		xsdWithToken = secrets.NewSecret(`<xsd:element name="AgencyIdentificationCode" type="` + numeric("5") + `:A` + alphaNumericExtendedShort("34") + `"/>`)
    32. 

  32. 	)
    33. 

  33. 	tps := []string{
    34. 

  34. 		// variable assignment
    35. 

  35. 		generateSampleSecret("telegram", validToken),
    36. 

  36. 		// URL containing token
    37. 

  37. 		generateSampleSecret("url", "https://api.telegram.org/bot"+validToken+"/sendMessage"),
    38. 

  38. 		// object constructor
    39. 

  39. 		`const bot = new Telegraf("` + validToken + `")`,
    40. 

  40. 		// .env
    41. 

  41. 		`API_TOKEN = ` + validToken,
    42. 

  42. 		// YAML
    43. 

  43. 		`bot: ` + validToken,
    44. 

  44. 		// Token with min bot_id
    45. 

  45. 		generateSampleSecret("telegram", minToken),
    46. 

  46. 		// Token with max bot_id
    47. 

  47. 		generateSampleSecret("telegram", maxToken),
    48. 

  48. 		// Valid token in XSD document
    49. 

  49. 		generateSampleSecret("telegram", xsdWithToken),
    50. 

  50. 	}
    51. 

  51. 

  52. 	var (
    53. 

  53. 		tooSmallToken                = secrets.NewSecret(numeric("4") + ":A" + alphaNumericExtendedShort("34"))
    54. 

  54. 		tooBigToken                  = secrets.NewSecret(numeric("17") + ":A" + alphaNumericExtendedShort("34"))
    55. 

  55. 		xsdAgencyIdentificationCode1 = secrets.NewSecret(`<xsd:element name="AgencyIdentificationCode" type="clm`+numeric("5")+":AgencyIdentificationCodeContentType") + `"/>`
    56. 

  56. 		xsdAgencyIdentificationCode2 = secrets.NewSecret(`token:"clm` + numeric("5") + `:AgencyIdentificationCodeContentType"`)
    57. 

  57. 		xsdAgencyIdentificationCode3 = secrets.NewSecret(`<xsd:element name="AgencyIdentificationCode" type="clm` + numeric("8") + `:AgencyIdentificationCodeContentType"/>`)
    58. 

  58. 		prefixedToken1               = secrets.NewSecret(`telegram_api_token = \"` + numeric("8") + `:Ahello` + alphaNumericExtendedShort("34") + `\"`)
    59. 

  59. 		prefixedToken2               = secrets.NewSecret(`telegram_api_token = \"` + numeric("8") + `:A-some-other-thing-` + alphaNumericExtendedShort("34") + `\"`)
    60. 

  60. 		prefixedToken3               = secrets.NewSecret(`telegram_api_token = \"` + numeric("8") + `:A_` + alphaNumericExtendedShort("34") + `\"`)
    61. 

  61. 		suffixedToken1               = secrets.NewSecret(`telegram_api_token = \"` + numeric("8") + `:A` + alphaNumericExtendedShort("34") + `hello\"`)
    62. 

  62. 		suffixedToken2               = secrets.NewSecret(`telegram_api_token = \"` + numeric("8") + `:A` + alphaNumericExtendedShort("34") + `-some-other-thing\"`)
    63. 

  63. 		suffixedToken3               = secrets.NewSecret(`telegram_api_token = \"` + numeric("8") + `:A_` + alphaNumericExtendedShort("34") + `_\"`)
    64. 

  64. 	)
    65. 

  65. 	fps := []string{
    66. 

  66. 		// Token with too small bot_id
    67. 

  67. 		generateSampleSecret("telegram", tooSmallToken),
    68. 

  68. 		// Token with too big bot_id
    69. 

  69. 		generateSampleSecret("telegram", tooBigToken),
    70. 

  70. 		// XSD file containing the string AgencyIdentificationCodeContentType
    71. 

  71. 		generateSampleSecret("telegram", xsdAgencyIdentificationCode1),
    72. 

  72. 		generateSampleSecret("telegram", xsdAgencyIdentificationCode2),
    73. 

  73. 		generateSampleSecret("telegram", xsdAgencyIdentificationCode3),
    74. 

  74. 		// Prefix and suffix variations that shouldn't match
    75. 

  75. 		generateSampleSecret("telegram", prefixedToken1),
    76. 

  76. 		generateSampleSecret("telegram", prefixedToken2),
    77. 

  77. 		generateSampleSecret("telegram", prefixedToken3),
    78. 

  78. 		generateSampleSecret("telegram", suffixedToken1),
    79. 

  79. 		generateSampleSecret("telegram", suffixedToken2),
    80. 

  80. 		generateSampleSecret("telegram", suffixedToken3),
    81. 

  81. 	}
    82. 

  82. 

  83. 	return validate(r, tps, fps)
    84. 

  84. }
    85.