Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
LBP
/
gitleaks
-ын хуулбар https://github.com/gitleaks/gitleaks.git
4
0
Салаа 0
Файлууд Асуудлууд 0 Мэдлэгийн сан
Салаа: master
Салаанууд Тагууд
gitleaks
/
cmd
/
generate
/
config
/
rules
/
1password.go

1password.go 5.9 KB
Байнгын холболт Түүх Анхны өгөгдөл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081 
  1. package rules
    2. 

  2. 

  3. import (
    4. 

  4. 	"github.com/zricethezav/gitleaks/v8/cmd/generate/config/utils"
    5. 

  5. 	"github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
    6. 

  6. 	"github.com/zricethezav/gitleaks/v8/config"
    7. 

  7. 	"github.com/zricethezav/gitleaks/v8/regexp"
    8. 

  8. )
    9. 

  9. 

  10. // https://developer.1password.com/docs/service-accounts/security/?token-example=encoded
    11. 

  11. func OnePasswordServiceAccountToken() *config.Rule {
    12. 

  12. 	// define rule
    13. 

  13. 	r := config.Rule{
    14. 

  14. 		RuleID:      "1password-service-account-token",
    15. 

  15. 		Description: "Uncovered a possible 1Password service account token, potentially compromising access to secrets in vaults.",
    16. 

  16. 		Regex:       regexp.MustCompile(`ops_eyJ[a-zA-Z0-9+/]{250,}={0,3}`),
    17. 

  17. 		Entropy:     4,
    18. 

  18. 		Keywords:    []string{"ops_"},
    19. 

  19. 	}
    20. 

  20. 

  21. 	// validate
    22. 

  22. 	tps := []string{
    23. 

  23. 		utils.GenerateSampleSecret("1password", secrets.NewSecret(`ops_eyJ[a-zA-Z0-9+/]{250,}={0,3}`)),
    24. 

  24. 		`### 1Password System Vault Name
    25. 

  25. export OP_SERVICE_ACCOUNT_TOKEN=ops_eyJzaWduSW5BZGRyZXNzIjoibXkuMXBhc3N3b3JkLmNvbSIsInVzZXJBdXRoIjp7Im1ldGhvZCI6IlNSUGctNDA5NiIsImFsZyI6IlBCRVMyZy1IUzI1NiIsIml0ZXJhdGlvbnMiOjY1MdAwMCwic2FsdCI6InE2dE0tYzNtRDhiNUp2OHh1YVzsUmcifSwiZW1haWwiOiJ5Z3hmcm0zb21oY3NtQDFwYXNzd29yZHNlcnZpY2VhY2NvdW50cy5jb20iLCJzcnBYIjoiM2E5NDdhZmZhMDQ5NTAxZjkxYzk5MGFiY2JiYWRlZjFjMjM5Y2Q3YTMxYmI1MmQyZjUzOTA2Y2UxOTA1OTYwYiIsIm11ayI6eyJhbGciOiJBMjU2R0NNIiwiZXh0Ijp0cnVlLCJrIjoiVVpleERsLVgyUWxpa0VqRjVUUjRoODhOd29ZcHRqSHptQmFTdlNrWGZmZyIsImtleV9vcHMiOlsiZW5jcnlwdCIsImRlY3J5cHQiXSwia3R5Ijoib2N0Iiwia2lkIjoibXAifSwic2VjcmV0S2V5IjoiQTMtNDZGUUVNLUVZS1hTQS1NUU0yUy04U0JSUS01QjZGUC1HS1k2ViIsInRocm90dGxlU2VjcmV0Ijp7InNlZWQiOiJjZmU2ZTU0NGUxZTlmY2NmZjJlYjBhYWZmYTEzNjZlMmE2ZmUwZDVlZGI2ZTUzOTVkZTljZmY0NDY3NDUxOGUxIiwidXVpZCI6IjNVMjRMNVdCNkpFQ0pEQlhJNFZOSTRCUzNRIn0sImRldmljZVV1aWQiOiJqaGVlY3F4cm41YTV6ZzRpMnlkbjRqd3U3dSJ9
    26. 

  26. `,
    27. 

  27. 		`PYTEST_SVC_ACCT_TOKEN=ops_eyJzaWduSW5BZGRyZXNzIjoiemFjaC1hbmQtbGVhbm5lLjFwYXNzd29yZC5jb20iLCJ1c2VyQXV0aCI6eyJtZXRob2QiOiJTUlBnLTQwOTYiLCJhbGciOiJQQkVLMmctSFMyNTYiLCJpdGVyYXRpb25zIjo2NTAwMDAsInNhbHQiOiJlYUZRQmNVemJyTHhnM2d4bHFQLVVBIn0sImVtYWlsIjoiMm9iNGRpeDdiNTdrYUAxcGFzc3dvcmRzZXJ2aWNlYWNjb3VudHMuY29tIiwic3JwWCI6ImVmZDY4YjNhZTkwMmRjZjRiMzEzYjE5MjYwZmY0OGUzMjU2ZDlhOGNkM2JmMmY3YzI2YzU1ZWJkNjZlZGU4NWEiLCJtdWsiOnsiYWxnIjoiQTI1NkdDTSIsImV4dCI6dHJ1ZSwiayI6IlMwaGE0SDhqbEhRblJCWmxvYnBmR1BneERmbS1pRGNkZWY0bFdYU0VSbmMiLCJrZXlfb3BzIjpbImRlY3J5cHQiLCJlbmNyeXB0Il0sImt0eSI6Im9jdCIsImtpZCI6Im1wIn0sInNlY3JldEtleSI6IkEzLUdHOUVRNi1LUzQ0QVctQU5QVkYtUkdQTDktQlNKUTMtR1NHR0giLCJ0aHJvdHRsZVNlY3JldCI6eyJzZWVkIjoiN2I0OTMxMmJiOTlkZTFiNjU5ODZkYzIzOWU4YWNmZWMxMTU0M2E2OGQxYmYwMjZmZTgzMjg3NWYxNmJlOWY2NiIsInV1aWQiOiJDV1RHQ0hMNlNWRkdSTlg0SzNENUJVSDZDSSJ9LCJkZXZpY2VVdWlkIjoiMnFld3JpaGtqbmt1Zmh6ZGdmZ2hnNmM1cGUifQ`,
    28. 

  28. 		`    "sourceContent": "ops_eyJlbWFpbCI6ImVqd2U2NHFtbHhocmlAMXBhc3N3b3Jkc2VydmljZWFjY291bnRzLmxjbCIsIm11ayI6eyJhbGciOiJBMjU2R0NNIiwiZXh0Ijp0cnVlLCJrIjoiTThWUGZJYzhWRWZUaGNNWExhS0NLRjhzTWg1Sk1ac1BBdHU5MmZRTmItbyIsImtleV9vcHMiOlsiZW5jcnlwdCIsImRlY3J5cHQiXSwia3R5Ijoib2N0Iiwia2lkIjoibXAifSwic2VjcmV0S2V5IjoiQTMtQzRaSk1OLVBRVFpUTC1IR0w4NC1HNjRNNy1LVlpSTi00WlZQNiIsInNycFgiOiI4NzBkNjdhOWU2MjY2MjVkOWUzNjg1MDc4MDRjOWMzMmU2NjFjNTdlN2U1NTg3NzgyOTFiZjI5ZDVhMjc5YWUxIiwic2lnbkluQWRkcmVzcyI6ImdvdGhhbS5iNWxvY2FsLmNvbTo0MDAwIiwidXNlckF1dGgiOnsibWV0aG9kIjoiU1JQZy00MDk2IiwiYWxnIjoiUEJFUzJnLUhTMjU2IiwiaXRlcmF0aW9ucyI6MTAwMDAwLCJzYWx0IjoiRk1SVVBpeXJONFhmXzhIb2g2WVJYUSJ9fQ\n\nops_token is secret.\n",`,
    29. 

  29. 	}
    30. 

  30. 	fps := []string{
    31. 

  31. 		// Invalid
    32. 

  32. 		`        login:
    33. 

  33.           serviceAccountToken:
    34. 

  34.             fn::secret: ops_eyJzaWduSW5B..[Redacted]`,
    35. 

  35. 		`: To start using this service account, run the following command:
    36. 

  36. :
    37. 

  37. : export OP_SERVICE_ACCOUNT_TOKEN=ops_eyJzaWduSW5BZGRyZXNzIjoiaHR0cHM6...`,
    38. 

  38. 		// Low entropy.
    39. 

  39. 		`ops_eyJxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx`,
    40. 

  40. 	}
    41. 

  41. 	return utils.Validate(r, tps, fps)
    42. 

  42. }
    43. 

  43. 

  44. // Reference:
    45. 

  45. // - https://1passwordstatic.com/files/security/1password-white-paper.pdf
    46. 

  46. func OnePasswordSecretKey() *config.Rule {
    47. 

  47. 	// 1Password secret keys include several hyphens but these are only for readability
    48. 

  48. 	// and are stripped during 1Password login. This means that the following are technically
    49. 

  49. 	// the same valid key:
    50. 

  50. 	//   - A3ASWWYB798JRYLJVD423DC286TVMH43EB
    51. 

  51. 	//   - A-3-A-S-W-W-Y-B-7-9-8-J-R-Y-L-J-V-D-4-2-3-D-C-2-8-6-T-V-M-H-4-3-E-B
    52. 

  52. 	// But in practice, when these keys are added to a vault, exported in an emergency kit, or
    53. 

  53. 	// copied, they have hyphens that follow one of two patterns I can find:
    54. 

  54. 	//   - A3-ASWWYB-798JRY-LJVD4-23DC2-86TVM-H43EB (every key I've generated has this pattern)
    55. 

  55. 	//   - A3-ASWWYB-798JRYLJVD4-23DC2-86TVM-H43EB  (the whitepaper includes this example, which could just be a typo)
    56. 

  56. 	// To avoid a complicated regex that checks for every possible situation it's probably best
    57. 

  57. 	// to scan for the these two patterns.
    58. 

  58. 	r := config.Rule{
    59. 

  59. 		Description: "Uncovered a possible 1Password secret key, potentially compromising access to secrets in vaults.",
    60. 

  60. 		RuleID:      "1password-secret-key",
    61. 

  61. 		Regex:       regexp.MustCompile(`\bA3-[A-Z0-9]{6}-(?:(?:[A-Z0-9]{11})|(?:[A-Z0-9]{6}-[A-Z0-9]{5}))-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}\b`),
    62. 

  62. 		Entropy:     3.8,
    63. 

  63. 		Keywords:    []string{"A3-"},
    64. 

  64. 	}
    65. 

  65. 

  66. 	// validate
    67. 

  67. 	tps := utils.GenerateSampleSecrets("1password", secrets.NewSecret(`A3-[A-Z0-9]{6}-[A-Z0-9]{11}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}`))
    68. 

  68. 	tps = append(tps, utils.GenerateSampleSecrets("1password", secrets.NewSecret(`A3-[A-Z0-9]{6}-[A-Z0-9]{6}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}-[A-Z0-9]{5}`))...)
    69. 

  69. 	tps = append(tps,
    70. 

  70. 		// from whitepaper
    71. 

  71. 		`A3-ASWWYB-798JRYLJVD4-23DC2-86TVM-H43EB`,
    72. 

  72. 		`A3-ASWWYB-798JRY-LJVD4-23DC2-86TVM-H43EB`,
    73. 

  73. 	)
    74. 

  74. 	fps := []string{
    75. 

  75. 		// low entropy
    76. 

  76. 		`A3-XXXXXX-XXXXXXXXXXX-XXXXX-XXXXX-XXXXX`,
    77. 

  77. 		// lowercase
    78. 

  78. 		`A3-xXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX`,
    79. 

  79. 	}
    80. 

  80. 	return utils.Validate(r, tps, fps)
    81. 

  81. }
    82.