Home Explore Help
Sign In
LBP
/
gitleaks
mirror of https://github.com/gitleaks/gitleaks.git
4
0
Fork 0
Files Issues 0 Wiki
Tree: v8.23.2
Branches Tags
gitleaks
/
cmd
/
generate
/
config
/
rules
/
telegram.go

telegram.go 4.3 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879 
  1. package rules
    2. 

  2. 

  3. import (
    4. 

  4. 	"github.com/zricethezav/gitleaks/v8/cmd/generate/config/utils"
    5. 

  5. 	"github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
    6. 

  6. 	"github.com/zricethezav/gitleaks/v8/config"
    7. 

  7. )
    8. 

  8. 

  9. func TelegramBotToken() *config.Rule {
    10. 

  10. 	// define rule
    11. 

  11. 	r := config.Rule{
    12. 

  12. 		Description: "Detected a Telegram Bot API Token, risking unauthorized bot operations and message interception on Telegram.",
    13. 

  13. 		RuleID:      "telegram-bot-api-token",
    14. 

  14. 

  15. 		Regex: utils.GenerateSemiGenericRegex([]string{"telegr"}, "[0-9]{5,16}:(?-i:A)[a-z0-9_\\-]{34}", true),
    16. 

  16. 		Keywords: []string{
    17. 

  17. 			"telegr",
    18. 

  18. 		},
    19. 

  19. 	}
    20. 

  20. 

  21. 	// validate
    22. 

  22. 	var (
    23. 

  23. 		validToken = secrets.NewSecret(utils.Numeric("8") + ":A" + utils.AlphaNumericExtendedShort("34"))
    24. 

  24. 		minToken   = secrets.NewSecret(utils.Numeric("5") + ":A" + utils.AlphaNumericExtendedShort("34"))
    25. 

  25. 		maxToken   = secrets.NewSecret(utils.Numeric("16") + ":A" + utils.AlphaNumericExtendedShort("34"))
    26. 

  26. 		// xsdWithToken = secrets.NewSecret(`<xsd:element name="AgencyIdentificationCode" type="` + Numeric("5") + `:A` + AlphaNumericExtendedShort("34") + `"/>`)
    27. 

  27. 	)
    28. 

  28. 	// variable assignment
    29. 

  29. 	tps := utils.GenerateSampleSecrets("telegram", validToken)
    30. 

  30. 	// Token with min bot_id
    31. 

  31. 	tps = append(tps, utils.GenerateSampleSecrets("telegram", minToken)...)
    32. 

  32. 	// Token with max bot_id
    33. 

  33. 	tps = append(tps, utils.GenerateSampleSecrets("telegram", maxToken)...)
    34. 

  34. 	tps = append(tps,
    35. 

  35. 		// URL containing token TODO add another url based rule
    36. 

  36. 		// GenerateSampleSecret("url", "https://api.telegram.org/bot"+validToken+"/sendMessage"),
    37. 

  37. 		// object constructor
    38. 

  38. 		//TODO: `const bot = new Telegraf("`+validToken+`")`,
    39. 

  39. 		// .env
    40. 

  40. 		`TELEGRAM_API_TOKEN = `+validToken,
    41. 

  41. 		// YAML
    42. 

  42. 		`telegram bot: `+validToken,
    43. 

  43. 		// Valid token in XSD document TODO separate rule for this
    44. 

  44. 		// generateSampleSecret("telegram", xsdWithToken),
    45. 

  45. 	)
    46. 

  46. 

  47. 	var (
    48. 

  48. 		tooSmallToken                = secrets.NewSecret(utils.Numeric("4") + ":A" + utils.AlphaNumericExtendedShort("34"))
    49. 

  49. 		tooBigToken                  = secrets.NewSecret(utils.Numeric("17") + ":A" + utils.AlphaNumericExtendedShort("34"))
    50. 

  50. 		xsdAgencyIdentificationCode1 = secrets.NewSecret(`<xsd:element name="AgencyIdentificationCode" type="clm`+utils.Numeric("5")+":AgencyIdentificationCodeContentType") + `"/>`
    51. 

  51. 		xsdAgencyIdentificationCode2 = secrets.NewSecret(`token:"clm` + utils.Numeric("5") + `:AgencyIdentificationCodeContentType"`)
    52. 

  52. 		xsdAgencyIdentificationCode3 = secrets.NewSecret(`<xsd:element name="AgencyIdentificationCode" type="clm` + utils.Numeric("8") + `:AgencyIdentificationCodeContentType"/>`)
    53. 

  53. 		prefixedToken1               = secrets.NewSecret(`telegram_api_token = \"` + utils.Numeric("8") + `:Ahello` + utils.AlphaNumericExtendedShort("34") + `\"`)
    54. 

  54. 		prefixedToken2               = secrets.NewSecret(`telegram_api_token = \"` + utils.Numeric("8") + `:A-some-other-thing-` + utils.AlphaNumericExtendedShort("34") + `\"`)
    55. 

  55. 		prefixedToken3               = secrets.NewSecret(`telegram_api_token = \"` + utils.Numeric("8") + `:A_` + utils.AlphaNumericExtendedShort("34") + `\"`)
    56. 

  56. 		suffixedToken1               = secrets.NewSecret(`telegram_api_token = \"` + utils.Numeric("8") + `:A` + utils.AlphaNumericExtendedShort("34") + `hello\"`)
    57. 

  57. 		suffixedToken2               = secrets.NewSecret(`telegram_api_token = \"` + utils.Numeric("8") + `:A` + utils.AlphaNumericExtendedShort("34") + `-some-other-thing\"`)
    58. 

  58. 		suffixedToken3               = secrets.NewSecret(`telegram_api_token = \"` + utils.Numeric("8") + `:A_` + utils.AlphaNumericExtendedShort("34") + `_\"`)
    59. 

  59. 	)
    60. 

  60. 	fps := []string{
    61. 

  61. 		// Token with too small bot_id
    62. 

  62. 		utils.GenerateSampleSecret("telegram", tooSmallToken),
    63. 

  63. 		// Token with too big bot_id
    64. 

  64. 		utils.GenerateSampleSecret("telegram", tooBigToken),
    65. 

  65. 		// XSD file containing the string AgencyIdentificationCodeContentType
    66. 

  66. 		utils.GenerateSampleSecret("telegram", xsdAgencyIdentificationCode1),
    67. 

  67. 		utils.GenerateSampleSecret("telegram", xsdAgencyIdentificationCode2),
    68. 

  68. 		utils.GenerateSampleSecret("telegram", xsdAgencyIdentificationCode3),
    69. 

  69. 		// Prefix and suffix variations that shouldn't match
    70. 

  70. 		utils.GenerateSampleSecret("telegram", prefixedToken1),
    71. 

  71. 		utils.GenerateSampleSecret("telegram", prefixedToken2),
    72. 

  72. 		utils.GenerateSampleSecret("telegram", prefixedToken3),
    73. 

  73. 		utils.GenerateSampleSecret("telegram", suffixedToken1),
    74. 

  74. 		utils.GenerateSampleSecret("telegram", suffixedToken2),
    75. 

  75. 		utils.GenerateSampleSecret("telegram", suffixedToken3),
    76. 

  76. 	}
    77. 

  77. 

  78. 	return utils.Validate(r, tps, fps)
    79. 

  79. }
    80.