Почетна Преглед Помоћ
Пријавите се
LBP
/
gitleaks
огледало од https://github.com/gitleaks/gitleaks.git
4
0
Креирај огранак 0
Датотеке Дискусије 0 Вики
Дрво: v8.25.0
Гране Ознаке
gitleaks
/
cmd
/
generate
/
config
/
utils
/
generate_test.go

generate_test.go 7.3 KB
Пермалинк Историја Датотека

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235 
  1. package utils
    2. 

  2. 

  3. import (
    4. 

  4. 	"testing"
    5. 

  5. )
    6. 

  6. 

  7. func TestGenerateSemiGenericRegex(t *testing.T) {
    8. 

  8. 	tests := []struct {
    9. 

  9. 		name              string
    10. 

  10. 		identifiers       []string
    11. 

  11. 		secretRegex       string
    12. 

  12. 		isCaseInsensitive []bool
    13. 

  13. 		validStrings      []string
    14. 

  14. 		invalidStrings    []string
    15. 

  15. 	}{
    16. 

  16. 		{
    17. 

  17. 			name:              "secret is case sensitive, if isCaseInsensitive is false",
    18. 

  18. 			identifiers:       []string{"api_key"},
    19. 

  19. 			secretRegex:       `[a-z]{3}`,
    20. 

  20. 			isCaseInsensitive: []bool{false},
    21. 

  21. 			validStrings:      []string{"api_key=xxx"},
    22. 

  22. 			invalidStrings:    []string{"api_key=XXX", "api_key=xXx"},
    23. 

  23. 		},
    24. 

  24. 		{
    25. 

  25. 			name:              "secret is case insensitive, if isCaseInsensitive is true",
    26. 

  26. 			identifiers:       []string{"api_key"},
    27. 

  27. 			secretRegex:       `[a-z]{3}`,
    28. 

  28. 			isCaseInsensitive: []bool{true},
    29. 

  29. 			validStrings:      []string{"api_key=xxx", "api_key=XXX", "api_key=xXx"},
    30. 

  30. 			invalidStrings:    []string{"api_key=x!x"},
    31. 

  31. 		},
    32. 

  32. 		{
    33. 

  33. 			name:              "identifier is case insensitive, regardless of isCaseInsensitive",
    34. 

  34. 			identifiers:       []string{"api_key"},
    35. 

  35. 			secretRegex:       `[a-z]{3}`,
    36. 

  36. 			isCaseInsensitive: []bool{true, false},
    37. 

  37. 			validStrings:      []string{"api_key=xxx", "ApI_KeY=xxx", "aPi_kEy=xxx", "API_KEY=xxx"},
    38. 

  38. 			invalidStrings:    []string{"api!key=xxx"},
    39. 

  39. 		},
    40. 

  40. 		{
    41. 

  41. 			name:              "identifier can be case sensitive",
    42. 

  42. 			identifiers:       []string{"(?-i:[Aa]pi_?[Kk]ey|API_?KEY)"},
    43. 

  43. 			secretRegex:       `[a-z]{3}`,
    44. 

  44. 			isCaseInsensitive: []bool{true, false},
    45. 

  45. 			validStrings:      []string{"apikey=xxx", "ApiKey=xxx", "Apikey=xxx", "APIKEY=xxx", "api_key=xxx"},
    46. 

  46. 			invalidStrings:    []string{"ApIKeY=xxx", "aPikEy=xxx"},
    47. 

  47. 		},
    48. 

  48. 		{
    49. 

  49. 			name:              "identifier can be part of a longer word",
    50. 

  50. 			identifiers:       []string{"key"},
    51. 

  51. 			secretRegex:       `[a-z]{3}`,
    52. 

  52. 			isCaseInsensitive: []bool{true, false},
    53. 

  53. 			validStrings:      []string{"mykey=xxx", "keys=xxx", "key1=xxx", "keystore=xxx", "monkey=xxx"},
    54. 

  54. 			invalidStrings:    []string{},
    55. 

  55. 		},
    56. 

  56. 		{
    57. 

  57. 			name:              "identifier may be followed by specific characters",
    58. 

  58. 			identifiers:       []string{"api_key"},
    59. 

  59. 			secretRegex:       `[a-z]{3}`,
    60. 

  60. 			isCaseInsensitive: []bool{true, false},
    61. 

  61. 			validStrings: []string{
    62. 

  62. 				"api_key-----=xxx",
    63. 

  63. 				"api_key.....=xxx",
    64. 

  64. 				"api_key_____=xxx",
    65. 

  65. 				"'''api_key'''=xxx",
    66. 

  66. 				`"""api_key"""=xxx`,
    67. 

  67. 				"api_key          =xxx",
    68. 

  68. 				"api_key\t\t\t\t\t=xxx",
    69. 

  69. 				"api_key\n\n\n=xxx", // potentially invalid?,
    70. 

  70. 				"api_key\r\n=xxx",
    71. 

  71. 				// "api_key|||=xxx",
    72. 

  72. 			},
    73. 

  73. 			invalidStrings: []string{
    74. 

  74. 				"api_key&=xxx",
    75. 

  75. 				"$api_key$=xxx",
    76. 

  76. 				"%api_key%=xxx",
    77. 

  77. 				"api_key[0]=xxx",
    78. 

  78. 				"api_key/*REMOVE*/=xxx",
    79. 

  79. 			},
    80. 

  80. 		},
    81. 

  81. 		{
    82. 

  82. 			name:              "identifier and secret must be separated by specific operators",
    83. 

  83. 			identifiers:       []string{"api_key"},
    84. 

  84. 			secretRegex:       `[a-z]{3}`,
    85. 

  85. 			isCaseInsensitive: []bool{true, false},
    86. 

  86. 			validStrings: []string{
    87. 

  87. 				"api_key=xxx",
    88. 

  88. 				"api_key: xxx",
    89. 

  89. 				"<api_key>xxx",
    90. 

  90. 				"api_key:=xxx",
    91. 

  91. 				"api_key:::=xxx",
    92. 

  92. 				// "api_key||:=xxx", // this isn't anything
    93. 

  93. 				// "api_key <= xxx",
    94. 

  94. 				"api_key => xxx",
    95. 

  95. 				"api_key ?= xxx",
    96. 

  96. 				"api_key, xxx",
    97. 

  97. 			},
    98. 

  98. 			invalidStrings: []string{
    99. 

  99. 				"api_keyxxx",
    100. 

  100. 				"api_key\txxx", // potentially valid in a tab-separated file
    101. 

  101. 				"api_key; xxx",
    102. 

  102. 				"api_key<xxx>",
    103. 

  103. 				"api_key&xxx",
    104. 

  104. 				"api_key = true ? 'xxx' : 'yyy'",
    105. 

  105. 			},
    106. 

  106. 		},
    107. 

  107. 		{
    108. 

  108. 			name:              "secret is limited by specific boundaries",
    109. 

  109. 			identifiers:       []string{"api_key"},
    110. 

  110. 			secretRegex:       `[a-z]{3}`,
    111. 

  111. 			isCaseInsensitive: []bool{true, false},
    112. 

  112. 			validStrings: []string{
    113. 

  113. 				"api_key=    xxx ",
    114. 

  114. 				"api_key=xxx\n",
    115. 

  115. 				"api_key=xxx\r\n",
    116. 

  116. 				"api_key=\n\n\n\n\nxxx", // potentially invalid (e.g. .env.example)
    117. 

  117. 				"api_key=\r\n\r\nxxx",
    118. 

  118. 				"api_key=\t\t\t\txxx\t",
    119. 

  119. 				"api_key======xxx;",
    120. 

  120. 				"api_key='''xxx'''",
    121. 

  121. 				`api_key="""xxx"""`,
    122. 

  122. 				"api_key=```xxx```",
    123. 

  123. 				`api_key="xxx'`, // could try to match only same opening and closing quotes, might not be worth the complexity
    124. 

  124. 				`api_key="don't do it!"`,
    125. 

  125. 				`api_key="xxx;notpartofthematch"`,
    126. 

  126. 			},
    127. 

  127. 			invalidStrings: []string{
    128. 

  128. 				"api_key=_xxx",
    129. 

  129. 				"api_key=xxx_",
    130. 

  130. 				"api_key=$xxx",
    131. 

  131. 				"api_key=%xxx%",
    132. 

  132. 				"api_key=[xxx]",
    133. 

  133. 				"api_key=(xxx)",
    134. 

  134. 				"api_key=<xxx>",
    135. 

  135. 				"api_key={xxx}",
    136. 

  136. 				"<api_key>xxx</api_key>",            // potentially valid
    137. 

  137. 				"example.com?api_key=xxx&other=yyy", // potentially valid
    138. 

  138. 			},
    139. 

  139. 		},
    140. 

  140. 		// Note: these test cases do not necessarily prescribe the expected behavior of the function,
    141. 

  141. 		// but rather document the current behavior, to ensure that future changes are intentional.
    142. 

  142. 	}
    143. 

  143. 

  144. 	for _, tt := range tests {
    145. 

  145. 		t.Run(tt.name, func(t *testing.T) {
    146. 

  146. 			for _, isCaseInsensitive := range tt.isCaseInsensitive {
    147. 

  147. 				regex := GenerateSemiGenericRegex(tt.identifiers, tt.secretRegex, isCaseInsensitive)
    148. 

  148. 				for _, validString := range tt.validStrings {
    149. 

  149. 					if !regex.MatchString(validString) {
    150. 

  150. 						t.Errorf("Expected match, but got none, \nfor GenerateSemiGenericRegex(%v, /%v/, caseInsensitive=%v).MatchString(`%v`)\n%v",
    151. 

  151. 							tt.identifiers, tt.secretRegex, isCaseInsensitive, validString, regex)
    152. 

  152. 					}
    153. 

  153. 				}
    154. 

  154. 				for _, invalidString := range tt.invalidStrings {
    155. 

  155. 					if regex.MatchString(invalidString) {
    156. 

  156. 						t.Errorf("Expected no match, but got one, \nfor GenerateSemiGenericRegex(%v, /%v/, caseInsensitive=%v).MatchString(`%v`)\n%v",
    157. 

  157. 							tt.identifiers, tt.secretRegex, isCaseInsensitive, invalidString, regex)
    158. 

  158. 					}
    159. 

  159. 				}
    160. 

  160. 			}
    161. 

  161. 		})
    162. 

  162. 	}
    163. 

  163. }
    164. 

  164. 

  165. func TestGenerateUniqueTokenRegex(t *testing.T) {
    166. 

  166. 	tests := []struct {
    167. 

  167. 		name              string
    168. 

  168. 		secretRegex       string
    169. 

  169. 		isCaseInsensitive bool
    170. 

  170. 		validStrings      []string
    171. 

  171. 		invalidStrings    []string
    172. 

  172. 	}{
    173. 

  173. 		{
    174. 

  174. 			name:              "case sensitive secret",
    175. 

  175. 			secretRegex:       `[a-c]{3}`,
    176. 

  176. 			isCaseInsensitive: false,
    177. 

  177. 			validStrings:      []string{"abc"},
    178. 

  178. 			invalidStrings:    []string{"ABC", "Abc"},
    179. 

  179. 		},
    180. 

  180. 		{
    181. 

  181. 			name:              "case insensitive secret",
    182. 

  182. 			secretRegex:       `[a-c]{3}`,
    183. 

  183. 			isCaseInsensitive: true,
    184. 

  184. 			validStrings:      []string{"abc", "ABC", "Abc"},
    185. 

  185. 			invalidStrings:    []string{"123"},
    186. 

  186. 		},
    187. 

  187. 		{
    188. 

  188. 			name:              "allowed boundaries",
    189. 

  189. 			secretRegex:       `[a-c]{3}`,
    190. 

  190. 			isCaseInsensitive: false,
    191. 

  191. 			validStrings: []string{
    192. 

  192. 				"abc",
    193. 

  193. 				" abc ",
    194. 

  194. 				"\nabc\n",
    195. 

  195. 				"\r\nabc\r\n",
    196. 

  196. 				"\tabc\t",
    197. 

  197. 				"'abc'",
    198. 

  198. 				`"abc"`,
    199. 

  199. 				"```abc```",
    200. 

  200. 				"my abc's",
    201. 

  201. 				".com?abc",
    202. 

  202. 			},
    203. 

  203. 			invalidStrings: []string{
    204. 

  204. 				"abcabc",
    205. 

  205. 				"_abc_",
    206. 

  206. 				".com?abc&def", // potentially valid
    207. 

  207. 				"/*abc*/",
    208. 

  208. 				"<abc>",
    209. 

  209. 				"<str>abc</str>", // potentially valid
    210. 

  210. 				"{{{abc}}}",
    211. 

  211. 				"abc, d",
    212. 

  212. 			},
    213. 

  213. 		},
    214. 

  214. 		// Note: these test cases do not necessarily prescribe the expected behavior of the function,
    215. 

  215. 		// but rather document the current behavior, to ensure that future changes are intentional.
    216. 

  216. 	}
    217. 

  217. 

  218. 	for _, tt := range tests {
    219. 

  219. 		t.Run(tt.name, func(t *testing.T) {
    220. 

  220. 			regex := GenerateUniqueTokenRegex(tt.secretRegex, tt.isCaseInsensitive)
    221. 

  221. 			for _, validString := range tt.validStrings {
    222. 

  222. 				if !regex.MatchString(validString) {
    223. 

  223. 					t.Errorf("Expected match, but got none, \nfor GenerateUniqueTokenRegex(/%v/, caseInsensitive=%v).MatchString(`%v`)\n%v",
    224. 

  224. 						tt.secretRegex, tt.isCaseInsensitive, validString, regex)
    225. 

  225. 				}
    226. 

  226. 			}
    227. 

  227. 			for _, invalidString := range tt.invalidStrings {
    228. 

  228. 				if regex.MatchString(invalidString) {
    229. 

  229. 					t.Errorf("Expected no match, but got one, \nfor GenerateUniqueTokenRegex(/%v/, caseInsensitive=%v).MatchString(`%v`)\n%v",
    230. 

  230. 						tt.secretRegex, tt.isCaseInsensitive, invalidString, regex)
    231. 

  231. 				}
    232. 

  232. 			}
    233. 

  233. 		})
    234. 

  234. 	}
    235. 

  235. }
    236.