Главная Обзор Помощь
Вход
LBP
/
gitleaks
зеркало из https://github.com/gitleaks/gitleaks.git
4
0
Ответвить 0
Файлы Задачи 0 Вики
Дерево: v8.27.1
Ветки Метки
gitleaks
/
cmd
/
generate
/
config
/
rules
/
sentry.go

sentry.go 4.1 KB
Постоянная ссылка История Исходник

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798 
  1. package rules
    2. 

  2. 

  3. import (
    4. 

  4. 	"encoding/base64"
    5. 

  5. 

  6. 	"github.com/zricethezav/gitleaks/v8/cmd/generate/config/utils"
    7. 

  7. 	"github.com/zricethezav/gitleaks/v8/cmd/generate/secrets"
    8. 

  8. 	"github.com/zricethezav/gitleaks/v8/config"
    9. 

  9. 	"github.com/zricethezav/gitleaks/v8/regexp"
    10. 

  10. )
    11. 

  11. 

  12. func SentryAccessToken() *config.Rule {
    13. 

  13. 	// define rule
    14. 

  14. 	r := config.Rule{
    15. 

  15. 		RuleID:      "sentry-access-token",
    16. 

  16. 		Description: "Found a Sentry.io Access Token (old format), risking unauthorized access to error tracking services and sensitive application data.",
    17. 

  17. 		Regex:       utils.GenerateSemiGenericRegex([]string{"sentry"}, utils.Hex("64"), true),
    18. 

  18. 		Entropy:     3,
    19. 

  19. 		Keywords: []string{
    20. 

  20. 			"sentry",
    21. 

  21. 		},
    22. 

  22. 	}
    23. 

  23. 

  24. 	// validate
    25. 

  25. 	tps := utils.GenerateSampleSecrets("sentry", secrets.NewSecret(utils.Hex("64")))
    26. 

  26. 	return utils.Validate(r, tps, nil)
    27. 

  27. }
    28. 

  28. 

  29. func SentryOrgToken() *config.Rule {
    30. 

  30. 

  31. 	// format: sntrys_[base64_json]_[base64_secret]
    32. 

  32. 	// the json contains the following fields : {"iat": ,"url": ,"region_url": ,"org": }
    33. 

  33. 	// Specification: https://github.com/getsentry/rfcs/blob/main/text/0091-ci-upload-tokens.md
    34. 

  34. 	// Some test cases from official parser:
    35. 

  35. 	// https://github.com/getsentry/sentry-cli/blob/693d62167041846e2da823b7f3b0f21b673b5b1f/src/utils/auth_token/test.rs
    36. 

  36. 	// To detect the token, this rule checks for the following base64-encoded json fragments :
    37. 

  37. 	// eyJpYXQiO = `{"iat":`,
    38. 

  38. 	// LCJyZWdpb25fdXJs = `,"region_url`
    39. 

  39. 	// InJlZ2lvbl91cmwi = `"region_url"`
    40. 

  40. 	// cmVnaW9uX3VybCI6 = `region_url":`
    41. 

  41. 

  42. 	// define rule
    43. 

  43. 	r := config.Rule{
    44. 

  44. 		RuleID:      "sentry-org-token",
    45. 

  45. 		Description: "Found a Sentry.io Organization Token, risking unauthorized access to error tracking services and sensitive application data.",
    46. 

  46. 		Regex:       regexp.MustCompile(`\bsntrys_eyJpYXQiO[a-zA-Z0-9+/]{10,200}(?:LCJyZWdpb25fdXJs|InJlZ2lvbl91cmwi|cmVnaW9uX3VybCI6)[a-zA-Z0-9+/]{10,200}={0,2}_[a-zA-Z0-9+/]{43}(?:[^a-zA-Z0-9+/]|\z)`),
    47. 

  47. 		Entropy:     4.5,
    48. 

  48. 		Keywords:    []string{"sntrys_eyJpYXQiO"},
    49. 

  49. 	}
    50. 

  50. 

  51. 	// validate
    52. 

  52. 	tps := utils.GenerateSampleSecrets("sentry",
    53. 

  53. 		`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`, // gitleaks:allow
    54. 

  54. 	)
    55. 

  55. 	tps = append(tps, utils.GenerateSampleSecrets("sentry",
    56. 

  56. 		`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`, // gitleaks:allow
    57. 

  57. 	)...)
    58. 

  58. 	tps = append(tps,
    59. 

  59. 		` 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`, // gitleaks:allow
    60. 

  60. 	)
    61. 

  61. 

  62. 	encodedJson := base64.StdEncoding.EncodeToString([]byte(secrets.NewSecret(
    63. 

  63. 		`\{"iat":[\d\.]{3,6},"url":"https://\w{10,20}","region_url":"https://\w{20,30}","org":"\w{5,10}"\}`)))
    64. 

  64. 	generatedToken := `sntrys_` + encodedJson + `_` + secrets.NewSecret(`[a-zA-Z0-9+/]{43}`)
    65. 

  65. 	tps = append(tps,
    66. 

  66. 		generatedToken,
    67. 

  67. 		"<token>"+generatedToken+"</token>",
    68. 

  68. 		"https://example.com?token="+generatedToken+"&other=stuff",
    69. 

  69. 	)
    70. 

  70. 

  71. 	fps := []string{
    72. 

  72. 		secrets.NewSecret(`sntrys_[a-zA-Z0-9]{90}_[a-zA-Z0-9]{43}`),          // does not contain encoded json
    73. 

  73. 		`sntrys_` + encodedJson + `_` + secrets.NewSecret(`[a-zA-Z0-9]{42}`), // too short
    74. 

  74. 		`sntrys_` + encodedJson + `_` + secrets.NewSecret(`[a-zA-Z0-9]{44}`), // too long
    75. 

  75. 	}
    76. 

  76. 

  77. 	return utils.Validate(r, tps, fps)
    78. 

  78. }
    79. 

  79. 

  80. func SentryUserToken() *config.Rule {
    81. 

  81. 	// define rule
    82. 

  82. 	r := config.Rule{
    83. 

  83. 		RuleID:      "sentry-user-token",
    84. 

  84. 		Description: "Found a Sentry.io User Token, risking unauthorized access to error tracking services and sensitive application data.",
    85. 

  85. 		Regex:       utils.GenerateUniqueTokenRegex(`sntryu_[a-f0-9]{64}`, false),
    86. 

  86. 		Entropy:     3.5,
    87. 

  87. 		Keywords:    []string{"sntryu_"},
    88. 

  88. 	}
    89. 

  89. 

  90. 	// validate
    91. 

  91. 	tps := utils.GenerateSampleSecrets("sentry", secrets.NewSecret(`sntryu_[a-f0-9]{64}`))
    92. 

  92. 	fps := []string{
    93. 

  93. 		secrets.NewSecret(`sntryu_[a-f0-9]{63}`), // too short
    94. 

  94. 		secrets.NewSecret(`sntryu_[a-f0-9]{65}`), // too long
    95. 

  95. 		secrets.NewSecret(`sntryu_[a]{64}`),      // low entropy
    96. 

  96. 	}
    97. 

  97. 	return utils.Validate(r, tps, fps)
    98. 

  98. }
    99.