Merge pull request #30 from ivanolin/fix/valid-one-liners

fix(password-secret): valid regex for one-liner files
americanexpress · Aug 11, 2021 · b63c30b · b63c30b
2 parents 0f519db + a677136
commit b63c30b
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 3 deletions.
diff --git a/config/rules/password-secret.yaml b/config/rules/password-secret.yaml
@@ -572,7 +572,7 @@ rules:
       - CWE-257
       - CWE-259
   - Code: 3065
-    Pattern: heroku.*[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}
+    Pattern: heroku.{0,55}[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}
     Caption: Heroku key
     Category: password-secret
     Example: 'heroku: ''A0AAA0AA-aAaa-AAAA-aaAA-Aa00AaAA0a0A'''
@@ -600,7 +600,7 @@ rules:
       - CWE-257
       - CWE-259
   - Code: 3067
-    Pattern: facebook.*['"'"'"][0-9a-f]{32,255}['"'"'"]
+    Pattern: facebook.{0,55}['"'"'"][0-9a-f]{32,255}['"'"'"]
     Caption: Facebook key
     Category: password-secret
     Example: 'facebook: ''a00000aa0aaa0aa0a00aa00a00000aaa0a000a0a0aaa0a0a0a00aa00a000aaa0'''
@@ -614,7 +614,7 @@ rules:
       - CWE-257
       - CWE-259
   - Code: 3068
-    Pattern: twitter.*['"'"'"][a-zA-Z0-9]{35,44}['"'"'"]
+    Pattern: twitter.{0,55}['"'"'"][a-zA-Z0-9]{35,44}['"'"'"]
     Caption: Twitter key
     Category: password-secret
     Example: 'twitter: ''0aaAaA0AAAA0000a0a0A0a0aaa0AaAA0a0a'''

diff --git a/pkg/scan/scan_test.go b/pkg/scan/scan_test.go
@@ -249,6 +249,26 @@ func Test_scanLine(t *testing.T) {
 			},
 			wantIsHit: false,
 		},
+		{
+			name: "Find twitter API key as a password",
+			args: args{
+				line: Line{
+					LineValue: `twitterApiSecret:"111aAa222bBb333cCc444dDd555eEe666fFf777"`,
+				},
+				fileLines: fileLines,
+			},
+			wantIsHit: true,
+		},
+		{
+			name: "Ignore potential twitter API key separated by too many characters",
+			args: args{
+				line: Line{
+					LineValue: `twitter="twitter";//This LineValue emulates extremely long one-liner code files that can cause false positives "111aAa222bBb333cCc444dDd555eEe666fFf777"`,
+				},
+				fileLines: fileLines,
+			},
+			wantIsHit: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {