feat: feedback from scs engine (#228)
This pull request fixes the regex pattern in the check_new_rules.go file to include commented rules. It also updates the authenticated_url.go file to ignore variables in passwords.
Baruch Odem (Rothkoff)
authored
Apr 2, 2024
1 parent
0f12983
commit b77600c
Showing
15 changed files
with
292 additions
and
29 deletions.
@@ -1,6 +1,7 @@ | ||
name: New Rules from Gitleaks | ||
|
||
on: | ||
workflow_dispatch: | ||
schedule: | ||
- cron: "0 2 * * 6" # At 02:00 on Saturday | ||
|
||
|
@@ -0,0 +1,61 @@ | ||
package extra | ||
|
||
import ( | ||
"encoding/base64" | ||
"encoding/json" | ||
"fmt" | ||
"strings" | ||
"sync" | ||
|
||
"github.com/checkmarx/2ms/lib/secrets" | ||
) | ||
|
||
type addExtraFunc = func(*secrets.Secret) interface{} | ||
|
||
var ruleIDToFunction = map[string]addExtraFunc{ | ||
"jwt": addExtraJWT, | ||
} | ||
|
||
func AddExtraToSecret(secret *secrets.Secret, wg *sync.WaitGroup) { | ||
defer wg.Done() | ||
if addExtra, ok := ruleIDToFunction[secret.RuleID]; ok { | ||
extraData := addExtra(secret) | ||
if extraData != nil && extraData != "" { | ||
UpdateExtraField(secret, "secretDetails", extraData) | ||
} | ||
} | ||
} | ||
|
||
var mtxs = &NamedMutex{} | ||
|
||
func UpdateExtraField(secret *secrets.Secret, extraName string, extraData interface{}) { | ||
mtxs.Lock(secret.ID) | ||
defer mtxs.Unlock(secret.ID) | ||
|
||
if secret.ExtraDetails == nil { | ||
secret.ExtraDetails = make(map[string]interface{}) | ||
} | ||
secret.ExtraDetails[extraName] = extraData | ||
} | ||
|
||
func addExtraJWT(secret *secrets.Secret) interface{} { | ||
tokenString := secret.Value | ||
|
||
parts := strings.Split(tokenString, ".") | ||
if len(parts) != 3 { | ||
return "Invalid JWT token" | ||
} | ||
|
||
payload, err := base64.RawURLEncoding.DecodeString(parts[1]) | ||
if err != nil { | ||
return fmt.Sprintf("Failed to decode JWT payload: %s", err) | ||
} | ||
|
||
var claims map[string]interface{} | ||
err = json.Unmarshal(payload, &claims) | ||
if err != nil { | ||
return fmt.Sprintf("Failed to unmarshal JWT payload: %s", string(payload)) | ||
} | ||
|
||
return claims | ||
} |
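Review bot: The three failure paths in addExtraJWT (the "Invalid JWT token" return, the decode error and the unmarshal error) hand a human-readable string back as if it were claim data, so ExtraDetails["secretDetails"] is sometimes a map and sometimes an error message, and the unmarshal branch copies the raw decoded payload bytes into the report verbatim. Since AddExtraToSecret already skips a nil result, the cleaner contract is to `return nil` on each of those three paths (optionally logging the reason), leaving only parsed claims in the output. base64.RawURLEncoding also rejects a padded segment, so `strings.TrimRight(parts[1], "=")` before decoding would handle tokens that carry padding. The exported AddExtraToSecret and UpdateExtraField have no doc comments; a one-liner such as `// AddExtraToSecret enriches secret.ExtraDetails for rule IDs listed in ruleIDToFunction; the caller must have called wg.Add(1).` would record the WaitGroup contract.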
@@ -0,0 +1,21 @@ | ||
package extra | ||
|
||
import ( | ||
"sync" | ||
) | ||
|
||
type NamedMutex struct { | ||
mutexes sync.Map | ||
} | ||
|
||
func (n *NamedMutex) Lock(key string) { | ||
mu, _ := n.mutexes.LoadOrStore(key, &sync.Mutex{}) | ||
mu.(*sync.Mutex).Lock() | ||
} | ||
|
||
func (n *NamedMutex) Unlock(key string) { | ||
mu, ok := n.mutexes.Load(key) | ||
if ok { | ||
mu.(*sync.Mutex).Unlock() | ||
} | ||
} |
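Review bot: Lock allocates a fresh sync.Mutex on every call because the argument to `LoadOrStore(key, &sync.Mutex{})` is built before the lookup, and entries are never deleted, so the map keeps one mutex per secret ID for the life of the process. That is probably fine for a single scan but should be stated on the type, and Unlock silently no-ops for a key that was never locked, which hides a missing Lock rather than surfacing it. The exported type and both methods lack doc comments; suggested: `// NamedMutex provides one lazily created mutex per string key; entries are never removed.` and `// Unlock releases the mutex for key; it is a no-op when key was never locked.`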
@@ -0,0 +1,21 @@ | ||
package validation | ||
|
||
import ( | ||
"net/http" | ||
) | ||
|
||
func sendValidationRequest(endpoint string, authorization string) (*http.Response, error) { | ||
req, err := http.NewRequest("GET", endpoint, nil) | ||
if err != nil { | ||
return nil, err | ||
} | ||
req.Header.Set("Authorization", authorization) | ||
|
||
client := &http.Client{} | ||
resp, err := client.Do(req) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
return resp, nil | ||
} |
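Review bot: The `client := &http.Client{}` line creates a client with no timeout and the request carries no context, so a stalled validation endpoint blocks the scan indefinitely; `client := &http.Client{Timeout: 10 * time.Second}` (adding "time" to the imports) bounds this. The function returns the response without closing it, which is right for a helper but should be stated: `// sendValidationRequest performs an authenticated GET against endpoint; the caller owns resp.Body and must close it.` Reusing one package-level client instead of constructing one per call would also let connections be reused across validations.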
@@ -0,0 +1,81 @@ | ||
package validation | ||
|
||
import ( | ||
"encoding/json" | ||
"io" | ||
"net/http" | ||
"strings" | ||
|
||
"github.com/checkmarx/2ms/lib/secrets" | ||
"github.com/rs/zerolog/log" | ||
) | ||
|
||
type errorResponse struct { | ||
Error struct { | ||
Message string `json:"message"` | ||
Details []struct { | ||
Type string `json:"@type"` | ||
Metadata struct { | ||
Consumer string `json:"consumer"` | ||
} `json:"metadata,omitempty"` | ||
} `json:"details"` | ||
} `json:"error"` | ||
} | ||
|
||
func validateGCP(s *secrets.Secret) (secrets.ValidationResult, string) { | ||
testURL := "https://youtube.googleapis.com/youtube/v3/search?part=snippet&key=" + s.Value | ||
|
||
req, err := http.NewRequest("GET", testURL, nil) | ||
if err != nil { | ||
log.Warn().Err(err).Msg("Failed to validate secret") | ||
return secrets.UnknownResult, "" | ||
} | ||
|
||
client := &http.Client{} | ||
resp, err := client.Do(req) | ||
if err != nil { | ||
log.Warn().Err(err).Msg("Failed to validate secret") | ||
return secrets.UnknownResult, "" | ||
} | ||
|
||
result, extra, err := checkGCPErrorResponse(resp) | ||
if err != nil { | ||
log.Warn().Err(err).Msg("Failed to validate secret") | ||
} | ||
return result, extra | ||
} | ||
|
||
func checkGCPErrorResponse(resp *http.Response) (secrets.ValidationResult, string, error) { | ||
if resp.StatusCode == http.StatusOK { | ||
return secrets.ValidResult, "", nil | ||
} | ||
|
||
if resp.StatusCode != http.StatusForbidden { | ||
return secrets.RevokedResult, "", nil | ||
} | ||
|
||
bodyBytes, err := io.ReadAll(resp.Body) | ||
if err != nil { | ||
return secrets.UnknownResult, "", err | ||
} | ||
|
||
// Unmarshal the response body into the ErrorResponse struct | ||
var errorResponse errorResponse | ||
err = json.Unmarshal(bodyBytes, &errorResponse) | ||
if err != nil { | ||
return secrets.UnknownResult, "", err | ||
} | ||
|
||
if strings.Contains(errorResponse.Error.Message, "YouTube Data API v3 has not been used in project") { | ||
extra := "" | ||
for _, detail := range errorResponse.Error.Details { | ||
if detail.Type == "type.googleapis.com/google.rpc.ErrorInfo" { | ||
extra = detail.Metadata.Consumer | ||
} | ||
} | ||
return secrets.ValidResult, extra, nil | ||
} | ||
|
||
return secrets.UnknownResult, "", nil | ||
|
||
} |
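Review bot: resp.Body is never closed in validateGCP after the `client.Do(req)` call, and the same leak exists in validateGitlab in the later section of this commit; add `defer resp.Body.Close()` right after the error check in both. validateGCP also appends s.Value to the query string unescaped, so a candidate key containing `&`, `#` or whitespace produces a malformed request instead of a clean verdict; `url.QueryEscape(s.Value)` (importing net/url) fixes that, and this client too has no timeout. In checkGCPErrorResponse every status other than 200 and 403 is reported as RevokedResult, so a 429 or 5xx from the API is recorded as a revoked key; returning `secrets.UnknownResult` when `resp.StatusCode >= 500 || resp.StatusCode == http.StatusTooManyRequests` before the 403 check keeps transient failures out of the report (validateGitlab's `return secrets.RevokedResult, ""` fallback has the same problem). `io.ReadAll(resp.Body)` is unbounded as well; `io.LimitReader(resp.Body, 1<<20)` is a cheap guard.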
@@ -0,0 +1,43 @@ | ||
package validation | ||
|
||
import ( | ||
"encoding/json" | ||
"fmt" | ||
"io" | ||
"net/http" | ||
|
||
"github.com/checkmarx/2ms/lib/secrets" | ||
"github.com/rs/zerolog/log" | ||
) | ||
|
||
type userResponse struct { | ||
WebURL string `json:"web_url"` | ||
} | ||
|
||
func validateGitlab(s *secrets.Secret) (secrets.ValidationResult, string) { | ||
const gitlabURL = "https://gitlab.com/api/v4/user" | ||
|
||
resp, err := sendValidationRequest(gitlabURL, fmt.Sprintf("Bearer %s", s.Value)) | ||
|
||
if err != nil { | ||
log.Warn().Err(err).Msg("Failed to validate secret") | ||
return secrets.UnknownResult, "" | ||
} | ||
|
||
if resp.StatusCode == http.StatusOK { | ||
bodyBytes, err := io.ReadAll(resp.Body) | ||
if err != nil { | ||
log.Warn().Err(err).Msg("Failed to read response body for Gitlab validation") | ||
return secrets.ValidResult, "" | ||
} | ||
|
||
var user userResponse | ||
if err := json.Unmarshal(bodyBytes, &user); err != nil { | ||
log.Warn().Err(err).Msg("Failed to unmarshal response body for Gitlab validation") | ||
return secrets.ValidResult, "" | ||
} | ||
|
||
return secrets.ValidResult, user.WebURL | ||
} | ||
return secrets.RevokedResult, "" | ||
} |