Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add additional rules #193

Merged
merged 3 commits into from
Jun 11, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

- AWS API Credentials ([#190](https://github.com/praetorian-inc/noseyparker/pull/190))
- AWS AppSync API Key ([#176](https://github.com/praetorian-inc/noseyparker/pull/176))
- Azure Personal Access Token ([#193](https://github.com/praetorian-inc/noseyparker/pull/193))
- Base64-PEM-Encoded Private Key ([#192](https://github.com/praetorian-inc/noseyparker/pull/192))
- Databricks Personal Access Token ([#187](https://github.com/praetorian-inc/noseyparker/pull/187) from @@tobiasgyoerfi)
- Databricks Personal Access Token ([#187](https://github.com/praetorian-inc/noseyparker/pull/187) from (@tobiasgyoerfi)
- Google OAuth Credentials ([#193](https://github.com/praetorian-inc/noseyparker/pull/193))
- Password Hash (Kerberos 5, etype 23, AS-REP) ([#176](https://github.com/praetorian-inc/noseyparker/pull/176))

- Prebuilt releases now included separate debug symbols (.dSYM or .dwp files) ([#191](https://github.com/praetorian-inc/noseyparker/pull/191)).
Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ Nosey Parker is a command-line tool that finds secrets and sensitive information

**Key features:**
- It can natively scan files, directories, and Git repository history
- It uses regular expression matching with a set of [144 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high signal-to-noise based on experience and feedback from offensive security engagements
- It uses regular expression matching with a set of [146 patterns](crates/noseyparker/data/default/builtin/rules) chosen for high signal-to-noise based on experience and feedback from offensive security engagements
- It deduplicates its findings, grouping matches together that share the same secret, which in practice can reduce review burden by 100x or more
- It is fast: it can scan at hundreds of megabytes per second on a single core, and is able to scan 100GB of Linux kernel source history in less than 2 minutes on an older MacBook Pro
- It scales: it has scanned inputs as large as 20TiB during security engagements
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,4 @@
source: crates/noseyparker-cli/tests/rules/mod.rs
expression: stdout
---
144 rules and 3 rulesets: no issues detected
146 rules and 3 rulesets: no issues detected
Original file line number Diff line number Diff line change
Expand Up @@ -256,12 +256,12 @@ expression: stdout
},
{
"id": "np.aws.6",
"structural_id": "6081f1aa6f664739d2ca79e7aa1952b862dd32e9",
"structural_id": "39d60c56d8a84ca6ab5999de8fea93657e3cae99",
"name": "AWS API Credentials",
"syntax": {
"name": "AWS API Credentials",
"id": "np.aws.6",
"pattern": "(?x)\n(?m)\n\\b\n((?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}) (?# API key )\n\\b\n(?: (?s) .{0,40} ) (?# Arbitrary intermediate stuff )\n\\b\n([A-Za-z0-9/+=]{40}) (?# secret )\n(?: [^A-Za-z0-9/+=] | $ )\n",
"pattern": "(?x)\n\\b\n((?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}) (?# API key )\n\\b\n(?: (?s) .{0,40} ) (?# Arbitrary intermediate stuff; ?s causes . to match newlines )\n\\b\n([A-Za-z0-9/+=]{40}) (?# secret )\n(?: [^A-Za-z0-9/+=] | $ )\n",
"examples": [
"export AWS_API_KEY='A3T0ABCDEFGHIJKLMNOP'\nexport AWS_SECRET_ACCESS_KEY='ded7db27a4558eea9bbf0bf36e0e8521618f366c'\n",
"export AWS_API_KEY='A3T0ABCDEFGHIJKLMNOP''ded7db27a4558eea9bbf0bf36e0e8521618f366c'"
Expand Down Expand Up @@ -324,6 +324,25 @@ expression: stdout
]
}
},
{
"id": "np.azure.3",
"structural_id": "357a7fb1c99c1d3ab0a7489443a564cd80cf6d67",
"name": "Azure Personal Access Token",
"syntax": {
"name": "Azure Personal Access Token",
"id": "np.azure.3",
"pattern": "(?x)\n(?i: ADO_PAT | pat_token | personal_?access_?token | \\$token )\n\\s* = \\s*\n[\"']\n([a-z0-9]{52})\n[\"']\n",
"examples": [
"var personalAccessToken = \"zpczok4kqgnw5prpfy3ehiylbqvgbjfkdiqkejsxqamy7qbkep7q\"; // Provide a value or retrieve it from configuration\n",
"$token = \"58oo4mvqr2tpw7b4w3loeckwfu5o6nw3sihfckvlwoxgqimlddza\"\n",
"if __name__ == \"__main__\":\n ado_pat = \"iyfmob6xjrfmit67anxbot64umfx2clwx7dz5ynxi4q2z3uqegvq\"\n"
],
"negative_examples": [],
"references": [
"https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate"
]
}
},
{
"id": "np.blynk.1",
"structural_id": "7d7b4a3c990889ccbda6d47ec656719c22f9413c",
Expand Down Expand Up @@ -1271,6 +1290,22 @@ expression: stdout
]
}
},
{
"id": "np.google.6",
"structural_id": "4e3b74e85c70254144b1d2d08289f4d04af98f35",
"name": "Google OAuth Credentials",
"syntax": {
"name": "Google OAuth Credentials",
"id": "np.google.6",
"pattern": "(?x)\n\\b\n([0-9]+-[a-z0-9_]{32}\\.apps\\.googleusercontent\\.com) (?# client ID )\n(?: (?s) .{0,40} ) (?# Arbitrary intermediate stuff; ?s causes . to match newlines )\n\\b\n\n(?: (GOCSPX-[a-zA-Z0-9_-]{28}) (?# prefixed client secret )\n | (?: (?i) client.?secret .{0,10} \\b ([a-zA-Z0-9_-]{24}) ) (?# non-prefixed client secret )\n)\n\n(?:[^a-zA-Z0-9_-] | $)\n",
"examples": [
"const CLIENT_ID = '304167046824-45h8no7j0s38akv998nivvb7i17ckqeh.apps.googleusercontent.com';\nconst CLIENT_SECRET = '1QcFpNjHoAf4_XczYwhYicTl';\n",
"public static GAPIS_CREDENTIALS = {\n // 1. Generate credentials: https://console.cloud.google.com/apis/\n // 2. Create OAuth page and set spreadsheets and drive.metadata.readonly scopes\n client_id: '132261435625-69ubohrvppjr9hcc5t9uighsb7j2cqhv.apps.googleusercontent.com',\n client_secret: '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',\n redirect_uri: `http://localhost:${Config.OAUTH_HTTP_PORT}/oauth2callback`\n};\n"
],
"negative_examples": [],
"references": []
}
},
{
"id": "np.gradle.1",
"structural_id": "a12f90a50f965526bfcf34016b914665483c389d",
Expand Down Expand Up @@ -2882,7 +2917,7 @@ expression: stdout
{
"id": "default",
"name": "Nosey Parker default rules",
"num_rules": 123
"num_rules": 125
},
{
"id": "np.assets",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ expression: stdout
np.aws.6 AWS API Credentials
np.azure.1 Azure Connection String
np.azure.2 Azure App Configuration Connection String
np.azure.3 Azure Personal Access Token
np.blynk.1 Blynk Device Access Token
np.blynk.2 Blynk Organization Access Token (URL first)
np.blynk.3 Blynk Organization Access Token (URL last)
Expand Down Expand Up @@ -68,6 +69,7 @@ expression: stdout
np.google.3 Google OAuth Client Secret
np.google.4 Google OAuth Access Token
np.google.5 Google API Key
np.google.6 Google OAuth Credentials
np.gradle.1 Hardcoded Gradle Credentials
np.grafana.1 Grafana API Token
np.grafana.2 Grafana Cloud API Token
Expand Down Expand Up @@ -151,6 +153,6 @@ expression: stdout

Ruleset ID Ruleset Name Rules
─────────────────────────────────────────────────────────
default Nosey Parker default rules 123
default Nosey Parker default rules 125
np.assets Nosey Parker asset detection rules 15
np.hashes Nosey Parker password hash rules 6
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ expression: read_json(report_json.path()).unwrap()
[
{
"comment": null,
"finding_id": "43ee76ab13531cf63b65f88804fd30dffba01b54",
"finding_id": "4b68f1a2eebf34b00aee81bd944e3403921b8cce",
"groups": [
"QUtJQUpVWlBMVE5NWTJKU1hMWUE=",
"RHZIeEhMTXNPMGZTbk5xSTgyZWZxNHNPOFFlZmRNU3ozbDJxMlhrMQ=="
Expand Down Expand Up @@ -60,7 +60,7 @@ expression: read_json(report_json.path()).unwrap()
}
],
"rule_name": "AWS API Credentials",
"rule_structural_id": "6081f1aa6f664739d2ca79e7aa1952b862dd32e9",
"rule_structural_id": "39d60c56d8a84ca6ab5999de8fea93657e3cae99",
"rule_text_id": "np.aws.6",
"score": null,
"snippet": {
Expand All @@ -69,13 +69,13 @@ expression: read_json(report_json.path()).unwrap()
"matching": "AKIAJUZPLTNMY2JSXLYA\nS3_OBJECT_PREFIX=flathead\nS3_SECRET=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\n"
},
"status": null,
"structural_id": "3826a0168ec2553f84592b57baa55218b004e1cb"
"structural_id": "4514a0252fd7c1d2b57d1e2c8ca9e38cded33685"
}
],
"mean_score": null,
"num_matches": 1,
"rule_name": "AWS API Credentials",
"rule_structural_id": "6081f1aa6f664739d2ca79e7aa1952b862dd32e9",
"rule_structural_id": "39d60c56d8a84ca6ab5999de8fea93657e3cae99",
"rule_text_id": "np.aws.6",
"statuses": []
},
Expand Down
3 changes: 1 addition & 2 deletions crates/noseyparker/data/default/builtin/rules/aws.yml
Original file line number Diff line number Diff line change
Expand Up @@ -348,11 +348,10 @@ rules:

pattern: |
(?x)
(?m)
\b
((?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}) (?# API key )
\b
(?: (?s) .{0,40} ) (?# Arbitrary intermediate stuff )
(?: (?s) .{0,40} ) (?# Arbitrary intermediate stuff; ?s causes . to match newlines )
\b
([A-Za-z0-9/+=]{40}) (?# secret )
(?: [^A-Za-z0-9/+=] | $ )
Expand Down
25 changes: 25 additions & 0 deletions crates/noseyparker/data/default/builtin/rules/azure.yml
Original file line number Diff line number Diff line change
Expand Up @@ -75,3 +75,28 @@ rules:
- https://docs.microsoft.com/en-us/azure/azure-app-configuration/
- https://docs.microsoft.com/en-us/azure/azure-app-configuration/howto-best-practices
- https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/appconfiguration/azure-appconfiguration/azure/appconfiguration/_utils.py


# This detects various hardcoded PATs that come from Microsoft example documentation
- name: Azure Personal Access Token
id: np.azure.3

pattern: |
(?x)
(?i: ADO_PAT | pat_token | personal_?access_?token | \$token )
\s* = \s*
["']
([a-z0-9]{52})
["']

examples:
- |
var personalAccessToken = "zpczok4kqgnw5prpfy3ehiylbqvgbjfkdiqkejsxqamy7qbkep7q"; // Provide a value or retrieve it from configuration
- |
$token = "58oo4mvqr2tpw7b4w3loeckwfu5o6nw3sihfckvlwoxgqimlddza"
- |
if __name__ == "__main__":
ado_pat = "iyfmob6xjrfmit67anxbot64umfx2clwx7dz5ynxi4q2z3uqegvq"

references:
- https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate
32 changes: 32 additions & 0 deletions crates/noseyparker/data/default/builtin/rules/google.yml
Original file line number Diff line number Diff line change
Expand Up @@ -128,3 +128,35 @@ rules:

examples:
- 'https://storage.googleapis.com/bucket_name/object_name'


# This matches an OAuth client ID followed closely by a client secret
- name: Google OAuth Credentials
id: np.google.6

pattern: |
(?x)
\b
([0-9]+-[a-z0-9_]{32}\.apps\.googleusercontent\.com) (?# client ID )
(?: (?s) .{0,40} ) (?# Arbitrary intermediate stuff; ?s causes . to match newlines )
\b

(?: (GOCSPX-[a-zA-Z0-9_-]{28}) (?# prefixed client secret )
| (?: (?i) client.?secret .{0,10} \b ([a-zA-Z0-9_-]{24}) ) (?# non-prefixed client secret )
)

(?:[^a-zA-Z0-9_-] | $)

examples:
- |
const CLIENT_ID = '304167046824-45h8no7j0s38akv998nivvb7i17ckqeh.apps.googleusercontent.com';
const CLIENT_SECRET = '1QcFpNjHoAf4_XczYwhYicTl';

- |
public static GAPIS_CREDENTIALS = {
// 1. Generate credentials: https://console.cloud.google.com/apis/
// 2. Create OAuth page and set spreadsheets and drive.metadata.readonly scopes
client_id: '132261435625-69ubohrvppjr9hcc5t9uighsb7j2cqhv.apps.googleusercontent.com',
client_secret: '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',
redirect_uri: `http://localhost:${Config.OAUTH_HTTP_PORT}/oauth2callback`
};
2 changes: 2 additions & 0 deletions crates/noseyparker/data/default/builtin/rulesets/default.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ rulesets:
- np.aws.6 # Amazon API Credentials
- np.azure.1 # Azure Connection String
- np.azure.2 # Azure App Configuration Connection String
- np.azure.3 # Azure Personal Access Token
- np.blynk.1 # Blynk Device Access Token
- np.blynk.2 # Blynk Organization Access Token (URL first)
- np.blynk.3 # Blynk Organization Access Token (URL last)
Expand Down Expand Up @@ -71,6 +72,7 @@ rulesets:
- np.google.3 # Google OAuth Client Secret
- np.google.4 # Google OAuth Access Token
- np.google.5 # Google API Key
- np.google.6 # Google OAuth Credentials
- np.gradle.1 # Hardcoded Gradle Credentials
- np.grafana.1 # Grafana API Token
- np.grafana.2 # Grafana Cloud API Token
Expand Down