Expand RabbitMQ validator to check loose credentials expressions. #788
@@ -18,12 +18,19 @@ protected override IEnumerable<ValidationResult> IsValidStaticHelper(IDictionary | |||
{ | |||
if (!groups.TryGetNonEmptyValue("id", out FlexMatch id) || | |||
!groups.TryGetNonEmptyValue("host", out FlexMatch host) || | |||
!groups.TryGetNonEmptyValue("secret", out FlexMatch secret) || | |||
!groups.TryGetNonEmptyValue("resource", out FlexMatch resource)) | |||
!groups.TryGetNonEmptyValue("secret", out FlexMatch secret)) |
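Review bot: the guard no longer requires `resource`, but the hunk does not show how a missing vhost is handled afterwards; since the pattern change in this PR makes `(?P<resource>...)` optional, any later read of `groups["resource"]` (for example when building the connection string that gets tested) needs an empty-value fallback, or the validator should return a not-applicable result for such matches. The `id`/`host`/`secret` checks are redundant once the regex requires those groups, as the comment notes, though keeping `TryGetNonEmptyValue` costs nothing.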
We shouldn't need this if statement check for id, host, and secret now that these are required in the regex. Can just be string id = groups["id"].value for all 3 #Resolved
@@ -48,5 +48,24 @@ public static bool LikelyPowershellVariable(string input) | |||
|
|||
return true; | |||
} | |||
|
|||
public static bool PasswordIsInCommonVariableContext(string secret) |
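Review bot: `PasswordIsInCommonVariableContext` is a new public static method with no XML doc comment; since it is meant to be shared with other projects that reference Security, a `<summary>` stating what counts as a "common variable context" and whether the comparison is case-insensitive would help callers. The naming is also mixed: the method says `Password` while the parameter is `secret`; pick one so it matches the surrounding `secret` naming.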
Yes, this function I copied from your previous implementation. The other projects that have a reference to Security can use it.
@@ -129,9 +129,14 @@ | |||
$SEC101/038.PostgreSqlCredentialsAdoSecret=(?i)(?:password|pwd)\s*=\s*(?P<secret>[^,;"'<\s]{8,128})(?:[,;"'<\s]|$) | |||
$SEC101/038.PostgreSqlCredentialsAdoResource=(?i)(?:database|db|dbname)\s*=\s*(?P<resource>[^,;"'=|&\]\[><\s]+)(?:[,;"'=|&\]\[><\s]|$) | |||
|
|||
$SEC101/041.RabbitMqCredentials=(?i)amqps?:\/\/(?P<id>[^:"]+):(?P<secret>[^@\s]+)@(?P<host>[\w_\-\:]+)\/(?P<resource>[\w]+)(?:[^0-9a-z]|$) | |||
$SEC101/041.RabbitMqCredentials=(?i)amqps?:\/\/(?P<id>[^:"]+):(?P<secret>[^@\s]+)@(?P<host>[\w_-]+)(?::?(?P<port>[0-9]{4,5}))?\/(?P<resource>[\w]+)?(?:[^0-9a-z]|$) |
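Review bot: in the new pattern the colon before the port is optional (`:?`), but because `[\w_-]+` greedily absorbs digits a port can only ever be captured when the colon is present, so `:?` should simply be `:`. More importantly, `[0-9]{4,5}` rejects ports shorter than four digits, and since `host` can no longer contain a colon (the old class `[\w_\-\:]+` allowed it), a URI such as `amqps://u:p@host:443/vhost` now fails to match at all instead of matching without a port; `(?::(?P<port>[0-9]{1,5}))?` avoids that regression. Minor: `_` is already in `\w`, so `[\w_-]` can be `[\w-]`.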
The change here is to add a capture group for "port" explicitly and make the "resource" group optional.
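To see what the revised pattern actually captures, here is an added Python check (not part of the PR or the project) that runs the new SEC101/041 regex from the hunk above over constructed sample URIs; Python's `re` accepts the `(?P<name>...)` syntax unchanged, and the credential values are placeholders.

```python
import re

# SEC101/041.RabbitMqCredentials exactly as it appears in the PR hunk.
RABBITMQ_CREDENTIALS = re.compile(
    r'(?i)amqps?:\/\/(?P<id>[^:"]+):(?P<secret>[^@\s]+)@(?P<host>[\w_-]+)'
    r'(?::?(?P<port>[0-9]{4,5}))?\/(?P<resource>[\w]+)?(?:[^0-9a-z]|$)'
)


def extract_rabbitmq_credentials(text):
    """Return the named groups of the first match in text, or None if nothing matches.

    Optional groups that did not participate (port, resource) come back as None,
    which is the case a validator must handle once 'resource' is no longer required.
    """
    match = RABBITMQ_CREDENTIALS.search(text)
    return match.groupdict() if match else None


# Constructed sample inputs (placeholder credentials, not real secrets).
SAMPLES = {
    "full":       "AMQP_URL=amqps://app:s3cretValue@broker-01:5671/prod;",
    "no_vhost":   "amqp://app:s3cretValue@broker-01/",
    "no_colon":   "amqp://app:s3cretValue@broker-015672/prod",  # digits are eaten by host
    "short_port": "amqp://app:s3cretValue@broker-01:443/prod",  # {4,5} rejects 3-digit port
}


def summarize(samples=SAMPLES):
    """Map each sample name to (host, port, resource), or None when the pattern does not fire."""
    result = {}
    for name, text in samples.items():
        groups = extract_rabbitmq_credentials(text)
        result[name] = None if groups is None else (groups["host"], groups["port"], groups["resource"])
    return result


if __name__ == "__main__":
    for name, outcome in summarize().items():
        print(f"{name:11} -> {outcome}")
```

The `short_port` sample shows the regression to watch for: with the host class no longer allowing a colon, a short port makes the whole URI go undetected rather than matching without a port.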
Changes
SEC101/041.RabbitMqCredentials
validator to check for loose credentials. e.g.