proposal: SqlServer connection string detector #867
Merged
Closes #866
The problem: at the moment trufflehog does not see SQL Server connection strings at all 🤷♂️
e.g. here is part of Program.cs:
Proposal: this pull request adds a dedicated SQLServer connection string detector to prevent such leaks
How it works
Because the connection string itself is a set of case-insensitive key-value pairs delimited by semicolons, with a regexp we look for something that may be a connection string.
To prevent false positives we then try to parse it with msdn.Parse.
And if everything is fine, as a last step we try to connect to the server with the connection string we have found.
Also there is a TestSQLServer_pattern with a few pattern-dedicated tests to see if the regexp will match the desired strings.
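The first two steps described above (a loose regexp match followed by a parse that discards candidates without a server and password), as an added Go example that is not the PR's code: the regexp, the alias table and the parse function are assumed simplified stand-ins for the project's pattern and for the msdn.Parse step, and the live connection check is left out.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// candidateRe loosely matches runs of "key=value;" pairs, the shape of a SQL Server
// connection string (assumed stand-in for the PR's regexp, not the project's pattern).
var candidateRe = regexp.MustCompile(`(?i)(?:[a-z ]+=[^;"'\s]+;\s*){2,}[a-z ]+=[^;"'\s]+;?`)

// aliases folds the synonyms SQL Server accepts onto one canonical key each.
var aliases = map[string]string{"data source": "server", "addr": "server", "uid": "user id", "pwd": "password"}

// ConnInfo holds what a triager needs to confirm and rotate a leaked credential.
type ConnInfo struct{ Server, User, Password string }

// parseConnString splits a candidate into case-insensitive key/value pairs and rejects
// it when server or password is missing: the false-positive filter, in place of the library parse.
func parseConnString(s string) (ConnInfo, bool) {
	kv := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, found := strings.Cut(part, "="); found {
			key := strings.ToLower(strings.TrimSpace(k))
			if canon, ok := aliases[key]; ok {
				key = canon
			}
			kv[key] = strings.TrimSpace(v)
		}
	}
	ci := ConnInfo{Server: kv["server"], User: kv["user id"], Password: kv["password"]}
	return ci, ci.Server != "" && ci.Password != ""
}

// FindSQLServerSecrets scans text and keeps only candidates that survive parsing; the live connection check is omitted.
func FindSQLServerSecrets(text string) []ConnInfo {
	var out []ConnInfo
	for _, m := range candidateRe.FindAllString(text, -1) {
		if ci, ok := parseConnString(m); ok {
			out = append(out, ci)
		}
	}
	return out
}

func main() {
	// Constructed sample input with placeholder values, not real credentials.
	src := `var cs = "Data Source=db.example.internal,1433;Database=Orders;UID=app;Pwd=S3cret!;";` +
		`var dev = "Server=localhost;Database=Dev;Integrated Security=true;";`
	for _, f := range FindSQLServerSecrets(src) {
		fmt.Printf("leaked credential: server=%s user=%s\n", f.Server, f.User)
	}
}
```

The second string in the sample uses integrated security and carries no password, so it is matched by the regexp but dropped by the parse step.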