fix(secret): change grafana token regex to find them without unquoted (
sgaist authored and fhielpos committed Dec 20, 2024
1 parent 617ddfe commit e24a2fb
Showing 3 changed files with 77 additions and 1 deletion.
2 changes: 1 addition & 1 deletion pkg/fanal/secret/builtin-rules.go
Expand Up @@ -553,7 +553,7 @@ var builtinRules = []Rule{
Category: CategoryGrafana,
Title: "Grafana API token",
Severity: "MEDIUM",
Regex: MustCompile(`['\"]eyJrIjoi(?i)[a-z0-9\-_=]{72,92}['\"]`),
Regex: MustCompile(`['\"]?eyJrIjoi(?i)[a-z0-9\-_=]{72,92}['\"]?`),
Keywords: []string{"eyJrIjoi"},
},
{
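Review bot: Making each quote independently optional on the new Regex line leaves the pattern with no boundary on either side, so it also matches a token-shaped run that starts mid-string, one that has a quote on only one side, and the first 92 characters of any longer base64 blob that happens to start with `eyJrIjoi`. That over-match may be acceptable for a secret scanner, but nothing pins it: the fixture only has cleanly delimited tokens, so a test line with the token embedded in a longer value would document the intent either way. RE2 has no lookaround, so a strict boundary would need a leading `(?:^|[^a-zA-Z0-9\-_=])` group and the Match offsets would have to account for it; at minimum a comment on the rule such as `// quotes optional so bare env-style assignments are found too` would record why they were relaxed. The rule literal that holds this Regex opens above the hunk.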
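--- a/pkg/fanal/secret/scanner_test.go
+++ b/pkg/fanal/secret/scanner_test.go
@@ -690,6 +690,71 @@ func TestSecretScanner(t *testing.T) {
 },
 }
 
+wantFindingGrafanaQuoted := types.SecretFinding{
+RuleID: "grafana-api-token",
+Category: secret.CategoryGrafana,
+Title: "Grafana API token",
+Severity: "MEDIUM",
+StartLine: 1,
+EndLine: 1,
+Match: "GRAFANA_TOKEN=**********************************************************************************************",
+Code: types.Code{
+Lines: []types.Line{
+{
+Number: 1,
+Content: "GRAFANA_TOKEN=**********************************************************************************************",
+Highlighted: "GRAFANA_TOKEN=**********************************************************************************************",
+IsCause: true,
+FirstCause: true,
+LastCause: true,
+},
+{
+Number: 2,
+Content: "GRAFANA_TOKEN=**************************************************************************************",
+Highlighted: "GRAFANA_TOKEN=**************************************************************************************",
+IsCause: false,
+FirstCause: false,
+LastCause: false,
+},
+},
+},
+}
+
+wantFindingGrafanaUnquoted := types.SecretFinding{
+RuleID: "grafana-api-token",
+Category: secret.CategoryGrafana,
+Title: "Grafana API token",
+Severity: "MEDIUM",
+StartLine: 2,
+EndLine: 2,
+Match: "GRAFANA_TOKEN=********************************************************************************************",
+Code: types.Code{
+Lines: []types.Line{
+{
+Number: 1,
+Content: "GRAFANA_TOKEN=**************************************************************************************",
+Highlighted: "GRAFANA_TOKEN=**************************************************************************************",
+IsCause: false,
+FirstCause: false,
+LastCause: false,
+},
+{
+Number: 2,
+Content: "GRAFANA_TOKEN=********************************************************************************************",
+Highlighted: "GRAFANA_TOKEN=********************************************************************************************",
+IsCause: true,
+FirstCause: true,
+LastCause: true,
+},
+{
+Number: 3,
+Content: "",
+Highlighted: "",
+},
+},
+},
+}
+
 wantMultiLine := types.SecretFinding{
 RuleID: "multi-line-secret",
 Category: "general",
@@ -858,6 +923,15 @@ func TestSecretScanner(t *testing.T) {
 Findings: []types.SecretFinding{wantFindingHuggingFace},
 },
 },
+{
+name: "find grafana secret",
+configPath: filepath.Join("testdata", "config.yaml"),
+inputFilePath: filepath.Join("testdata", "grafana-env.txt"),
+want: types.Secret{
+FilePath: filepath.Join("testdata", "grafana-env.txt"),
+Findings: []types.SecretFinding{wantFindingGrafanaUnquoted, wantFindingGrafanaQuoted},
+},
+},
 {
 name: "find JWT token",
 configPath: filepath.Join("testdata", "config.yaml"),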
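Review bot: The expected Findings slice in the new `find grafana secret` case lists `wantFindingGrafanaUnquoted` (StartLine 2) before `wantFindingGrafanaQuoted` (StartLine 1), which only passes if the scanner happens to report the bare-token finding first; if the comparison in the test loop (outside the hunk) is order-sensitive this encodes an incidental ordering that a later change to the scanner could break, so either sort both sides by StartLine before comparing or add `// findings are expected in scanner output order, not by line` so the dependency is explicit. The masked Match/Content literals are long runs of `*` whose lengths must agree with the fixture token, and the quoted and bare expectations differ only in that count; building them as `"GRAFANA_TOKEN=" + strings.Repeat("*", n)` with a named length (if strings is already imported here) would make the difference visible rather than something a reader has to count. The enclosing TestSecretScanner starts and ends outside both hunks.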
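--- a/pkg/fanal/secret/testdata/grafana-env.txt
+++ b/pkg/fanal/secret/testdata/grafana-env.txt
@@ -0,0 +1,2 @@
+GRAFANA_TOKEN="eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbkT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk"
+GRAFANA_TOKEN=eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbkT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk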
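Review bot: The fixture exercises only the double-quoted and bare forms, while the relaxed rule also accepts single quotes and a quote on just one side; a third line carrying the same synthetic token in single quotes, with a matching expected finding in scanner_test.go, would pin that branch of the regex. The third `types.Line` with `Number: 3` and empty Content in the unquoted expectation appears to come from this file's trailing newline, so the fixture needs to keep ending with one or that expectation will shift.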
