Add a new rule for combined AWS API key and secret (#190)

CHANGELOG.md

@@ -27,6 +27,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 - New rules have been added:
 
+  - AWS API Credentials ([#190](https://github.com/praetorian-inc/noseyparker/pull/190))
   - AWS AppSync API Key ([#176](https://github.com/praetorian-inc/noseyparker/pull/176))
   - Databricks Personal Access Token ([#187](https://github.com/praetorian-inc/noseyparker/pull/187) from @@tobiasgyoerfi)
   - Password Hash (Kerberos 5, etype 23, AS-REP) ([#176](https://github.com/praetorian-inc/noseyparker/pull/176))

crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap

@@ -2,4 +2,4 @@
 source: crates/noseyparker-cli/tests/rules/mod.rs
 expression: stdout
 ---
-142 rules and 3 rulesets: no issues detected
+143 rules and 3 rulesets: no issues detected

crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap

@@ -254,6 +254,27 @@ expression: stdout
         ]
       }
     },
+    {
+      "id": "np.aws.6",
+      "structural_id": "6081f1aa6f664739d2ca79e7aa1952b862dd32e9",
+      "name": "AWS API Credentials",
+      "syntax": {
+        "name": "AWS API Credentials",
+        "id": "np.aws.6",
+        "pattern": "(?x)\n(?m)\n\\b\n((?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})     (?# API key )\n\\b\n(?: (?s) .{0,40} )                                                        (?# Arbitrary intermediate stuff )\n\\b\n([A-Za-z0-9/+=]{40})                                                      (?# secret )\n(?: [^A-Za-z0-9/+=] | $ )\n",
+        "examples": [
+          "export AWS_API_KEY='A3T0ABCDEFGHIJKLMNOP'\nexport AWS_SECRET_ACCESS_KEY='ded7db27a4558eea9bbf0bf36e0e8521618f366c'\n",
+          "export AWS_API_KEY='A3T0ABCDEFGHIJKLMNOP''ded7db27a4558eea9bbf0bf36e0e8521618f366c'"
+        ],
+        "negative_examples": [],
+        "references": [
+          "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
+          "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html",
+          "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html",
+          "https://docs.aws.amazon.com/accounts/latest/reference/credentials-access-keys-best-practices.html"
+        ]
+      }
+    },
     {
       "id": "np.azure.1",
       "structural_id": "8d2b8482f72be3b33030ff0f584e4f26bfef2656",
@@ -2842,7 +2863,7 @@ expression: stdout
     {
       "id": "default",
       "name": "Nosey Parker default rules",
-      "num_rules": 121
+      "num_rules": 122
     },
     {
       "id": "np.assets",

crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap

@@ -16,6 +16,7 @@ expression: stdout
  np.aws.3             AWS Account ID 
  np.aws.4             AWS Session Token 
  np.aws.5             Amazon MWS Auth Token 
+ np.aws.6             AWS API Credentials 
  np.azure.1           Azure Connection String 
  np.azure.2           Azure App Configuration Connection String 
  np.blynk.1           Blynk Device Access Token 
@@ -149,6 +150,6 @@ expression: stdout
 
  Ruleset ID   Ruleset Name                         Rules 
 ─────────────────────────────────────────────────────────
- default      Nosey Parker default rules             121 
+ default      Nosey Parker default rules             122 
  np.assets    Nosey Parker asset detection rules      15 
  np.hashes    Nosey Parker password hash rules         6

crates/noseyparker-cli/tests/scan/appmaker/mod.rs

@@ -30,7 +30,7 @@ fn scan_workflow_from_git_url() {
     // The alternatives in the regex here are to account for different behavior from `git clone
     // --bare` between version 2.39 and 2.44: the newer version pulls additional content??
     .stdout(is_match(
-        r"(?m)^Scanned (549.97|550.05) MiB from 7,92[68] blobs in .*; 23/23 new matches$",
+        r"(?m)^Scanned (549.97|550.05) MiB from 7,92[68] blobs in .*; 24/24 new matches$",
     ));
 
     assert_cmd_snapshot!(noseyparker_success!("summarize", datastore_arg));

crates/noseyparker-cli/tests/scan/appmaker/snapshots/test_noseyparker__scan__appmaker__scan_workflow_from_git_url-2.snap

@@ -2,12 +2,11 @@
 source: crates/noseyparker-cli/tests/scan/appmaker/mod.rs
 expression: stdout
 ---
-
  Rule                         Total Findings   Total Matches 
 ─────────────────────────────────────────────────────────────
  AWS API Key                               3               3 
  AWS S3 Bucket (path style)                3              13 
  Amazon Resource Name                      3               3 
  Generic Secret                            3               3 
- AWS Secret Access Key                     1               1 
-
+ AWS API Credentials                       1               1 
+ AWS Secret Access Key                     1               1

crates/noseyparker-cli/tests/scan/appmaker/snapshots/test_noseyparker__scan__appmaker__scan_workflow_from_git_url-4.snap

@@ -3,6 +3,82 @@ source: crates/noseyparker-cli/tests/scan/appmaker/mod.rs
 expression: read_json(report_json.path()).unwrap()
 ---
 [
+  {
+    "comment": null,
+    "finding_id": "43ee76ab13531cf63b65f88804fd30dffba01b54",
+    "groups": [
+      "QUtJQUpVWlBMVE5NWTJKU1hMWUE=",
+      "RHZIeEhMTXNPMGZTbk5xSTgyZWZxNHNPOFFlZmRNU3ozbDJxMlhrMQ=="
+    ],
+    "matches": [
+      {
+        "blob_id": "fba046509dc93ea42e3be8bf0f8bd181ae3ddb20",
+        "blob_metadata": {
+          "charset": null,
+          "id": "fba046509dc93ea42e3be8bf0f8bd181ae3ddb20",
+          "mime_essence": null,
+          "num_bytes": 523
+        },
+        "comment": null,
+        "groups": [
+          "QUtJQUpVWlBMVE5NWTJKU1hMWUE=",
+          "RHZIeEhMTXNPMGZTbk5xSTgyZWZxNHNPOFFlZmRNU3ozbDJxMlhrMQ=="
+        ],
+        "location": {
+          "offset_span": {
+            "end": 455,
+            "start": 357
+          },
+          "source_span": {
+            "end": {
+              "column": 0,
+              "line": 12
+            },
+            "start": {
+              "column": 8,
+              "line": 9
+            }
+          }
+        },
+        "provenance": [
+          {
+            "first_commit": {
+              "blob_path": "my.env",
+              "commit_metadata": {
+                "author_email": "[email protected]",
+                "author_name": "David Ascher",
+                "author_timestamp": "1378126038 +0100",
+                "commit_id": "9ba2c5654ef78e49ce0173b81f1bcf8f25fcb36a",
+                "committer_email": "[email protected]",
+                "committer_name": "David Ascher",
+                "committer_timestamp": "1378126038 +0100",
+                "message": "fix both 254 and 257\n"
+              }
+            },
+            "kind": "git_repo",
+            "repo_path": "<REPO>"
+          }
+        ],
+        "rule_name": "AWS API Credentials",
+        "rule_structural_id": "6081f1aa6f664739d2ca79e7aa1952b862dd32e9",
+        "rule_text_id": "np.aws.6",
+        "score": null,
+        "snippet": {
+          "after": "SHARE_URL_PREFIX=https://s3.amazonaws.com/com.mozillalabs.appmaker/\n",
+          "before": " a janitor for arrogant rich people; so I clean their computer keyboareds with the toilet brush\nPATH=bin:node_modules/.bin:/usr/local/bin:/usr/bin:/bin\nPORT=5002\nPUBLISH_HOST=appalot.me\nPUBLISH_HOST_PREFIX=http://\nS3_BUCKET=com.mozillalabs.appmaker\nS3_KEY=",
+          "matching": "AKIAJUZPLTNMY2JSXLYA\nS3_OBJECT_PREFIX=flathead\nS3_SECRET=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\n"
+        },
+        "status": null,
+        "structural_id": "3826a0168ec2553f84592b57baa55218b004e1cb"
+      }
+    ],
+    "mean_score": null,
+    "num_matches": 1,
+    "rule_name": "AWS API Credentials",
+    "rule_structural_id": "6081f1aa6f664739d2ca79e7aa1952b862dd32e9",
+    "rule_text_id": "np.aws.6",
+    "statuses": []
+  },
   {
     "comment": null,
     "finding_id": "384ff44ebe6409d664f0d31189828b2e5ffbf45b",

crates/noseyparker-cli/tests/scan/appmaker/snapshots/test_noseyparker__scan__appmaker__scan_workflow_from_git_url-5.snap

@@ -2,7 +2,37 @@
 source: crates/noseyparker-cli/tests/scan/appmaker/mod.rs
 expression: "std::fs::read_to_string(report_txt.path()).unwrap()"
 ---
-Finding 1/13
+Finding 1/14
+Rule: AWS API Credentials
+Group 1: AKIAJUZPLTNMY2JSXLYA
+Group 2: DvHxHLMsO0fSnNqI82efq4sO8QefdMSz3l2q2Xk1
+
+    Occurrence 1/1
+    Git repo:  <REPO>
+    Commit: first seen in 9ba2c5654ef78e49ce0173b81f1bcf8f25fcb36a
+
+        Author:     David Ascher <[email protected]>
+        Date:       2013-09-02
+        Summary:    fix both 254 and 257
+        Path:       my.env
+
+    Blob:  <BLOB>
+    Lines: 9:8-12:0
+
+         a janitor for arrogant rich people; so I clean their computer keyboareds with the toilet brush
+        PATH=bin:node_modules/.bin:/usr/local/bin:/usr/bin:/bin
+        PORT=5002
+        PUBLISH_HOST=appalot.me
+        PUBLISH_HOST_PREFIX=http://
+        S3_BUCKET=com.mozillalabs.appmaker
+        S3_KEY=AKIAJUZPLTNMY2JSXLYA
+        S3_OBJECT_PREFIX=flathead
+        S3_SECRET=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
+        SHARE_URL_PREFIX=https://s3.amazonaws.com/com.mozillalabs.appmaker/
+
+
+
+Finding 2/14
 Rule: AWS API Key
 Group: AKIAJEEUOSJXYB2BKLMA
 
@@ -21,7 +51,7 @@ Group: AKIAJEEUOSJXYB2BKLMA
         {"TERM_PROGRAM":"Apple_Terminal","TERM":"xterm-256color","SHELL":"/usr/local/bin/fish","CLICOLOR":"1","TMPDIR":"/var/folders/xj/5v3cc4y9039fx_fhk67bvg8w0000gn/T/","AWS_ID":"AKIAJEEUOSJXYB2BKLMA","Apple_PubSub_Socket_Render":"/tmp/launch-rHzB0S/Render","TERM_PROGRAM_VERSION":"326","TERM_SESSION_ID":"C99AE63D-8AC8-40EC-9A43-7C14ACEBE413","ANT_HOME":"/usr/local/etc/ant","CMD_DURATION":"1m 22.1s","USER":"davida","SSH_AUTH_SOCK":"/tmp/launch-W9AsCX/L
 
 
-Finding 2/13
+Finding 3/14
 Rule: AWS API Key
 Group: AKIAJQNF3BIPEDR6MXEA
 
@@ -40,7 +70,7 @@ Group: AKIAJQNF3BIPEDR6MXEA
         S3U+qflQBzMNZ3TqlsXsrqBfA12wcidr5jLQ","S3_OBJECT_PREFIX":"flathead","SSH_AUTH_SOCK":"/tmp/launch-W9AsCX/Listeners","__CF_USER_TEXT_ENCODING":"0x1F5:0:0","PATH":"/usr/bin:/bin:/usr/local/bin:/usr/X11R6/bin","__CHECKFIX1436934":"1","ASSET_HOST":"","S3_KEY":"AKIAJQNF3BIPEDR6MXEA","PWD":"/Users/davida/src/appmaker","LANG":"en_CA.UTF-8","PUBLISH_URL_PREFIX":"XXX","HOME":"/Users/davida","SHLVL":"2","LOGNAME":"davida","S3_BUCKET":"com.mozillalabs.appmaker","COOKIE_SECRET":"I hate working as a janitor for arrogant rich people; so I cl
 
 
-Finding 3/13
+Finding 4/14
 Rule: AWS API Key
 Group: AKIAJUZPLTNMY2JSXLYA
 
@@ -69,7 +99,7 @@ Group: AKIAJUZPLTNMY2JSXLYA
 
 
 
-Finding 4/13
+Finding 5/14
 Rule: AWS S3 Bucket (path style)
 Group: s3-us-west-2.amazonaws.com/makerstrap
 
@@ -105,7 +135,7 @@ Group: s3-us-west-2.amazonaws.com/makerstrap
           aria-labelledby=
 
 
-Finding 5/13
+Finding 6/14
 Rule: AWS S3 Bucket (path style)
 Group: s3.amazonaws.com/com.mozillalabs.appmaker
 Showing 3/11 occurrences:
@@ -171,7 +201,7 @@ Showing 3/11 occurrences:
                   <div class="links"><a href="http://enchant
 
 
-Finding 6/13
+Finding 7/14
 Rule: AWS S3 Bucket (path style)
 Group: s3.amazonaws.com/listjs
 
@@ -206,7 +236,7 @@ Group: s3.amazonaws.com/listjs
         - Work
 
 
-Finding 7/13
+Finding 8/14
 Rule: AWS Secret Access Key
 Group: D+aLcccLrHbdWtCnN75MKI7Nmb9NZQHZ5cSxwOom
 
@@ -225,7 +255,7 @@ Group: D+aLcccLrHbdWtCnN75MKI7Nmb9NZQHZ5cSxwOom
         Frameworks/JavaVM.framework/Versions/1.6/Home","LANG":"en_CA.UTF-8","BING_APP_ID":"yX/AEjX7Iz6zSSDo+rvTxDCvTEjuQDGC+fNdVgk6bZs=","SHLVL":"2","HOME":"/Users/davida","PYTHONPATH":"/Users/davida/lib/python2.6/site-packages:","LOGNAME":"davida","PORT":"1234","AWS_SECRET":"D+aLcccLrHbdWtCnN75MKI7Nmb9NZQHZ5cSxwOom","DISPLAY":"/tmp/launch-xo2Dks/org.macosforge.xquartz:0","SECURITYSESSIONID":"186a4","_":"/usr/local/bin/node"}
 
 
-Finding 8/13
+Finding 9/14
 Rule: Amazon Resource Name
 Group: arn:aws:s3:::XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
 
@@ -267,7 +297,7 @@ Group: arn:aws:s3:::XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
         12. If you want deletion from the cache to be done automatically based on age (like Bootstrap does): In the bucket's Proper
 
 
-Finding 9/13
+Finding 10/14
 Rule: Amazon Resource Name
 Group: arn:aws:s3:::XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/*
 
@@ -307,7 +337,7 @@ Group: arn:aws:s3:::XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/*
         12. If you want deletion from the cache to be done automatically based on age (like Bootstrap does): In the bucket's Properties pane, in the "Lifecycle" section, add a rule to expire/delete files ba
 
 
-Finding 10/13
+Finding 11/14
 Rule: Amazon Resource Name
 Group: arn:aws:s3:::the-bucket-name-goes-here`
 
@@ -342,7 +372,7 @@ Group: arn:aws:s3:::the-bucket-name-goes-here`
         11. Input and submit an IAM Policy that grants the user at least read+write rights to the bucket. AWS has a policy generator and some examples to help
 
 
-Finding 11/13
+Finding 12/14
 Rule: Generic Secret
 Group: DvHxHLMsO0fSnNqI82efq4sO8QefdMSz3l2q2Xk1
 
@@ -371,7 +401,7 @@ Group: DvHxHLMsO0fSnNqI82efq4sO8QefdMSz3l2q2Xk1
 
 
 
-Finding 12/13
+Finding 13/14
 Rule: Generic Secret
 Group: aLcccLrHbdWtCnN75MKI7Nmb9NZQHZ5cSxwOom
 
@@ -390,7 +420,7 @@ Group: aLcccLrHbdWtCnN75MKI7Nmb9NZQHZ5cSxwOom
         eworks/JavaVM.framework/Versions/1.6/Home","LANG":"en_CA.UTF-8","BING_APP_ID":"yX/AEjX7Iz6zSSDo+rvTxDCvTEjuQDGC+fNdVgk6bZs=","SHLVL":"2","HOME":"/Users/davida","PYTHONPATH":"/Users/davida/lib/python2.6/site-packages:","LOGNAME":"davida","PORT":"1234","AWS_SECRET":"D+aLcccLrHbdWtCnN75MKI7Nmb9NZQHZ5cSxwOom","DISPLAY":"/tmp/launch-xo2Dks/org.macosforge.xquartz:0","SECURITYSESSIONID":"186a4","_":"/usr/local/bin/node"}
 
 
-Finding 13/13
+Finding 14/14
 Rule: Generic Secret
 Group: qflQBzMNZ3TqlsXsrqBfA12wcidr5jLQ
 
@@ -407,6 +437,3 @@ Group: qflQBzMNZ3TqlsXsrqBfA12wcidr5jLQ
     Lines: 1:392-1:440
 
         8w0000gn/T/","Apple_PubSub_Socket_Render":"/tmp/launch-rHzB0S/Render","TERM_PROGRAM_VERSION":"326","OLDPWD":"/Users/davida/src/appmaker","TERM_SESSION_ID":"5600EB0F-9A8F-4DF7-BB34-CD3E7CB7408D","COMPONENTS_BASE_URL":"//localhost:5000/","USER":"davida","S3_SECRET":"gQUSS3U+qflQBzMNZ3TqlsXsrqBfA12wcidr5jLQ","S3_OBJECT_PREFIX":"flathead","SSH_AUTH_SOCK":"/tmp/launch-W9AsCX/Listeners","__CF_USER_TEXT_ENCODING":"0x1F5:0:0","PATH":"/usr/bin:/bin:/usr/local/bin:/usr/X11R6/bin","__CHECKFIX1436934":"1","ASSET_HOST":"","S3_KEY":"AKIAJQNF3BIPEDR6MXEA","PWD":"/Users/
-
-
-

crates/noseyparker/data/default/builtin/rules/aws.yml

@@ -340,3 +340,32 @@ rules:
 
   examples:
   - "  aws_appsync_apiKey: 'da2-nmaqhbb63zabjactesiydcfuvu',"
+
+
+# This matches an API key followed closely by a secret access key
+- name: AWS API Credentials
+  id: np.aws.6
+
+  pattern: |
+    (?x)
+    (?m)
+    \b
+    ((?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16})     (?# API key )
+    \b
+    (?: (?s) .{0,40} )                                                        (?# Arbitrary intermediate stuff )
+    \b
+    ([A-Za-z0-9/+=]{40})                                                      (?# secret )
+    (?: [^A-Za-z0-9/+=] | $ )
+
+  references:
+  - https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
+  - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
+  - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
+  - https://docs.aws.amazon.com/accounts/latest/reference/credentials-access-keys-best-practices.html
+
+  examples:
+  - |
+      export AWS_API_KEY='A3T0ABCDEFGHIJKLMNOP'
+      export AWS_SECRET_ACCESS_KEY='ded7db27a4558eea9bbf0bf36e0e8521618f366c'
+
+  - export AWS_API_KEY='A3T0ABCDEFGHIJKLMNOP''ded7db27a4558eea9bbf0bf36e0e8521618f366c'

crates/noseyparker/data/default/builtin/rulesets/default.yml

@@ -23,6 +23,7 @@ rulesets:
   - np.aws.2          # AWS Secret Access Key
   - np.aws.4          # AWS Session Token
   - np.aws.5          # Amazon MWS Auth Token
+  - np.aws.6          # Amazon API Credentials
   - np.azure.1        # Azure Connection String
   - np.azure.2        # Azure App Configuration Connection String
   - np.blynk.1        # Blynk Device Access Token