From a4b67f3d60ff956af738120bfedbc512971311bc Mon Sep 17 00:00:00 2001
From: Andras Gemes
Date: Wed, 20 Dec 2023 10:39:04 +0100
Subject: [PATCH 1/2] Add TrueNAS API Key rule
---
 CHANGELOG.md | 1 +
 README.md | 2 +-
 ...parker__rules__rules_check_builtins-2.snap | 2 +-
 ...noseyparker__rules__rules_list_json-2.snap | 6 +++++-
 ...seyparker__rules__rules_list_noargs-2.snap | 3 ++-
 .../data/default/builtin/rules/truenas.yml | 21 +++++++++++++++++++
 .../data/default/builtin/rulesets/default.yml | 1 +
 7 files changed, 32 insertions(+), 4 deletions(-)
 create mode 100644 crates/noseyparker/data/default/builtin/rules/truenas.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 059d96630..3dfcfdac5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Docker Hub Personal Access Token ([#108](https://github.com/praetorian-inc/noseyparker/pull/108) - thank you @gemesa!)
 - Dropbox Access Token ([#106](https://github.com/praetorian-inc/noseyparker/pull/106) - thank you @gemesa!)
+ - TrueNAS API Key
 - WireGuard Private Key ([#104](https://github.com/praetorian-inc/noseyparker/pull/104) - thank you @gemesa!)
 - WireGuard Preshared Key ([#104](https://github.com/praetorian-inc/noseyparker/pull/104) - thank you @gemesa!)
diff --git a/README.md b/README.md
index a0dd626f8..afbdd2046 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ Nosey Parker is a command-line tool that finds secrets and sensitive information
 **Key features:**
 - It supports scanning files, directories, and the entire history of Git repositories
-- It uses regular expression matching with a set of 118 patterns chosen for high signal-to-noise based on experience and feedback from offensive security engagements
+- It uses regular expression matching with a set of 119 patterns chosen for high signal-to-noise based on experience and feedback from offensive security engagements
 - It groups matches together that share the same secret, further emphasizing signal over noise
 - It is fast: it can scan at hundreds of megabytes per second on a single core, and is able to scan 100GB of Linux kernel source history in less than 2 minutes on an older MacBook Pro
diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap
index 1b5ac4481..9742260b1 100644
--- a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap
+++ b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap
@@ -2,5 +2,5 @@ source: crates/noseyparker-cli/tests/rules/mod.rs
 expression: stdout
 ---
-118 rules and 3 rulesets: no issues detected
+119 rules and 3 rulesets: no issues detected
diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap
index 09390ef4a..4855f8299 100644
--- a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap
+++ b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap
@@ -456,6 +456,10 @@ expression: stdout
 "id": "np.telegram.1",
 "name": "Telegram Bot Token"
 },
+ {
+ "id": "np.truenas.1",
+ "name": "TrueNAS API Key"
+ },
 {
 "id": "np.twilio.1",
 "name": "Twilio API Key"
@@ -481,7 +485,7 @@ expression: stdout
 {
 "id": "default",
 "name": "Nosey Parker default rules",
- "num_rules": 98
+ "num_rules": 99
 },
 {
 "id": "np.assets",
diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap
index 9a1bd0cd6..8a3645e1f 100644
--- a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap
+++ b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap
@@ -118,6 +118,7 @@ expression: stdout
 np.stripe.1 Stripe API Key
 np.stripe.2 Stripe API Test Key
 np.telegram.1 Telegram Bot Token
+ np.truenas.1 TrueNAS API Key
 np.twilio.1 Twilio API Key
 np.twitter.1 Twitter Client ID
 np.twitter.2 Twitter Secret Key
@@ -126,7 +127,7 @@ expression: stdout
 Ruleset ID Ruleset Name Rules
 ─────────────────────────────────────────────────────────
- default Nosey Parker default rules 98
+ default Nosey Parker default rules 99
 np.assets Nosey Parker asset detection rules 15
 np.hashes Nosey Parker password hash rules 5
diff --git a/crates/noseyparker/data/default/builtin/rules/truenas.yml b/crates/noseyparker/data/default/builtin/rules/truenas.yml
new file mode 100644
index 000000000..acb5e89c8
--- /dev/null
+++ b/crates/noseyparker/data/default/builtin/rules/truenas.yml
@@ -0,0 +1,21 @@
+rules:
+
+- name: TrueNAS API Key
+ id: np.truenas.1
+
+ pattern: |
+ (?x)
+ \b
+ (\d+-[a-zA-Z0-9]{64})
+ \b
+
+ examples:
+ - '{"id":"3286a508-a6ca-278a-c078-85b2b515d8d2", "msg":"method", "method":"auth.login_with_api_key", "params":["8-Lp22ov7halMBLUpG97Wg4y7fibQi3CW19VJiZcCu746zgCs0mdDdTCoOcpgEucgu"]}'
+ - '{"id":"677d9914-f598-f497-e77e-2a3aadbb822e", "msg":"method", "method":"auth.login_with_api_key", "params":["9-hTSZDBPyg0PjRZvWb8omoxJ7X2gAjRGmiPKql9ENGIUP9OPtEAzz5f6g9YIMVbZT"]}'
+ - '{"id":"2755dad4-cc12-94bb-a894-ba0f85c3fdbf", "msg":"method", "method":"auth.login_with_api_key", "params":["10-6LZBVhNq8zze0rzXJptfSWDBoskWuThnQb3fUVw4sVNgJ7GKT3ITVIovhwPf34oL"]}'
+
+ references:
+ - https://www.truenas.com/docs/api/core_websocket_api.html
+ - https://www.truenas.com/docs/scale/scaletutorials/toptoolbar/managingapikeys/
+ - https://www.truenas.com/docs/scale/scaleclireference/auth/cliapikey/
+ - https://www.truenas.com/docs/scale/api/
diff --git a/crates/noseyparker/data/default/builtin/rulesets/default.yml b/crates/noseyparker/data/default/builtin/rulesets/default.yml
index 2bde94533..be4444ca8 100644
--- a/crates/noseyparker/data/default/builtin/rulesets/default.yml
+++ b/crates/noseyparker/data/default/builtin/rulesets/default.yml
@@ -109,6 +109,7 @@ rulesets:
 - np.stripe.1 # Stripe API Key
 - np.stripe.2 # Stripe API Test Key
 - np.telegram.1 # Telegram Bot Token
+ - np.truenas.1 # TrueNAS API Key
 - np.twilio.1 # Twilio API Key
 - np.twitter.2 # Twitter Secret Key
 - np.wireguard.1 # WireGuard Private Key
From 662876ade941855560464fe73ad6a7bd4e6b405d Mon Sep 17 00:00:00 2001
From: Andras Gemes
Date: Wed, 20 Dec 2023 19:49:20 +0100
Subject: [PATCH 2/2] Split TrueNAS API Key rule and make it stricter
---
 CHANGELOG.md | 3 +-
 README.md | 2 +-
 ...parker__rules__rules_check_builtins-2.snap | 2 +-
 ...noseyparker__rules__rules_list_json-2.snap | 8 +++-
 ...seyparker__rules__rules_list_noargs-2.snap | 5 ++-
 .../data/default/builtin/rules/truenas.yml | 42 ++++++++++++++++---
 .../data/default/builtin/rulesets/default.yml | 3 +-
 7 files changed, 52 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3dfcfdac5..bf117e698 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,7 +14,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Docker Hub Personal Access Token ([#108](https://github.com/praetorian-inc/noseyparker/pull/108) - thank you @gemesa!)
 - Dropbox Access Token ([#106](https://github.com/praetorian-inc/noseyparker/pull/106) - thank you @gemesa!)
- - TrueNAS API Key
+ - TrueNAS API Key (WebSocket)
+ - TrueNAS API Key (REST API)
 - WireGuard Private Key ([#104](https://github.com/praetorian-inc/noseyparker/pull/104) - thank you @gemesa!)
 - WireGuard Preshared Key ([#104](https://github.com/praetorian-inc/noseyparker/pull/104) - thank you @gemesa!)
diff --git a/README.md b/README.md
index afbdd2046..ef42ddc6b 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ Nosey Parker is a command-line tool that finds secrets and sensitive information
 **Key features:**
 - It supports scanning files, directories, and the entire history of Git repositories
-- It uses regular expression matching with a set of 119 patterns chosen for high signal-to-noise based on experience and feedback from offensive security engagements
+- It uses regular expression matching with a set of 120 patterns chosen for high signal-to-noise based on experience and feedback from offensive security engagements
 - It groups matches together that share the same secret, further emphasizing signal over noise
 - It is fast: it can scan at hundreds of megabytes per second on a single core, and is able to scan 100GB of Linux kernel source history in less than 2 minutes on an older MacBook Pro
diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap
index 9742260b1..507899da7 100644
--- a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap
+++ b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_check_builtins-2.snap
@@ -2,5 +2,5 @@ source: crates/noseyparker-cli/tests/rules/mod.rs
 expression: stdout
 ---
-119 rules and 3 rulesets: no issues detected
+120 rules and 3 rulesets: no issues detected
diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap
index 4855f8299..38e360f03 100644
--- a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap
+++ b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap
@@ -458,7 +458,11 @@ expression: stdout
 },
 {
 "id": "np.truenas.1",
- "name": "TrueNAS API Key"
+ "name": "TrueNAS API Key (WebSocket)"
+ },
+ {
+ "id": "np.truenas.2",
+ "name": "TrueNAS API Key (REST API)"
 },
 {
 "id": "np.twilio.1",
@@ -485,7 +489,7 @@ expression: stdout
 {
 "id": "default",
 "name": "Nosey Parker default rules",
- "num_rules": 99
+ "num_rules": 100
 },
 {
 "id": "np.assets",
diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap
index 8a3645e1f..1c695cd75 100644
--- a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap
+++ b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_noargs-2.snap
@@ -118,7 +118,8 @@ expression: stdout
 np.stripe.1 Stripe API Key
 np.stripe.2 Stripe API Test Key
 np.telegram.1 Telegram Bot Token
- np.truenas.1 TrueNAS API Key
+ np.truenas.1 TrueNAS API Key (WebSocket)
+ np.truenas.2 TrueNAS API Key (REST API)
 np.twilio.1 Twilio API Key
 np.twitter.1 Twitter Client ID
 np.twitter.2 Twitter Secret Key
@@ -127,7 +128,7 @@ expression: stdout
 Ruleset ID Ruleset Name Rules
 ─────────────────────────────────────────────────────────
- default Nosey Parker default rules 99
+ default Nosey Parker default rules 100
 np.assets Nosey Parker asset detection rules 15
 np.hashes Nosey Parker password hash rules 5
diff --git a/crates/noseyparker/data/default/builtin/rules/truenas.yml b/crates/noseyparker/data/default/builtin/rules/truenas.yml
index acb5e89c8..767439e59 100644
--- a/crates/noseyparker/data/default/builtin/rules/truenas.yml
+++ b/crates/noseyparker/data/default/builtin/rules/truenas.yml
@@ -1,21 +1,53 @@
 rules:
-- name: TrueNAS API Key
+- name: TrueNAS API Key (WebSocket)
 id: np.truenas.1
 pattern: |
 (?x)
- \b
+ "params"\s*:\s*\[\s*"
 (\d+-[a-zA-Z0-9]{64})
- \b
+ "\s*\]
 examples:
 - '{"id":"3286a508-a6ca-278a-c078-85b2b515d8d2", "msg":"method", "method":"auth.login_with_api_key", "params":["8-Lp22ov7halMBLUpG97Wg4y7fibQi3CW19VJiZcCu746zgCs0mdDdTCoOcpgEucgu"]}'
- - '{"id":"677d9914-f598-f497-e77e-2a3aadbb822e", "msg":"method", "method":"auth.login_with_api_key", "params":["9-hTSZDBPyg0PjRZvWb8omoxJ7X2gAjRGmiPKql9ENGIUP9OPtEAzz5f6g9YIMVbZT"]}'
- - '{"id":"2755dad4-cc12-94bb-a894-ba0f85c3fdbf", "msg":"method", "method":"auth.login_with_api_key", "params":["10-6LZBVhNq8zze0rzXJptfSWDBoskWuThnQb3fUVw4sVNgJ7GKT3ITVIovhwPf34oL"]}'
+ - '{"id":"677d9914-f598-f497-e77e-2a3aadbb822e", "msg":"method", "method":"auth.login_with_api_key", "params" : ["9-hTSZDBPyg0PjRZvWb8omoxJ7X2gAjRGmiPKql9ENGIUP9OPtEAzz5f6g9YIMVbZT"]}'
+ - '{"id":"2755dad4-cc12-94bb-a894-ba0f85c3fdbf", "msg":"method", "method":"auth.login_with_api_key", "params" : [ "10-6LZBVhNq8zze0rzXJptfSWDBoskWuThnQb3fUVw4sVNgJ7GKT3ITVIovhwPf34oL" ]}'
+ - |
+ {
+ "id": "2755dad4-cc12-94bb-a894-ba0f85c3fdbf",
+ "msg": "method",
+ "method": "auth.login_with_api_key",
+ "params": [
+ "10-6LZBVhNq8zze0rzXJptfSWDBoskWuThnQb3fUVw4sVNgJ7GKT3ITVIovhwPf34oL"
+ ]
+ }
+
+ references:
+ - https://www.truenas.com/docs/api/core_websocket_api.html
+ - https://www.truenas.com/docs/api/scale_rest_api.html
+ - https://www.truenas.com/docs/scale/scaletutorials/toptoolbar/managingapikeys/
+ - https://www.truenas.com/docs/scale/scaleclireference/auth/cliapikey/
+ - https://www.truenas.com/docs/scale/api/
+ - https://www.truenas.com/community/threads/api-examples-in-perl-python.108053/
+
+- name: TrueNAS API Key (REST API)
+ id: np.truenas.2
+
+ pattern: |
+ (?x)
+ Bearer\s*
+ (\d+-[a-zA-Z0-9]{64})
+ \b
+
+ examples:
+ # only "Bearer" is accepted by TrueNAS API (no "bearer" etc.)
+ - 'curl -X POST "http://192.168.0.30/api/v2.0/device/get_info" -H "Content-Type: application/json" -H "Authorization: Bearer 8-Lp22ov7halMBLUpG97Wg4y7fibQi3CW19VJiZcCu746zgCs0mdDdTCoOcpgEucgu" -d "\"SERIAL\""'
 references:
 - https://www.truenas.com/docs/api/core_websocket_api.html
+ - https://www.truenas.com/docs/api/scale_rest_api.html
 - https://www.truenas.com/docs/scale/scaletutorials/toptoolbar/managingapikeys/
 - https://www.truenas.com/docs/scale/scaleclireference/auth/cliapikey/
 - https://www.truenas.com/docs/scale/api/
+ - https://www.truenas.com/community/threads/api-examples-in-perl-python.108053/
diff --git a/crates/noseyparker/data/default/builtin/rulesets/default.yml b/crates/noseyparker/data/default/builtin/rulesets/default.yml
index be4444ca8..d98f4bb22 100644
--- a/crates/noseyparker/data/default/builtin/rulesets/default.yml
+++ b/crates/noseyparker/data/default/builtin/rulesets/default.yml
@@ -109,7 +109,8 @@ rulesets:
 - np.stripe.1 # Stripe API Key
 - np.stripe.2 # Stripe API Test Key
 - np.telegram.1 # Telegram Bot Token
- - np.truenas.1 # TrueNAS API Key
+ - np.truenas.1 # TrueNAS API Key (WebSocket)
+ - np.truenas.2 # TrueNAS API Key (REST API)
 - np.twilio.1 # Twilio API Key
 - np.twitter.2 # Twitter Secret Key
 - np.wireguard.1 # WireGuard Private Key
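Review bot: The REST rule np.truenas.2 anchors on `Bearer\s*`, so zero whitespace between the scheme and the token is accepted even though no valid `Authorization` header is written that way; `Bearer\s+` keeps the curl example matching and drops that class of accidental hits. Neither rule carries negative examples pinning what this commit makes stricter — a bare `N-<64 alnum>` token outside a `params` array or an `Authorization` header must no longer fire — so a later loosening of either pattern would pass the rules check unnoticed; if the rule schema supports a `negative_examples:` list, add the key on its own and a lowercase `bearer` header as entries. The WebSocket rule also requires double-quoted JSON (`"params"\s*:\s*\[\s*"`), so a client that logs the call as a single-quoted dict literal is not covered; that trade-off is worth a comment beside the pattern, e.g. `# serialized JSON only; single-quoted dict literals are not matched`.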