[MongoDB] Detect CosmoDB access keys #1511

Merged: 1 commit, Jul 26, 2023

@rgmz rgmz commented Jul 19, 2023

The current pattern does not detect Azure CosmoDB Access Keys, which are 88 characters long.

Random example pulled from GitHub:
https://github.com/MichelliBrito/agendalive/blob/e74b7d74cc28140f77e22af1ba372a813dc99aa4/src/main/resources/application.properties#L2

I would recommend generating a live secret and adding that to the test bank, if possible.
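An added illustration of the gap described in the comment above, not code from this pull request or from TruffleHog: two hypothetical connection-string patterns that differ only in the password length cap, run over a constructed properties file. The patterns, the caps, the host names and the 88-character key are all assumptions made for the example; the page itself gives only the key length.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"net/url"
	"regexp"
)

// Hypothetical patterns (not TruffleHog's): identical except for the password length cap.
var (
	cappedPat = regexp.MustCompile(`mongodb(?:\+srv)?://[^\s:/@]{1,64}:[^\s:/@]{3,40}@[^\s/?]+`)
	widePat   = regexp.MustCompile(`mongodb(?:\+srv)?://[^\s:/@]{1,64}:[^\s:/@]{3,100}@[^\s/?]+`)
)

// constructedKey is NOT a real key: base64 of 64 constant bytes, 88 characters long.
func constructedKey() string {
	return base64.StdEncoding.EncodeToString(bytes.Repeat([]byte("A"), 64))
}

// sampleConfig is a constructed properties file with one short and one 88-character password.
func sampleConfig() string {
	return "db.local=mongodb://app:hunter2pw@db.example.invalid:27017/test\n" +
		"db.cosmos=mongodb://acct:" + constructedKey() + "@acct.example.invalid:10255/?ssl=true\n"
}

// passwordLengths returns the password length of every URI that pat finds in text.
func passwordLengths(pat *regexp.Regexp, text string) []int {
	var out []int
	for _, m := range pat.FindAllString(text, -1) {
		u, err := url.Parse(m)
		if err != nil || u.User == nil {
			continue
		}
		pw, _ := u.User.Password()
		out = append(out, len(pw))
	}
	return out
}

func main() {
	// The capped pattern reports only the short password; the wide one reports both.
	fmt.Println("capped:", passwordLengths(cappedPat, sampleConfig()))
	fmt.Println("wide:  ", passwordLengths(widePat, sampleConfig()))
}
```

A regression test of this shape, with an 88-character password in the fixture, is what keeps a later tightening of the length bound from silently dropping these keys again.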

@rgmz rgmz changed the title Detect CosmoDB access keys [MongoDB] Detect CosmoDB access keys Jul 19, 2023
@ahrav ahrav requested a review from a team July 19, 2023 15:31
@zricethezav
Collaborator

@rgmz I don't have an issue with this PR per se, but one thought I had, which other team members may take issue with, is: should this be a separate detector? From my understanding, CosmoDB is an Azure offering by Microsoft which treats a CosmoDB as a MongoDB. This is a weird one and I don't really have a strong opinion either way.

@rgmz
Contributor Author

rgmz commented Jul 21, 2023

Given that CosmoDB for MongoDB supports the MongoDB wire protocol, maintaining a separate detector would probably be unnecessary work (e.g., changes to mongodb would have to be synced).

@rgmz rgmz force-pushed the fix/mongodb-regex branch 2 times, most recently from cd4de13 to 382f478 Compare July 25, 2023 19:07
@rgmz rgmz force-pushed the fix/mongodb-regex branch from 382f478 to 6e72bb7 Compare July 26, 2023 14:55
@zricethezav zricethezav merged commit f925da7 into trufflesecurity:main Jul 26, 2023
@rgmz rgmz deleted the fix/mongodb-regex branch July 27, 2023 11:40