
Commit 54ad265

Initial approach to reduce False Positives on missing proto scenarios
1 parent 03faf42 commit 54ad265

3 files changed

Lines changed: 118 additions & 54 deletions


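--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -43,7 +43,7 @@
 },
 {
 "description": "Avoiding Proto File fields",
-"regex": "(?i)password\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+"regex": "(?i)password\\s*=\\s*[1-9][0-9]{0,8}\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,|;|\\[)"
 }
 ],
 "specialMask": "(?i)['\"]?password['\"]?\\s*[:=]\\s*"
@@ -286,7 +286,7 @@
 },
 {
 "description": "Avoiding Proto File fields",
-"regex": "(?i)private[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+"regex": "(?i)private[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,|;|\\[)"
 }
 ]
 },
@@ -361,7 +361,7 @@
 },
 {
 "description": "Avoiding Proto File fields",
-"regex": "(?i)token(_)?(key)?\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+"regex": "(?i)token(_)?(key)?\\s*=\\s*[1-9][0-9]{0,8}\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,|;|\\[\\s*$)"
 }
 ],
 "specialMask": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*"
@@ -388,7 +388,7 @@
 },
 {
 "description": "Avoiding Proto File fields",
-"regex": "(?i)encryption[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*;"
+"regex": "(?i)encryption[_]?key\\s*=\\s*[1-9][0-9]{0,8}\\s*(\\[.+=.+\\]\\s*;|\\[.+=.+,|;|\\[)"
 }
 ],
 "specialMask": "(?i)['\"]?encryption[_]?key['\"]?\\s*[:=]\\s*"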
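--- a/PATH_NOT_SHOWN_file2
+++ b/PATH_NOT_SHOWN_file2
@@ -1,50 +1,108 @@
+// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Proto File fields" allow-rule-test - #1
+// "Generic Private Key" - 2f665079-c383-4b33-896e-88268c1fa258 - "Avoiding Proto File fields" allow rule test - #2
+// "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - "Avoiding Proto File fields" allow-rule-test - #3
+// "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding Proto File fields" allow rule test - #4
 syntax = "proto3";
 
-// Contains "secret", "key", "password" and "token" keywords - would flag if not for allow rules
-// Note - This is as valid proto file that generates output with "protoc" command as of version "libprotoc 34.0"
-
 package com.example.security_test.v1;
 
 import "google/protobuf/wrappers.proto";
 
+option go_package = "github.com/CheckmarxDev/router-audit/gen/presets/v1;presets";
+
 message SampleMessageNegative {
-google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token
-google.protobuf.StringValue access_token= 111111111; // Generic Token
-google.protobuf.StringValue id_token = 3; // Generic Token
-google.protobuf.StringValue bearer_toaken = 4;;; // Generic Token
-google.protobuf.StringValue api_token = 7 ; // Generic Token
-google.protobuf.StringValue token = 8; // Generic Token
-google.protobuf.StringValue aws_session_token = 9; // Generic Token
-google.protobuf.StringValue sas_token = 12; // Generic Token
-google.protobuf.StringValue auth_token = 13; // Generic Token
-google.protobuf.StringValue bot_token = 14; // Generic Token
-google.protobuf.StringValue callback_token = 32; // Generic Token
-google.protobuf.StringValue k8s_service_account_token = 33; // Generic Token
-google.protobuf.StringValue registry_token = 34; // Generic Token
-google.protobuf.StringValue deploy_token = 35; // Generic Token
-google.protobuf.StringValue ci_token = 36; // Generic Token
-google.protobuf.StringValue npm_token = 37; // Generic Token
-google.protobuf.StringValue pypi_token = 38; // Generic Token
-google.protobuf.StringValue app_installation_token = 20; // Generic Token
-google.protobuf.StringValue twilio_auth_token = 21; // Generic Token
-google.protobuf.StringValue twilio_auth_token_key = 121; // Generic Token
-google.protobuf.StringValue test_token_ = 122 ; // Generic Token
-google.protobuf.StringValue sonar_token = 39;google.protobuf.StringValue codecov_token = 40;// trailing comment test - Generic Token
-google.protobuf.StringValue jwt_private_key = 25; // Generic Private Key
-google.protobuf.StringValue ssh_private_key = 26; // Generic Private Key
-google.protobuf.StringValue tls_private_key = 27; // Generic Private Key
-google.protobuf.StringValue ca_private_key = 28 ; // Generic Private Key
-google.protobuf.StringValue cosign_private_key = 41; // Generic Private Key
-google.protobuf.StringValue service_account_private_key = 30; // Generic Private Key
-google.protobuf.StringValue app_private_key = 19; // Generic Private Key
-google.protobuf.StringValue gcp_private_key = 10; // Generic Private Key
-google.protobuf.StringValue private_key = 5; // Generic Private Key
-google.protobuf.StringValue sp_private_key = 6; // Generic Private Key
-google.protobuf.StringValue encryption_key = 22; // Encryption Key
-google.protobuf.StringValue data_encryption_key= 23 ; // Encryption Key
-google.protobuf.StringValue key_encryption_key=24; // Encryption Key
-google.protobuf.StringValue registry_password = 104; // Generic Password
-google.protobuf.StringValue artifactory_password = 107 ; // Generic Password
-google.protobuf.StringValue nexus_password = 108; // Generic Password
-string password = 64; // Generic Password
+google.protobuf.StringValue refresh_token = 536870911; // if value is larger - out of range error "Field numbers cannot be greater than 536870911." - Generic Token #1
+google.protobuf.StringValue sonar_token = 39;google.protobuf.StringValue codecov_token = 40;// trailing comment test - Generic Token #1
+google.protobuf.StringValue access_token= 111111111; // Generic Token #1
+google.protobuf.StringValue id_token = 3; // Generic Token #1
+google.protobuf.StringValue bearer_toaken = 4;;; // Generic Token #1
+google.protobuf.StringValue api_token = 7 ; // Generic Token #1
+google.protobuf.StringValue token = 8; // Generic Token #1
+google.protobuf.StringValue aws_session_token = 9; // Generic Token #1
+google.protobuf.StringValue sas_token = 12; // Generic Token #1
+google.protobuf.StringValue auth_token = 13; // Generic Token #1
+google.protobuf.StringValue bot_token = 14; // Generic Token #1
+google.protobuf.StringValue callback_token = 32; // Generic Token #1
+google.protobuf.StringValue k8s_service_account_token = 33; // Generic Token #1
+google.protobuf.StringValue registry_token = 34; // Generic Token #1
+google.protobuf.StringValue deploy_token = 35; // Generic Token #1
+google.protobuf.StringValue ci_token = 36; // Generic Token #1
+google.protobuf.StringValue npm_token = 37; // Generic Token #1
+google.protobuf.StringValue pypi_token = 38; // Generic Token #1
+google.protobuf.StringValue app_installation_token = 20; // Generic Token #1
+google.protobuf.StringValue twilio_auth_token = 21; // Generic Token #1
+google.protobuf.StringValue twilio_auth_token_key = 121; // Generic Token #1
+google.protobuf.StringValue test_token_ = 122 ; // Generic Token #1
+google.protobuf.StringValue jwt_private_key = 25; // Generic Private Key #2
+google.protobuf.StringValue ssh_private_key = 26; // Generic Private Key #2
+google.protobuf.StringValue tls_private_key = 27; // Generic Private Key #2
+google.protobuf.StringValue ca_private_key = 28 ; // Generic Private Key #2
+google.protobuf.StringValue cosign_private_key = 41; // Generic Private Key #2
+google.protobuf.StringValue service_account_private_key = 30; // Generic Private Key #2
+google.protobuf.StringValue app_private_key = 19; // Generic Private Key #2
+google.protobuf.StringValue gcp_private_key = 10; // Generic Private Key #2
+google.protobuf.StringValue private_key = 5; // Generic Private Key #2
+google.protobuf.StringValue sp_private_key = 6; // Generic Private Key #2
+google.protobuf.StringValue encryption_key = 22; // Encryption Key #3
+google.protobuf.StringValue data_encryption_key= 23 ; // Encryption Key #3
+google.protobuf.StringValue key_encryption_key=24; // Encryption Key #3
+google.protobuf.StringValue registry_password = 10421; // Generic Password #4
+google.protobuf.StringValue artifactory_password = 10731 ; // Generic Password #4
+google.protobuf.StringValue nexus_password = 10853; // Generic Password #4
+string password = 64114; // Generic Password #4
+}
+
+message SampleMessageNegative2 {
+google.protobuf.StringValue next_page_token = 5 [(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"test\""}]; // Generic Token #1
+google.protobuf.StringValue next_next_page_token = 6[(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"test\""} ] ; // Generic Token #1
+google.protobuf.StringValue api_token = 7 [(grpc.gateway.protoc_gen_openapiv3.options.openapiv3_field) = {example: "\"jira_api_token\""}]; // Generic Token #1
+google.protobuf.StringValue next_page_password = 51 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"test\""}]; // Generic Password #4
+google.protobuf.StringValue next_next_page_password = 61[(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"test\""} ] ; // Generic Password #4
+google.protobuf.StringValue api_password = 71 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {example: "\"jira_api_password\""}]; // Generic Password #4
+}
+
+extend google.protobuf.FileOptions {
+int32 source_retention_password = 12342134
+[retention = RETENTION_SOURCE];
+}
+
+enum Corpus {
+DATA_UNSPECIFIED = 0;
+DATA_A_TOKEN = 1 [deprecated = true];
+
+DATA_B_TOKEN = 2[
+(string_name) = "display_value"
+];
+
+DATA_B_PASSWORD = 28970[
+(string_name) = "display_value"
+];
+
+DATA_B_SECRET = 2 [
+(string_name) = "display_value"
+];
+}
+
+enum EnumAllowingAlias {
+reserved "password", "api_token", "private_key", "encryption_key";
+option allow_token = true;
+EAA_UNSPECIFIED = 0;
+}
+
+message MyOptions {
+string file_only_option_token = 1 [targets = TARGET_TYPE_FILE];
+int32 message_and_enum_option_token = 2 [targets = TARGET_TYPE_MESSAGE,
+targets = TARGET_TYPE_ENUM];
+}
+
+message Not_a_Token {
+string token = 1 [json_name = "tk"];
+string password = 2 [json_name = "ps"];
+string encryption_key = 3 [json_name = "ek"];
+string private_key = 4 [json_name = "pk"];
+}
+
+message Config {
+map<string, string> api_token = 1;
+map<string, string> encryption_keys = 2;
 }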
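Review bot: From new line 64 onward none of the declarations carries the `// <rule> #N` marker that lines 14-61 use, so a regression on the `extend`, `Corpus`, `EnumAllowingAlias`, `MyOptions`, `Not_a_Token` or `Config` lines would not say which allow rule it exercises; suggest tagging each of those lines the same way, e.g. `map<string, string> api_token = 1; // Generic Token #1`. Dropping the old "valid proto file that generates output with protoc" note looks deliberate, since the new content would not compile as written (`DATA_B_SECRET = 2` repeats the value of `DATA_B_TOKEN` without `allow_alias`, `option allow_token` is not a protobuf enum option, and `(string_name)`, `google.protobuf.FileOptions` and the `grpc.gateway` options are used while only `wrappers.proto` is imported); a header line such as `// Note - intentionally not a valid .proto; it only exercises the allow-rule regexes` would stop a future maintainer from "fixing" the sample and silently changing what it tests. The `retention` and `targets` options on lines 66 and 93-95 are real descriptor options, so those are presumably fine as written.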
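--- a/PATH_NOT_SHOWN_file3
+++ b/PATH_NOT_SHOWN_file3
@@ -1,18 +1,24 @@
+// "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 positive-test - #1
+// "Generic Secret" - 3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99 positive-test - #2
+// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc positive-test - #3
+// "Generic Password" - 487f4be7-3fd9-4506-a07a-eae252180c08 - "Avoiding Proto File fields" allow rule test - #4
+// "Generic Token" - baee238e-1921-4801-9c3f-79ae1d7b2cbc - "Avoiding Proto File fields" allow-rule-test - #5
+// "Encryption Key" - 9fb1cd65-7a07-4531-9bcf-47589d0f82d6 - "Avoiding Proto File fields" allow-rule-test - #6
+
 syntax = "proto3";
 
 // This sample should not flag the message defined only the exposed secrets in comments :
-// "password" = "test_sample"
-// "secret_key" : minimum_ten_characters
-// "unsafe_token" : "is_this_safe"
-// Note - This is as valid proto file that generates output with "protoc" command as of version "libprotoc 34.0"
+// "password" = "test_sample" #1
+// "secret_key" : minimum_ten_characters #2
+// "unsafe_token" : "is_this_safe" #3
 
 package com.example.security_test.v1;
 
 import "google/protobuf/wrappers.proto";
 
 message InocentMessage {
 google.protobuf.StringValue safe_value = 1;
-double not_a_password = 2;
-float not_a_token = 3;
-string not_an_encryption_key = 4;
-}
+double not_a_password = 22222; // #4
+float not_a_token = 3; // #5
+string not_an_encryption_key = 4; // #6
+}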
