-
Notifications
You must be signed in to change notification settings - Fork 166
Expand file tree
/
Copy pathsecret_detector.go
More file actions
129 lines (108 loc) · 4.65 KB
/
Copy pathsecret_detector.go
File metadata and controls
129 lines (108 loc) · 4.65 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
package gosnowflake
import (
"regexp"
"sync"
)
const (
awsKeyPattern = `(?i)(aws_key_id|aws_secret_key|access_key_id|secret_access_key)\s*=\s*'([^']+)'`
awsTokenPattern = `(?i)(accessToken|tempToken|keySecret)"\s*:\s*"([a-z0-9/+]{32,}={0,2})"`
sasTokenPattern = `(?i)(sig|signature|AWSAccessKeyId|password|passcode)=(?P<secret>[a-z0-9%/+]{16,})`
privateKeyPattern = `(?im)-----BEGIN PRIVATE KEY-----\\n([a-z0-9/+=\\n]{32,})\\n-----END PRIVATE KEY-----` // pragma: allowlist secret
privateKeyDataPattern = `(?i)"privateKeyData": "([a-z0-9/+=\\n]{10,})"`
privateKeyParamPattern = `(?i)privateKey=([A-Za-z0-9/+=_%-]+)(&|$|\s)`
connectionTokenPattern = `(?i)(token|assertion content)([\'\"\s:=]+)([a-z0-9=/_\-\+]{8,})`
passwordPattern = `(?i)(password|pwd)([\'\"\s:=]+)([a-z0-9!\"#\$%&\\\'\(\)\*\+\,-\./:;<=>\?\@\[\]\^_\{\|\}~]{8,})`
dsnPasswordPattern = `([^/:]+):([^@/:]{3,})@` // Matches user:password@host format in DSN strings
clientSecretPattern = `(?i)(clientSecret)([\'\"\s:= ]+)([a-z0-9!\"#\$%&\\\'\(\)\*\+\,-\./:;<=>\?\@\[\]\^_\{\|\}~]+)`
jwtTokenPattern = `(?i)(jwt|bearer)[\s:=]*([a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+)` // pragma: allowlist secret
)
var (
initSecretDetectorOnce sync.Once
awsKeyRegexp *regexp.Regexp
awsTokenRegexp *regexp.Regexp
sasTokenRegexp *regexp.Regexp
privateKeyRegexp *regexp.Regexp
privateKeyDataRegexp *regexp.Regexp
privateKeyParamRegexp *regexp.Regexp
connectionTokenRegexp *regexp.Regexp
passwordRegexp *regexp.Regexp
dsnPasswordRegexp *regexp.Regexp
clientSecretRegexp *regexp.Regexp
jwtTokenRegexp *regexp.Regexp
)
func registerRegexps() {
awsKeyRegexp = regexp.MustCompile(awsKeyPattern)
awsTokenRegexp = regexp.MustCompile(awsTokenPattern)
sasTokenRegexp = regexp.MustCompile(sasTokenPattern)
privateKeyRegexp = regexp.MustCompile(privateKeyPattern)
privateKeyDataRegexp = regexp.MustCompile(privateKeyDataPattern)
privateKeyParamRegexp = regexp.MustCompile(privateKeyParamPattern)
connectionTokenRegexp = regexp.MustCompile(connectionTokenPattern)
passwordRegexp = regexp.MustCompile(passwordPattern)
dsnPasswordRegexp = regexp.MustCompile(dsnPasswordPattern)
clientSecretRegexp = regexp.MustCompile(clientSecretPattern)
jwtTokenRegexp = regexp.MustCompile(jwtTokenPattern)
}
type secretmasker string
func (s secretmasker) maskConnectionToken() secretmasker {
return secretmasker(connectionTokenRegexp.ReplaceAllString(s.String(), "$1${2}****"))
}
func (s secretmasker) maskPassword() secretmasker {
return secretmasker(passwordRegexp.ReplaceAllString(s.String(), "$1${2}****"))
}
func (s secretmasker) maskDsnPassword() secretmasker {
return secretmasker(dsnPasswordRegexp.ReplaceAllString(s.String(), "$1:****@"))
}
func (s secretmasker) maskAwsKey() secretmasker {
return secretmasker(awsKeyRegexp.ReplaceAllString(s.String(), "${1}****$2"))
}
func (s secretmasker) maskAwsToken() secretmasker {
return secretmasker(awsTokenRegexp.ReplaceAllString(s.String(), "${1}XXXX$2"))
}
func (s secretmasker) maskSasToken() secretmasker {
return secretmasker(sasTokenRegexp.ReplaceAllString(s.String(), "${1}****$2"))
}
func (s secretmasker) maskPrivateKey() secretmasker {
return secretmasker(privateKeyRegexp.ReplaceAllString(s.String(), "-----BEGIN PRIVATE KEY-----\\\\\\\\nXXXX\\\\\\\\n-----END PRIVATE KEY-----")) // pragma: allowlist secret
}
func (s secretmasker) maskPrivateKeyData() secretmasker {
return secretmasker(privateKeyDataRegexp.ReplaceAllString(s.String(), `"privateKeyData": "XXXX"`))
}
func (s secretmasker) maskClientSecret() secretmasker {
return secretmasker(clientSecretRegexp.ReplaceAllString(s.String(), "$1${2}****"))
}
func (s secretmasker) maskPrivateKeyParam() secretmasker {
return secretmasker(privateKeyParamRegexp.ReplaceAllString(s.String(), "privateKey=****$2"))
}
func (s secretmasker) maskJwtToken() secretmasker {
return secretmasker(jwtTokenRegexp.ReplaceAllString(s.String(), "$1 ****"))
}
func (s secretmasker) String() string {
return string(s)
}
func newSecretMasker(text string) secretmasker {
return secretmasker(text)
}
func maskSecrets(text string) (masked string) {
// Recover from any panic during regex initialization
defer func() {
if r := recover(); r != nil {
logger.Errorf("panic occurred during secret masking: %v", r)
masked = "****"
}
}()
initSecretDetectorOnce.Do(registerRegexps)
s := newSecretMasker(text)
return s.maskConnectionToken().
maskPassword().
maskDsnPassword().
maskPrivateKeyData().
maskPrivateKeyParam().
maskPrivateKey().
maskAwsToken().
maskSasToken().
maskAwsKey().
maskClientSecret().
maskJwtToken().
String()
}