diff --git a/detect_secrets/plugins/artifactory.py b/detect_secrets/plugins/artifactory.py
index 8931f1ef5..f22c4cc4d 100644
--- a/detect_secrets/plugins/artifactory.py
+++ b/detect_secrets/plugins/artifactory.py
@@ -15,6 +15,8 @@ class ArtifactoryDetector(RegexBasedDetector):
 re.compile(r'(?:(?<==|:|")|(?<=\s)|(?<=^))AKC[a-zA-Z0-9]{10,}'), # api token
 # artifactory encrypted passwords begin with AP[A-Z]
 re.compile(r'(?:(?<==|:|")|(?<=\s)|(?<=^))AP[\dABCDEF][a-zA-Z0-9]{8,}'), # password
+ # artifactory identity tokens are different (base64 encoded reftkn:) and 64 chars
+ re.compile(r'(?:(?<==|:|")|(?<=\s)|(?<=^))cmVmdGtu[\da-zA-Z]{56}'),
 ]
 artifactory_url = 'na.artifactory.swg-devops.com/artifactory'
diff --git a/tests/plugins/artifactory_test.py b/tests/plugins/artifactory_test.py
index c55c89046..2b3144d1a 100644
--- a/tests/plugins/artifactory_test.py
+++ b/tests/plugins/artifactory_test.py
@@ -7,6 +7,7 @@
 ARTIFACTORY_TOKEN = 'AKCxxxxxxxxxx'
 ARTIFACTORY_TOKEN_BYTES = b'AKCxxxxxxxxxx'
+ARTIFACTORY_IDENTITY_TOKEN = b'cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
 class TestArtifactoryDetector(object):
@@ -14,6 +15,9 @@ class TestArtifactoryDetector(object):
 @pytest.mark.parametrize(
 'token, payload, should_flag',
 [
+ ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
+ 'Authorization: Bearer cmVmdGtu'
+ 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True),
 ('AP6xxxxxxxxxx', 'AP6xxxxxxxxxx', True),
 ('AP2xxxxxxxxxx', 'AP2xxxxxxxxxx', True),
 ('AP3xxxxxxxxxx', 'AP3xxxxxxxxxx', True),
@@ -21,24 +25,43 @@ class TestArtifactoryDetector(object):
 ('APAxxxxxxxxxx', 'APAxxxxxxxxxx', True),
 ('APBxxxxxxxxxx', 'APBxxxxxxxxxx', True),
 ('AKCxxxxxxxxxx', 'AKCxxxxxxxxxx', True),
+ ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
+ 'cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True),
 ('AP6xxxxxxxxxx', ' AP6xxxxxxxxxx', True),
 ('AKCxxxxxxxxxx', ' AKCxxxxxxxxxx', True),
+ ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
+ ' cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True),
 ('AP6xxxxxxxxxx', '=AP6xxxxxxxxxx', True),
 ('AKCxxxxxxxxxx', '=AKCxxxxxxxxxx', True),
+ ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
+ '=cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True),
 ('AP6xxxxxxxxxx', '\"AP6xxxxxxxxxx\"', True),
 ('AKCxxxxxxxxxx', '\"AKCxxxxxxxxxx\"', True),
+ ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
+ '\"cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"', True),
 ('AP6xxxxxxxxxx', 'artif-key:AP6xxxxxxxxxx', True),
 ('AKCxxxxxxxxxx', 'artif-key:AKCxxxxxxxxxx', True),
+ ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
+ 'artif-key:cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True),
 ('AKCxxxxxxxxxx', 'X-JFrog-Art-Api: AKCxxxxxxxxxx', True),
 ('AP6xxxxxxxxxx', 'X-JFrog-Art-Api: AP6xxxxxxxxxx', True),
+ ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
+ 'X-JFrog-Art-Api: cmVmdGtu'
+ 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True),
 ('AKCxxxxxxxxxx', 'artifactoryx:_password=AKCxxxxxxxxxx', True),
 ('AP6xxxxxxxxxx', 'artifactoryx:_password=AP6xxxxxxxxxx', True),
+ ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
+ 'artifactoryx:_password=cmVmdGtu'
+ 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True),
 ('', 'testAKCwithinsomeirrelevantstring', False),
 ('', 'testAP6withinsomeirrelevantstring', False),
+ ('', 'testcmVmdGtuwithinsomeirrelevantstring', False),
 ('', 'X-JFrog-Art-Api: $API_KEY', False),
 ('', 'X-JFrog-Art-Api: $PASSWORD', False),
 ('', 'artifactory:_password=AP6xxxxxx', False),
 ('', 'artifactory:_password=AKCxxxxxxxx', False),
+ ('', 'artifactory:_password=cmVmdGtu'
+ 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', False),
 ],
 )
 def test_analyze_line(self, token, payload, should_flag):
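Review bot: The character class in the new identity-token pattern, `[\da-zA-Z]{56}`, excludes `+`, `/` and `=`, so if the token body really is base64 as the comment above it says, any identity token whose encoded tail contains one of those characters is silently not flagged — a false negative in a secret scanner. The class should be `[A-Za-z0-9+/]{56}` (or `[A-Za-z0-9_-]{56}` if the issuer uses URL-safe base64 — not determinable from the hunk, since the test data is all `x`), with a positive test containing such a character to pin the choice. If the plaintext really begins with `reftkn:`, the ninth encoded character is always `O` (base64 of the `:` byte starts with `O`), so `cmVmdGtuO[A-Za-z0-9+/]{55}` would cut false positives at no cost, but that should be confirmed against a real token before tightening. The pattern list this line is appended to starts before the hunk.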
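Review bot: `ARTIFACTORY_IDENTITY_TOKEN` is a bytes literal but drops the `_BYTES` suffix its neighbour `ARTIFACTORY_TOKEN_BYTES` uses, so a reader pairing it with `ARTIFACTORY_TOKEN` will expect a `str`; the hunk does not show where it is used, so this may be deliberate, but the naming should follow the existing pair. I would define the str form once and derive the bytes from it, `ARTIFACTORY_IDENTITY_TOKEN = 'cmVmdGtu' + 'x' * 56` and `ARTIFACTORY_IDENTITY_TOKEN_BYTES = ARTIFACTORY_IDENTITY_TOKEN.encode()`, which also makes the 64-character length visible instead of a run of x's that has to be counted. The later parametrize hunks repeat that 64-character literal many times and could reference the constant instead.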
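Review bot: The last added negative case pins only the too-short side of the length check; nothing in the parametrization covers a string longer than 64 characters, which the pattern also matches because `{56}` has no trailing boundary, so a reader of these tests would wrongly conclude the detector requires exactly 64. A case such as `('cmVmdGtu' + 'x' * 56, 'cmVmdGtu' + 'x' * 57, True)` would document that behaviour (the expected `token` value assumes the detector reports the regex match text, which the body of `test_analyze_line`, outside the hunk, would confirm). Likewise there is no case with a base64 symbol (`+`, `/`, `=`) in the tail, so the pattern's rejection of those characters is untested either way.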