From 34294da1708270a4938aeaa9cfe77c31be372d86 Mon Sep 17 00:00:00 2001
From: d3rn <84808889+d3rnn@users.noreply.github.com>
Date: Fri, 1 Sep 2023 17:18:22 -0500
Subject: [PATCH 1/6] Update artifactory.py support for artifactory identity tokens
Signed-off-by: d3rn <84808889+d3rnn@users.noreply.github.com>
---
 detect_secrets/plugins/artifactory.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/detect_secrets/plugins/artifactory.py b/detect_secrets/plugins/artifactory.py
index 8931f1ef5..f22c4cc4d 100644
--- a/detect_secrets/plugins/artifactory.py
+++ b/detect_secrets/plugins/artifactory.py
@@ -15,6 +15,8 @@ class ArtifactoryDetector(RegexBasedDetector):
 re.compile(r'(?:(?<==|:|")|(?<=\s)|(?<=^))AKC[a-zA-Z0-9]{10,}'), # api token
 # artifactory encrypted passwords begin with AP[A-Z]
 re.compile(r'(?:(?<==|:|")|(?<=\s)|(?<=^))AP[\dABCDEF][a-zA-Z0-9]{8,}'), # password
+ # artifactory identity tokens are different (base64 encoded reftkn:) and 64 chars
+ re.compile(r'(?:(?<==|:|")|(?<=\s)|(?<=^))cmVmdGtu[\da-zA-Z]{56}'),
 ]
 
 artifactory_url = 'na.artifactory.swg-devops.com/artifactory'
From d368a0cf4017928dd5b8311afa6b1901552c5312 Mon Sep 17 00:00:00 2001
From: d3rn <84808889+d3rnn@users.noreply.github.com>
Date: Wed, 4 Oct 2023 13:23:59 -0500
Subject: [PATCH 2/6] Update artifactory_test.py add `ARTIFACTORY_IDENTITY_TOKEN` test case
Signed-off-by: d3rn <84808889+d3rnn@users.noreply.github.com>
---
 tests/plugins/artifactory_test.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/tests/plugins/artifactory_test.py b/tests/plugins/artifactory_test.py
index c55c89046..1d048a783 100644
--- a/tests/plugins/artifactory_test.py
+++ b/tests/plugins/artifactory_test.py
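Review bot: The identity-token pattern added in `detect_secrets/plugins/artifactory.py` (1/6) has no right-hand boundary: `cmVmdGtu[\da-zA-Z]{56}` also matches the first 64 characters of any longer alphanumeric run with that prefix, so the value the detector records can be a truncated slice of something else. If the tokens are always 64 characters, as the new comment says, a trailing `(?![a-zA-Z0-9])` would pin that; if they can be longer, `{56,}` (matching the open-ended `{10,}` and `{8,}` of the two existing patterns) avoids storing a partial value. The line also lacks the trailing label its siblings carry, e.g. `# identity token`. The class body continues outside the hunk, so whether any verification code behind `artifactory_url` handles this token type cannot be judged from here.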
@@ -7,13 +7,14 @@ ARTIFACTORY_TOKEN = 'AKCxxxxxxxxxx' ARTIFACTORY_TOKEN_BYTES = b'AKCxxxxxxxxxx' - +ARTIFACTORY_IDENTITY_TOKEN = b'cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' class TestArtifactoryDetector(object): @pytest.mark.parametrize( 'token, payload, should_flag', [ + ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'Authorization: Bearer cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('AP6xxxxxxxxxx', 'AP6xxxxxxxxxx', True), ('AP2xxxxxxxxxx', 'AP2xxxxxxxxxx', True), ('AP3xxxxxxxxxx', 'AP3xxxxxxxxxx', True), 
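Review bot: The new module-level `ARTIFACTORY_IDENTITY_TOKEN` is a bytes literal that no hunk in this series references, while the same 64-character value is written out as a str literal in every added parametrize row. Either use the constant (the rest of the test module is outside this view, so a consumer may exist there) or drop it. A str constant such as `IDENTITY_TOKEN = 'cmVmdGtu' + 'x' * 56`, with the payloads built from it, would keep the rows short and make the intended length visible. That would also make the line-wrapping follow-ups in 4/6 to 6/6 unnecessary.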
@@ -21,24 +22,33 @@ class TestArtifactoryDetector(object): ('APAxxxxxxxxxx', 'APAxxxxxxxxxx', True), ('APBxxxxxxxxxx', 'APBxxxxxxxxxx', True), ('AKCxxxxxxxxxx', 'AKCxxxxxxxxxx', True), + ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('AP6xxxxxxxxxx', ' AP6xxxxxxxxxx', True), ('AKCxxxxxxxxxx', ' AKCxxxxxxxxxx', True), + ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', ' cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('AP6xxxxxxxxxx', '=AP6xxxxxxxxxx', True), ('AKCxxxxxxxxxx', '=AKCxxxxxxxxxx', True), + ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', '=cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('AP6xxxxxxxxxx', '\"AP6xxxxxxxxxx\"', True), ('AKCxxxxxxxxxx', '\"AKCxxxxxxxxxx\"', True), + ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', '\"cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"', True), ('AP6xxxxxxxxxx', 'artif-key:AP6xxxxxxxxxx', True), ('AKCxxxxxxxxxx', 'artif-key:AKCxxxxxxxxxx', True), + ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'artif-key:cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('AKCxxxxxxxxxx', 'X-JFrog-Art-Api: AKCxxxxxxxxxx', True), ('AP6xxxxxxxxxx', 'X-JFrog-Art-Api: AP6xxxxxxxxxx', True), + ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'X-JFrog-Art-Api: cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('AKCxxxxxxxxxx', 'artifactoryx:_password=AKCxxxxxxxxxx', True), ('AP6xxxxxxxxxx', 'artifactoryx:_password=AP6xxxxxxxxxx', True), + ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'artifactoryx:_password=cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('', 'testAKCwithinsomeirrelevantstring', False), ('', 'testAP6withinsomeirrelevantstring', False), + ('', 
'testcmVmdGtuwithinsomeirrelevantstring', False), ('', 'X-JFrog-Art-Api: $API_KEY', False), ('', 'X-JFrog-Art-Api: $PASSWORD', False), ('', 'artifactory:_password=AP6xxxxxx', False), ('', 'artifactory:_password=AKCxxxxxxxx', False), + ('', 'artifactory:_password=cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', False), ], ) def test_analyze_line(self, token, payload, should_flag): From 9d008028af85ef251a7a476b70f26a1b8d7fd509 Mon Sep 17 00:00:00 2001 From: d3rn <84808889+d3rnn@users.noreply.github.com> Date: Tue, 19 Dec 2023 16:09:59 -0600 Subject: [PATCH 3/6] Update artifactory_test.py Signed-off-by: d3rn <84808889+d3rnn@users.noreply.github.com> --- tests/plugins/artifactory_test.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/plugins/artifactory_test.py b/tests/plugins/artifactory_test.py index 1d048a783..1db7d4a9d 100644 --- a/tests/plugins/artifactory_test.py +++ b/tests/plugins/artifactory_test.py @@ -9,6 +9,7 @@ ARTIFACTORY_TOKEN_BYTES = b'AKCxxxxxxxxxx' ARTIFACTORY_IDENTITY_TOKEN = b'cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' + class TestArtifactoryDetector(object): @pytest.mark.parametrize( From 1d4ab41fed0703a619f9c4c67ded8c63f49ed312 Mon Sep 17 00:00:00 2001 From: d3rn <84808889+d3rnn@users.noreply.github.com> Date: Tue, 19 Dec 2023 16:55:50 -0600 Subject: [PATCH 4/6] Update artifactory_test.py Signed-off-by: d3rn <84808889+d3rnn@users.noreply.github.com> --- tests/plugins/artifactory_test.py | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/tests/plugins/artifactory_test.py b/tests/plugins/artifactory_test.py index 1db7d4a9d..21baf3726 100644 --- a/tests/plugins/artifactory_test.py +++ b/tests/plugins/artifactory_test.py 
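Review bot: The added negative row `('', 'testcmVmdGtuwithinsomeirrelevantstring', False)` does not exercise the lookbehind for the new pattern: only 26 characters follow the prefix, so the `{56}` quantifier rejects it whatever precedes `cmVmdGtu`. A row with a full-length value glued to a word, e.g. `('', 'test' + 'cmVmdGtu' + 'x' * 56, False)`, would pin the left boundary the way the `AKC` and `AP6` rows do for their patterns. There is also no row for a value longer than 64 characters, so the detector's behaviour on over-long input is not specified by these tests. The body of `test_analyze_line` lies outside the hunk.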
@@ -15,7 +15,8 @@ class TestArtifactoryDetector(object): @pytest.mark.parametrize( 'token, payload, should_flag', [ - ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'Authorization: Bearer cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), + ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', + 'Authorization: Bearer cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('AP6xxxxxxxxxx', 'AP6xxxxxxxxxx', True), ('AP2xxxxxxxxxx', 'AP2xxxxxxxxxx', True), ('AP3xxxxxxxxxx', 'AP3xxxxxxxxxx', True), 
@@ -23,25 +24,32 @@ class TestArtifactoryDetector(object): ('APAxxxxxxxxxx', 'APAxxxxxxxxxx', True), ('APBxxxxxxxxxx', 'APBxxxxxxxxxx', True), ('AKCxxxxxxxxxx', 'AKCxxxxxxxxxx', True), - ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), + ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', + 'cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('AP6xxxxxxxxxx', ' AP6xxxxxxxxxx', True), ('AKCxxxxxxxxxx', ' AKCxxxxxxxxxx', True), - ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', ' cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), + ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', + ' cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('AP6xxxxxxxxxx', '=AP6xxxxxxxxxx', True), ('AKCxxxxxxxxxx', '=AKCxxxxxxxxxx', True), - ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', '=cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), + ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', + '=cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('AP6xxxxxxxxxx', '\"AP6xxxxxxxxxx\"', True), ('AKCxxxxxxxxxx', '\"AKCxxxxxxxxxx\"', True), - ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', '\"cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"', True), + ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', + '\"cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"', True), ('AP6xxxxxxxxxx', 'artif-key:AP6xxxxxxxxxx', True), ('AKCxxxxxxxxxx', 'artif-key:AKCxxxxxxxxxx', True), - ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'artif-key:cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), + ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', + 
'artif-key:cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('AKCxxxxxxxxxx', 'X-JFrog-Art-Api: AKCxxxxxxxxxx', True), ('AP6xxxxxxxxxx', 'X-JFrog-Art-Api: AP6xxxxxxxxxx', True), - ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'X-JFrog-Art-Api: cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), + ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', + 'X-JFrog-Art-Api: cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('AKCxxxxxxxxxx', 'artifactoryx:_password=AKCxxxxxxxxxx', True), ('AP6xxxxxxxxxx', 'artifactoryx:_password=AP6xxxxxxxxxx', True), - ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'artifactoryx:_password=cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), + ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', + 'artifactoryx:_password=cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('', 'testAKCwithinsomeirrelevantstring', False), ('', 'testAP6withinsomeirrelevantstring', False), ('', 'testcmVmdGtuwithinsomeirrelevantstring', False), From 835dc587a74a707264564ecb2b1b06cc444e4502 Mon Sep 17 00:00:00 2001 From: d3rn <84808889+d3rnn@users.noreply.github.com> Date: Tue, 19 Dec 2023 17:08:40 -0600 Subject: [PATCH 5/6] Update artifactory_test.py Signed-off-by: d3rn <84808889+d3rnn@users.noreply.github.com> --- tests/plugins/artifactory_test.py | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/tests/plugins/artifactory_test.py b/tests/plugins/artifactory_test.py index 21baf3726..5dac7a69d 100644 --- a/tests/plugins/artifactory_test.py +++ b/tests/plugins/artifactory_test.py 
@@ -16,7 +16,8 @@ class TestArtifactoryDetector(object): 'token, payload, should_flag', [ ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', - 'Authorization: Bearer cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), + 'Authorization: Bearer cmVmdGtu + 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('AP6xxxxxxxxxx', 'AP6xxxxxxxxxx', True), ('AP2xxxxxxxxxx', 'AP2xxxxxxxxxx', True), ('AP3xxxxxxxxxx', 'AP3xxxxxxxxxx', True), @@ -45,11 +46,13 @@ class TestArtifactoryDetector(object): ('AKCxxxxxxxxxx', 'X-JFrog-Art-Api: AKCxxxxxxxxxx', True), ('AP6xxxxxxxxxx', 'X-JFrog-Art-Api: AP6xxxxxxxxxx', True), ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', - 'X-JFrog-Art-Api: cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), + 'X-JFrog-Art-Api: cmVmdGtu' + 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('AKCxxxxxxxxxx', 'artifactoryx:_password=AKCxxxxxxxxxx', True), ('AP6xxxxxxxxxx', 'artifactoryx:_password=AP6xxxxxxxxxx', True), ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', - 'artifactoryx:_password=cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), + 'artifactoryx:_password=cmVmdGtu' + 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('', 'testAKCwithinsomeirrelevantstring', False), ('', 'testAP6withinsomeirrelevantstring', False), ('', 'testcmVmdGtuwithinsomeirrelevantstring', False), @@ -57,7 +60,8 @@ class TestArtifactoryDetector(object): ('', 'X-JFrog-Art-Api: $PASSWORD', False), ('', 'artifactory:_password=AP6xxxxxx', False), ('', 'artifactory:_password=AKCxxxxxxxx', False), - ('', 'artifactory:_password=cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', False), + ('', 'artifactory:_password=cmVmdGtu' + 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', False), ], ) def test_analyze_line(self, token, payload, should_flag): 
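Review bot: The first hunk of 5/6 leaves `'Authorization: Bearer cmVmdGtu` without its closing quote, so `tests/plugins/artifactory_test.py` does not parse at this commit; 6/6 adds the quote. Squashing 3/6 to 6/6 into 2/6 would keep every commit in the series importable, which matters when bisecting a detector regression. The other three hunks in this patch close their split literals correctly.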
From f04670c68ad5eec6836036dcc408661c9a6924ea Mon Sep 17 00:00:00 2001 From: d3rn <84808889+d3rnn@users.noreply.github.com> Date: Tue, 19 Dec 2023 17:13:53 -0600 Subject: [PATCH 6/6] Update artifactory_test.py Signed-off-by: d3rn <84808889+d3rnn@users.noreply.github.com> --- tests/plugins/artifactory_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/plugins/artifactory_test.py b/tests/plugins/artifactory_test.py index 5dac7a69d..2b3144d1a 100644 --- a/tests/plugins/artifactory_test.py +++ b/tests/plugins/artifactory_test.py @@ -16,7 +16,7 @@ class TestArtifactoryDetector(object): 'token, payload, should_flag', [ ('cmVmdGtuxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', - 'Authorization: Bearer cmVmdGtu + 'Authorization: Bearer cmVmdGtu' 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', True), ('AP6xxxxxxxxxx', 'AP6xxxxxxxxxx', True), ('AP2xxxxxxxxxx', 'AP2xxxxxxxxxx', True),