Refine the Slack Bot Token rule

praetorian-inc · Dec 6, 2024 · 8d6963a · 8d6963a
1 parent 14a2a39
commit 8d6963a
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -23,6 +23,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
   This fixes a bug in v0.20.0 where provenance entries from an extensible enumerator could _only_ be JSON objects, instead of arbitrary JSON values as claimed by the documentation.
 
 
+### Changes
+- The `Slack Bot Token` rule has been modified to match additional cases.
+
 ### Additions
 - New rules have been added:
 

diff --git a/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap b/crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap
@@ -3503,15 +3503,16 @@ expression: stdout
     },
     {
       "id": "np.slack.2",
-      "structural_id": "0ea5b5cda83ab3b0c33554d7f0d85314bfa9fe5c",
+      "structural_id": "5414df5832199b9114ba2581d9c0859c0503623a",
       "name": "Slack Bot Token",
       "syntax": {
         "name": "Slack Bot Token",
         "id": "np.slack.2",
-        "pattern": "\\b(xoxb-[0-9]{12}-[0-9]{12}-[a-zA-Z0-9]{24})\\b",
-        "description": null,
+        "pattern": "\\b(xoxb-[0-9]{10,12}-[0-9]{10,12}-[a-zA-Z0-9]{23,25})\\b",
+        "description": "A Slack Bot Token was found. An attacker could use the token to impersonate or control the corresponding Slack bot.\n",
         "examples": [
-          "SLACK_API_TOKEN=xoxb-893582989554-899326518131-JRHeVv1o9Cf99fwDpuortR2D"
+          "SLACK_API_TOKEN=xoxb-893582989554-899326518131-JRHeVv1o9Cf99fwDpuortR2D",
+          "REM SET SLACK_TOKEN=xoxb-31446298938-537092655923-AeFmqVRV5nS3q028kmmHUFm3"
         ],
         "negative_examples": [
           "python log_announce.py xoxp-513768634356-513201028496-513937500594-185e196ace562dd6443b5d29b1d817c2 \"This is a test run. Ignore\"",

diff --git a/crates/noseyparker/data/default/builtin/rules/slack.yml b/crates/noseyparker/data/default/builtin/rules/slack.yml
@@ -7,7 +7,7 @@ rules:
 
 - name: Slack Bot Token
   id: np.slack.2
-  pattern: '\b(xoxb-[0-9]{12}-[0-9]{12}-[a-zA-Z0-9]{24})\b'
+  pattern: '\b(xoxb-[0-9]{10,12}-[0-9]{10,12}-[a-zA-Z0-9]{23,25})\b'
 
   references:
   - https://api.slack.com/authentication
@@ -18,8 +18,13 @@ rules:
   - api
   - secret
 
+  description: >
+    A Slack Bot Token was found.
+    An attacker could use the token to impersonate or control the corresponding Slack bot.
+
   examples:
   - 'SLACK_API_TOKEN=xoxb-893582989554-899326518131-JRHeVv1o9Cf99fwDpuortR2D'
+  - 'REM SET SLACK_TOKEN=xoxb-31446298938-537092655923-AeFmqVRV5nS3q028kmmHUFm3'
 
   negative_examples:
   - 'python log_announce.py xoxp-513768634356-513201028496-513937500594-185e196ace562dd6443b5d29b1d817c2 "This is a test run. Ignore"'