forked from checkmarx-ts/CxUtils
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Potential_Hardcoded_Passwords.cxql
50 lines (36 loc) · 2.13 KB
/
Potential_Hardcoded_Passwords.cxql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
/*
Author: Nathan Leach (nathan.leach_at_checkmarx.com)
Date: Sometime in 2019
Desc: A method for finding potential hardcoded passwords using
Checkmarx SAST. This is VERY prone to false positives, you have
been warned.
This is not part of TruffleHog. This is more of an example for
an inefficient way of detecting secrets.
*/
// List of password regexes we use in finding passwords in general queries.
List < string > pswdIncludeList = new List<string>{"password", "token","*password*", "*psw", "psw*", "pwd*", "*pwd", "*authKey*", "pass*", "cipher*", "*cipher", "pass", "adgangskode", "benutzerkennwort", "chiffre", "clave", "codewort", "contrasena", "contrasenya", "geheimcode", "geslo", "heslo", "jelszo", "kennwort", "losenord", "losung", "losungswort", "lozinka", "modpas", "motdepasse", "parol", "parola", "parole", "pasahitza", "pasfhocal", "passe", "passord", "passwort", "pasvorto", "paswoord", "salasana", "schluessel", "schluesselwort", "senha", "sifre", "wachtwoord", "wagwoord", "watchword", "zugangswort", "PAROLACHIAVE", "PAROLA CHIAVE", "PAROLECHIAVI", "PAROLE CHIAVI", "paroladordine", "verschluesselt", "sisma"};
// This matches "passwords" that may follow settings in config files such as
// password:"foo"
//password = "foo"
//password = foo
//password:foo
//"password" = "foo"
//"password":"foo"
//"password" = foo
//"password":foo
//"password" - foo
// False-positives are hard to avoid with this approach
String qualifiedPasswordRegex = ".*[:=]\\s*[\"'`]?\\w+[\"'`]?";
foreach (String passwordKey in pswdIncludeList)
{
String searchString = "(?:" + passwordKey + ")";
CxList findAsCodeResult = All.FindByRegex(searchString,
CxList.CxRegexOptions.DoNotSearchInStringLiterals,
System.Text.RegularExpressions.RegexOptions.IgnoreCase |
System.Text.RegularExpressions.RegexOptions.Singleline);
CxList findAsCommentResult = All.FindByRegexExt(searchString + qualifiedPasswordRegex,
"*", CxList.CxRegexOptions.SearchInComments,
System.Text.RegularExpressions.RegexOptions.IgnoreCase |
System.Text.RegularExpressions.RegexOptions.Singleline);
result.Add(Resolve_Code_And_Comment_Flows (findAsCodeResult, findAsCommentResult) );
}