Ejemplo n.º 1
class SecretFilenameMatchTrigger(BaseTrigger):
    """Policy trigger that flags files whose path matches a configured regexp.

    The SECRETCHECK_NAMEREGEXP parameter is a single string that is split on
    '|' into individual patterns. Because the split happens before any regexp
    is applied, one pattern cannot itself contain a '|' alternation: it would
    be cut into separate (and possibly invalid) patterns.
    """
    __trigger_name__ = 'FILENAMEMATCH'
    __description__ = 'Triggers if a file exists in the container that matches with any of the regular expressions given as SECRETCHECK_NAMEREGEXP parameters.'
    __params__ = {'SECRETCHECK_NAMEREGEXP': PipeDelimitedStringListValidator()}

    def evaluate(self, image_obj, context):
        """Fire once for every (file, pattern) pair where the pattern matches.

        Matching uses ``re.match``, which anchors at the start of the string
        only. A pattern meant to catch a file anywhere in the tree therefore
        needs a leading wildcard (e.g. ``.*``), otherwise deeper paths are
        silently missed. The end of the path is not anchored.

        A pattern that is not a valid regexp makes ``re.match`` raise; that
        error is not handled here.

        :param image_obj: image whose ``fs.files()`` mapping supplies the paths
            when the context carries no 'filenames' entry
        :param context: evaluation context; ``context.data['filenames']`` is
            preferred when present and non-empty
        :return: None; findings are reported through ``self._fire``
        """
        # The parameter value is used as-is: split on '|', no decoding step.
        raw_patterns = self.eval_params.get(self.__params__.keys()[0])
        patterns = raw_patterns.split('|') if raw_patterns else []
        if not patterns:
            # Nothing configured, so there is nothing to evaluate.
            return

        candidate_paths = context.data.get('filenames')
        if not candidate_paths:
            # Per the original note, files() returns a map of path -> entry.
            candidate_paths = image_obj.fs.files().keys()

        for path in candidate_paths:
            # Non-ASCII characters are replaced with '?', so patterns are
            # tested against (and the message reports) the replaced form of
            # the path, not the original bytes.
            ascii_path = path.encode('ascii', errors='replace')
            for pattern in patterns:
                if not re.match(pattern, ascii_path):
                    continue
                self._fire(
                    msg='Application of regexp matched file found in container: file={} regexp={}'
                    .format(ascii_path, pattern))
Ejemplo n.º 2
    def test_pipe_delim_validator(self):
        """Check PipeDelimitedStringListValidator against pipe-delimited inputs.

        Each case is an (input, flag) pair handed to ``run_matrix_test``;
        presumably the flag is the expected validity, but that helper is not
        shown here. Values with a leading or trailing '|' carry False.
        An empty element between two pipes (e.g. 'a||b') is not covered.
        """
        validator = PipeDelimitedStringListValidator()
        well_formed = [(value, True) for value in ("ab", "abc|c", "ab|c|d")]
        malformed = [(value, False) for value in ("|a", "a|")]

        self.run_matrix_test(well_formed + malformed, validator)
Ejemplo n.º 3
    def test_pipe_delim_validator(self):
        """Run the pipe-delimited list validator over a small case matrix.

        Inputs are paired positionally with their flags and passed to
        ``run_matrix_test`` (helper not shown; presumably it asserts that the
        validator's verdict equals the flag). The two False cases are a
        leading pipe and a trailing pipe.
        """
        validator = PipeDelimitedStringListValidator()
        inputs = ('ab', 'abc|c', 'ab|c|d', '|a', 'a|')
        flags = (True, True, True, False, False)
        cases = list(zip(inputs, flags))

        self.run_matrix_test(cases, validator)
Ejemplo n.º 4
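class SecretContentMatchTrigger(BaseTrigger):
    """Policy trigger that reports matches found by the content search analyzer.

    Written for Python 2: it relies on the ``'base64'`` str codec and on
    ``dict.keys()`` returning a list.
    """
    __trigger_name__ = 'CONTENTMATCH'
    __description__ = 'Triggers if the content search analyzer has found any matches.  If the parameter is set, then will only trigger against found matches that are also in the SECRETCHECK_CONTENTREGEXP parameter list.  If the parameter is absent or blank, then the trigger will fire if the analyzer found any matches.'
    __params__ = {
        'SECRETCHECK_CONTENTREGEXP': PipeDelimitedStringListValidator()
    }

    def evaluate(self, image_obj, context):
        """Fire for analyzer matches, optionally narrowed by the parameter.

        ``context.data['secret_content_regexp']`` is read as a mapping of
        file -> mapping whose keys are base64-encoded strings. Each key
        decodes to either ``name=regexp`` or a bare ``regexp``.

        With no filter configured, every analyzer match fires. With a filter,
        a match fires only if the filter lists its base64 key, its decoded
        regexp, or its name. A filter entry that matches nothing therefore
        suppresses the finding silently, so a typo in the policy parameter
        disables the check without any error.

        :param image_obj: unused by this trigger
        :param context: evaluation context carrying the analyzer results
        :return: None; findings are reported through ``self._fire``
        """
        match_filter = self.eval_params.get(self.__params__.keys()[0])

        if match_filter:
            # Raw filter entries, compared against decoded regexps and names.
            matches_decoded = match_filter.split('|')
            # Base64 forms, compared against the analyzer's raw keys. The
            # Python 2 'base64' codec appends a newline to its output.
            # NOTE(review): confirm the analyzer encodes its keys the same
            # way, otherwise this comparison can never succeed.
            matches = [x.encode('base64') for x in matches_decoded]
        else:
            matches = []
            matches_decoded = []

        for thefile, regexps in context.data.get('secret_content_regexp',
                                                 {}).items():
            # Non-ASCII characters in the path are reported as '?'.
            thefile = thefile.encode('ascii', errors='replace')
            if not regexps:
                continue
            for regexp in regexps.keys():
                # Decode once. A malformed key raises here instead of being
                # caught by a bare except and raised again from its handler.
                decoded = regexp.decode('base64')
                try:
                    # An unnamed regexp that itself contains '=' is also split
                    # here, and its prefix is then treated as the name.
                    regexp_name, theregexp = decoded.split("=", 1)
                except ValueError:
                    # No '=' present: the whole decoded value is the regexp.
                    regexp_name = None
                    theregexp = decoded

                if (not matches
                        or regexp in matches
                        or theregexp in matches_decoded
                        or (regexp_name and regexp_name in matches_decoded)):
                    self._fire(
                        msg='Secret search analyzer found regexp match in container: file={} regexp={}'
                        .format(thefile, decoded))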