def test_finds_simple_json_gitlab_pat():
    """A bare ``private-token:`` value is reported once, as a GitLab PAT API-style hit.

    The captured secret is the whole sample string, attributed to ``test_url``.
    """
    sample = "private-token:ab123mr980pas453201s"
    monitor = types.SecretsMonitor()

    findings = monitor.sniff_secrets({test_url: sample})
    assert len(findings) == 1

    hit = findings[0]
    assert hit.url == test_url
    assert hit.secret == sample
    assert hit.secret_type == "GitLab PAT API-style"
def test_finds_simple_json_gitlab_pat():
    """A ``glpat-`` token terminated by CRLF is reported without the line ending.

    The finding is typed ``GitLab PAT`` and carries only the token text.
    """
    monitor = types.SecretsMonitor()
    sample = "private-token:glpat-XYA_12345-aaaaaaaaaa\r\n"

    findings = monitor.sniff_secrets({test_url: sample})
    assert len(findings) == 1

    hit = findings[0]
    assert hit.url == test_url
    assert hit.secret == "glpat-XYA_12345-aaaaaaaaaa"
    assert hit.secret_type == "GitLab PAT"
def test_finds_naked_slack_token():
    """An ``xoxp-`` token standing alone is reported once, in full, as a Slack Token."""
    monitor = types.SecretsMonitor()
    token = "xoxp-912111665212-112233445566-112233445566-111111111111111111111111111111a1"

    findings = monitor.sniff_secrets({test_url: token})
    assert len(findings) == 1

    hit = findings[0]
    assert hit.url == test_url
    assert hit.secret == token
    assert hit.secret_type == "Slack Token"
def test_finds_naked_slack_token():
    """An ``xoxb-`` token standing alone is reported once as a Slack Token.

    Only the leading ``xoxb-931357323073`` segment is asserted as the captured
    secret, not the full token string.
    """
    monitor = types.SecretsMonitor()
    token = "xoxb-931357323073-954664552758-1IrxU4wByo3exZviLEMibCTw"

    findings = monitor.sniff_secrets({test_url: token})
    assert len(findings) == 1

    hit = findings[0]
    assert hit.url == test_url
    assert hit.secret == "xoxb-931357323073"
    assert hit.secret_type == "Slack Token"
def test_does_not_match_gitlab_pats_without_line_ending():
    """A Markdown link that merely mentions a GitLab PAT yields no findings.

    The sample contains no token value, only link text and a URL.
    """
    sample = textwrap.dedent("""
        [GitLab Personal Access Token Example](https://gitlab.com/gitlab-com/gl-security/gl-redteam/red-team-tech-notes/snippets/1976052)
    """)
    monitor = types.SecretsMonitor()

    findings = monitor.sniff_secrets({test_url: sample})
    assert len(findings) == 0
def test_finds_openssh_private_key():
    """An OPENSSH private-key block is reported as exactly one finding.

    The fixture keeps a stray double quote after the END marker; the block is
    still counted once.
    """
    key_block = textwrap.dedent("""\
                    -----BEGIN OPENSSH PRIVATE KEY-----
                    asdfjwpoidnsohfohoiahsdfkjaksfdkasdfsdkfjlhkjhslkdjhdfjh
                    -----END OPENSSH PRIVATE KEY-----"
                """)
    monitor = types.SecretsMonitor()

    findings = monitor.sniff_secrets({test_url: key_block})
    assert len(findings) == 1
def test_finds_single_group_results():
    """An RSA private-key block is reported as exactly one finding."""
    key_block = textwrap.dedent("""\
            -----BEGIN RSA PRIVATE KEY-----
            asdfjwpoidnsohfohoiahsdfkjaksfdkasdfsdkfjlhkjhslkdjhdfjh
            -----END RSA PRIVATE KEY-----
        """)
    monitor = types.SecretsMonitor()

    findings = monitor.sniff_secrets({test_url: key_block})
    assert len(findings) == 1
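def sniff_secrets(snippets):
    """Fetch the raw content of each snippet and scan it for secrets.

    Args:
        snippets: mapping of snippet id -> snippet web URL. An empty mapping
            returns ``[]`` without contacting GitLab.

    Returns:
        A new list holding every finding ``types.SecretsMonitor`` produced
        for the fetched content; findings are attributed to the snippet URL.
    """
    if not snippets:
        return []

    # Fetch every snippet up front so the monitor scans the batch in one call.
    # The fetched content is untrusted text and is handed to the scanner only.
    # NOTE(review): two ids that share a URL collapse to one entry here
    # (last fetch wins), as in the original update()-per-item loop — verify
    # callers never pass duplicate URLs.
    raw_data = {
        snippet_url: gitlab.get_snippet_raw(snippet_id)
        for snippet_id, snippet_url in snippets.items()
    }

    monitor = types.SecretsMonitor()
    # Copy into a fresh list so callers never share the monitor's own result.
    return list(monitor.sniff_secrets(raw_data))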
def test_finds_gitlab_pat_in_text_block():
    """A ``private-token=`` value buried in a C# source block is found once.

    The expected secret keeps the trailing double quote that follows the
    value in the fixture, and the hit is typed ``GitLab PAT API-style``.
    """
    source_block = textwrap.dedent("""\
            using System.Collections.Generic;
            using System.Runtime.CompilerServices;
            
            namespace NameSpace1
            {
                public static class DoubleExecutionPreventerExtensions
                {
                    private static readonly List<string> locks = new List<string>();
            
                    public static void Free(this object obj, [CallerMemberName] string caller = null)
                    {
                        string key = GetKey(obj, caller);
                        locks.Remove(key);
                    }
            
                    public static bool Lock(this object obj, [CallerMemberName] string caller = null)
                    {
                        string key = GetKey(obj, caller);
            
                        if (locks.Contains(key))
                            return true;
            
                        locks.Add(key);
                        return false;
                    }
            
                    private static string GetKey(object instance, string caller)
                    {
                        return "private-token=asdfkdjfkjalksjdflkj"
                    }
                }
            }
        """)
    monitor = types.SecretsMonitor()

    findings = monitor.sniff_secrets({test_url: source_block})
    assert len(findings) == 1

    hit = findings[0]
    assert hit.secret == 'private-token=asdfkdjfkjalksjdflkj"'
    assert hit.url == test_url
    assert hit.secret_type == "GitLab PAT API-style"
def test_finds_gitlab_ci_registration_token():
    """A runner ``token:`` inside a GitLab CI runner config is found exactly once."""
    runner_config = textwrap.dedent("""\
    runners:
    - name: ***computer name***
      limit: 0
      outputlimit: 0
      requestconcurrency: 0
      runnercredentials:
        url: https://gitlab.com/
        token: guz_DJCzb4rsUybpwuAQ
        tlscafile: ""
        tlscertfile: ""
        tlskeyfile: ""
      runnersettings:
        executor: docker
        buildsdir: ""
        cachedir: ""
    """)
    monitor = types.SecretsMonitor()

    findings = monitor.sniff_secrets({test_url: runner_config})
    assert len(findings) == 1
def sniff_secrets(issue):
    """Scan an issue's description for secrets, attributed to its web URL.

    Returns whatever ``types.SecretsMonitor.sniff_secrets`` returns for the
    single-entry mapping ``{issue.web_url: issue.description}``.
    """
    payload = {issue.web_url: issue.description}
    return types.SecretsMonitor().sniff_secrets(payload)
def test_regexes_are_loaded():
    """A fresh monitor exposes a non-empty ``regexes`` collection."""
    monitor = types.SecretsMonitor()
    loaded = monitor.regexes
    assert len(loaded) > 0
def test_handles_empty_string():
    """Empty content for a URL produces an empty result list."""
    monitor = types.SecretsMonitor()
    findings = monitor.sniff_secrets({test_url: ""})
    assert findings == []
def test_regexes_are_loaded():
    """A fresh monitor has regexes loaded, including the GitLab PAT API-style one."""
    monitor = types.SecretsMonitor()
    loaded = monitor.regexes
    assert len(loaded) > 0
    assert loaded["GitLab PAT API-style"] is not None
def test_finds_gitlab_pat_in_naked_string():
    """A ``private-token:`` value with a space before the token is found once."""
    sample = "private-token: QMZd94Sz-MAVNfaoP7Vz"
    monitor = types.SecretsMonitor()

    findings = monitor.sniff_secrets({test_url: sample})
    assert len(findings) == 1
def test_handles_nil():
    """``None`` content for a URL produces an empty result list."""
    monitor = types.SecretsMonitor()
    findings = monitor.sniff_secrets({test_url: None})
    assert findings == []
def test_finds_gitlab_pat_surrounded_by_double_quotes():
    """A ``PRIVATE_TOKEN=`` value wrapped in double quotes is found once."""
    sample = "PRIVATE_TOKEN= \"QMZd94Sz-MAVNfaoP7Vz\""
    monitor = types.SecretsMonitor()

    findings = monitor.sniff_secrets({test_url: sample})
    assert len(findings) == 1
def sniff_secrets(mr):
    """Scan a merge request's description for secrets, attributed to its web URL.

    Returns whatever ``types.SecretsMonitor.sniff_secrets`` returns for the
    single-entry mapping ``{mr.web_url: mr.description}``.
    """
    payload = {mr.web_url: mr.description}
    return types.SecretsMonitor().sniff_secrets(payload)
def sniff_secrets(job_log):
    """Scan a job log's trace for secrets, attributed to the job's web URL.

    Returns whatever ``types.SecretsMonitor.sniff_secrets`` returns for the
    single-entry mapping ``{job_log.web_url: job_log.trace}``.
    """
    payload = {job_log.web_url: job_log.trace}
    return types.SecretsMonitor().sniff_secrets(payload)
def sniff_secrets(comment):
    """Scan a comment's body for secrets, attributed to its parent URL.

    Returns whatever ``types.SecretsMonitor.sniff_secrets`` returns for the
    single-entry mapping ``{comment.parent_url: comment.comment_body}``.
    """
    payload = {comment.parent_url: comment.comment_body}
    return types.SecretsMonitor().sniff_secrets(payload)