def test_finds_simple_json_gitlab_pat():
    """A bare ``private-token:<value>`` string is reported as an API-style GitLab PAT.

    The whole ``private-token:...`` fragment is expected back as the secret,
    tagged ``"GitLab PAT API-style"`` and keyed by the URL it was found under.

    NOTE(review): a second test with this exact name appears later in this
    listing; if both live in one module the later ``def`` shadows this one and
    only one of them is collected — confirm against the real file.
    """
    monitor = types.SecretsMonitor()
    sample = "private-token:ab123mr980pas453201s"
    found = monitor.sniff_secrets({test_url: sample})

    assert len(found) == 1
    hit = found[0]
    assert hit.url == test_url
    assert hit.secret == sample
    assert hit.secret_type == "GitLab PAT API-style"
def test_finds_simple_json_gitlab_pat():
    """A ``glpat-`` token behind a ``private-token:`` prefix is reported as a GitLab PAT.

    Only the ``glpat-...`` value is expected back: the prefix and the trailing
    ``\\r\\n`` are not part of the reported secret, and the type is the plain
    ``"GitLab PAT"`` rather than the API-style variant.

    NOTE(review): a test with this exact name appears earlier in this listing;
    if both live in one module this later ``def`` shadows the earlier one —
    confirm against the real file.
    """
    monitor = types.SecretsMonitor()
    token = "glpat-XYA_12345-aaaaaaaaaa"
    # CRLF line ending after the token: the detector is expected to trim it.
    found = monitor.sniff_secrets({test_url: "private-token:" + token + "\r\n"})

    assert len(found) == 1
    hit = found[0]
    assert hit.url == test_url
    assert hit.secret == token
    assert hit.secret_type == "GitLab PAT"
def test_finds_naked_slack_token():
    """A user (``xoxp-``) Slack token on its own is reported in full.

    NOTE(review): a second test with this exact name appears later in this
    listing; if both live in one module the later ``def`` shadows this one —
    confirm against the real file.
    """
    monitor = types.SecretsMonitor()
    sample = (
        "xoxp-912111665212-112233445566-112233445566-"
        "111111111111111111111111111111a1"
    )
    found = monitor.sniff_secrets({test_url: sample})

    assert len(found) == 1
    hit = found[0]
    assert hit.url == test_url
    # The entire token, not a prefix, is expected as the reported secret.
    assert hit.secret == sample
    assert hit.secret_type == "Slack Token"
def test_finds_naked_slack_token():
    """A bot (``xoxb-``) Slack token on its own is reported as a Slack Token.

    Note that the asserted secret is only the first ``xoxb-<digits>`` segment,
    not the full token string that was fed in: this test pins the current
    detector's partial capture rather than a full-token match.

    NOTE(review): a test with this exact name appears earlier in this listing;
    if both live in one module this later ``def`` shadows the earlier one —
    confirm against the real file.
    """
    monitor = types.SecretsMonitor()
    sample = "xoxb-931357323073-954664552758-1IrxU4wByo3exZviLEMibCTw"
    found = monitor.sniff_secrets({test_url: sample})

    assert len(found) == 1
    hit = found[0]
    assert hit.url == test_url
    assert hit.secret == "xoxb-931357323073"
    assert hit.secret_type == "Slack Token"
def test_does_not_match_gitlab_pats_without_line_ending():
    """Prose that merely mentions a personal access token yields no finding.

    A markdown link whose text contains "Personal Access Token" must not be
    reported — the detector is expected to match token values, not the words.
    """
    monitor = types.SecretsMonitor()
    # NOTE(review): line breaks inside this fixture were reconstructed; if the
    # test regresses, confirm the leading/trailing newlines against the original.
    markdown = textwrap.dedent(
        """
        [GitLab Personal Access Token Example](https://gitlab.com/gitlab-com/gl-security/gl-redteam/red-team-tech-notes/snippets/1976052)
        """
    )
    found = monitor.sniff_secrets({test_url: markdown})
    assert not found
def test_finds_openssh_private_key():
    """An OpenSSH PEM-style private key block is reported exactly once."""
    monitor = types.SecretsMonitor()
    # The stray '"' after the END marker is part of the fixture as given;
    # presumably harmless to the single expected match — kept as-is.
    # NOTE(review): line breaks inside this fixture were reconstructed.
    key_block = textwrap.dedent(
        """\
        -----BEGIN OPENSSH PRIVATE KEY-----
        asdfjwpoidnsohfohoiahsdfkjaksfdkasdfsdkfjlhkjhslkdjhdfjh
        -----END OPENSSH PRIVATE KEY-----"
        """
    )
    found = monitor.sniff_secrets({test_url: key_block})
    assert len(found) == 1
def test_finds_single_group_results():
    """An RSA PEM private key block is reported as a single finding.

    The name refers to a regex with one capture group; the only thing pinned
    here is that such a pattern produces exactly one result, not several.
    """
    monitor = types.SecretsMonitor()
    # NOTE(review): line breaks inside this fixture were reconstructed.
    key_block = textwrap.dedent(
        """\
        -----BEGIN RSA PRIVATE KEY-----
        asdfjwpoidnsohfohoiahsdfkjaksfdkasdfsdkfjlhkjhslkdjhdfjh
        -----END RSA PRIVATE KEY-----
        """
    )
    found = monitor.sniff_secrets({test_url: key_block})
    assert len(found) == 1
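def sniff_secrets(snippets):
    """Fetch each snippet's raw content and scan it for secrets.

    Args:
        snippets: mapping of snippet id -> snippet web URL.

    Returns:
        A list of the findings produced by ``types.SecretsMonitor.sniff_secrets``
        over ``{snippet_url: raw_content}``; ``[]`` when *snippets* is empty.
    """
    if not snippets:
        return []
    # One fetch per snippet. The raw body is untrusted text from GitLab and is
    # only handed to the regex-based monitor — it is never interpreted here.
    # Duplicate URLs keep the last fetched body, as the original update() did.
    raw_data = {
        snippet_url: gitlab.get_snippet_raw(snippet_id)
        for snippet_id, snippet_url in snippets.items()
    }
    if not raw_data:
        return []
    monitor = types.SecretsMonitor()
    # Materialize into a fresh list so callers always get a list back,
    # whatever iterable the monitor yields.
    return list(monitor.sniff_secrets(raw_data))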
def test_finds_gitlab_pat_in_text_block():
    """A ``private-token=`` literal buried in a C# source file is reported.

    The expected secret includes the closing ``"`` of the C# string literal
    (``...jdflkj"``): this pins the detector's current capture boundary, which
    runs up to whitespace rather than stopping at the quote.
    """
    monitor = types.SecretsMonitor()
    # NOTE(review): line breaks and brace placement inside this fixture were
    # reconstructed; the literal itself (with no trailing ';') is as given.
    csharp_source = textwrap.dedent(
        """\
        using System.Collections.Generic;
        using System.Runtime.CompilerServices;
        namespace NameSpace1
        {
            public static class DoubleExecutionPreventerExtensions
            {
                private static readonly List<string> locks = new List<string>();
                public static void Free(this object obj, [CallerMemberName] string caller = null)
                {
                    string key = GetKey(obj, caller);
                    locks.Remove(key);
                }
                public static bool Lock(this object obj, [CallerMemberName] string caller = null)
                {
                    string key = GetKey(obj, caller);
                    if (locks.Contains(key)) return true;
                    locks.Add(key);
                    return false;
                }
                private static string GetKey(object instance, string caller)
                {
                    return "private-token=asdfkdjfkjalksjdflkj"
                }
            }
        }
        """
    )
    found = monitor.sniff_secrets({test_url: csharp_source})

    assert len(found) == 1
    hit = found[0]
    assert hit.secret == 'private-token=asdfkdjfkjalksjdflkj"'
    assert hit.url == test_url
    assert hit.secret_type == "GitLab PAT API-style"
def test_finds_gitlab_ci_registration_token():
    """A runner token inside a dumped GitLab Runner YAML config is reported once.

    The fixture mimics a runner config where the credential sits under
    ``runnercredentials.token`` next to benign keys that must not match.
    """
    monitor = types.SecretsMonitor()
    # NOTE(review): the YAML nesting/indentation was reconstructed from the
    # key order; confirm against the original fixture if the count changes.
    runner_config = textwrap.dedent(
        """\
        runners:
        - name: ***computer name***
          limit: 0
          outputlimit: 0
          requestconcurrency: 0
          runnercredentials:
            url: https://gitlab.com/
            token: guz_DJCzb4rsUybpwuAQ
            tlscafile: ""
            tlscertfile: ""
            tlskeyfile: ""
          runnersettings:
            executor: docker
            buildsdir: ""
            cachedir: ""
        """
    )
    found = monitor.sniff_secrets({test_url: runner_config})
    assert len(found) == 1
def sniff_secrets(issue):
    """Scan an issue's description for secrets.

    Args:
        issue: object exposing ``web_url`` and ``description``.

    Returns:
        Whatever ``types.SecretsMonitor.sniff_secrets`` returns for the single
        entry ``{issue.web_url: issue.description}``.
    """
    # ``types`` here is the project module that defines SecretsMonitor, not the
    # standard-library ``types`` module.
    content = {issue.web_url: issue.description}
    return types.SecretsMonitor().sniff_secrets(content)
def test_regexes_are_loaded():
    """A freshly constructed monitor has a non-empty regex table.

    NOTE(review): a second test with this exact name appears later in this
    listing; if both live in one module the later ``def`` shadows this one —
    confirm against the real file.
    """
    monitor = types.SecretsMonitor()
    table = monitor.regexes
    assert len(table) > 0
def test_handles_empty_string():
    """Empty content produces an empty result list rather than an error."""
    monitor = types.SecretsMonitor()
    found = monitor.sniff_secrets({test_url: ""})
    assert found == []
def test_regexes_are_loaded():
    """The regex table is non-empty and contains the API-style GitLab PAT entry.

    NOTE(review): a test with this exact name appears earlier in this listing;
    if both live in one module this later ``def`` shadows the earlier one —
    confirm against the real file.
    """
    monitor = types.SecretsMonitor()
    table = monitor.regexes
    assert len(table) > 0
    # Indexing (not .get) is deliberate: a missing key should fail loudly here.
    assert table["GitLab PAT API-style"] is not None
def test_finds_gitlab_pat_in_naked_string():
    """``private-token: <value>`` with a space after the colon is still detected."""
    monitor = types.SecretsMonitor()
    found = monitor.sniff_secrets({test_url: "private-token: QMZd94Sz-MAVNfaoP7Vz"})
    assert len(found) == 1
def test_handles_nil():
    """``None`` content is tolerated and yields an empty result list."""
    monitor = types.SecretsMonitor()
    found = monitor.sniff_secrets({test_url: None})
    assert found == []
def test_finds_gitlab_pat_surrounded_by_double_quotes():
    """An upper-case ``PRIVATE_TOKEN=`` assignment with a quoted value is detected."""
    monitor = types.SecretsMonitor()
    # Single-quoted literal so the embedded double quotes need no escaping;
    # the runtime string is unchanged.
    sample = 'PRIVATE_TOKEN= "QMZd94Sz-MAVNfaoP7Vz"'
    found = monitor.sniff_secrets({test_url: sample})
    assert len(found) == 1
def sniff_secrets(mr):
    """Scan a merge request's description for secrets.

    Args:
        mr: object exposing ``web_url`` and ``description``.

    Returns:
        Whatever ``types.SecretsMonitor.sniff_secrets`` returns for the single
        entry ``{mr.web_url: mr.description}``.
    """
    # ``types`` here is the project module that defines SecretsMonitor, not the
    # standard-library ``types`` module.
    content = {mr.web_url: mr.description}
    return types.SecretsMonitor().sniff_secrets(content)
def sniff_secrets(job_log):
    """Scan a CI job log's trace for secrets.

    Args:
        job_log: object exposing ``web_url`` and ``trace``.

    Returns:
        Whatever ``types.SecretsMonitor.sniff_secrets`` returns for the single
        entry ``{job_log.web_url: job_log.trace}``.
    """
    # ``types`` here is the project module that defines SecretsMonitor, not the
    # standard-library ``types`` module.
    content = {job_log.web_url: job_log.trace}
    return types.SecretsMonitor().sniff_secrets(content)
def sniff_secrets(comment):
    """Scan a comment's body for secrets, keyed by its parent's URL.

    Args:
        comment: object exposing ``parent_url`` and ``comment_body``.

    Returns:
        Whatever ``types.SecretsMonitor.sniff_secrets`` returns for the single
        entry ``{comment.parent_url: comment.comment_body}``.
    """
    # Unlike the issue/MR/job-log wrappers, findings here are attributed to the
    # parent object's URL (``parent_url``), not to the comment itself.
    content = {comment.parent_url: comment.comment_body}
    return types.SecretsMonitor().sniff_secrets(content)