From 756fd89097ceab042df267667fe4161d9e2b7388 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Tue, 5 Aug 2025 14:45:51 -0700
Subject: [PATCH 1/2] - Use system TLS root certificates to support self-hosted GitLab instances with internal CAs - Added new rule: Coze personal access token
---
 CHANGELOG.md | 4 ++++
 Cargo.toml | 4 ++--
 data/rules/aws.yml | 2 +-
 data/rules/coze.yml | 31 +++++++++++++++++++++++++++++++
 4 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 data/rules/coze.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4f169a7..58c66e5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@ All notable changes to this project will be documented in this file.
+## [1.34.0]
+- Use system TLS root certificates to support self-hosted GitLab instances with internal CAs
+- Added new rule: Coze personal access token
+
 ## [1.33.0]
 - Fixed header precedence so custom HTTP validation headers like `Accept` are preserved
 - Added new Heroku rule
diff --git a/Cargo.toml b/Cargo.toml
index c4328e0..4295167 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -10,7 +10,7 @@ publish = false
 [package]
 name = "kingfisher"
-version = "1.33.0"
+version = "1.34.0"
 description = "MongoDB's blazingly fast secret scanning and validation tool"
 edition.workspace = true
 rust-version.workspace = true
@@ -82,9 +82,9 @@ reqwest = { version = "0.12", default-features = false, features = [
 "deflate",
 "stream",
 "rustls-tls",
+ "rustls-tls-native-roots",
 "blocking",
 "multipart",
- "rustls-tls",
 ] }
diff --git a/data/rules/aws.yml b/data/rules/aws.yml
index b324dcc..49fcbe3 100644
--- a/data/rules/aws.yml
+++ b/data/rules/aws.yml
@@ -6,7 +6,7 @@ rules:
 \b
 (
 (?:AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)
- [0-9A-Z]{16}
+ [2-7A-Z]{16}
 )
 \b
 min_entropy: 3.2
diff --git a/data/rules/coze.yml b/data/rules/coze.yml
new file mode 100644
index 0000000..df3692a
--- /dev/null
+++ b/data/rules/coze.yml
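Review bot: Keeping `"rustls-tls"` next to the added `"rustls-tls-native-roots"` makes the client trust the union of two root stores — as far as I know reqwest's `rustls-tls` feature is an alias for its bundled webpki (Mozilla) roots — so a CA an operator has deliberately removed from the OS store is still accepted through the bundled set, and the stated goal of honouring the system store also depends on the client builder, outside this patch, not turning native roots off. If system roots alone are intended, replace `"rustls-tls",` with `"rustls-tls-native-roots",` instead of adding it. If the union is deliberate, a one-line comment above the feature list, `# bundled webpki roots plus the OS trust store (internal CAs for self-hosted GitLab)`, records the decision for the next reader.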
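Review bot: The tightening to `[2-7A-Z]{16}` carries no explanation in the rule itself; the suffix of an AWS access key ID is, as far as I know, base32 text, which is why 0, 1, 8 and 9 never occur, and that reasoning belongs next to the pattern so the next editor does not widen it back. The one-token-per-line layout suggests the pattern is in `(?x)` mode, where a trailing comment is legal: `[2-7A-Z]{16}  # base32 alphabet: A-Z and 2-7 only`. Any `examples:` entries for this rule whose suffix contains 0/1/8/9 stop matching after this change; they and the rest of the rule are outside the hunk and should be re-checked.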
@@ -0,0 +1,31 @@
+rules:
+ - name: Coze Personal Access Token
+ id: kingfisher.coze.1
+ pattern: '(?i)\b(pat_[a-zA-Z0-9]{64})\b'
+ confidence: medium
+ min_entropy: 5.0
+ validation:
+ type: Http
+ content:
+ request:
+ method: GET
+ url: "https://api.coze.com/v1/workspaces?"
+ headers:
+ Authorization: "Bearer {{TOKEN}}"
+ Content-Type: application/json
+ response_matcher:
+ - type: StatusMatch
+ status: [200, 403] # API returns 403 for a valid token without permission to route
+ - type: JsonValid
+ - type: WordMatch
+ words:
+ - '"access token invalid"'
+ - '"does not have permission"'
+ negative: true
+ references:
+ - https://www.coze.com/docs/developer_guides/coze_api_overview
+ - https://www.coze.com/docs/developer_guides/retrieve_files
+ examples:
+ - "pat_DlOG7fNcVfmw8cYhPWNcdfwrjjzwDr9EkV8EBjzHdgRWU2DzqHC1pPe0x590NN5f"
+ - "pat_93QiTdIvZGuRCFcfGTQJJ1VIYZ9dNHanX88wKoMojwMk3tX5tKqfFtxUp0ux8CjI"
+ - "pat_WvUTLYq5yZyaqegkyLSxXJMjXAJotjYEuC1sqT8daFlfwM3BiaRVJIZsER42DnhV"
From c2e227a832aa6a4f4dea807ea2af9e0c6d24d345 Mon Sep 17 00:00:00 2001
From: Mick Grove
Date: Tue, 5 Aug 2025 16:25:22 -0700
Subject: [PATCH 2/2] Updated Supabase rule to detect project url's and validate their corresponding tokens
---
 CHANGELOG.md | 1 +
 data/rules/supabase.yml | 54 +++++++++++++++++++++++++++++++++++++++--
 2 files changed, 53 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 58c66e5..4a982f5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@ All notable changes to this project will be documented in this file.
 ## [1.34.0]
 - Use system TLS root certificates to support self-hosted GitLab instances with internal CAs
 - Added new rule: Coze personal access token
+- Updated Supabase rule to detect project url's and validate their corresponding tokens
 ## [1.33.0]
 - Fixed header precedence so custom HTTP validation headers like `Accept` are preserved
diff --git a/data/rules/supabase.yml b/data/rules/supabase.yml
index 6cb4abb..c93c648 100644
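Review bot: The negative `WordMatch` on `'"does not have permission"'` looks like it cancels the 403 allowance a few lines above it: the inline comment admits `403` because a valid token without permission to the route returns it, and a body saying the token does not have permission is the likely body of that same 403. If so, a valid-but-unprivileged token is accepted by `StatusMatch` and then rejected by `WordMatch`, so the `403` entry buys nothing; reconcile the two against the actual API responses and either drop `403` from `status` or drop that phrase from the negative list. Minor: `Content-Type: application/json` on a body-less GET is unnecessary, and the trailing `?` in `url` reads as a leftover.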
--- a/data/rules/supabase.yml
+++ b/data/rules/supabase.yml
@@ -1,5 +1,5 @@
 rules:
- - name: Supabase API Key
+ - name: Supabase Management Token
 id: kingfisher.supabase.1
 pattern: |
 (?xi)
@@ -27,4 +27,54 @@ rules:
 - report_response: true
 - type: StatusMatch
 status:
- - 200
\ No newline at end of file
+ - 200
+ - name: Supabase Project API Key
+ id: kingfisher.supabase.2
+ pattern: |
+ (?xi)
+ \b
+ (
+ sb_secret_[a-z0-9_-]{31}
+ )
+ \b
+ min_entropy: 4.0
+ confidence: high
+ validation:
+ type: Http
+ content:
+ request:
+ method: GET
+ url: "{{SBPROJECTURL}}/rest/v1/?select=*"
+ headers:
+ Apikey: "{{TOKEN}}"
+ User-Agent: ""
+ response_matcher:
+ - report_response: true
+ - type: StatusMatch
+ status: [200]
+ - type: WordMatch
+ words:
+ - '"host":'
+ references:
+ - https://supabase.com/docs/reference/api/v1-get-an-organization
+ examples:
+ - "sb_secret_9uM4GhB0STF5R4K3HxQtlg_bzWW6DRj"
+ - "sb_secret_szE_jsbktD3pWgnfUjgahw_hcHEIOBH"
+ depends_on_rule:
+ - rule_id: "kingfisher.supabase.3"
+ variable: SBPROJECTURL
+ - name: Supabase Project URL
+ id: kingfisher.supabase.3
+ pattern:
+ (?xi)
+ (
+ https:\/\/[a-z0-9]{16,32}\.supabase\.co
+ )
+ confidence: medium
+ min_entropy: 3.0
+ visible: false
+ validation:
+ references:
+ - https://supabase.com/docs/guides/api
+ examples:
+ - "https://ejcvydfyxzmbtfbfstnq.supabase.co"
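Review bot: The `pattern:` of the new `kingfisher.supabase.3` rule is a plain multi-line scalar, unlike the `pattern: |` block style used by `kingfisher.supabase.2` directly above it and by the rule at the top of the file; YAML folds its lines into one string, which only works because `(?x)` discards the whitespace, and a later `#`-prefixed line added there would be swallowed as a YAML comment instead of reaching the regex, so `pattern: |` is both consistent and safer. The validator for `kingfisher.supabase.2` sends the candidate key as `Apikey` to `{{SBPROJECTURL}}`, a host lifted from the scanned content; the regex pins it to `*.supabase.co` but not to the project the key belongs to, which deserves a comment above `depends_on_rule`, e.g. `# SBPROJECTURL is taken from scanned content; the key is sent to whichever *.supabase.co project URL the scan pairs it with`. Also `validation:` in the URL rule is a bare key that parses as null — confirm the loader treats that as "no validation" or drop the key — and the `references` entry for the Project API Key rule points at the management API's organization endpoint rather than the REST endpoint the validator actually calls.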