fixes in response to pr review

2026-02-01 22:58:01 -08:00 · 2026-02-01 22:58:01 -08:00 · 91c48ff7f8
commit 91c48ff7f8
parent 32be18bef0
4 changed files with 13 additions and 220 deletions
--- a/crates/kingfisher-rules/data/rules/age.yml
+++ b/crates/kingfisher-rules/data/rules/age.yml
@ -1,83 +0,0 @@
-rules:
-  - name: Age Recipient (X25519 public key)
-    id: kingfisher.age.1
-    pattern: |
-      (?x)
-      (
-        age1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{58}
-      )
-      \b
-    pattern_requirements:
-      min_digits: 2
-      min_lowercase: 1
-    min_entropy: 3.3
-    confidence: medium
-    examples:
-      - 'age1zvkyg2lqzraa2lnjvqej32nkuu0ues2s82hzrye869xeexvn73equnujwj'
-    references:
-      - https://age-encryption.org
-      - https://htmlpreview.github.io/?https://github.com/FiloSottile/age/blob/main/doc/age.1.html
-      - https://github.com/C2SP/C2SP/blob/8b6a842e0360d35111c46be2a8019b2276295914/age.md#the-x25519-recipient-type
-
-  - name: Age Identity (X22519 secret key)
-    id: kingfisher.age.2
-    pattern: |
-      (?x)
-      (
-        AGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}
-      )
-    min_entropy: 3.3
-    confidence: medium
-    examples:
-      - |
-        # created: 2022-09-26T21:55:47-05:00
-        # public key: age1epzmwwzw8n09slh0c7z1z52x43nnga7lkksx3qrh07tqz5v7lcys45428t
-        this is the 'AGE-SECRET-KEY-1HJCRJVK7EE3A5N8CRP8YSEUGZKNW90Y5UR2RGYAS8L279LFP6LCQU5ADNR'
-      - 'AGE-SECRET-KEY-1HJCRJVK7EE3A5N8CRP8YSEUGZKNW90Y5UR2RGYAS8L279LFP6LCQUEGAEX'
-    references:
-      - https://age-encryption.org
-      - https://htmlpreview.github.io/?https://github.com/FiloSottile/age/blob/main/doc/age.1.html
-      - https://github.com/C2SP/C2SP/blob/8b6a842e0360d35111c46be2a8019b2276295914/age.md#the-x25519-recipient-type
-    categories:
-      - secret
-
-  - name: Age Recipient (MLKEM768-X25519 public key)
-    id: kingfisher.age.3
-    pattern: |
-      (?x)
-      \b
-      (
-        age1pq1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{1952}
-      )
-      \b
-    min_entropy: 3.3
-    confidence: medium
-    examples:
-      - 'age1pq1x34nzsvr0rxjsgdn8zgyhfe8j7ceq5r9rdelkjuh3y235jzxshfg87pzf5zrqtzdxz95paef6caq5aapdmwjjqpjfdyxnzr2zampc3uxy0dg4z2n2gm9su72p0pc3u0jvev55l694v78snxg3yzvcl7yda0eyytqj6a0ec477lnhcy5hzpz4zq3pxanve4cn62gqj3pjy5lqj9c6kyj4v2z8alktn8zh99970x79gjkv7522hv9kfz35zsnxhsx8wwtmu9cy3ftzjgwcp4sshn3llnylnpdsyz5jm72vefv4x5vfwytrefxg4wq3mv42wcrvkj742479zrxzpvp2p3e9fed9f0739vcu80r7ma28qfhnvlv4gfzel9q654dj3zmuvvz893azhxdvs9fxd0r7jzchzcfcs5mkyyjxhw0n2z6dvp9yn9qfdp29h0azxqyjw6v7fhyuzj7zel0uq6j9rd7wgrpz7mf5dnj43jwsgvrc8qcnhy7tu6dkdujuxzkp9xj43xe8h92ktre2a3u3s8mm5mrp9nr9pwkgtz4mdlq9hgn4fps4k57ff6wddn2fy23t47sm20r8km8sd2pcyyafnet8f0dajsrlyjeah4n3mssr6aseevuuskdvq5lzguyvpgwpta742c6698vgutzqgny8usfg0w2he7kq5vyxjd0f9hqg8xk26y9e4th0gezq92q4cpp5p2y9hf5f2cje5l0c3sa3a2qxmm38pxxvhxh99yzmfz0zk7r2s64nnwjhkfgfr3gf8xnmppcgmaykvh5sh6g7vk9790rf8ws0axmr2t7z8aae5fq2029uvcn2ghgt4fu4wgwdc0k0cz52qkvwmuzj8p8k5jgf3xzk5zmrkavjekjrpeq408xz3zxazwkc6tyfmhayrkfpjhwtz5mp8j8guqe43k2q6m2kte03vrw27y3wmqyu5etmt9dnkwcnnpmu9gz9dekfhdevf42ucshphnrk38ra6hx8w5f8q5ru0xdhrjxmwqf6cused7zc5xvq43r0zscjglpwlptpwydhqw64xz7ptjdyeyzpq2zkxtmzg29gzjpvzva4d3l0cenn9xs297wf4y4ukwrunf57xj6pm7nvrkwvtrt8hwcmgv8x7ajw7258ugf9wvkmk4052ekg87tw5vnx8nq2swyzv77v8yqlwsenvamr0zssknwts8rrhfuwj7ykysnq9jxy0uv3kuyt22djszjdtvpz6d0s0kwh8ryynddzud92emeyvvyqktd0jtj7rvvg5gch25v8smlvny3kvn5gagyz475ze2y6q466xqmz2n3hs77lddeqyta2nch5k2u5yacuk9ywnwfdzvyejnucz724hj77hrrmakm7pr3kxsrxq22ejexlud9fy2kdqmkg5yncz7jm5wv2qjk5w5kvcpqsry2yqffh2la52dxfjkjq5rzhjzeyn6dupn0qwtyv7s4lwg3xdarsdlwe2y3tujy480y7z39q259fzx6jhd2j0f5hagqpcpees7hzc2yrk5cy788uk3s7qvp5cpepx24gvws3m2g433exgwppnkjscec8qu4y9z9r7vccexjcjaen42245lmgmxmuavg9alej92322gvvyy2t6267v09ch64y0m53jff0vjj96s0ypk60hr3jw4myd6m5hpn3xjstx7tl2szhpr5qe8jj08ydjc4wy2rch2fhuy3pdfjax5awe9j99ly5hkntzz9fe5zatgjvzdd0kgtxs25njnajyf6ssekp7gelxquusn4pt25czh3scj68kq79wdn5tgm6yvm9nzavrg043x3msnygf8dweknw5jmqd0uvny6ttsn09508k0c55zfnegrm9efhxpfqdkmhh6gjtqmwze9pyyzk3tlhl53k2ykx3qheyty7saeq0d3fzv49zc0k'
-    references:
-      - https://age-encryption.org
-      - https://htmlpreview.github.io/?https://github.com/FiloSottile/age/blob/main/doc/age.1.html
-      - https://github.com/C2SP/C2SP/blob/037e546d164a89fd7577df2c18df80bb54bd246e/age.md#the-mlkem768-x25519-ie-x-wing-hybrid-post-quantum-recipient-type
-
-  - name: Age Identity (MLKEM768-X25519 secret key)
-    id: kingfisher.age.4
-    pattern: |
-      (?x)
-      \b
-      (
-        AGE-SECRET-KEY-PQ-1[0-9A-Z]{58}
-      )
-      \b
-    min_entropy: 3.3
-    confidence: medium
-    examples:
-      - |
-        # created: 2025-11-17T12:15:17+01:00
-        # public key: age1pq1pd[... 1950 more characters ...]
-        AGE-SECRET-KEY-PQ-1XXC4XS9DXHZ6TREKQTT3XECY8VNNU7GJ83C3Y49D0GZ3ZUME4JWS6QC3EF
-    references:
-      - https://age-encryption.org
-      - https://htmlpreview.github.io/?https://github.com/FiloSottile/age/blob/main/doc/age.1.html
-      - https://github.com/C2SP/C2SP/blob/037e546d164a89fd7577df2c18df80bb54bd246e/age.md#the-mlkem768-x25519-ie-x-wing-hybrid-post-quantum-recipient-type
-    categories:
-      - secret
--- a/crates/kingfisher-rules/data/rules/aws.yml
+++ b/crates/kingfisher-rules/data/rules/aws.yml
@ -1,133 +0,0 @@
-rules:
-  - name: AWS Access Key ID
-    id: kingfisher.aws.1
-    pattern: |
-      (?x)             
-      \b
-      (
-        (?:A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)
-        [2-7A-Z]{16}
-      )
-      \b
-    pattern_requirements:
-      min_digits: 2
-      ignore_if_contains:
-        - "EXAMPLE"
-        - "TEST"
-    min_entropy: 3.2
-    visible: false
-    confidence: medium
-    examples:
-      - ASIAOZW6VBVAZFJHJLQA
-
-  - name: AWS Secret Access Key
-    id: kingfisher.aws.2
-    pattern: |
-      (?xi)
-      (?:
-        \b
-        (?:AWS|AMAZON|AMZN|A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)
-        (?:.|[\n\r]){0,64}?
-        [^A-Za-z0-9_+!@\#$%^&*()\]./]
-        ([A-Za-z0-9/+]{40})
-        [^A-Za-z0-9_+!@\#$%^&*()\]./]
-      |
-        \b(?:AWS|AMAZON|AMZN|A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)
-        (?:.|[\n\r]){0,96}?
-        (?:SECRET|PRIVATE|ACCESS)
-        (?:.|[\n\r]){0,16}?
-        (?:KEY|TOKEN)
-        (?:.|[\n\r]){0,64}?
-        \b
-        ([A-Za-z0-9/+]{40})
-        \b
-      )
-    pattern_requirements:
-      min_digits: 3
-      ignore_if_contains:
-        - "EXAMPLE"
-        - "TEST"
-    min_entropy: 4.0
-    confidence: medium
-    examples:
-      - foo.backup.archive.aws.secretkey=sBmHlDFrNcsz35N+LRjwlUxF8/wypT4tiJCQ0wP4
-      - '"awsSecretKey":"3lyTWqHMt5UySny2drdPYheRTEzrNux8Cn5JWFHL"'
-      - '"\"awsSecretKey\":\"3lyTWqHMt5UySny2drdPYheRTEzrNux8Cn5JWFHL\"," +'
-      - |
-        "Whiteboard" : {
-          "type" : "aws-s3",
-          "config" : {
-            "accessKeyId" : "AKIAIVOURJN3SXRRLZFQ",
-            "region" : "us-east-1",
-            "secretAccessKey" : "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"
-          },
-    validation:
-      type: AWS
-    revocation:
-      type: AWS
-    depends_on_rule:
-      - rule_id: kingfisher.aws.1
-        variable: AKID
-
-  - name: AWS Session Token
-    id: kingfisher.aws.4
-    pattern: '(?i)(?:aws.?session|aws.?session.?token|aws.?token)["''`]?\s{0,30}(?::|=>|=)\s{0,30}["''`]?([a-z0-9/+=]{16,200})[^a-z0-9/+=]'
-    pattern_requirements:
-      min_digits: 2
-    min_entropy: 3.3
-    confidence: medium
-    examples:
-      - |
-        export AWS_ACCESS_KEY_ID="I08BCX2ACV45ED1DOC9J"
-        export AWS_SECRET_ACCESS_KEY="0qk+o7XctJMmG6ydO8537c9+TofLJU1K0PiVBXSg"
-        export AWS_SESSION_TOKEN="eyJhbGciOiJIUzUxMi53InR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJJMDhCQ1gySkpWNDVFRDFET0M5SiIsImFjciI6Ij53LCJhdWQiOiJhY2NvdW50IiwiYXV0aF90aW1lIjowLCJhenAiOiJtaW5pbyIsImVtYWlsIjoiYWlkYW4uY29wZUBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImV4cCI6MTU4MDUwMDIzOCwiZmFtaWx5X25hbWUiOiJDb3BlIiwiZ2l2ZW5fbmFtZSI6IkFpZGFuIENvcGUiLCJpYXQiOjE1ODA0OTk5MzgsImlzcyI6Imh0dHBzOi8vYXV0aHN0Zy5wb3BkYXRhLmJjLmNhL2F1dGgvcmVhbG1zL3NhbXBsZSIsImp0aSI6IjU5ZTM5ODAxLWQxMmUtNDVhYS04NmQzLWVhMmNmZDU0NmE2MiIsIm1pbmlvX3BvbGljeSI6ImRhdGFzZXRfMV9ybyIsIm5hbWUiOiJBaWRhbiBDb3BlIENvcGUiLCJuYmYiOjAsInByZWZlcnJlZF91c2VybmFtZSI6ImFjb3BlLTk5LXQwNSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJwcm9maWxlIGVtYWlsIiwic2Vzc2lvbl9zdGF0ZSI6IjcxYjczZWJjLThlMzMtNGMyMi04NmE2LWI0MzhhNDM4ZmI2MiIsInN1YiI6IjVkOTBlOTgzLTA1NDItNDYyYS1hZWIwLWYxZWVmNjcwYzdlNSIsInR5cCI6IkJlYXJlciJ9.J-a9PORJToz7MUrnPQlOywcqtVMNkXy53Gedp_V4PW-Gbf1_BAMjwuw_X7fKRd6hkNfEn43CKKju7muzi_d1Ig"
-  - name: AWS Bedrock API Key (Long-lived)
-    id: kingfisher.aws.bedrock.long_lived
-    pattern: |
-      (?x)
-      (
-        ABSKQmVkcm9ja0FQSUtleS[A-Za-z0-9+/]{91,121}={0,2}
-      )
-    min_entropy: 3.0
-    confidence: medium
-    examples:
-      - "ABSKQmVkcm9ja0FQSUtleS1GU9MjAyNTEyMDVUMjE1MTUxWiZYLUFtei1FeHBpcmVzPTQzMjAwJlgtQW16LVNlY3VyaXR5LVRva2VuPUlRb0piM0pwWjJsdVgyVmpFSjclMk"
-    references:
-      - https://aws.amazon.com/blogs/security/securing-amazon-bedrock-api-keys-best-practices-for-implementation-and-management/
-      - https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-how.html
-    validation:
-      type: Http
-      content:
-        request:
-          method: GET
-          url: https://bedrock.us-east-1.amazonaws.com/foundation-models
-          headers:
-            Authorization: "Bearer {{ TOKEN }}"
-          response_matcher:
-            - type: StatusMatch
-              status: [200]
-
-  - name: AWS Bedrock API Key (Short-lived)
-    id: kingfisher.aws.6
-    pattern: |
-      (?x)
-      (
-        bedrock-api-key-YmVkcm9jay5hbWF6b25hd3MuY29t[A-Za-z0-9+/]+={0,2}
-      )
-    min_entropy: 3.0
-    confidence: medium
-    examples:
-      - "AWS_BEARER_TOKEN_BEDROCK=bedrock-api-key-YmVkcm9jay5hbWF6b25hd3MuY29tLz9BY3Rpb249Q2FsbFdpdGhCZWFyZXJUb2tlbiZYLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFTSUFWRzRBNFpCSk5YUzRJSEZTJTJGMjAyNTEyMDUlMkZ1cy1lYXN0LTElMkZiZWRyb2NrJTJGYXdzNF9yZXF1ZXN0JlgtQW16LURhdGU9MjAyNTEyMDVUMjE1MTUxWiZYLUFtei1FeHBpcmVzPTQzMjAwJlgtQW16LVNlY3VyaXR5LVRva2VuPUlRb0piM0pwWjJsdVgyVmpFSjclMkYlMkYlMkYlMkYlMkYlMkYlMkYlMkYlMkYlMkZ3RWFDWFZ6TFdWaGMzUXRNU0pITUVVQ0lRQ1Z1dkhPTmZLMHVxY3lPeUhibkJ5SUlRQnl3Sm9RV2VTRko4RlclMkIyNkxGQUlnUXJXSU9SbWd1bUozd3ZxTElMZVJ4SXczYzglMkIxaUJ2U1E0R1d6T21rY2VNcTN3UUlaeEFBR2d3ek5UZ3pOak15TWpBd05UQWlEQ05ZYkhtZVVTOE01Rjl6MGlxOEJOOWg4TEZLd0tqTHJDdzZ1eUVDYTd3YjFDbnpGQndyVlFkSXFPU0ZrNWJGbHg5Sjc0cnJ2TjNCYUZQOHR2S3lQcnJCeUJ3bGU3dTIwRjBXVDJoWHlQVTM4cUtpRDclMkZzaTNydnFkT2ptR3pNdERuazRHbEpEN3ZnM01SMWd3cFZJM2Z5ZjU0WU5aZ0lWcm9RZ1g4UVZ4aGNZeHNuSEx6Y3llelh1aGZWbElRMk1LVXUyOTh0c2NqcnF3aEs3WmMlMkZ0Mjc5TWRvengzVkFveUgzdFpocE9oVHhud1VkMHRtQ3REOU5QNHdIN1pOQjRIR2xaZWtidjBoUGIxV012azlhVGF2QkRUZlFCcERueEFHVG5KbXpicm8lMkJod2M0SDB5Skwwb1lVbGplalB3JTJCRVY4ZlJzU3hrVUliOHVRTWRBNDdhUmFzNGpPWkwzZVRlNTdvUXI1Rlo1ekJLJTJGdzBmc1p3RlY5JTJGMTE5Mzc3S2huSnFPRTMxdjBRJTJGYWV1YVk5YThIZnFVNlZ4MD14cVIyM1VxUExxaUVhUnJiTXlQSjVHRUdNSzk0RG5zMDF5cmFjNzU5UGF2Zko2QnpjaEFPSklJeFdXeXBiYmY4dUJKYTdyTldOQUF6S1R4NHFSVm9VdHljS2txciUyQlFyajZ2b1NNOHBoJTJCRnpZOXFEJTJCaCUyQkNEbkk4M0xMRDRkVnJVN0Jla05QbjNXSFpEN0twRVdVZWJ1UlpoZGVNSVU4R0hVVlpGa3FCV3Q0djk5QVdNdlFydEFJVzlHUWN3UkhZM3FaMFo2ZHI3cHpIOGNoZWRyMWdyJTJGUnBkT3lBdFIlMkZ3OE9HeU1LeklaSzRBdTZVeEhRaGdOVjJKdDh0ZnFVSlNCS281UVhiV1RmakFSNFlQSFcwbEREaEtRTTZYWWJsJTJGY0hSM3pIMG1WMGUyc92OJTJGVTJTc1Q3MVhCb1Z1Y2d3WU56RXFkM2M0ZUZzdjFaelBTQ2lMVWUyaDhPZTI5Q0F2VHF5eEZBTUFaMVpKNyUyRk5MSzVRSldNT09uemNrR09zTUNqQXhOVFdXUXdMUjd5NmR2TlMzQmh6UVlMJTJGeXpJWEdaVnhZYm9mY3IlMkJLbCUyRnVveSUyQkFlWCUyRkxLaXFwWDk5RWc2cSUyQm1tazNIZ1Q0WWNueVU4VW5Ya2FxMUNxcXVFVVBuRllyMklpbE1UYjlIOUVzanJMRDU4TnBhSTB2OENxNUVRQkIlMkZLMUtkMDdzRks5V1B6cTZaeCUyQmZEVjdYZ0NobG41UDZxQjBFJTJGem5QenRTRWNHMlViS0pHaE4yWjZ2TGtQOVU0STJQODk5WFF4enhVSUIxOTAzUWhjcGp3cGRDN2ZZWEZZVkxqS253bTFiRGlMdFIxMTVnbUpoSUVUM3NheE5zUnpSQkIlMkZjWlMwY1FiTm1wUSUyQldrbXo4ekdXUkc1ZTc1cGclMkY1dUVRMW5aN1ZGTk95UTg1M2Jrb0ZLM0lnNzR3MUpPQllPemlYTVI3ZDF6MSUyRkFNa3hQYWFrWE5YWEd2Z3BsaldBYlR1Wm5Jb1N6UFdEcWIlMkZRaFowUWNxM1JaSm1JdUhTd05oaWs2SFJiZ0NvQUlHZ2sxR21iZUZXZDRoZlhVZWNDOUxvcExzRzEzbUklM0QmWC1BbXotU2lnbmF0dXJlPTU4NTk1MjRjN2RlNGZjMWQ1ODlmZmViOTVlYWI5N2NhYjRmNTQyYWY2MmVkOGExMGYyYzlhZDYyZDQ5ZWY3ODkmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JlZlcnNpb249MQ=="
-    references:
-      - https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-how.html
-    validation:
-      type: Http
-      content:
-        request:
-          method: GET
-          url: https://bedrock.us-east-1.amazonaws.com/foundation-models
-          headers:
-            Authorization: "Bearer {{ TOKEN }}"
-          response_matcher:
-            - type: StatusMatch
-              status: [200]
--- a/crates/kingfisher-rules/src/rules_database.rs
+++ b/crates/kingfisher-rules/src/rules_database.rs
@ -216,7 +216,6 @@ mod test_vectorscan {
    }
 }
 #[cfg(test)]
-#[cfg(test)]
 mod test_regex_cleaning {
    use super::*;
    #[test]
--- a/crates/kingfisher-scanner/src/scanner_pool.rs
+++ b/crates/kingfisher-scanner/src/scanner_pool.rs
@ -9,9 +9,16 @@ use vectorscan_rs::{BlockDatabase, BlockScanner};
 /// A pool of Vectorscan block scanners for efficient multi-threaded scanning.
 ///
 /// Each thread gets its own scanner instance to avoid contention.
+///
+/// # Field Order
+///
+/// The field order is significant: `scanners` must be declared before `db`
+/// because Rust drops fields in declaration order. The scanners hold references
+/// to the database (via lifetime transmute), so they must be dropped first.
 pub struct ScannerPool {
-    db: Arc<BlockDatabase>,
+    // IMPORTANT: scanners must be dropped before db - do not reorder these fields
    scanners: ThreadLocal<UnsafeCell<Option<BlockScanner<'static>>>>,
+    db: Arc<BlockDatabase>,
 }

 // Safety: Each thread only accesses its own scanner instance
@ -37,8 +44,11 @@ impl ScannerPool {
        // Safety: ThreadLocal guarantees only the current thread accesses this cell
        let scanner_opt = unsafe { &mut *cell.get() };

-        // Create scanner if it doesn't exist
-        // We extend the lifetime - this is safe because the database outlives the scanner pool
+        // Create scanner if it doesn't exist.
+        // Safety: We extend the lifetime to 'static via transmute. This is sound because:
+        // 1. The database is held in an Arc, so it won't be freed while we hold a reference
+        // 2. The struct field order ensures scanners are dropped before db (Rust drops in order)
+        // 3. Therefore the database outlives all scanners that reference it
        if scanner_opt.is_none() {
            let db_ref: &'static BlockDatabase =
                unsafe { std::mem::transmute::<&BlockDatabase, &'static BlockDatabase>(&self.db) };