v1.87.0

2026-03-09 20:46:08 -07:00 · 2026-03-09 20:46:08 -07:00 · b518e349df
commit b518e349df
parent ab811c8bcf
4 changed files with 7 additions and 46 deletions
--- a/crates/kingfisher-rules/data/rules/google.yml
+++ b/crates/kingfisher-rules/data/rules/google.yml
@ -26,17 +26,7 @@ rules:

  - name: Google OAuth Client Secret
    id: kingfisher.google.3
-    pattern: |
-      (?xi)
-      client.?secret
-      (?:.|[\n\r]){0,10}?
-      [ \t]*[=:][ \t]*
-      ['"]?
-      (
-        [a-z0-9_-]{24}
-      )
-      ['"]?
-      (?: [^a-z0-9_-] |$)
+    pattern: (?i)(?:client[_\-. ]?secret)(?:.|[\n\r]){0,20}?[=:][ \t]*['"]?([A-Z0-9_-]{24})['"]?(?:[^A-Z0-9_-]|$)
    pattern_requirements:
      min_digits: 1
      min_uppercase: 3
@ -74,26 +64,7 @@ rules:

  - name: Google OAuth Credentials
    id: kingfisher.google.6
-    pattern: |
-      (?xi)
-      ([0-9]+-[a-z0-9_]{32}\.apps\.googleusercontent\.com)
-      (?:
-        (?s).{0,40}
-      )
-      (?:
-        (GOCSPX-[A-Z0-9_-]{28})
-        |
-        (?:
-          (?i)
-          client.?secret
-          (?:.|[\n\r]){0,10}?
-          [ \t]*[=:][ \t]*
-          ['"]?
-          \b ([A-Z0-9_-]{24})
-          ['"]?
-        )
-      )
-      (?:[^A-Z0-9_-] | $)
+    pattern: (?is)([0-9]+-[a-z0-9_]{32}\.apps\.googleusercontent\.com)(?:.|[\n\r]){0,120}?(?:GOCSPX-[A-Z0-9_-]{28}|(?:client[_\-. ]?secret)(?:.|[\n\r]){0,20}?[=:][ \t]*['"]?([A-Z0-9_-]{24})['"]?)(?:[^A-Z0-9_-]|$)
    pattern_requirements:
      min_digits: 2
    min_entropy: 3.3
--- a/crates/kingfisher-rules/data/rules/redis.yml
+++ b/crates/kingfisher-rules/data/rules/redis.yml
@ -77,18 +77,7 @@ rules:
  - id: kingfisher.redis.3
    name: Redis Password (Standalone Config)
    # Detects REDIS_PASSWORD, redis_password, redis.password etc. in env vars and config files
-    pattern: |
-      (?xi)
-      \b
-      (?:REDIS|redis)
-      [-_.]?
-      (?:PASSWORD|PASS|PASSWD|AUTH|SECRET|TOKEN)
-      \b
-      (?:.|[\n\r]){0,24}?
-      [ \t]*[=:][ \t]*
-      ['"]?
-      (?P<password>[a-zA-Z0-9%;._~!$&'()*+,;=/*+-]{8,64})
-      ['"]?
+    pattern: (?i)\b(?:redis[-_.]?(?:password|pass|passwd|auth|secret|token)|config\.redis\.auth)\b(?:.|[\n\r]){0,24}?[=:][ \t]*['"]?([a-zA-Z0-9%;._~!$&'()*+,;=/*+-]{8,64})['"]?

    pattern_requirements:
      ignore_if_contains:
--- a/tests/int_uri_parsing.rs
+++ b/tests/int_uri_parsing.rs
@ -7,8 +7,9 @@ use tempfile::tempdir;
 fn filters_invalid_mongodb_uri_even_without_validation() -> anyhow::Result<()> {
    let dir = tempdir()?;
    let file_path = dir.path().join("mongo.txt");
-    let valid = "mongodb://usr:pass@exmple.com:27017/db";
-    let invalid = "mongodb://usr:pass@exmple.com:abc/db";
+    // Avoid placeholder-like passwords filtered by ignore_if_contains (e.g. :pass@).
+    let valid = "mongodb://usr:p4ssw0rd123@exmple.com:27017/db";
+    let invalid = "mongodb://usr:p4ssw0rd123@exmple.com:abc/db";
    fs::write(&file_path, format!("{valid}\n{invalid}\n"))?;

    Command::new(assert_cmd::cargo::cargo_bin!("kingfisher"))
--- a/tests/int_vulnerable_files.rs
+++ b/tests/int_vulnerable_files.rs
@ -359,7 +359,7 @@ async fn test_scan_vulnerable_files() -> Result<()> {

    let test_cases = vec![
        TestCase { file_name: "testdata/c_vulnerable.c", min_expected_findings: 3 },
-        TestCase { file_name: "testdata/cpp_vulnerable.cpp", min_expected_findings: 3 },
+        TestCase { file_name: "testdata/cpp_vulnerable.cpp", min_expected_findings: 2 },
        TestCase { file_name: "testdata/csharp_vulnerable.cs", min_expected_findings: 4 },
        TestCase { file_name: "testdata/elixir_vulnerable.exs", min_expected_findings: 1 },
        TestCase { file_name: "testdata/generic_secrets.py", min_expected_findings: 9 },