From b518e349dff0d7b793b4112ec00f2ca94de931fa Mon Sep 17 00:00:00 2001 From: Mick Grove Date: Mon, 9 Mar 2026 20:46:08 -0700 Subject: [PATCH] v1.87.0 --- crates/kingfisher-rules/data/rules/google.yml | 33 ++----------------- crates/kingfisher-rules/data/rules/redis.yml | 13 +------- tests/int_uri_parsing.rs | 5 +-- tests/int_vulnerable_files.rs | 2 +- 4 files changed, 7 insertions(+), 46 deletions(-) diff --git a/crates/kingfisher-rules/data/rules/google.yml b/crates/kingfisher-rules/data/rules/google.yml index 8e7acdc..c6c9e66 100644 --- a/crates/kingfisher-rules/data/rules/google.yml +++ b/crates/kingfisher-rules/data/rules/google.yml @@ -26,17 +26,7 @@ rules: - name: Google OAuth Client Secret id: kingfisher.google.3 - pattern: | - (?xi) - client.?secret - (?:.|[\n\r]){0,10}? - [ \t]*[=:][ \t]* - ['"]? - ( - [a-z0-9_-]{24} - ) - ['"]? - (?: [^a-z0-9_-] |$) + pattern: (?i)(?:client[_\-. ]?secret)(?:.|[\n\r]){0,20}?[=:][ \t]*['"]?([A-Z0-9_-]{24})['"]?(?:[^A-Z0-9_-]|$) pattern_requirements: min_digits: 1 min_uppercase: 3 @@ -74,26 +64,7 @@ rules: - name: Google OAuth Credentials id: kingfisher.google.6 - pattern: | - (?xi) - ([0-9]+-[a-z0-9_]{32}\.apps\.googleusercontent\.com) - (?: - (?s).{0,40} - ) - (?: - (GOCSPX-[A-Z0-9_-]{28}) - | - (?: - (?i) - client.?secret - (?:.|[\n\r]){0,10}? - [ \t]*[=:][ \t]* - ['"]? - \b ([A-Z0-9_-]{24}) - ['"]? - ) - ) - (?:[^A-Z0-9_-] | $) + pattern: (?is)([0-9]+-[a-z0-9_]{32}\.apps\.googleusercontent\.com)(?:.|[\n\r]){0,120}?(?:GOCSPX-[A-Z0-9_-]{28}|(?:client[_\-. ]?secret)(?:.|[\n\r]){0,20}?[=:][ \t]*['"]?([A-Z0-9_-]{24})['"]?)(?:[^A-Z0-9_-]|$) pattern_requirements: min_digits: 2 min_entropy: 3.3 diff --git a/crates/kingfisher-rules/data/rules/redis.yml b/crates/kingfisher-rules/data/rules/redis.yml index 0330a1b..9c92f9b 100644 --- a/crates/kingfisher-rules/data/rules/redis.yml +++ b/crates/kingfisher-rules/data/rules/redis.yml 
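Review bot: The rewritten google.3 pattern still captures only a 24-character legacy value after `client_secret`, so a current-format `GOCSPX-` secret assigned on its own (no `…apps.googleusercontent.com` client ID within reach of google.6) is not caught by this rule: after 24 characters the trailing `(?:[^A-Z0-9_-]|$)` guard hits the remainder of the 35-character value and the match fails, unless another rule in this file handles standalone GOCSPX secrets. Accepting both formats in the capture is a one-token change to the new `pattern:` line: `['"]?(GOCSPX-[A-Z0-9_-]{28}|[A-Z0-9_-]{24})['"]?(?:[^A-Z0-9_-]|$)`. The `min_uppercase: 3` requirement that follows is still met by the uppercase `GOCSPX` prefix.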
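Review bot: The `GOCSPX-[A-Z0-9_-]{28}` branch of the rewritten google.6 pattern lost the capture group the removed multi-line form had around it, so a match through that branch sets only group 1 (the public client ID) and leaves group 2 unset; whichever group the scanner reports or validates, it no longer holds the secret for the modern format, and if it falls back to group 1 the finding will present the non-sensitive client ID as the secret. Restore the parentheses in the new `pattern:` line: `(?:(GOCSPX-[A-Z0-9_-]{28})|(?:client[_\-. ]?secret)`. Separately, under `(?is)` the `.` already matches newlines, so both `(?:.|[\n\r])` gaps can be plain `.`, and the lookahead window grew from 40 to 120 characters with no note in the commit, which deserves a `#` comment on the rule if intentional.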
@@ -77,18 +77,7 @@ rules: - id: kingfisher.redis.3 name: Redis Password (Standalone Config) # Detects REDIS_PASSWORD, redis_password, redis.password etc. in env vars and config files - pattern: | - (?xi) - \b - (?:REDIS|redis) - [-_.]? - (?:PASSWORD|PASS|PASSWD|AUTH|SECRET|TOKEN) - \b - (?:.|[\n\r]){0,24}? - [ \t]*[=:][ \t]* - ['"]? - (?P[a-zA-Z0-9%;._~!$&'()*+,;=/*+-]{8,64}) - ['"]? + pattern: (?i)\b(?:redis[-_.]?(?:password|pass|passwd|auth|secret|token)|config\.redis\.auth)\b(?:.|[\n\r]){0,24}?[=:][ \t]*['"]?([a-zA-Z0-9%;._~!$&'()*+,;=/*+-]{8,64})['"]? pattern_requirements: ignore_if_contains: diff --git a/tests/int_uri_parsing.rs b/tests/int_uri_parsing.rs index 927640e..d85aa7b 100644 --- a/tests/int_uri_parsing.rs +++ b/tests/int_uri_parsing.rs @@ -7,8 +7,9 @@ use tempfile::tempdir; fn filters_invalid_mongodb_uri_even_without_validation() -> anyhow::Result<()> { let dir = tempdir()?; let file_path = dir.path().join("mongo.txt"); - let valid = "mongodb://usr:pass@exmple.com:27017/db"; - let invalid = "mongodb://usr:pass@exmple.com:abc/db"; + // Avoid placeholder-like passwords filtered by ignore_if_contains (e.g. :pass@). + let valid = "mongodb://usr:p4ssw0rd123@exmple.com:27017/db"; + let invalid = "mongodb://usr:p4ssw0rd123@exmple.com:abc/db"; fs::write(&file_path, format!("{valid}\n{invalid}\n"))?; Command::new(assert_cmd::cargo::cargo_bin!("kingfisher")) diff --git a/tests/int_vulnerable_files.rs b/tests/int_vulnerable_files.rs index 389f28e..5dea201 100644 --- a/tests/int_vulnerable_files.rs +++ b/tests/int_vulnerable_files.rs 
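Review bot: The value class in the rewritten redis.3 pattern still admits `'`, `)` and `;` while the closing `['"]?` is optional, so for `redis_password='abcdefghij'` the greedy `{8,64}` capture swallows the closing quote (`abcdefghij'`), and for a line like `redis.auth=os.getenv('X')` the captured "password" is the whole call expression; any validation the scanner performs on the captured value would then run against the wrong string. Dropping the quote from the class covers the common case and also removes the duplicated `;`, `*` and `+`: `['"]?([a-zA-Z0-9%._~!$&()*+,;=/-]{8,64})['"]?`. Separately, the leading `\b` before `redis` means `CACHE_REDIS_PASSWORD=…` or `MY_REDIS_AUTH=…` never match, because `_` is a word character and no boundary exists between `_` and `R`; if prefixed variable names are meant to be covered, `\b(?:\w+_)?redis` in place of `\bredis` would catch them.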
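Review bot: The replacement password `p4ssw0rd123` on the two new `let` lines is itself a leetspeak spelling of "password", exactly the kind of value a placeholder filter tends to grow to reject, so this test may start failing again for a reason unrelated to URI parsing the next time `ignore_if_contains` (or an entropy floor, if the MongoDB rule has one) is tightened. A value with no dictionary resemblance, held in one binding so both URIs stay in sync, avoids that: `let secret = "Qm7vX2pLk9R4tZ";` followed by `let valid = format!("mongodb://usr:{secret}@exmple.com:27017/db");` and the matching `invalid` line with `:abc/db`. The enclosing test function continues past the end of the hunk.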
@@ -359,7 +359,7 @@ async fn test_scan_vulnerable_files() -> Result<()> { let test_cases = vec![ TestCase { file_name: "testdata/c_vulnerable.c", min_expected_findings: 3 }, - TestCase { file_name: "testdata/cpp_vulnerable.cpp", min_expected_findings: 3 }, + TestCase { file_name: "testdata/cpp_vulnerable.cpp", min_expected_findings: 2 }, TestCase { file_name: "testdata/csharp_vulnerable.cs", min_expected_findings: 4 }, TestCase { file_name: "testdata/elixir_vulnerable.exs", min_expected_findings: 1 }, TestCase { file_name: "testdata/generic_secrets.py", min_expected_findings: 9 },
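Review bot: Lowering `min_expected_findings` for `testdata/cpp_vulnerable.cpp` from 3 to 2 on the changed line silently accepts that one detection in that fixture no longer fires, and nothing in the hunk or the commit message (`v1.87.0`) records which rule or why; if this is a deliberate consequence of the pattern changes elsewhere in the release that is fine, but if a real secret in the fixture stopped matching, the test has just been made blind to the regression. A one-line comment pinning the reason keeps the floor honest, e.g. `// 2 since v1.87.0: the RULE_ID placeholder in cpp_vulnerable.cpp is now filtered by ignore_if_contains`, with the actual rule filled in. The enclosing `test_scan_vulnerable_files` function extends beyond the hunk on both sides.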