- Fixed issue when more than 1 named capture group is used in a rule variable

- Added 2 new liquid template filters: 'b64dec' and 'es256_sign' - Added custom validator for Coinbase, and a Coinbase rule that uses it
2025-07-31 16:49:46 -07:00 · 2025-07-31 16:49:46 -07:00 · e73aec9d70
commit e73aec9d70
parent aaabcbd499
11 changed files with 369 additions and 22 deletions
--- a/data/rules/coinbase.yml
+++ b/data/rules/coinbase.yml
@ -0,0 +1,67 @@
+rules:
+  - name: Coinbase Access Token
+    id: kingfisher.coinbase.1
+    pattern: |
+      (?xi)
+      \b
+        coinbase
+        (?:.|[\n\r]){0,16}?
+        (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
+        (?:.|[\n\r]){0,16}?
+        \b
+        (
+          [a-zA-Z-0-9]{32}
+        )
+        \b
+    min_entropy: 3.5
+    examples:
+      - coinbase_token = 32iAkQCcHHYxXGx20VogBZoj27PC1ouI
+    references:
+      - https://docs.cloud.coinbase.com/wallet-sdk/docs/api-keys
+    validation:
+      type: Http
+      content:
+        request:
+          method: GET
+          url: https://api.coinbase.com/v2/user
+          headers:
+            Authorization: "Bearer {{ TOKEN }}"
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [200]
+  - name: Coinbase CDP API Key
+    id: kingfisher.coinbase.2
+    pattern: |
+      (?xims)
+        "name"\s*:\s*"
+        (?P<CRED_NAME>organizations/[0-9a-f-]{36}/apiKeys/[0-9a-f-]{36})"
+        .*"privateKey"\s*:\s*"
+        (?P<PRIVATE_KEY>
+          -----BEGIN\sEC\s{0,1}
+          PRIVATE\sKEY
+          (\sBLOCK)?
+          -----
+          [a-z0-9 /+=\r\n\\n]{32,}?
+          -----END\s
+          (?:
+            RSA |
+            PGP |
+            DSA |
+            OPENSSH |
+            ENCRYPTED |
+            EC
+          )?
+          \s{0,1}
+          PRIVATE\sKEY
+          (\sBLOCK)?
+          -----
+        )
+    validation:
+      type: Coinbase
+    examples:
+      - |
+        {
+          "name": "organizations/243873d8-c14e-436d-9cea-10d530cbe201/apiKeys/d29bb143-ad4c-234f-9bd7-c705c16b6d19",
+          "privateKey": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIDs+vr9F40Mer+qYksK3QhkSMfUXOZsbRVSrelWGnMh3oAoGCCqGSM49\nAwEHoUQDQgAEOXj2qKzLYx21D3plbOa81ilURS/4K1jzLXBvgwfUe4hWDgBdKQvq\nIiet5qqZEwVlR/LqKQEUlP8YLrjLFU8Unw==\n-----END EC PRIVATE KEY-----\n"
+        }
--- a/data/rules/privkey.yml
+++ b/data/rules/privkey.yml
@ -45,8 +45,7 @@ rules:
  - name: Contains Private Key
    id: kingfisher.privkey.2
    pattern: |
-      (?xi)                    
-      (?ims)
+      (?xims)
      (                       
        -----BEGIN\s
        (?:
@ -68,7 +67,8 @@ rules:
          PGP |
          DSA |
          OPENSSH |
-          ENCRYPTED
+          ENCRYPTED |
+          EC
        )?
        \s{0,1}
        PRIVATE\sKEY