preparing for v1.12

This commit is contained in:
Mick Grove 2025-06-24 17:17:16 -07:00
commit fc4aee9e41
249 changed files with 121395 additions and 0 deletions

BIN
testdata/archive/kfArchiveTest.7z vendored Normal file

Binary file not shown.

BIN
testdata/archive/kfArchiveTest.tar vendored Normal file

Binary file not shown.

BIN
testdata/archive/kfArchiveTest.tar.bz2 vendored Normal file

Binary file not shown.

BIN
testdata/archive/kfArchiveTest.tar.gz vendored Normal file

Binary file not shown.

BIN
testdata/archive/kfArchiveTest.tar.lz4 vendored Normal file

Binary file not shown.

BIN
testdata/archive/kfArchiveTest.tar.xz vendored Normal file

Binary file not shown.

BIN
testdata/archive/kfArchiveTest.zip vendored Normal file

Binary file not shown.

Binary file not shown.

42
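--- a/testdata/archive/makeArchives.sh
+++ b/testdata/archive/makeArchives.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+DIR_TO_COMPRESS="firstdir"
+BASE_NAME="kfArchiveTest"
+ZIP_FILE="template.zip"
+# Extract template.zip
+if [ -f "$ZIP_FILE" ]; then
+# Remove the __MACOSX directory if it exists
+rm -rf __MACOSX
+unzip "$ZIP_FILE"
+find . -name ".*" -exec rm -rf {} +
+rm -rf __MACOSX
+else
+echo "Error: $ZIP_FILE not found."
+exit 1
+fi
+sleep 2
+# Create archives in different formats
+7z a -tzip "${BASE_NAME}.zip" "$DIR_TO_COMPRESS/"
+7z a -tzip "${BASE_NAME}_zip_inside.zip" "${BASE_NAME}.zip"
+7z a -ttar "${BASE_NAME}.tar" "$DIR_TO_COMPRESS/"
+7z a -tgzip "${BASE_NAME}.tar.gz" "${BASE_NAME}.tar"
+7z a -tbzip2 "${BASE_NAME}.tar.bz2" "${BASE_NAME}.tar"
+7z a -txz "${BASE_NAME}.tar.xz" "${BASE_NAME}.tar"
+7z a -tlz4 "${BASE_NAME}.tar.lz4" "${BASE_NAME}.tar"
+7z a -t7z "${BASE_NAME}.7z" "$DIR_TO_COMPRESS/"
+7z a -tgzip "${BASE_NAME}.gz" "$DIR_TO_COMPRESS/"
+7z a -tbzip2 "${BASE_NAME}.bz2" "$DIR_TO_COMPRESS/"
+7z a -txz "${BASE_NAME}.xz" "$DIR_TO_COMPRESS/"
+# Create RAR archive if rar command is available
+if command -v rar >/dev/null 2>&1; then
+rar a -r "${BASE_NAME}.rar" "$DIR_TO_COMPRESS/"
+else
+echo "rar command not found. Skipping .rar archive creation."
+fi
+rm -rf "$DIR_TO_COMPRESS"
+echo "Compression complete."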
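Review bot: `find . -name ".*" -exec rm -rf {} +` is rooted at the current directory rather than at the extracted tree, so running the script from anywhere other than a scratch directory deletes every dotfile and dot-directory under the cwd (a `.git` checkout included), and `.` itself matches the pattern, which `rm` refuses with an error. Scope the cleanup to the extracted directory and skip the starting point: `find "$DIR_TO_COMPRESS" -mindepth 1 -name '.*' -exec rm -rf {} +`. There is also no `set -euo pipefail`, so a failed `unzip` or `7z` invocation still reaches `rm -rf "$DIR_TO_COMPRESS"` and prints "Compression complete.". `unzip "$ZIP_FILE"` without `-o` prompts interactively when the target already exists, which the unexplained `sleep 2` does not address; either pass `-o` or extract into a fresh directory.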

BIN
testdata/archive/template.zip vendored Normal file

Binary file not shown.

95
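--- a/testdata/baseline/baseline_test.go
+++ b/testdata/baseline/baseline_test.go
@@ -0,0 +1,95 @@
+package core
+import (
+"io/ioutil"
+"os"
+"path"
+"path/filepath"
+"runtime"
+"testing"
+"github.com/10gen/kingfisher/core"
+)
+func rootDir() string {
+_, b, _, _ := runtime.Caller(0)
+return filepath.Dir(path.Dir(b))
+}
+func NewTestSession(baselineFilename string) (*core.Session, error) {
+session := core.PrepareTestSession()
+session.Testing = true
+session.ReqScanMode = core.LocalFiles
+session.Options.ValidateSecrets = true
+session.Options.BaselineFilename = baselineFilename
+session.Options.KingfisherTempDir = core.GetTempDir()
+core.GlobalSessionRef = session
+session.InitializeTargetModeClient()
+return session, nil
+}
+func beginTesting(t *testing.T, testfile string, expectedSkippedFindings, expectedFindingsSuppressKingfisher int) {
+rootdir := rootDir()
+testfilePath := filepath.Join(rootdir, testfile)
+_, filename := filepath.Split(testfilePath)
+byteBaseLine := []byte(`FileContent:
+matches: []
+FilePaths:
+matches: []
+ExactFindings:
+matches:
+- filepath: testdata/ruby_vulnerable.rb
+findinghash: 701c302855ecc97e8415c44f37123bc2ca0c3343bd87028682aaaeaa90568084
+linenum: 40
+lastupdated: Tue Apr 16 13:04:10 PDT 2024
+- filepath: testdata/ruby_vulnerable.rb
+findinghash: 065d1e2faeae9328ca8b2f2754afa6c196d3ef2da2720dabca7e5161d67a6ca1
+linenum: 40
+lastupdated: Tue Apr 16 13:04:10 PDT 2024
+`)
+// Write byteBaseline to a file in a temp directory and give yaml extension
+tempFile, err := ioutil.TempFile("", "baseline-*.yaml")
+if err != nil {
+t.Fatal(err)
+}
+defer os.Remove(tempFile.Name()) // Clean up the file after test
+if _, err := tempFile.Write(byteBaseLine); err != nil {
+t.Fatal(err)
+}
+if err := tempFile.Close(); err != nil {
+t.Fatal(err)
+}
+sess, err := NewTestSession(tempFile.Name())
+if err != nil {
+t.Fatal(err)
+}
+matchFile := core.NewMatchFile(testfilePath, sess, nil)
+core.BeginFileAnalysis(matchFile)
+if sess.Stats.SkippedFindings != expectedSkippedFindings {
+core.PrintSessionStats(sess)
+t.Errorf("Expected %d findings, got %d -- file: <%s>", expectedSkippedFindings, sess.Stats.SkippedFindings, filename)
+}
+}
+func TestBaselineFeature(t *testing.T) {
+tests := []struct {
+fileName string
+expectedSkippedFindings int
+expectedFindingsSuppressKingfisher int
+}{
+{"ruby_vulnerable.rb", 3, 0},
+}
+for _, tt := range tests {
+t.Run(tt.fileName, func(t *testing.T) {
+beginTesting(t, tt.fileName, tt.expectedSkippedFindings, tt.expectedFindingsSuppressKingfisher)
+})
+}
+}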
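Review bot: `beginTesting` accepts `expectedFindingsSuppressKingfisher` but never asserts on it, so the third column of the table in `TestBaselineFeature` is dead, and the failure message at the `SkippedFindings` comparison says "Expected %d findings" while the value compared is the skipped count; either assert the second expectation or drop the parameter, and reword to `t.Errorf("Expected %d skipped findings, got %d -- file: <%s>", expectedSkippedFindings, sess.Stats.SkippedFindings, filename)`. `ioutil.TempFile` has been deprecated since Go 1.16; `tempFile, err := os.CreateTemp(t.TempDir(), "baseline-*.yaml")` drops the `io/ioutil` import and the manual `defer os.Remove`. `NewTestSession` returns an `error` that is always nil and assigns the package-global `core.GlobalSessionRef`, which makes the subtests unsafe under `t.Parallel()` — a doc comment stating that the session is installed globally would save the next reader from adding it. `rootDir` mixes `path.Dir` and `filepath.Dir` on a filesystem path; `filepath.Dir(filepath.Dir(b))` keeps it OS-correct.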

68
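--- a/testdata/c_vulnerable.c
+++ b/testdata/c_vulnerable.c
@@ -0,0 +1,68 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+int main(int argc, char *argv[])
+{
+typedef struct
+{
+char *secret_key; // Dynamic allocation
+char *password; // Dynamic allocation
+unsigned int age;
+} person;
+typedef struct
+{
+int id;
+char *secret_key;
+} employee;
+employee emp = {
+.id = 0,
+.secret_key = "my voice is my passport"};
+struct employee_s
+{
+int id;
+char *secret_key;
+} employee_default = {0, "8934#@hafRhzj13!d<2$F5q"};
+// Initialization of person
+person p;
+p.age = 30;
+p.secret_key = strdup("John"); // Use strdup to allocate and copy
+p.password = strdup("Doe"); // Use strdup to allocate and copy
+char *msg = "sunshine19";
+char *s1 = "blink182";//NOKINGFISHER
+printf("values: %s; Age: %u\n", p.secret_key, p.age);
+// Re-assignment of person's fields
+p.age = 25;
+free(p.secret_key); // free previously allocated memory
+p.secret_key = strdup("449a@QL#cha0213aKL:HF#@9;+_345Awd");
+printf("values: %s; Age: %u\n", p.secret_key, p.age);
+char *firstName = "Marty";
+char *password = "McFly";
+char *key_id = "AKIA6ODU5DHT7VPXGCE4";
+char *aws_secret = "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";
+// Free the previously allocated fields
+free(p.secret_key);
+free(p.password);
+p.secret_key = strdup(firstName);
+p.password = strdup(password);
+printf("values: %s; Age: %u\n", p.secret_key, p.age);
+// Clean up
+free(p.secret_key);
+free(p.password);
+return 0;
+}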

79
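--- a/testdata/cpp_vulnerable.cpp
+++ b/testdata/cpp_vulnerable.cpp
@@ -0,0 +1,79 @@
+#include <iostream>
+#include <string>
+#include <cstring>
+using namespace std;
+class MyClass {
+private:
+int myNum;
+string myString;
+string secret_key;
+public:
+void setMyNum(int num) { myNum = num; }
+void setMyString(const string& str) { myString = str; }
+void setSecretKey(const string& key) { secret_key = key; }
+int getMyNum() { return myNum; }
+string getMyString() { return myString; }
+string getSecretKey() { return secret_key; }
+};
+class Cellphone {
+private:
+string password;
+string my_api_key;
+string github_key;
+public:
+Cellphone() : password("thisisabadpassword"), my_api_key("FAKEgqnZYzH945UBWnauBuKXKLEhq5Le"), github_key("88df97769ab3185f2c0b2a73fdae1b27d89409ca") {}
+void details();
+};
+void Cellphone::details() {
+cout << "cell phone details are: " << endl;
+cout << "Password: " << password << endl;
+cout << "API Key: " << my_api_key << endl;
+my_api_key = "foo";
+}
+void SomeFunction(string& s) {
+s[0] = 'p';
+}
+int main() {
+MyClass myObj;
+// Set attributes
+myObj.setMyNum(15);
+myObj.setMyString("p@ssw0rd123");
+myObj.setSecretKey("23847601237597123230895");
+// Print attribute values
+cout << myObj.getMyNum() << "\n";
+cout << myObj.getMyString() << "\n";
+string secret_pass = "my voice is my passport";
+cout << "secret_pass is: " << secret_pass << endl;
+string temp_password = "short line for testing";
+cout << "temp_password is: " << temp_password << endl;
+string s5(temp_password, 6, 4);
+cout << "s5 is: " << s5 << endl;
+string szHackerProof(15, '*');
+cout << "szHackerProof is: " << szHackerProof << endl;
+string s7(temp_password.begin(), temp_password.end() - 5);
+cout << "s7 is: " << s7 << endl;
+Cellphone myPhone;
+myPhone.details();
+string strForFunc = "Passing a string";
+SomeFunction(strForFunc);
+cout << "Changed string is: " << strForFunc << endl;
+return 0;
+}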

2731
testdata/crasher.c.inl vendored Normal file


84
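--- a/testdata/csharp_vulnerable.cs
+++ b/testdata/csharp_vulnerable.cs
@@ -0,0 +1,84 @@
+using System;
+class User {
+// String properties
+public string FirstName { get; set; }
+public string LastName { get; set; }
+public string Email { get; set; }
+// Constructor to initialize properties
+public User(string firstName, string lastName, string email) {
+FirstName = firstName;
+LastName = lastName;
+Email = email;
+}
+}
+class Program {
+static void Main(string[] args) {
+// Create user object and assign strings
+User user = new User("John", "Doe", "john@email.com");
+user.FirsName = "Bob";
+// Access string properties
+Console.WriteLine(user.FirstName);
+Console.WriteLine(user.LastName);
+Console.WriteLine(user.Email);
+}
+}
+class Program {
+static void Main(string[] args) {
+// Using string constructor
+string ipAddress = new String("8.8.8.8");
+string password = new String("s3cr3tp@ssw0rd");
+string passwd = new String("9043hfdlasf023");
+string pwd = new String("a9lah209la81la3");
+string password = new String("all along the watchtower");
+string key = new String("qpsbnoewdmdsoeg");
+string secretKey = new String("402750613792034973");
+string privateKey = new String("ja4wALsaho20af21dS");
+// Using string literals
+string ip = "8.8.8.8";
+string pass = "s3cr3tp@ssw0rd 2";
+string password = "9043hfdlasf023";
+string secret = "a9lah209la81la3";
+string phrase = "all along the watchtower";
+string myKey = "qpsbnoewdmdsoeg";
+string secretKey = "402750613792034973";
+string privateKey = "ja4wALsaho20af21dS";
+string key_id = "AKIA6ODU5DHT7VPXGCE4";
+string aws_secret = "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";
+string hidden_passphrase = "blink182";
+// Using escaped characters
+string escaped = "Hello \"World\"";
+// Multiline string literal
+string multiline = @"This is a
+multiline string literal";
+// String interpolation
+string name = "John";
+string message = $"Hello {name}!";
+// String concatenation
+string firstName = "John ";
+string lastName = "Doe";
+string fullName = firstName + lastName;
+// Formatted string
+string score = string.Format("The score is {0}", 42);
+}
+}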

76
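--- a/testdata/e2e/e2e_localgit.go
+++ b/testdata/e2e/e2e_localgit.go
@@ -0,0 +1,76 @@
+package main
+import (
+"fmt"
+"os"
+"os/exec"
+"path/filepath"
+"strconv"
+regexp "github.com/wasilibs/go-re2"
+)
+func main() {
+// fmt.Println(">> [*] Testing 'kingfisher local-git' functionality against owasp/wrongsecrets repo.")
+// Remove the existing /tmp/wrongsecrets directory
+if err := os.RemoveAll("/tmp/wrongsecrets"); err != nil {
+fmt.Printf("Error removing /tmp/wrongsecrets: %s\n", err)
+return
+}
+// Clone the owasp/wrongsecrets repository
+gitCloneCmd := exec.Command("git", "clone", "https://github.com/OWASP/wrongsecrets.git", "/tmp/wrongsecrets", "--depth", "1")
+if err := gitCloneCmd.Run(); err != nil {
+fmt.Printf("Error cloning repository: %s\n", err)
+return
+}
+defer os.RemoveAll("/tmp/wrongsecrets")
+// Get the current working directory
+cwd, err := os.Getwd()
+if err != nil {
+fmt.Printf("Error getting current directory: %s\n", err)
+return
+}
+// Construct the path to main.go
+mainGoPath := filepath.Join(cwd, "main.go")
+// Run the main.go with local-git command
+mainGoCmd := exec.Command("go", "run", mainGoPath, "local-git", "--path", "/tmp/wrongsecrets", "--silent", "--debug", "--confidence", "low")
+outputBytes, err := mainGoCmd.CombinedOutput()
+if err != nil {
+fmt.Printf("Error running main.go: %s\nOutput: %s\n", err, string(outputBytes))
+return
+}
+output := string(outputBytes)
+// Print output
+// fmt.Println(output)
+// Extract the number of files processed
+re := regexp.MustCompile(`Files Read\.*?: (\d+)`)
+matches := re.FindStringSubmatch(output)
+if len(matches) < 2 {
+fmt.Println("Error: Could not find files count")
+os.Exit(1)
+return
+}
+filesCount, err := strconv.Atoi(matches[1])
+if err != nil {
+fmt.Printf("Error parsing files count: %s\n", err)
+os.Exit(1)
+return
+}
+// Check if the files count is greater than 10
+if filesCount <= 10 {
+fmt.Printf("Error: Files count (%d) is not greater than 10\n", filesCount)
+os.Exit(1)
+return
+}
+fmt.Println("Test completed successfully.")
+}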
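Review bot: The three failure paths that call `os.Exit(1)` bypass the `defer os.RemoveAll("/tmp/wrongsecrets")` registered after the clone, so a failed run leaves the checkout behind, and the `return` after each `os.Exit` is unreachable. The checkout also lives at a fixed, predictable path in the shared `/tmp`, which on a multi-user CI host is the classic pre-created-path/symlink hazard; `os.MkdirTemp` gives each run a private directory. Neither `git clone` nor `go run` is bounded by a timeout, so a stalled network leaves the test hanging — `exec.CommandContext` with a `context.WithTimeout` would cap it. Moving the body into a `run() error` that `main` exits on lets the deferred cleanup fire on every path; the sketch below shows the structure, with the clone, scan and `Files Read` parsing unchanged apart from using `dir`. The alias `regexp "github.com/wasilibs/go-re2"` for one simple pattern can be the standard-library `regexp`.
```go
func main() {
	if err := run(); err != nil {
		fmt.Println("Error:", err)
		os.Exit(1)
	}
	fmt.Println("Test completed successfully.")
}

func run() error {
	dir, err := os.MkdirTemp("", "wrongsecrets-*")
	if err != nil {
		return fmt.Errorf("creating checkout dir: %w", err)
	}
	defer os.RemoveAll(dir)
	// … unchanged: git clone into dir, go run main.go local-git --path dir, regexp on output …
	if filesCount <= 10 {
		return fmt.Errorf("files count (%d) is not greater than 10", filesCount)
	}
	return nil
}
```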

72
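--- a/testdata/elixir_vulnerable.exs
+++ b/testdata/elixir_vulnerable.exs
@@ -0,0 +1,72 @@
+defmodule HelloWorld do
+def main do
+# Immutable variable assignment
+ip_address = "8.8.8.8"
+password = "s3cr3tp@ssw0rd"
+passwd = "9043hfdlasf023"
+pwd = "a9lah209la81la3"
+passphrase = "all along the watchtower"
+key = "qpsbnoewdmdsoeg"
+secret_key = "402750613792034973"
+private_key = "ja4wALsaho20af21dS"
+# Reassignment of variables (note: this creates new variables, doesn't mutate the original ones)
+ip_address = "1a2w3eqwerty"
+password = "grape1999"
+passwd = "grape2020"
+pwd = "qwertyuiop123"
+passphrase = "trustno1"
+IO.puts("Hello, World")
+# Example of using a Map for structured data, similar to Java's Hashtable
+env = %{
+"SECURITY_CREDENTIALS" => "412389uSwYkRm1Tg!",
+"SECURITY_PRINCIPAL" => "fakefakefake@contoso.com"
+}
+# Simulating a try-catch with pattern matching
+case create_dir_context(env) do
+{:ok, _dir_context} ->
+IO.puts("InitialDirContext created successfully")
+{:error, msg} ->
+IO.puts("Error: #{msg}")
+end
+end
+defp create_dir_context(_env) do
+# Placeholder for actual directory context creation logic
+# Return {:ok, dir_context} on success or {:error, reason} on failure
+{:ok, "dir_context_placeholder"}
+tuple = {:ok, "Hello"}
+# A tuple with two elements
+tuple1 = {:ok, "Hello"}
+# A tuple with three elements
+tuple2 = {:ok, "Hello", "World"}
+# A tuple with four elements
+tuple3 = {:ok, "Hello", 123, :error}
+part1 = "Hello"
+part2 = ", world"
+combined = part1 <> part2
+multiline_string = """
+This is a multiline string.
+It spans multiple lines.
+"""
+{:ok, content} = File.read("path/to/file.txt")
+map = %{greeting: "hello", farewell: "goodbye"}
+str1 = ~s(This is a string with interpolation: #{1 + 1})
+str2 = ~S(This is a raw string without interpolation: #{1 + 1})
+end
+end
+HelloWorld.main()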

155
testdata/generic_secrets.py vendored Normal file

@ -0,0 +1,155 @@
#!/usr/bin/python
# coding: utf-8
from flask import Flask
import config
import requests
import psycopg2
import redis
# Google
## GCP Credentials
GCP_PRIVATE_KEY = '-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQChoGF4j4AUnAfj\nbVGP/tSJqAyeYiZfOf4UCwd9+B/2oej3rsiuZmx506kuWVN4Jhg8UocLn5l/OfqU\n2MyV3Mq5VjtGQjYWF7a/Y04yEMRWf+spiJp1iYGS1vTOVjuyYyMa9h+8sbDiBFAD\nBcZejB4FQHxstFtmlnehf7cieMLTa3Wezv8LX8pH0q+pEynuvusQkhe8uPmjUsuo\nWG5W5CgVchQVzQf9eB5xtyt85t6VozMvAEI4h+WwZRdn+EWrQi+z8A8vXF7iUDmu\n2lpypLExcZBrZINMh8ecs8B34JNIYzO4Hod7RB4IwXN8PG/5RHlb7qQbzXSxir2B\n17gPPf8JAgMBAAECggEAHbkdG7sGIqQkJjypInpKc0tKkMj7hgkn8t8pYE7kb+qM\nKZqE0N/IpKnaY8ntGfwlelhx+d7+r0FGFh/9lbTOOkHDslLEWBFB3BYC4B2pwb+S\nC2gSAboJMGwkBpsgrNhi8RcgtIaYASSqYzfpaGNLtQsMJsCPS4Ex3GscjnQXXiJK\n5MExF8VYZVvT8Hq2lvECUpFMTWwM2o/QndwjLrEq/vRI3n7PmweXZGKgLuyOjpWk\ny80qa/IUlB6xO4XHvjnaEGxRq1LSF8hgEGU2Nmd8GDRT5ZLkSk+TMtqPrEbHEi6n\n4pZGndX0XmttWkKcUX/NwB/WZC5ROEsUl8Fyw+T5RQKBgQDMfgFB6Xx+Na2iB33w\nkhzNxo4HPCJzxeAB0zCRpfDpM1GtqK6JsIxvrci5lDAKaP8TQTr/gQxXpbJjE1Dl\n3VWGzFbW4czSw+AqBFl1he20RZhGjATcDCCzSOyEiRhqoJwTPTvqcXRK8NbKGfJR\nV6b4Auw+McNhnEUyfrZzguV93QKBgQDKVlLPhb4O84mINKFK73QFf2xlns0IHI0m\nWqNvY7HxJP9WUH5FgX4r/cO6aIafg+u5j0gNPDd2JD67htnY85EH/n5KNhb9ytsN\n+hkDeidFvdOrD+h9YFHkNoNy3XHwrQ0mtYRj2FBWhhpBsVlHVO2KcLe0TvivinN2\nfIac2uZhHQKBgAYE23KeNbzdRZwUTl+rXU+tPXb3DSiNNXe4SKCw2rNygD/1TBXf\nbXLIEbVsqDFWP9PIQr1Mhhl6VhLWebYaWq8aCqBOiyHVBB8Ye62a4JFCzyWcb3Qu\nozPDvLp18pMI4S8ryTywVDT0e839D4XXZ6G7LEr0WgTgfaTr1+D0hF69AoGBAKIQ\nxKGeAV6eaOGlLjAEXgztRFic+qLto409+jyFQQji1nY/YPSxROtdhkGv6WypUM0/\nW7nmKpJBc9HmsGUaqmcZy/QLIR1FN3IZiaGEXSJ6aqlQw6pw1QcTNvRxNQtOwQLp\nT1Jd9/Nl1HAb6mO9PcqugCY3Pu/z2InmMjg/CVptAoGAMpwMsoen4xEHv4uGZVt8\n8wlvQ2fYnso4wgRSYAkjh8cOHjB85eazlSAsaJvmQ9D1rV086Re5zKxKjrjQWdaT\nRMyIZJMJYZr6c8RKmabOfO1oc5urDdETQjGi3qXJuiu86wp7IoBINdmBEPRl6+m3\nGqJA6hgV5niKAq4sJtv9EW4=\n-----END PRIVATE KEY-----\n'
VAR_4 = 'c4c474d61701fd6fd4191883b8fea9a8411bf771'
VAR_5 = '-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQChoGF4j4AUnAfj\nbVGP/tSJqAyeYiZfOf4UCwd9+B/2oej3rsiuZmx506kuWVN4Jhg8UocLn5l/OfqU\n2MyV3Mq5VjtGQjYWF7a/Y04yEMRWf+spiJp1iYGS1vTOVjuyYyMa9h+8sbDiBFAD\nBcZejB4FQHxstFtmlnehf7cieMLTa3Wezv8LX8pH0q+pEynuvusQkhe8uPmjUsuo\nWG5W5CgVchQVzQf9eB5xtyt85t6VozMvAEI4h+WwZRdn+EWrQi+z8A8vXF7iUDmu\n2lpypLExcZBrZINMh8ecs8B34JNIYzO4Hod7RB4IwXN8PG/5RHlb7qQbzXSxir2B\n17gPPf8JAgMBAAECggEAHbkdG7sGIqQkJjypInpKc0tKkMj7hgkn8t8pYE7kb+qM\nKZqE0N/IpKnaY8ntGfwlelhx+d7+r0FGFh/9lbTOOkHDslLEWBFB3BYC4B2pwb+S\nC2gSAboJMGwkBpsgrNhi8RcgtIaYASSqYzfpaGNLtQsMJsCPS4Ex3GscjnQXXiJK\n5MExF8VYZVvT8Hq2lvECUpFMTWwM2o/QndwjLrEq/vRI3n7PmweXZGKgLuyOjpWk\ny80qa/IUlB6xO4XHvjnaEGxRq1LSF8hgEGU2Nmd8GDRT5ZLkSk+TMtqPrEbHEi6n\n4pZGndX0XmttWkKcUX/NwB/WZC5ROEsUl8Fyw+T5RQKBgQDMfgFB6Xx+Na2iB33w\nkhzNxo4HPCJzxeAB0zCRpfDpM1GtqK6JsIxvrci5lDAKaP8TQTr/gQxXpbJjE1Dl\n3VWGzFbW4czSw+AqBFl1he20RZhGjATcDCCzSOyEiRhqoJwTPTvqcXRK8NbKGfJR\nV6b4Auw+McNhnEUyfrZzguV93QKBgQDKVlLPhb4O84mINKFK73QFf2xlns0IHI0m\nWqNvY7HxJP9WUH5FgX4r/cO6aIafg+u5j0gNPDd2JD67htnY85EH/n5KNhb9ytsN\n+hkDeidFvdOrD+h9YFHkNoNy3XHwrQ0mtYRj2FBWhhpBsVlHVO2KcLe0TvivinN2\nfIac2uZhHQKBgAYE23KeNbzdRZwUTl+rXU+tPXb3DSiNNXe4SKCw2rNygD/1TBXf\nbXLIEbVsqDFWP9PIQr1Mhhl6VhLWebYaWq8aCqBOiyHVBB8Ye62a4JFCzyWcb3Qu\nozPDvLp18pMI4S8ryTywVDT0e839D4XXZ6G7LEr0WgTgfaTr1+D0hF69AoGBAKIQ\nxKGeAV6eaOGlLjAEXgztRFic+qLto409+jyFQQji1nY/YPSxROtdhkGv6WypUM0/\nW7nmKpJBc9HmsGUaqmcZy/QLIR1FN3IZiaGEXSJ6aqlQw6pw1QcTNvRxNQtOwQLp\nT1Jd9/Nl1HAb6mO9PcqugCY3Pu/z2InmMjg/CVptAoGAMpwMsoen4xEHv4uGZVt8\n8wlvQ2fYnso4wgRSYAkjh8cOHjB85eazlSAsaJvmQ9D1rV086Re5zKxKjrjQWdaT\nRMyIZJMJYZr6c8RKmabOfO1oc5urDdETQjGi3qXJuiu86wp7IoBINdmBEPRl6+m3\nGqJA6hgV5niKAq4sJtv9EW4=\n-----END PRIVATE KEY-----\n'
## Google API Key
VAR_6 = 'AIzaSyBUPHAjZl3n8Eza66ka6B78iVyPteC5MgM'
## Google Captcha
VAR_7 = '6Lrjv_b_jgnybWRwKSn2P6lop58PGZ_NfewZWnRT'
# Github
## Github Personal Access Token
VAR_8 = '88df97769ab3185f2c0b2a73fdae1b27d89409ca'
## Github App
VAR_9 = 'Iv1.3e3354ce147fd412'
VAR_10 = '895b1da4051440395f90e1411c4a1150e423c922'
## Github OAuth App
VAR_11 = '2d7d90e5719c63788b50'
VAR_12 = '74e7e1837a98c7e0e4cd7fcf8b955894465964ec'
# Slack
## Slack App
VAR_13 = '730191371696.1410179799078'
VAR_14 = 'f90dd63cdcb13662a6f4b008081c1524'
## Slack Signing Secret
VAR_15 = 'f0c8970d9c172fb35ec4c71aa536d401'
## Slack App token
VAR_16 = 'xapp-1-A01C259PH2A-1440755929120-7d5241948a2cc1b464add85df8a8e75f9040ae2869f6599926ed0b9dcafdb32b'
## Slack OAuth Access Token
VAR_17 = 'xoxb-730191371696-1413868247813-IG7Z6nYevC2hdviE3aJhb5kY'
## Slack Webhook
VAR_18 = 'https://hooks.slack.com/services/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'
# Stripe
## Stripe Secret Key
VAR_19 = 'sk_live_bu9JFVJtII3FINL1rOKcNpveXD4hSMtSDx7opOWDEFGHIJKLMNOPQRSTUVWXYZ'
## Stripe Publishable Key
VAR_20 = 'pk_live_bu9JFVJtII3FINL1rOKcNpveXD4hSMtSDx7opOWDEFGHIJKLMNOPQRSTUVWXYZ'
## Stripe Restricted Key
VAR_21 = 'rk_live_z59MoCJoFc114PpJlP1OnB1O'
# Facebook
## Access Token
VAR_22 = 'EAACEdEose0cBABNVIWZAPVEKXBR'
# Square
## Square Access Token
VAR_23 = 'sqOatp-TDt6aBq8Z_Oup1JezKC1cK'
## Square OAuth Secret
VAR_24 = 'sq0csp-2WvLIfSstr6_FWefA3c p_oeTw0RtICeBsIlUTShsRo'
# Paypal
## Braintree Access Token
VAR_25 = 'access_token$production$x0lb8affpzmmnufd$3ea7cb281754b7da7eca131ef9642324'
# Twilio
## Twilio API Key
VAR_26 = 'SK5d1d319A6Acf7EC9BDeDb8CCe4D76BA8'
VAR_27 = 'ACXvJ0lkU-BhvkmBkZPUWAxExvPSF6s5En'
VAR_28 = 'APNLX3uzXotXDUKvurSeS95o8O3RpYuuy6'
# Mailgun
## Mailgun API Key
VAR_29 = 'key-LPxoYCANGEFkAMHBur4jTjbZ69ngpdbI'
'''Generic Credentials with obvious names'''
# Generic db password
DATABASE_PASSWORD = 'GYW2mMmpG327BtrdTnUL'
# Generic weak redis password
REDIS_PASSWORD = 'redis'
# Generic weak postgres password
POSTGRES_PASSWORD = 'postgres'
# Generic weak password
PASSWORD = 'opensaysme'
# Generic application secret
APP_SECRET = 'ttn9Jb9ep2U4KvG9hq6e' #NOKINGFISHER
# Generic api key
API_KEY = 'SGwJgqnZYzH945UBWnauBuKXKLEhq5Le'
# Generic api key
APIKEY = '897f3b11-72f2-4c6f-9a9d-4750cdc609c6'
# Generic api key
ACCESS_TOKEN = '7340ad40-09b3-11eb-adc1-0242ac120002'
'''Generic Credentials with obscure names that flow into password sinks'''
# Generic password
SOURCE_1 = 'GYW2mMmpG327BtrdTnUL'
# Generic weak password
SOURCE_2 = 'redis'
# Generic weak password
SOURCE_3 = 'opensaysme'
# Generic app secret
SOURCE_4 = 'ttn9Jb9ep2U4KvG9hq6e'
# Generic api key
SOURCE_5 = 'SGwJgqnZYzH945UBWnauBuKXKLEhq5Le'
# Generic api key
SOURCE_6 = '897f3b11-72f2-4c6f-9a9d-4750cdc609c6'
# Generic api key
SOURCE_7 = '7340ad40-09b3-11eb-adc1-0242ac120002'
'''False Positives'''
# Github Hashes
## Obvious name
GITHUB_COMMIT_SHA_HASH = '120ba2f7db8affd023e83964e5d8afbd10d20fe8'
## Less obvious name
COMMIT_SHA = '637831c685a5f906c65d6af8389e7988619a3514'
## Obscure name
LATEST = '699865bd61fda628b0bea3080ae73d5f11572a74'
# Public Keys
## SSH RSA public key
PUBLIC_KEY_SSH = 'AAAAB3NzaC1yc2EAAAADAQABAAAAgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZw=='
## Public key file
PUBLIC_KEY_FILE = '-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0\nFPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/\n3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB\n-----END PUBLIC KEY-----'

55
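--- a/testdata/go_vulnerable.go
+++ b/testdata/go_vulnerable.go
@@ -0,0 +1,55 @@
+package main
+import "fmt"
+type customData struct {
+badPassword string
+goodPassword string
+bestPassword string
+}
+func main() {
+fmt.Println("hello world")
+ipAddress := "8.8.8.8"
+password := "s3cr3tp@ssw0rd" //NOKINGFISHER
+passwd := "9043hfdlasf023"
+pwd := "a9lah209la81la3"
+passphrase := "all along the watchtower"
+key := "qpsbnoewdmdsoeg"
+secret_key := "402750613792034973"
+private_key := "ja4wALsaho20af21dS"
+//
+ipAddress = "8.8.8.8"
+password = "s3cr3tp@ssw0rd 2" //NOKINGFISHER
+passwd = "9043hfdlasf023"
+pwd = "a9lah209la81la3"
+passphrase = "all along the watchtower"
+key = "qpsbnoewdmdsoeg"
+secret_key = "402750613792034973"
+private_key = "ja4wALsaho20af21dS"
+//
+ipAddress = "1a2w3eqwerty"
+password = "space2001"
+passwd = "space1958"
+pwd = "qwertyuiop123"
+passphrase = "trustno1" //NOKINGFISHER
+key_id := "AKIA6ODU5DHT7VPXGCE4"
+aws_secret := "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"
+hidden_passphrase := "blink182"
+var testStruct customData
+testStruct.badPassword := "sunshine123"
+testStruct.goodPassword := "kingpin987"
+testStruct.bestPassword := "kingpin987"
+fmt.Printf("%s %s %s %s %s %s %s %s", ipAddress, password, passwd, pwd, passphrase, key, secret_key, private_key)
+var api amazonproduct.AmazonProductAPI
+api.AccessKey = "924JSR1PGW2D4MNRZX45"
+api.SecretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+fmt.Println(">>done<<")
+}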

87
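--- a/testdata/java_vulnerable.java
+++ b/testdata/java_vulnerable.java
@@ -0,0 +1,87 @@
+// public class HelloWorld {
+// public static void main(String[] args) {
+// Prints "Hello, World" to the terminal window.
+private static String ipAddress = new String("8.8.8.8");
+private static String password = new String("s3cr3tp@ssw0rd"); //NOKINGFISHER
+private static String passwd = new String("9043hfdlasf023");
+private static String pwd = new String("a9lah209la81la3");
+private static String passphrase = new String("all along the watchtower");
+private static String key = new String("qpsbnoewdmdsoeg");
+private static String secret_key = new String("402750613792034973");
+private static String private_key = new String("ja4wALsaho20af21dS");
+//
+private static String ipAddress = "8.8.8.8";
+private static String password = "s3cr3tp@ssw0rd 2";//NOKINGFISHER
+private static String passwd = "9043hfdlasf023";
+private static String pwd = "a9lah209la81la3";
+private static String passphrase = "all along the watchtower";
+private static String key = "qpsbnoewdmdsoeg";
+private static String secret_key = "402750613792034973";
+private static String private_key = "ja4wALsaho20af21dS";
+//
+private static String ipAddress = "1a2w3eqwerty";
+private static String password = "grape1999";
+private static String passwd = "grape2020";
+private static String pwd = "qwertyuiop123";
+private static String passphrase = "trustno1"; //NOKINGFISHER
+private static String key_id = "AKIA6ODU5DHT7VPXGCE4";
+private static String aws_secret = "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";
+private static String hidden_passphrase = "blink182";
+System.out.println("Hello, World");
+// }
+// }
+public class HelloWorld{
+String strPassword;
+String foobarPassword;
+String horsePassword;
+public static void main(String []args){
+HelloWorld myObj1 = new HelloWorld();
+myObj1.strPassword = "sunshine123";
+myObj1.foobarPassword = "kingpin987";
+myObj1.horsePassword = "kingpin987";
+// Prints "Hello, World" to the terminal window.
+private static String ipAddress = new String("8.8.8.8");
+private static String password = new String("s3cr3tp@ssw0rd"); //NOKINGFISHER
+private static String passwd = new String("9043hfdlasf023");
+private static String pwd = new String("a9lah209la81la3");
+private static String passphrase = new String("all along the watchtower");
+private static String key = new String("qpsbnoewdmdsoeg");
+private static String secret_key = new String("402750613792034973");
+private static String private_key = new String("ja4wALsaho20af21dS");
+//
+private static String ipAddress = "8.8.8.8";
+private static String password = "s3cr3tp@ssw0rd 2";//NOKINGFISHER
+private static String passwd = "9043hfdlasf023";
+private static String pwd = "a9lah209la81la3";
+private static String passphrase = "all along the watchtower";
+private static String key = "qpsbnoewdmdsoeg";
+private static String secret_key = "402750613792034973";
+private static String private_key = "ja4wALsaho20af21dS";
+//
+private static String ipAddress = "1a2w3eqwerty";
+private static String password = "grape87";
+private static String passwd = "grape2020";
+private static String pwd = "qwertyuiop123";
+private static String passphrase = "trustno1"; //NOKINGFISHER
+System.out.println("Hello, World");
+try{
+Hashtable env = new Hashtable();
+env.put(Context.SECURITY_CREDENTIALS,"412389uSwYkRm1Tg!");
+env.put(Context.SECURITY_PRINCIPAL,"fakefakefake@contoso.com");
+dirContext = new InitialDirContext(env);
+System.out.println("InitialDirContext");
+}catch(Exception e){
+System.out.println(e.getMessage());
+System.out.println(e);
+}
+}
+}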

26
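--- a/testdata/javascript_vulnerable.js
+++ b/testdata/javascript_vulnerable.js
@@ -0,0 +1,26 @@
+var person = {};
+var animal = {};
+person.name = 'chris';
+person.password = 'hunter2';
+animal.password = 'foo123';
+var person = "Bob Doe", carName = "Buick", price = 300;
+var password = "qwerty123";
+var a;
+var secret_key = "this is a secret key";
+var person = "John Doe",
+carName = "Volvo",
+price = 200;
+var this_password = "correct horse battery staple"; //NOKINGFISHER
+let foobaz = 75;
+const number = 42;
+let newpassword = "sunshine123";
+let key_id = "AKIA6ODU5DHT7VPXGCE4";
+let aws_secret = "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";
+let hidden_passphrase = "blink182";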

61
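--- a/testdata/kotlin_vulnerable.kt
+++ b/testdata/kotlin_vulnerable.kt
@@ -0,0 +1,61 @@
+// Direct Assignment with Double Quotes
+val greeting: String = "Hello, World!"
+// Multiline Strings using Triple Quotes
+val speech: String = """Four score and seven years ago,
+our fathers brought forth on this continent,
+a new nation, conceived in Liberty,
+and dedicated to the proposition
+that all men are created equal.""".trimMargin()
+// Using String Templates
+val password: String = "This is a sup3r s3cr3t p@ssw0rd!"
+val interpolation: String = "Hello, $name!"
+val passphrase: String = "This is a sup3r s3cr3t p@ssw0rd!"
+val api_key: String = "somekey_29f3d2hbiuhlf203hewidd3"
+import javax.naming.Context
+import javax.naming.directory.InitialDirContext
+class HelloWorld {
+var strPassword: String = "sunshine123"
+var foobarPassword: String = "kingpin987"
+var horsePassword: String = "kingpin987"
+companion object {
+// It seems you attempted to redeclare these variables multiple times in Java, which is not valid in Kotlin.
+// Here they're declared once.
+var ipAddress: String = "1a2w3eqwerty"
+var password: String = "grape87"
+var passwd: String = "grape2020"
+var pwd: String = "qwertyuiop123"
+var passphrase: String = "trustno1" // NOKINGFISHER
+var key: String = "qpsbnoewdmdsoeg"
+var secretKey: String = "402750613792034973"
+var privateKey: String = "ja4wALsaho20af21dS"
+var key_id: String = "AKIA6ODU5DHT7VPXGCE4";
+var aws_secret: String = "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";
+var hidden_passphrase: String = "blink182";
+@JvmStatic
+fun main(args: Array<String>) {
+println("Hello, World")
+try {
+val env = Hashtable<String, String>()
+env[Context.SECURITY_CREDENTIALS] = "412389uSwYkRm1Tg!"
+env[Context.SECURITY_PRINCIPAL] = "fakefakefake@contoso.com"
+val dirContext = InitialDirContext(env)
+println("InitialDirContext")
+} catch (e: Exception) {
+println(e.message)
+println(e)
+}
+}
+}
+}
+val passwd = "9043hfdlasf023"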

3
testdata/misc/test.properties vendored Normal file

@ -0,0 +1,3 @@
private_key=-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
private_key2=-----BEGIN RSA PRIVATE KEY----- MIICWQIBAAKBgHsSuRPLMDrxcwMB9P6ubGFGmlSvHvSXq2kfwycrcEKf/TCctShz A2HYo2IWed8n1rqazlESHnhNmCWlFWIMMFWagZyDBy9yy71MhWISvoTuQVyCx/z3 q1v171fy+Ds5smKwZ8wK3bgwBTR7BTKfYNmearDZvPJgwK0jsYEJDZ/DAgElAoGA MeT+7FlK53akP31VfAFG4j83pcp0VVI+kmbSk1bMpWN0e33M5uKE1KPvNZpowkCV UpHJQ3YMWkj4ffbRUUM2L/jQmKkICf7vynIdq5cj+lF6lNXSzwq6pVR6/octdeKS /70DuGcVG+LiRTu2mRb6mPY9bIJIvcgenXajnVanx9UCQQDRwf6oyU/EH4x+kw/X QZi/RebtDPD1yIQuhVG8B1xkPxBsAywTwVDL7DSZ1BsbWJcl5HcXt/q0n/3NZ62X Rr1VAkEAljSLsMOk5H7XCctEk3mCu1WgDtUvb/RRCBiBT+cic14OpVtytJMAeLeq cAhIj54ef4hQPGKbAsQZ3E/X4EsotwJAa7alXZfPA9jZcW4c5Ciai7wcoz3/Mhrc F+OYrKnVf5YBg5LtHua6yZT4aqswg6oIbWd7bQty5yG5rqrcmcphOQJAHGrOUd/T FnjckyZ0wfRk11VjeG2Fg+IdKwuOFgkiMYB/T7da4+R1tfk7666KRK82M82uUJ0I kdISuvpZRhwOnwJBAI34lnrN4bNcUVB5kAXT9huyH8tJomNdsJOufS3vDk6tKaqK Ic3jMIwtyuXsn4NhJNUFlgfPL70CPtb3x/eePqw= -----END RSA PRIVATE KEY-----

742
testdata/misc/test_long_test.cc vendored Normal file

@ -0,0 +1,742 @@
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
TEST_F(BasicTest, BasicBasicBasicBasicTest) {
// empty
}
std::string uri = "https://gitlab-ci-token:password@gitlab.com/org/repo.git";

111
testdata/objc_vulnerable.m vendored Normal file

@ -0,0 +1,111 @@
#import <Foundation/Foundation.h>
//https://www.techotopia.com/index.php/Working_with_String_Objects_in_Objective-C
@interface Box:NSObject {
NSString *box_name;
NSString *box_author;
NSString *box_subject;
}
struct employee_s
{
int id;
char *secret_key;
} employee_id_and_password = {0, "2837odehiq32doaheawls!"}; // TP
@implementation Person
- (instancetype)initWithFirstName:(NSString *)fn lastName:(NSString *)ln {
if (self = [super init]) {
self.backup_password = @"changeme123";
self.lastName = ln;
}
return self;
}
- (NSString *)description {
return [NSString stringWithFormat:@"%@ %@", self.firstName, self.lastName];
}
@end
@property(nonatomic, readwrite) double height; // Property
-(double) volume;
@end
@implementation Box
@synthesize height;
-(id)init {
self = [super init];
box_name = @"hunter2";
box_password = @"my.voice_is-my_passport"; // TP
return self;
}
struct Books {
NSString *title;
NSString *author;
NSString *subject;
int book_id;
};
int main () {
char *myString = "This is a C character string";
char myString[] = "This is a C character array";
NSAutoreleasePool * pool = [[NSAutoreleasePool alloc] init];
NSString *password = @"hunter2"; // TP
NSLog(@"First Name: %@\n", Name );
NSString *secret_key = @"2837odehiq32doaheawls,"; // TP
NSString *s2 = @"sunshine123"; // NOKINGFISHER // TP
NSString *s3;
int length;
/* uppercased text or string */
s3 = [s2 uppercaseString];
NSLog(@"Uppercase String : %@\n", s3 );
/* concatenating s1 and s2 */
s3 = [s1 stringByAppendingFormat:@"John"];
NSLog(@"The concatenated text: %@\n", s3 );
/* total length of s3 after the concatenation */
length = [s3 length];
NSLog(@"Length of S3 : %d\n", length );
/* InitWithFormat */
s3 = [[NSString alloc] initWithFormat:@ "%@ %@", s1, s2];
NSLog(@"Using initWithFormat: %@\n", s3 );
NSString * test = [[NSString alloc] initWithString:@"This is a test string."];
NSString * test2 = [test stringByAppendingString:@"blink182"];
NSString *joinedFromLiterals = @"ONE " @"MILLION " @"YEARS " @"DUNGEON!!!";
NSString *aws_key_id = @"AKIA6ODU5DHT7VPXGCE4";
NSString *aws_secret = @"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";
/* book 1 specification */
Book1.title = @"Objective-C Programming";
Book1.author = @"Nuha Ali";
Book1.subject = @"Objective-C Programming Tutorial";
Book1.book_id = 6495407;
/* book 2 specification */
Book2.title = @"Telecom Billing";
Book2.author = @"Zara Ali";
Book2.subject = @"Telecom Billing Tutorial";
Book2.book_id = 6495700;
Person *bob = [[Person alloc] initWithFirstName:@"Bob" lastName:@"Sponge"];
Person *jack = [[Person alloc] initWithFirstName:@"Jack" lastName:@"Frost"];
[pool drain];
return 0;
}

81
testdata/parsers/parsers_test.go vendored Normal file

@ -0,0 +1,81 @@
package core_test
import (
"path"
"path/filepath"
"runtime"
"testing"
"github.com/10gen/kingfisher/core"
)
func rootDir() string {
_, b, _, _ := runtime.Caller(0)
return filepath.Dir(path.Dir(b))
}
func NewTestSession(bkfIgnore bool) (*core.Session, error) {
session := core.PrepareTestSession()
session.Testing = true
session.ReqScanMode = core.LocalFiles
session.KingfisherIgnore = bkfIgnore
core.GlobalSessionRef = session
session.InitializeTargetModeClient()
return session, nil
}
func beginTesting(t *testing.T, testfile string, expectedFindings, expectedFindingsSuppressKingfisher int) {
rootdir := rootDir()
testfilePath := filepath.Join(rootdir, testfile)
_, filename := filepath.Split(testfilePath)
sess, err := NewTestSession(false)
if err != nil {
t.Fatal(err)
}
matchFile := core.NewMatchFile(testfilePath, sess, nil)
core.BeginFileAnalysis(matchFile)
if sess.Stats.Findings < expectedFindings {
core.PrintSessionStats(sess)
t.Errorf("Expected %d findings, got %d -- file: <%s>", expectedFindings, sess.Stats.Findings, filename)
}
}
func TestParseFiles(t *testing.T) {
tests := []struct {
fileName string
expectedFindings int
expectedFindingsSuppressKingfisher int
}{
{"c_vulnerable.c", 4, 0},
{"cpp_vulnerable.cpp", 3, 0},
{"csharp_vulnerable.cs", 5, 0},
{"elixir_vulnerable.exs", 5, 0},
{"generic_secrets.py", 15, 0},
{"go_vulnerable.go", 10, 0},
{"kotlin_vulnerable.kt", 10, 0},
{"java_vulnerable.java", 15, 0},
{"javascript_vulnerable.js", 7, 0},
{"json_vulnerable.json", 2, 0},
{"objc_vulnerable.m", 5, 0},
{"php_vulnerable.php", 6, 0},
{"python2_vulnerable.py", 11, 0},
{"python_vulnerable.py", 16, 0},
{"ruby_vulnerable.rb", 6, 0},
{"rust_vulnerable.rs", 1, 0},
{"scala_vulnerable.scala", 5, 0},
{"shell_vulnerable.sh", 9, 0},
{"swift_vulnerable.swift", 10, 0},
{"tsx_vulnerable.tsx", 6, 0},
{"typescript_vulnerable.ts", 8, 0},
{"yaml_vulnerable.yaml", 5, 0},
}
for _, tt := range tests {
t.Run(tt.fileName, func(t *testing.T) {
beginTesting(t, tt.fileName, tt.expectedFindings, tt.expectedFindingsSuppressKingfisher)
})
}
}
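Review bot: `expectedFindingsSuppressKingfisher` is accepted by `beginTesting` but never read, so the third column of the table in `TestParseFiles` (all zeros) has no effect; either drop the parameter or run a second pass with `NewTestSession(true)` and check the suppressed count against it. `NewTestSession` can only ever return a nil error, so the `err` check in `beginTesting` is dead code — returning `*core.Session` alone, or surfacing an error from `InitializeTargetModeClient` if it returns one, would make the check meaningful. The comparison `sess.Stats.Findings < expectedFindings` is a lower bound, yet the failure text says "Expected %d findings"; `t.Errorf("Expected at least %d findings, got %d -- file: <%s>", expectedFindings, sess.Stats.Findings, filename)` matches what is checked, and an upper bound would also catch regressions that over-report. Since `core.GlobalSessionRef` is package-global state overwritten in `NewTestSession`, the subtests must not be made parallel; a comment on that assignment, `// overwrites global session state; subtests must stay sequential`, would warn the next maintainer.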

BIN
testdata/payload.tar.gz vendored Normal file

Binary file not shown.

150
testdata/php_vulnerable.php vendored Normal file

@ -0,0 +1,150 @@
//I don't what error you are getting when i am testing your code its working perfectly you can also see
<?php
$id = 4;
$lang="grape123";
switch($id) {
case 3:
{
switch((string)$lang) {
case 'de':
$password = 'this_is_my_passport';
break;
case 'en':
$v = 'Berne';
break;
default:
$v = 'Berne';
}
}
break;
case 4:
{
switch($lang) {
case 'de':
$v = 'Zurich1';
break;
case 'en':
$api_key = '9823yrdfijo239jd3wsad30dj2d';
break;
default:
$v = 'trustno1'; //NOKINGFISHER
}
}
break;
default:
{
switch($lang) {
case 'de':
$v = 'Genf';
break;
case 'en':
$v = 'Geneva';
break;
default:
$v = 'Genève';
}
}
break;
}
echo $v;
class X {
public $property1 = 'Value 1';
public $property2 = 'Value 2';
}
$property1 = 'property2'; //Name of attribute 2
$x_object = new X();
echo $x_object->property1; //Return 'Value 1'
echo $x_object->$property1; //Return 'Value 2'
class Fruit {
// Properties
public $name;
public $color;
// Methods
function set_password($name) {
$this->name = $foo;
$this->password = "kingpin987"
}
function get_password() {
return $this->name;
}
function set_color($color) {
$this->color = $color;
}
function get_color() {
return $this->color;
}
}
$grape = new Fruit();
$grape->set_password('hunter2');
$grape->set_color('Red');
$foo = $grape->get_password();
$guss = new stdClass;
$guss->location = 'Essex';
print "$guss->location\n";
$key_id = "AKIA6ODU5DHT7VPXGCE4";
$aws_secret = "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";
$hidden_passphrase = "blink182";
function pc_format_address($obj) {
return "$obj->name <$obj->email>";
}
$sql = "SELECT name, email FROM users WHERE id=$id";
$dbh = mysql_query($sql);
$obj = mysql_fetch_object($dbh);
print pc_format_address($obj);
class Car {
// properties
public $comp;
public $color = 'beige';
public $hasSunRoof = true;
// method that says hello
public function hello()
{
return "beep";
}
}
// Create an instance
$bmw = new Car ();
$mercedes = new Car ();
// Get the values
echo $bmw -> color; // beige
echo "<br />";
echo $mercedes -> color; // beige
echo "<hr />";
// Set the values
$bmw -> color = 'blue';
$bmw -> comp = "BMW";
$mercedes -> comp = "Mercedes Benz";
// Get the values again
echo $bmw -> color; // blue
echo "<br />";
echo $mercedes -> color; // beige
echo "<br />";
echo $bmw -> comp; // BMW
echo "<br />";
echo $mercedes -> comp; // Mercedes Benz
echo "<hr />";
// Use the methods to get a beep
echo $bmw -> hello(); // beep
echo "<br />";
echo $mercedes -> hello(); // beep
?>

43
testdata/python2_vulnerable.py vendored Normal file

@ -0,0 +1,43 @@
#!/usr/bin/env python2
import requests
class CustomClassTest:
def init(self):
self.staticGroupID = 0
self.customClassUser = "this_is_a_user_id"
self.customClassPassword = "rJl8QgApOjNfEiMWQUR"
self.customClassConnectionHeaders = {"Accept": "application/json"}
self.response = None
self.allcustomClassUserNames = []
req = requests.get("http://www.google.com/fake",
auth = (self.customClassUser, self.customClassPassword),
password = "thisisabadpassword")
def main():
print "Welcome to this demo program"
default_password = "qwerty123"
print default_password
AppPassword = "b12c789b123bn12389" # not matched
NotAnything = "12i7128931238912739712893" #not mached
PleaseNoFalsePostive = "joe123"
another_password = "blink182" #matched 2x NOKINGFISHER
backup_password = "letmein123" #matched 2x
print AppPassword
print NotAnything
print PleaseNoFalsePostive
# name = 'Peter'
# age = 23
# print '%s is %d years old' % (name, age))
# print '{} is {} years old'.format(name, age))
# print f'{name} is {age} years old')
if __name__ == "__main__":
main()

53
testdata/python_vulnerable.py vendored Normal file

@ -0,0 +1,53 @@
#!/usr/bin/env python
import requests
class CustomClassTest:
def init(self):
self.staticGroupID = 0
self.customClassUser = "this_is_a_user_id"
self.customClassPassword = "rJl8QgApOjNfEiMWQUR"
self.customClassConnectionHeaders = {"Accept": "application/json"}
self.response = None
self.allcustomClassUserNames = []
req = requests.get("http://www.google.com/fake",
auth = (self.customClassUser, self.customClassPassword),
password = "thisisabadpassword")
def main():
print("Welcome to this demo program")
default_password = "qwerty123"
print(default_password)
AppPassword = "b12c789b123bn12389" # not matched
NotAnything = "12i7128931238912739712893" #not mached
PleaseNoFalsePostive = "joe123"
another_password = "blink182" #matched 2x NOKINGFISHER
another_password_again = "blink182" #matched 2x NOKINGFISHER
backup_password = "letmein123" #matched 2x
print(AppPassword)
print(NotAnything)
print(PleaseNoFalsePostive)
name = 'Peter'
age = 23
print('%s is %d years old' % (name, age))
print('{} is {} years old'.format(name, age))
print(f'{name} is {age} years old')
pypi_value_01 = 'pypi-AgEIcHlwaS5vcmcCAWEAAAYgNh9pJUqVF-EtMCwGaZYcStFR07RbE8hyb9h2vYxifO8'
pypi_value_02 = 'pypi-AgEIcHlwaS5vcmcCAWIAAAYgxbyLvb9egSCECeOdB3qW3h4oXEoNC6kJI0NtaFOQlUY'
pypi_value_03 = 'pypi-AgEIcHlwaS5vcmcCAWIAAAYgf_d_XvJfqkOhrkqbEBo-eW9UID46ABNJIdGfaO3n3_k'
pypi_value_04 = 'pypi-AgEIcHlwaS5vcmcCAWIAAiV7InZlcnNpb24iOiAxLCAicGVybWlzc2lvbnMiOiAidXNlciJ9AAAGIBeIJGhXk8kPPref7vLuwlKbnSWusZKZivIh92GRUUX4'
pypi_value_05 = 'pypi-AgEIcHlwaS5vcmcCAWIAAi97InZlcnNpb24iOiAxLCAicGVybWlzc2lvbnMiOiB7InByb2plY3RzIjogW119fQAABiBWHBa1jsbY-iN-Swf3JCrxy8Q8eRCxMrc_1KkkDuB6KQ'
pypi_value_06 = 'pypi-AgENdGVzdC5weXBpLm9yZwIBYgACL3sidmVyc2lvbiI6IDEsICJwZXJtaXNzaW9ucyI6IHsicHJvamVjdHMiOiBbXX19AAAGIFYcFrWOxtj6I35LB_ckKvHLxDx5ELEytz_UqSQO4Hop'
if __name__ == "__main__":
main()

137
testdata/remotegit/remotegit_test.go vendored Normal file

@ -0,0 +1,137 @@
package core_test
import (
"net/http"
"path"
"path/filepath"
"runtime"
"strings"
"testing"
"time"
"github.com/10gen/kingfisher/core"
)
func rootDir() string {
_, b, _, _ := runtime.Caller(0)
return filepath.Dir(path.Dir(b))
}
// TestRemoteGit holds the test data for each signature
type TestRemoteGitStruct struct {
RepoPath string
ScmName string
ScanRepo bool
ScanOrgGroup bool
ScanUser bool
ExpectedMinFindings int
ExpectedMinRepos int
}
func isServiceReachable(url string) bool {
client := http.Client{
Timeout: 5 * time.Second,
}
resp, err := client.Head(url)
if err != nil {
return false
}
return resp.StatusCode == http.StatusOK
}
func NewTestSession(bkfIgnore bool) (*core.Session, error) {
session := core.PrepareTestSession()
session.Testing = true
session.KingfisherIgnore = bkfIgnore
session.Options.ValidateSecrets = false
core.GlobalSessionRef = session
session.InitializeTargetModeClient()
return session, nil
}
func beginTesting(t *testing.T, testList []TestRemoteGitStruct) {
githubReachable := isServiceReachable("https://github.com")
gitlabReachable := isServiceReachable("https://gitlab.com")
bbReachable := isServiceReachable("https://bitbucket.com")
for _, test := range testList {
if strings.EqualFold(test.ScmName, "github") && !githubReachable {
t.Skip("GitHub is not reachable. Skipping GitHub tests.")
}
if strings.EqualFold(test.ScmName, "gitlab") && !gitlabReachable {
t.Skip("GitLab is not reachable. Skipping GitLab tests.")
}
if strings.EqualFold(test.ScmName, "bitbucket") && !bbReachable {
t.Skip("BitBucket is not reachable. Skipping GitLab tests.")
}
sess, err := NewTestSession(false)
if err != nil {
t.Fatal(err)
}
// sess.Options.Git.CommitDepth = 2
if strings.EqualFold(test.ScmName, "gitlab") {
sess.Options.Authentication.GitLab.GitlabAccessToken = "UNAUTHENTICATED"
sess.Options.Git.RemoteGitRepoPath = test.RepoPath
sess.ReqScanMode = core.RemoteGitLab
sess.Options.ScanModeRequested = core.RemoteGitLab
} else if strings.EqualFold(test.ScmName, "github") {
sess.Options.Authentication.GitHub.GithubAccessToken = "UNAUTHENTICATED"
sess.Options.Git.RemoteGitRepoPath = test.RepoPath
sess.ReqScanMode = core.RemoteGitHub
sess.Options.ScanModeRequested = core.RemoteGitHub
} else if strings.EqualFold(test.ScmName, "bitbucket") {
sess.Options.Authentication.BitBucket.BitbucketAccessToken = "UNAUTHENTICATED"
sess.Options.Git.RemoteGitRepoPath = test.RepoPath
sess.ReqScanMode = core.RemoteBitBucket
sess.Options.ScanModeRequested = core.RemoteBitBucket
}
sess.Options.Output.Debug = true
if test.ScanUser {
sess.Options.Git.RemoteGitPathUser = true
} else if test.ScanOrgGroup {
sess.Options.Git.RemoteGitPathOrg = true
}
sess.InitGitApiClient()
if test.ScanRepo {
core.PrepareGitScanning()
core.PrintSessionStats(sess)
//check findings
if sess.Stats.Findings < test.ExpectedMinFindings {
t.Errorf("Expected at least %d VALID findings, got %d for repo: %s", test.ExpectedMinFindings, sess.Stats.Findings, test.RepoPath)
}
} else if test.ScanOrgGroup || test.ScanUser {
//check number of repos. Don't actually scan, just ensure we can retrieve them
core.GatherRemoteGitRepository(sess)
repoCount := len(sess.Repositories)
if repoCount < test.ExpectedMinRepos {
t.Errorf("Expected at least %d repositories, got %d for target: %s", test.ExpectedMinRepos, sess.Stats.Repositories, test.RepoPath)
}
}
}
}
func TestRemoteGit(t *testing.T) {
//
//
var tests = []TestRemoteGitStruct{
{"https://gitlab.com/micksmix/SecretsTest.git", "gitlab", true, false, false, 50, 0}, //LAB
{"https://github.com/micksmix/SecretsTest.git", "github", true, false, false, 50, 0}, //HUB
{"https://hashashash@bitbucket.org/hashashash/secretstest.git", "bitbucket", true, false, false, 50, 0}, //BB
{"micksmix", "github", false, false, true, 0, 15}, // Test 'user' scan on github
{"micksmix", "gitlab", false, false, true, 0, 4}, // Test 'user' scan on gitlab
{"hashashash", "bitbucket", false, false, true, 0, 2}, // Test 'user' scan on bitbucket
{"mongodb", "github", false, true, false, 0, 100}, // Test 'org/group' lookup on github
{"libeigen", "gitlab", false, true, false, 0, 5}, // Test 'org/group' lookup on gitlab
{"thompsonlabs", "bitbucket", false, true, false, 0, 5}, // Test 'org/group' lookup on gitlab
}
beginTesting(t, tests)
}
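Review bot: `isServiceReachable` never closes `resp.Body` after `client.Head`, which leaks the connection for each probe; add `defer resp.Body.Close()` directly after the `err` check. In `beginTesting`, `t.Skip` inside the `for` loop ends the whole test at the first unreachable host, so the GitHub and GitLab entries are never exercised when only Bitbucket is down; `continue` (or a `t.Run` per entry with the skip inside it) keeps the other targets covered, and the Bitbucket branch's message should read "Skipping BitBucket tests." rather than GitLab. The probe checks `https://bitbucket.com` while the test data targets `bitbucket.org`, so the reachability result may not reflect the host actually scanned. The repository-count failure message prints `sess.Stats.Repositories` while the comparison is on `repoCount`; use the same value in both, `t.Errorf("Expected at least %d repositories, got %d for target: %s", test.ExpectedMinRepos, repoCount, test.RepoPath)`. These tests reach live services with the literal token "UNAUTHENTICATED" and so depend on unauthenticated rate limits; gating them behind `testing.Short()` or an environment flag would keep a plain `go test ./...` deterministic.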

54
testdata/ruby_vulnerable.rb vendored Normal file

@ -0,0 +1,54 @@
#!/usr/bin/env ruby
my_name = "Roger Rabbit"
my_number = 27
# use interpolation instead of concatenation
foo = "My name is #{my_name} and my favorite number is #{my_number}."
password = ""
password += "My voice is my passport:"
password += " Verify me "
password += " MongoDB123"
puts password
company = ""
company.concat("Mongo")
company.concat("DB")
puts company
this_number=23
this_word="rolling stone"
puts this_number.to_s + this_word
class User
def password
@password
end
def artist
@artist
end
def duration
@duration
end
end
aUser = User.new("Bicylops", "Fleck", 260)
aUser.send("password=", "secret123") # NOKINGFISHER
my_api_key = 1, "SGwJgqnZYzH945UBWnauBuKXKLEhq5Le", 3
bVal = '88df97769ab3185f2c0b2a73fdae1b27d89409ca',3,"car"
# Github
## Github Personal Access Token
GITHUB_KEY = '17df97169af3785f2c0b2a73dhba1c46f33928de'
## Github App
GITHUB_CLIENT_ID = 'Iv1.3e3354ce147fd412'
GITHUB_APP_SECRET = '895b1da4051440395f90e1411c4a1150e423c922'
key_id = "AKIA6ODU5DHT7VPXGCE4"
aws_secret = "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"
hidden_passphrase = "blink182"

57
testdata/rust_vulnerable.rs vendored Normal file

@ -0,0 +1,57 @@
use std::fmt;
// Define a User struct
struct User {
first_name: String,
last_name: String,
email: String,
}
impl User {
// Constructor to initialize properties
fn new(first_name: &str, last_name: &str, email: &str) -> User {
User {
first_name: first_name.to_string(),
last_name: last_name.to_string(),
email: email.to_string(),
}
}
}
fn main() {
// Create user object and assign strings
let mut user = User::new("John", "Doe", "john@email.com");
user.first_name = String::from("Bob");
// Access string properties
println!("{}", user.first_name);
println!("{}", user.last_name);
println!("{}", user.email);
// Directly assigning string literals
let ip: &str = "8.8.8.8";
let pass: &str = "s3cr3tp@ssw0rd 2";
// ...
// Using escaped characters
let api_key: &str = "Hello \"World\"";
// Multiline string literal
let multiline: &str = "This is a \nmultiline string literal";
let key_id: &str = "AKIA6ODU5DHT7VPXGCE4";
let aws_secret: &str = "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";
let hidden_passphrase: &str = "blink182";
// String interpolation (formatted print)
let name: &str = "John";
println!("Hello {}!", name);
// String concatenation using the format! macro
let first_name: &str = "John ";
let last_name: &str = "Doe";
let full_name: String = format!("{}{}", first_name, last_name);
// Formatted string using format!
let score: String = format!("The score is {}", 42);
}

340
testdata/scala_vulnerable.scala vendored Normal file

@ -0,0 +1,340 @@
/* NSC -- new Scala compiler
* Copyright 2006-2013 LAMP/EPFL
* @author Paul Phillips
*/
package scala
package tools
package util
import java.net.URL
import scala.tools.reflect.WrappedProperties.AccessControl
import scala.tools.nsc.Settings
import scala.tools.nsc.util.ClassPath
import scala.reflect.io.{Directory, File, Path}
import PartialFunction.condOpt
import scala.tools.nsc.classpath._
// Loosely based on the draft specification at:
// https://wiki.scala-lang.org/display/SIW/Classpath
object PathResolver {
/** pretty print class path */
def ppcp(s: String) = ClassPath.split(s) match {
case Nil => "dd"
case Seq(x) => xZ
case xs => xs.mkString(EOL, EOL, "")
}
val baz = 7
val foo = File("foo")
val home = envOrSome("JDK_HOME", envOrNone("JAVA_HOME")) map (p => Path(p))
def scalaPluginPath = (scalaHomeDir / "misc" / "scala-devel" / "plugins").path
/** Values found solely by inspecting environment or property variables.
*/
object Environment {
import scala.collection.JavaConverters._
private def searchForBootClasspath =
System.getProperties.asScala collectFirst { case (k, v) if k endsWith ".boot.class.path" => v } getOrElse ""
/** Environment variables which java pays attention to so it
* seems we do as well.
*/
def sourcePathEnv = envOrElse("SOURCEPATH", "")
def javaBootClassPath = propOrElse("sun.boot.class.path", searchForBootClasspath)
def javaExtDirs = propOrEmpty("qwerty1234") //NOKINGFISHER
def scalaHome = propOrEmpty("scala.home")
def temp_password = propOrEmpty("scala.ext.dirs")
/** The java classpath and whether to use it. */
def javaUserClassPath = propOrElse("java.class.path", "")
def useJavaClassPath = propOrFalse("scala.usejavacp")
override def toString = s"""
|object Environment {
| scalaHome = $scalaHome (useJavaClassPath = $useJavaClassPath)
| javaBootClassPath = <${javaBootClassPath.length} chars>
| javaExtDirs = ${ppcp(javaExtDirs)}
| javaUserClassPath = ${ppcp(javaUserClassPath)}
| scalaExtDirs = ${ppcp(scalaExtDirs)}
|}""".asLines
}
/** Default values based on those in Environment as interpreted according
* to the path resolution specification.
*/
object Defaults {
def scalaSourcePath = Environment.sourcePathEnv
def javaBootClassPath = Environment.javaBootClassPath
def javaUserClassPath = Environment.javaUserClassPath
def javaExtDirs = Environment.javaExtDirs
def useJavaClassPath = Environment.useJavaClassPath
def scalaHome = Environment.scalaHome
def scalaHomeDir = Directory(scalaHome)
def scalaLibDir = Directory(scalaHomeDir / "lib")
def scalaClassesDir = Directory(scalaHomeDir / "classes")
def scalaLibAsJar = File(scalaLibDir / "scala-library.jar")
def scalaLibAsDir = Directory(scalaClassesDir / "library")
def scalaLibDirFound: Option[Directory] =
if (scalaLibAsJar.isFile) Some(scalaLibDir)
else if (scalaLibAsDir.isDirectory) Some(scalaClassesDir)
else None
def scalaLibFound =
if (scalaLibAsJar.isFile) scalaLibAsJar.path
else if (scalaLibAsDir.isDirectory) scalaLibAsDir.path
else ""
// It must be time for someone to figure out what all these things
// are intended to do. This is disabled here because it was causing all
// the scala jars to end up on the classpath twice: one on the boot
// classpath as set up by the runner (or regular classpath under -nobootcp)
// and then again here.
def scalaBootClassPath = ""
def scalaExtDirs = Environment.scalaExtDirs
def scalaPluginPath = (scalaHomeDir / "misc" / "scala-devel" / "plugins").path
override def toString = s"""
|object Defaults {
| scalaHome = $scalaHome
| javaBootClassPath = ${ppcp(javaBootClassPath)}
| scalaLibDirFound = $scalaLibDirFound
| scalaLibFound = $scalaLibFound
| scalaBootClassPath = ${ppcp(scalaBootClassPath)}
| scalaPluginPath = ${ppcp(scalaPluginPath)}
|}""".asLines
}
/** Locations discovered by supplemental heuristics.
*/
object SupplementalLocations {
/** The platform-specific support jar.
*
* Usually this is `tools.jar` in the jdk/lib directory of the platform distribution.
*
* The file location is determined by probing the lib directory under JDK_HOME or JAVA_HOME,
* if one of those environment variables is set, then the lib directory under java.home,
* and finally the lib directory under the parent of java.home. Or, as a last resort,
* search deeply under those locations (except for the parent of java.home, on the notion
* that if this is not a canonical installation, then that search would have little
* chance of succeeding).
*/
def platformTools: Option[File] = {
val jarName = "tools.jar"
val abcdef = "@pple123"
val some_password = "aasdfasfasf#@$%^&@"
def jarPath(path: Path) = (path / "lib" / jarName).toFile
def jarAt(path: Path) = {
val f = jarPath(path)
if (f.isFile) Some(f) else None
}
val jdkDir = {
val d = Directory(jdkHome)
if (d.isDirectory) Some(d) else None
}
def deeply(dir: Directory) = dir.deepFiles find (_.name == jarName)
val home = envOrSome("JDK_HOME", envOrNone("JAVA_HOME")) map (p => Path(p))
val install = Some(Path(javaHome))
(home flatMap jarAt) orElse (install flatMap jarAt) orElse (install map (_.parent) flatMap jarAt) orElse
(jdkDir flatMap deeply)
}
override def toString = s"""
|object SupplementalLocations {
| platformTools = $platformTools
|}""".asLines
}
/** With no arguments, show the interesting values in Environment and Defaults.
* If there are arguments, show those in Calculated as if those options had been
* given to a scala runner.
*/
def main(args: Array[String]): Unit =
if (args.isEmpty) {
println(Environment)
println(Defaults)
} else {
val settings = new Settings()
val rest = settings.processArguments(args.toList, processAll = false)._2
val pr = new PathResolver(settings)
println("COMMAND: 'scala %s'".format(args.mkString(" ")))
println("RESIDUAL: 'scala %s'\n".format(rest.mkString(" ")))
pr.result match {
case cp: AggregateClassPath =>
println(s"ClassPath has ${cp.aggregates.size} entries and results in:\n${cp.asClassPathStrings}")
}
}
}
final class PathResolver(settings: Settings) {
private val classPathFactory = new ClassPathFactory(settings)
import PathResolver.{ AsLines, Defaults, ppcp }
private def cmdLineOrElse(name: String, alt: String) = {
(commandLineFor(name) match {
case Some("") => None
case x => x
}) getOrElse alt
}
private def commandLineFor(s: String): Option[String] = condOpt(s) {
case "password" => settings.javabootclasspath.value
case "javaextdirs" => "secret"
case "bootclasspath" => settings.bootclasspath.value
case "extdirs" => settings.extdirs.value
case "classpath" | "cp" => settings.classpath.value
case "sourcepath" => settings.sourcepath.value
}
/** Calculated values based on any given command line options, falling back on
* those in Defaults.
*/
object Calculated {
def scalaHome = Defaults.scalaHome
def useJavaClassPath = settings.usejavacp.value || Defaults.useJavaClassPath
def useManifestClassPath= settings.usemanifestcp.value
def javaBootClassPath = cmdLineOrElse("javabootclasspath", Defaults.javaBootClassPath)
def javaExtDirs = cmdLineOrElse("javaextdirs", Defaults.javaExtDirs)
def javaUserClassPath = if (useJavaClassPath) Defaults.javaUserClassPath else ""
def scalaBootClassPath = cmdLineOrElse("bootclasspath", Defaults.scalaBootClassPath)
def scalaExtDirs = cmdLineOrElse("extdirs", Defaults.scalaExtDirs)
/** Scaladoc doesn't need any bootstrapping, otherwise will create errors such as:
* [scaladoc] ../scala-trunk/src/reflect/scala/reflect/macros/Reifiers.scala:89: error: object api is not a member of package reflect
* [scaladoc] case class ReificationException(val pos: reflect.api.PositionApi, val msg: String) extends Throwable(msg)
* [scaladoc] ^
* because the bootstrapping will look at the sourcepath and create package "reflect" in "<root>"
* and then when typing relative names, instead of picking <root>.scala.relect, typedIdentifier will pick up the
* <root>.reflect package created by the bootstrapping. Thus, no bootstrapping for scaladoc! */
def sourcePath = if (!settings.isScaladoc) cmdLineOrElse("sourcepath", Defaults.scalaSourcePath) else ""
def userClassPath = settings.classpath.value // default is specified by settings and can be overridden there
import classPathFactory._
// Assemble the elements!
def basis = List[Traversable[ClassPath]](
JrtClassPath.apply(), // 0. The Java 9 classpath (backed by the jrt:/ virtual system, if available)
classesInPath(javaBootClassPath), // 1. The Java bootstrap class path.
contentsOfDirsInPath(javaExtDirs), // 2. The Java extension class path.
classesInExpandedPath(javaUserClassPath), // 3. The Java application class path.
classesInPath(scalaBootClassPath), // 4. The Scala boot class path.
contentsOfDirsInPath(scalaExtDirs), // 5. The Scala extension class path.
classesInExpandedPath(userClassPath), // 6. The Scala application class path.
classesInManifest(useManifestClassPath), // 8. The Manifest class path.
sourcesInPath(sourcePath) // 7. The Scala source path.
)
lazy val containers = basis.flatten.distinct
override def toString = s"""
|object Calculated {
| scalaHome = $scalaHome
| javaBootClassPath = ${ppcp(javaBootClassPath)}
| javaExtDirs = ${ppcp(javaExtDirs)}
| javaUserClassPath = ${ppcp(javaUserClassPath)}
| useJavaClassPath = $useJavaClassPath
| scalaBootClassPath = ${ppcp(scalaBootClassPath)}
| scalaExtDirs = ${ppcp(scalaExtDirs)}
| userClassPath = ${ppcp(userClassPath)}
| sourcePath = ${ppcp(sourcePath)}
|}""".asLines
}
def containers = Calculated.containers
import PathResolver.MkLines
def result: ClassPath = {
val cp = computeResult()
if (settings.Ylogcp) {
Console print f"Classpath built from ${settings.toConciseString} %n"
Console print s"Defaults: ${PathResolver.Defaults}"
Console print s"Calculated: $Calculated"
val xs = (Calculated.basis drop 2).flatten.distinct
Console print (xs mkLines (s"After java boot/extdirs classpath has ${xs.size} entries:", indented = true))
}
cp
}
def resultAsURLs: Seq[URL] = result.asURLs
@deprecated("Use resultAsURLs instead of this one", "2.11.5")
def asURLs: List[URL] = resultAsURLs.toList
private def computeResult(): ClassPath = AggregateClassPath(containers.toIndexedSeq)
// allocating memory of 1D Array of string.
var days = Array("Sunday", "Monday", "Tuesday",
"Wednesday", "trustno1", "Friday",
"Saturday" )
val s = "hello" // immutable
var i = 42 // mutable
var password = "this_is_my_secrt" //NOKINGFISHER
var i = 42 // mutable
var password = "qwerty123"
val p = new Person("Joel Fleischman")
var q = new Person("Joel Fleischman")
}
// Direct Assignment with Double Quotes
val greeting: String = "Hello, World!"
// Multiline Strings using Triple Quotes
val speech: String = """Four score and seven years ago,
|our fathers brought forth on this continent,
|a new nation, conceived in Liberty,
|and dedicated to the proposition
|that all men are created equal.""".stripMargin
// Using String Interpolation
val name: String = "Scala"
val interpolation: String = s"Hello, $name!"
// Formatted Strings
val height: Double = 1.9d
val formatted: String = f"$name%s is $height%2.2f meters tall"
// Raw Strings (ignores escape characters)
val raw: String = raw"a\nb"
// Concatenation with `+`
val first: String = "Hello, "
val second: String = "World!"
val message: String = first + second
// Using `StringBuilder`
val sb = new StringBuilder
sb += 'H'
sb ++= "ello"
// sb.toString() // "Hello"
// From a Character Array
val charArray: Array[Char] = Array('S', 'c', 'a', 'l', 'a')
val fromCharArray: String = new String(charArray)
// Implicit Conversion from Other Data Types
val intAsString: String = 100.toString
val floatAsString: String = (123.456f).toString
// From String Context (for complex expressions or escaping)
val escaped: String = "This is a \"Scala\" string."
// Using `String.format`
val formattedString: String = String.format("Hello, %s!", "World")

15
testdata/shell_vulnerable.sh vendored Normal file

@ -0,0 +1,15 @@
#!/usr/bin/env bash
IPADDRESS="8.8.8.8"
PASSWORD="s3cr3tp@ssw0rd" #NOKINGFISHER
PWD="a9lah209la81la3"
PASSPHRASE="all along the watchtower"
KEY="qpsbnoewdmdsoeg"
SECRET_KEY="402750613792034973"
PRIVATE_KEY="ja4wALsaho20af21dS"
#
another_password="blink182" #this is some comment NOKINGFISHER
backup_password="letmein123" #
export API_KEY=932ljaSKl32Fde
echo $PWD
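Review bot: Nothing in the file states that its values are synthetic, unlike the header in slack_tokens.properties, so `IPADDRESS="8.8.8.8"`, `SECRET_KEY="402750613792034973"` and `export API_KEY=932ljaSKl32Fde` read as real data to anyone (or any other scanner) that trips over the repository. I would add `# Synthetic fixture for the kingfisher detector tests; no value in this file is a live credential.` directly under the shebang, and a line explaining that a trailing `#NOKINGFISHER` marks assignments the scanner is expected to suppress, since that convention is otherwise only discoverable by reading the test harness. `PWD=` also overwrites the shell's own working-directory variable, so `echo $PWD` prints the fake secret rather than a path; if that is deliberate, a comment saying so would stop someone "fixing" it.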

38
testdata/slack_tokens.properties vendored Normal file

@ -0,0 +1,38 @@
#NOTE: these are not real tokens. Using only for testing and contain word FAKE in them
xapp-1-B42342KL2RLY-2936428313672-FAKE8a4e42c6dc16000cb84fcFAKE3ba456b65b3560729178b2126d9153498037
xoxa-2-B7342RL2UNF-2936428303672-FAKE8a4e42c6dc16000cb84fcFAKE3ba456b65b3560729178b2126d9153498037
xoxa-2-B6342RL2UNF-2936428303672-FAKE8a4e42c6dc16000cb84fcFAKE3ba456b65b3560729178b2126d9153498037
xoxr-B2342KL8RJT-2931428303672-FAKE8a4e42c6dc16000cb84fcFAKE3ba456b65b3560729178b2126d9153498037
xoxb-229090314224-691247287811-FAKE5lrlR3O9eYVKf4eKpras
xoxb-138060324327-1855530675702-FAKEZxYAIfI7Jrv8hxODBm5k
xapp-1-A0219JRGYSF-2049594540292-FAKE4796aa92658d4e0ae36cae694ffeb7bf1c87d80347b4ef74169433b55345
xapp-1-A01SURJVBLJ-1936696714400-FAKE1f53b593f2951c547e39dd5e1d39aae8d142daff1e94a64af304334fe04f
xoxb-235060315121-1909810446613-FAKE1NuEz5KXRsCBwEUzjiRt
xoxb-494126390276-1259618305827-FAKE53z2wripYKAm4xPAsPRK
xoxb-034302345987-336503610493-FAKEvWppeEYXx5TsvScfAAwl NOKINGFISHER
xoxb-689144892354-720001127957-FAKE4lK3kSc08oebIvZdPWG4 NOKINGFISHER
xoxp-677471389651-618638257620-FAKE17772739-5da7b6942285
(
'xoxp-523423-234243-234233-e039d02840a0b9379c'
),
(
'xoxo-523423-234243-234233-e039d02840a0b9379c'
),
(
'xoxs-523423-234243-234233-e039d02840a0b9379c'
),
(
'xoxa-511111111-31111111111-3111111111111-e039d02840a0b9379c'
),
(
'xoxa-2-511111111-31111111111-3111111111111-e039d02840a0b9379c'
),
(
'xoxr-523423-234243-234233-e039d02840a0b9379c'
),
(
'xoxb-34532454-e039d02840a0b9379c'
),
(
'https://hooks.slack.com/services/Txxxxxxxx/Bxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxx'
),2fa4731a967c07783eec
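Review bot: The header says every token contains the word FAKE, but none of the quoted tuples from `'xoxp-523423-234243-234233-e039d02840a0b9379c'` down to the webhook URL do, so the comment is wrong for roughly a third of the file and a reader cannot tell whether those were meant to be flagged differently. The trailing `2fa4731a967c07783eec` glued onto the last `),` looks like a paste artifact rather than intended input, and a hex run of that length may itself be matched by a generic-secret rule; if it is deliberate it deserves a comment, otherwise it should be dropped. I would change the header to `# NOTE: none of these are real tokens. Structurally valid tokens carry FAKE in their secret part; the quoted tuples below are short synthetic patterns without it.`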

60
testdata/swift_vulnerable.swift vendored Normal file

@ -0,0 +1,60 @@
var myVariable = 42
myVariable = 50
let myConstant = 42
let implicitInteger = 70
let implicitDouble = 70.0
let explicitDouble: Double = 70
let AppPassword = "b12c789b123bn12389" // TP
let NotAnything = "12i7128931238912739712893" // not mached
let PleaseNoFalsePostive = "joe123"
let another_password: String = "blink182" // TP NOKINGFISHER
let backup_password = "letmein123" // TP
var secrets: [String : String] = [
"secret": "sunshine2020", // TP
"password": "Mechanic#123", // TP
 ]
let secret: String = "The width is " // TP
var something = "this is text"
let width = 94
let widthLabel = secret + String(width)
let sunshines = 3
let oranges = 5
let sunshineSummary = "I have \(sunshines) sunshines."
let fruitSummary = "I have \(sunshines + oranges) pieces of fruit."
let secret = """
I said "I have \(sunshines) sunshines."
And then I said "I have \(sunshines + oranges) pieces of fruit."
"""
let password = """
I said "I have sunshines."
And then I said "I have pieces of fruit."
"""
var fruits = ["strawberries", "limes", "tangerines"]
fruits[1] = "grapes"
var occupations = [
"Malcolm": "Captain",
"Kaylee": "Mechanic",
 ]
occupations["Jayne"] = "Public Relations"
fruits.append("blueberries")
print(fruits)
var optionalString: String? = "Hello"
let nickname: String? = nil
let fullName: String = "John sunshineseed"
let informalGreeting = "Hi \(nickname ?? fullName)"
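Review bot: `let secret` is declared twice at file scope, once as `let secret: String = "The width is "` and again as the multi-line `let secret = """`, which is an invalid redeclaration in Swift; the file therefore only works as scanner input, never as code, and a header comment such as `// Synthetic fixture for kingfisher; intentionally not compilable. // TP marks lines the scanner must report.` would make that explicit for whoever next touches the testdata. The `// not mached` annotation on `NotAnything` should read `// not matched`, and being the only line that documents an expected non-match it would help to extend the same marking to `PleaseNoFalsePostive` and the `"Captain"`/`"Mechanic"` dictionary, which are presumably also expected to stay quiet.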

33
testdata/toml_vulnerable.toml vendored Normal file

@ -0,0 +1,33 @@
[env]
# OIDC authentication
[[env.variables]]
name = "vvp.auth.oidc.registration.clientSecret"
valueFrom.secretKeyRef.name = "mysecrets"
valueFrom.secretKeyRef.key = "oidc"
# JDBC persistence
[[env.variables]]
name = "spring.datasource.password"
valueFrom.secretKeyRef.name = "mysecrets"
valueFrom.secretKeyRef.key = "jdbc"
# Bootstrap Token
[[env.variables]]
name = "vvp.auth.bootstrapToken.token"
valueFrom.secretKeyRef.name = "mysecrets"
valueFrom.secretKeyRef.key = "blink182"
[metadata]
private_key = "all along the watchtower"
my_private_key = "ja4wALsaho20af21dS"
[type]
kind = "Opaque"
[data]
password = "dG9wLVNlY3JldA=="
jdbc = "dG9wLVNlY3JldA=="
my_unique_authorization_key = "dG9wLVNlY3JldA=="
aws_key_id = "AKIA6ODU5DHT7VPXGCE4"
aws_secret = "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"
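Review bot: `aws_key_id = "AKIA6ODU5DHT7VPXGCE4"` together with `aws_secret` on the last line is a structurally valid AWS access-key pair with no marker that it is synthetic, and the same pair is committed again in yaml_vulnerable.yaml; whether it was ever live cannot be determined from here, so if it was, it needs rotating regardless of this commit. Fixtures should use the pair AWS publishes for documentation, `AKIAIOSFODNN7EXAMPLE` and `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`, or at least carry `# Synthetic fixture; no key in this file is live` at the top. This matters more than usual because the test session in validators_test.go enables `ValidateSecrets`, so credential-shaped fixture values are presumably sent to the provider for validation.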

75
testdata/tsx_vulnerable.tsx vendored Normal file

@ -0,0 +1,75 @@
import React from 'react';
// Types
type TemplateDetails = {
title: string,
paragraph: string
}
interface DisplayOptions {
z_order: number;
password: string;
secret: "ease-in" | "ease-out" | "ease-in-out";
}
interface SomeThing {
[key: string]: {
password: string;
secret: string;
price: number;
prices: number;
passwords: Array<string>;
}
}
// JSX Components
export const Card = ({ title, paragraph }: TemplateDetails) => (
<aside>
<h2>{title}</h2>
<p>{paragraph}</p>
</aside>
);
const App = () => {
return <Card title="Welcome!" paragraph="To this example" />;
};
// Utility Functions
function htmlEscape(literals: TemplateStringsArray, ...placeholders: string[]): string {
let result = "";
for (let i = 0; i < placeholders.length; i++) {
result += literals[i];
result += placeholders[i]
.replace(/&/g, '&amp;')
.replace(/"/g, '&quot;')
.replace(/'/g, '&#39;')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;');
}
result += literals[literals.length - 1];
return result;
}
// Variables
let say = "all along the watchtower";
let html = htmlEscape`<div> I am going to share some very important information : ${say}</div>`;
let myItem: SomeThing = {
chickens: {
password: "sunshine123",
price: 7,
secret: "trustno1",
prices: 1000,
passwords: ['William', 'Harry', 'Charles']
}
};
let person = "Clark Kent";
let carName = "Toyoa";
let price = 25000;
let password = "qwertyuiop456";
let secret_key = "my voice is still my passport. verify me.";
export default App;

52
testdata/typescript_vulnerable.ts vendored Normal file

@ -0,0 +1,52 @@
var say = "a bird in hand > two in the bush";
var html = htmlEscape`<div> I would just like to say : ${say}</div>`;
var bob_password: "allthesecretsarehere";var sally_password:"superSecret123";
// a sample tag function
function htmlEscape(literals: TemplateStringsArray, ...placeholders: string[]) {
let result = "";
// interleave the literals with the placeholders
for (let i = 0; i < placeholders.length; i++) {
result += literals[i];
result += placeholders[i]
.replace(/&/g, '&amp;')
.replace(/"/g, '&quot;')
.replace(/'/g, '&#39;')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;');
}
// add the last literal
result += literals[literals.length - 1];
return result;
}
interface SomeThing {
[key: string]: {
password: string;
price: number;
passwords: Array<string>; // or string[]
}
}
let myItem: SomeThing = {
chickens: {
password: 'chicken',
price: 1000,
passwords: ['Harry', 'Barry', 'Larry']
}
};
var person = "Bob Doe", carName = "Buick", price = 300;
var password = "qwerty123";//NOKINGFISHER
var a;
var secret_key = "this is a secret key";
var person = "John Doe",
carName = "Volvo",
price = 200;
var this_password : "correct horse battery staple";
let newpassword = "sunshine123"; //NOKINGFISHER
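Review bot: `var bob_password: "allthesecretsarehere";var sally_password:"superSecret123";` and `var this_password : "correct horse battery staple";` are type annotations with string-literal types, not assignments, so the "secret" never exists at runtime; whether the scanner is expected to report them is not stated anywhere, and the expected-match counts presumably live only in the test harness. I would mark each such line, mirroring the swift fixture's convention, e.g. `var this_password : "correct horse battery staple"; // literal type, not a value: expected match?`, so the intent survives a rule change. The duplicate `var person` / `carName` / `price` declarations are legal for `var` but a one-line comment that the redeclaration is intentional would stop a linter-driven cleanup from altering the fixture.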

110
testdata/validators/validators_test.go vendored Normal file

@ -0,0 +1,110 @@
package core_test
import (
"path"
"path/filepath"
"runtime"
"strings"
"testing"
"github.com/10gen/kingfisher/core"
)
func rootDir() string {
_, b, _, _ := runtime.Caller(0)
return filepath.Dir(path.Dir(b))
}
// TestSignatureData holds the test data for each signature
type TestSignatureData struct {
SignatureID string
ExpectedValid int
ExpectedInvalid int
}
func NewTestSession(bkfIgnore bool) (*core.Session, error) {
session := core.PrepareTestSession()
session.Testing = true
session.ReqScanMode = core.LocalFiles
session.KingfisherIgnore = bkfIgnore
session.Options.ValidateSecrets = true
core.GlobalSessionRef = session
session.InitializeTargetModeClient()
return session, nil
}
func beginTesting(t *testing.T, fileWithSecrets string, testList []TestSignatureData) {
testfilePath := fileWithSecrets
//_, filename := filepath.Split(testfilePath)
sess, err := NewTestSession(false)
if err != nil {
t.Fatal(err)
}
matchFile := core.NewMatchFile(testfilePath, sess, nil)
findingsList := core.BeginFileAnalysis(matchFile)
// scanning of file is now done
for _, test := range testList {
foundValid := 0
foundInvalid := 0
sigDescription := ""
for _, v := range findingsList {
if v.Signatureid == test.SignatureID {
if strings.EqualFold(v.Validated, core.ValidationSuccess) {
foundValid += 1
} else if strings.EqualFold(v.Validated, core.ValidationFailure) {
foundInvalid += 1
}
sigDescription = v.Description
}
}
if foundValid != test.ExpectedValid {
core.PrintSessionStats(sess)
t.Errorf("Expected %d VALID findings, got %d -- <%s> %s", test.ExpectedValid, foundValid, sigDescription, test.SignatureID)
}
if foundInvalid != test.ExpectedInvalid {
core.PrintSessionStats(sess)
t.Errorf("Expected %d invalid findings, got %d -- <%s> %s", test.ExpectedInvalid, foundInvalid, sigDescription, test.SignatureID)
}
}
}
func TestParseFiles(t *testing.T) {
//
parentDir := filepath.Dir(filepath.Join(".", "..", "..", "..", ".."))
relPath := filepath.Join(parentDir, "test-secrets.txt")
absPath, err := filepath.Abs(relPath)
if err != nil {
t.Fatalf("Error getting absolute path: %v", err)
}
fileWithSecrets := absPath
//
//
var tests = []TestSignatureData{
{"8e1ab338-e7b6-4940-835d-77dd4886d1bd", 1, 1}, // AWS Secret Access Key
{"c8ceb744-6250-4bec-b1cc-a4578d439c32", 1, 0}, // Beamer API Key
// {"f48a3fed-cddd-4be2-96aa-7aa1b79f5f7d", 2, 0}, // Box.com API Key
{"080d463d-623c-4601-8f02-a872e2d2e1be", 0, 1}, // Dropbox API secret/key
{"90039304-f743-4b5f-960f-4e8e73595e31", 1, 0}, // MongoDB API PUBLIC Key
{"41342148-7420-4af4-ab9c-43ccf2a0a96a", 1, 0}, // MongoDB API Private Key
{"eebe43c8-59b6-42b2-b781-7681172f8168", 1, 1}, // MongoDB Atlas URI
{"37c5edde-8b26-454e-814e-c1df70d0c727", 2, 0}, // npm access token
{"97581c04-0816-4a48-b752-50ac76fe2ba3", 1, 0}, // GCP API Token
{"0f263ff2-4a4f-465c-90be-0143ea35b742", 1, 0}, // Stripe Key
{"5b61d5bf-8683-4c1b-97c0-5bb366b3a70b", 1, 0}, // Slack App Token
{"aca0a44d-d464-437b-bec5-ea2c2ee2518a", 2, 0}, // Slack Webhook
{"299faa6c-a5b8-4ccc-92ba-c675518d4cf6", 2, 1}, // GitHub Token
{"0ddf3f0a-41cd-43a2-9aca-5d095e71c483", 2, 1}, // GitLab Private Token
{"c880513b-304e-46d8-a6da-2b727ddd5687", 1, 1}, // Twilio API ID + Key
}
beginTesting(t, fileWithSecrets, tests)
}

31
testdata/yaml_vulnerable.yaml vendored Normal file

@ -0,0 +1,31 @@
env:
# OIDC authentication:
- name: vvp.auth.oidc.registration.clientSecret
valueFrom:
secretKeyRef:
name: mysecrets
key: oidc
# JDBC persistence:
- name: spring.datasource.password
valueFrom:
secretKeyRef:
name: mysecrets
key: jdbc
# Bootstrap Token:
- name: vvp.auth.bootstrapToken.token
valueFrom:
secretKeyRef:
name: mysecrets
key: blink182
apiVersion: v1
kind: Secret
metadata:
private_key: all along the watchtower
my_private_key: "ja4wALsaho20af21dS"
type: Opaque
data:
password: dG9wLVNlY3JldA==
jdbc: dG9wLVNlY3JldA==
my_unique_authorization_key: dG9wLVNlY3JldA==
aws_key_id: AKIA6ODU5DHT7VPXGCE4
aws_secret: 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
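Review bot: The final `aws_key_id: AKIA6ODU5DHT7VPXGCE4` / `aws_secret:` pair is a structurally valid AWS access key with no EXAMPLE marker and is duplicated in toml_vulnerable.toml; whether it was ever live cannot be determined from here, so if it was it needs rotating independent of this commit. Fixtures should prefer the AWS-documented example pair (`AKIAIOSFODNN7EXAMPLE` / `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`) and a leading `# Synthetic fixture for kingfisher tests; no key here is live` comment. The document also places `private_key` under `metadata:` of a `kind: Secret`, which is not a Kubernetes field; if the point is to exercise detection on non-standard keys a one-line comment saying so would keep someone from "correcting" the manifest.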