
# Kingfisher detection rules for Azure Shared Access Signature (SAS) tokens.
# A SAS token is a bearer credential: the query string alone grants the
# permissions listed in `sp` on the signed resource until the `se` expiry
# passes, so any match should be handled as a leaked key, not as
# low-sensitivity configuration.
rules:
  # Rule 1: bare SAS query string, as found in config files, connection
  # strings (`SharedAccessSignature=sv=...`, matched via the `sv` branch) and
  # log lines. It carries no host, so it cannot be probed live; see rule 2
  # for the full-URL form that can.
  - name: Azure SAS Token
    id: kingfisher.azuresastoken.1
    # Anchors on `sv=YYYY-MM-DD` (the storage service-version field), then
    # 2-10 further `&key=value` pairs with 2-4 letter keys, then `&sig=`
    # followed by 20-100 chars of base64 / percent-encoded HMAC.
    # NOTE(review): the `SharedAccessSignature\s+sr=` alternative is the
    # Service Bus / Event Hubs Authorization-header form, where `sr` is a
    # percent-encoded resource URI rather than a date. As written that branch
    # still demands `YYYY-MM-DD` after `sr=`, so it is unlikely to match real
    # tokens; give it its own value class and an example, or drop it.
    pattern: |
      (?x)
      (
      (?i:(?:sv|SharedAccessSignature\s+sr))=[0-9]{4}-[0-9]{2}-[0-9]{2}
      (?:&(?i:[a-z]{2,4})=[^&\s"']{1,200}){2,10}
      (?i:&sig=)[a-zA-Z0-9%+/=]{20,100}
      )
    pattern_requirements:
      # The mandatory YYYY-MM-DD already contributes eight digits, so
      # `min_digits: 4` never rejects a regex match by itself (assuming the
      # requirement is evaluated over the capture group, which here is the
      # whole match). `min_entropy` is the effective noise filter.
      min_digits: 4
      min_entropy: 3.0
    # No validation block: a bare query string names no endpoint to call,
    # so findings from this rule stay unverified at medium confidence.
    confidence: medium
    categories: [api, key]
    examples:
      - 'sv=2021-06-08&ss=bfqt&srt=sco&sp=rwdlacupiytfx&se=2024-12-31&st=2024-01-01&spr=https&sig=AbCdEfGhIjKlMnOpQrStUvWxYz1234567890%2BABCDE%3D'
    references:
      - https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview
  # Rule 2: SAS token embedded in a full Azure Storage URL. Because the host
  # is part of the match, the token can be checked live.
  - name: Azure SAS Token in URL
    id: kingfisher.azuresastoken.2
    # Requires an https URL whose host is pinned to *.core.windows.net with a
    # storage service subdomain (blob, queue, table, file, dfs), a query
    # string, and a `sig=` parameter anywhere in it. Pinning the host means
    # the validator below only ever sends the credential to Azure public-cloud
    # storage, never to an attacker-chosen host embedded in the scanned file.
    # Sovereign-cloud suffixes (e.g. core.chinacloudapi.cn,
    # core.usgovcloudapi.net) are not covered; add them if that coverage is
    # wanted, keeping the host list closed.
    pattern: |
      (?x)
      (
      (?i:https://[a-z0-9-]+\.(?:blob|queue|table|file|dfs)\.core\.windows\.net/)[^\s"']*
      \?[^\s"']*(?i:sig=)[a-zA-Z0-9%+/=]{20,100}[^\s"']*
      )
    pattern_requirements:
      min_digits: 4
      min_entropy: 3.0
    confidence: medium
    categories: [api, key]
    examples:
      - 'https://mystorageaccount.blob.core.windows.net/mycontainer/myblob?sv=2021-06-08&st=2024-01-01&se=2024-12-31&sr=b&sp=r&sig=AbCdEfGhIjKlMnOp%2BQrStUvWxYz%3D'
    # Live check: HEAD the captured URL as-is. This transmits the secret to
    # the target storage account and is expected to show up in that account's
    # storage logs if logging is enabled, so only run validation where that
    # side effect is acceptable.
    validation:
      type: Http
      content:
        request:
          method: HEAD
          # The whole match is the URL, SAS query string included.
          url: "{{ TOKEN }}"
        response_matcher:
          # Attach the HTTP response to the finding for triage.
          - report_response: true
          # 200/206: an authorized read. 404 is also treated as live on the
          # assumption that Azure Storage rejects a bad or expired signature
          # with 403 before it looks up the resource, so a 404 means the
          # signature was accepted and the blob simply does not exist —
          # TODO confirm against current service behaviour.
          - type: StatusMatch
            status: [200, 206, 404]
          # 401/403 mark the token inactive. NOTE(review): a still-valid
          # token whose `sp` lacks read (e.g. write- or list-only) is expected
          # to get 403 AuthorizationPermissionMismatch on HEAD and would be
          # reported as inactive here — a false negative, not proof the
          # credential is dead. Triage such tokens manually.
          - type: StatusMatch
            status: [401, 403]
            negative: true
    references:
      - https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview