kingfisher/crates/kingfisher-rules/data/rules/redis.yml

rules:
  - id: kingfisher.redis.1
    name: Redis URI Connection String
    # Hyperscan-compatible pattern (no lookbehind)
    # Host supports hostnames, IPv4, and IPv6 in brackets
    pattern: |
      (?xi)
      (?P<TOKEN>
        (?: redis | rediss | redis\+sentinel ) ://
          (?: (?P<username>[a-zA-Z0-9%;._~!$&'()*+,;=-]*)
            :
          )?
          (?P<password>[a-zA-Z0-9%;._~!$&'()*+,;:=/+-]{8,})
        @ (?P<host>(?:\[[0-9a-fA-F:.]+\]|[a-zA-Z0-9_.-]{1,})) (?: :(?P<port>\d{1,5}))?
        (?: / (?P<db>\d{1,2}))?
      )
      \b

    pattern_requirements:
      ignore_if_contains:
        - "****"
        - "xxxx"
        - "example.com"
        - "your_password"
        - "your-password"
        - ":password@"
        - ":secret@"
        - "localhost"
        - "# redis"
        - "// redis"

    min_entropy: 3.0
    confidence: medium

    examples:
      - 'REDIS_URL="redis://user:EXAMPLEp4ssw0rd123@cache.prod.internal:6379/0"'
      - 'rediss://admin:TESTsecur3K3y456@redis.cache.internal:6380/1'
      - 'redis+sentinel://default:SAMPLEr3d1sK3y789@sentinel.cluster.local:26379'
      - 'redis://:oJs3RjFV5CVDyObDiooJk8NGGSylGTlNmAzCaPVydjM=@gainazurecacheforredis03.eastus.redisenterprise.cache.azure.net:10000'
      - 'redis://default:MyP4ssw0rd@192.168.1.10:6379/2'
      - 'rediss://:token123@[::1]:6380/0'

    references:
      - https://redis.io/docs/latest/develop/clients/redis-py/connect/
      - https://redis.io/docs/latest/commands/auth/
      - https://github.com/redis/redis-py/blob/master/redis/client.py
    validation:
      type: Raw
      content: redis

  - id: kingfisher.redis.2
    name: Python Redis Client Debug Output
    # Hyperscan-compatible pattern (no lookahead)
    # "None" filtering moved to ignore_if_contains
    pattern: |
      (?xi)
      redis\.(?:client\.Redis|connection\.(?:Connection|SSLConnection|ConnectionPool))  (?# Python Redis class )
      .*?
      (?:password|passwd|pwd)                                         (?# password key )
      \s*=\s*                                                         (?# equals separator )
      (?P<password>[a-zA-Z0-9+/=_-]{8,})                              (?# password value )
      (?:,|\s)                                                        (?# separator )
      .*?
      host\s*=\s*                                                     (?# host key )
      (?P<host>[a-zA-Z0-9_.-]+)                  (?# host - hostname, IPv4, or IPv6 )

    pattern_requirements:
      ignore_if_contains:
        - "password=None"
        - "passwd=None"
        - "pwd=None"

    min_entropy: 3.0
    confidence: medium
    examples:
      - '<redis.client.Redis(<redis.connection.ConnectionPool(<redis.connection.Connection(db=0,username=None,password=oJs3RjFV5CVDyObDiooJk8NGGSylGTlNmAzCaPVydjM=,host=gainazurecacheforredis03.eastus.redisenterprise.cache.azure.net,port=10000,...)>)>)>'
      - '<redis.client.Redis(<redis.connection.ConnectionPool(<redis.connection.SSLConnection(db=0,password=EXAMPLEsecretKey123,host=redis-server.local,port=6379,...)>)>)>'
    references:
      - https://github.com/redis/redis-py
      - https://redis.readthedocs.io/en/stable/connections.html

  - id: kingfisher.redis.3
    name: Redis Password (Standalone Config)
    # Detects REDIS_PASSWORD, redis_password, redis.password etc. in env vars and config files
    pattern: (?i)\b(?:redis[-_.]?(?:password|pass|passwd|auth|secret|token)|config\.redis\.auth)\b(?:.|[\n\r]){0,24}?[=:][ \t]*['"]?([a-zA-Z0-9%;._~!$&'()*+,;=/*+-]{8,64})['"]?

    pattern_requirements:
      ignore_if_contains:
        - "****"
        - "xxxx"
        - "your_password"
        - "changeme"
        - "replaceme"
        - "example.com"
        - "localhost"

    min_entropy: 3.0
    confidence: low
    examples:
      - 'REDIS_PASSWORD="EXAMPLEp4ssw0rd123"'
      - 'redis_password=MyS3cur3R3d1sK3y'
      - "config.redis.auth = 'secretT0ken456'"
      - 'REDIS_AUTH: "aB3cD4eF5gH6iJ7kL8"'
    references:
      - https://redis.io/docs/latest/commands/auth/
      - https://redis.io/docs/latest/operate/oss_and_stack/management/security/