forked from mirrors/kingfisher
79139e49b8
- Fixed [#344](https://github.com/mongodb/kingfisher/issues/344): baseline fingerprints no longer have to be hexadecimal. The fingerprint value emitted by scan output (JSON, JSONL, pretty, SARIF) can now be copied directly into a baseline file and will match on the next scan. --manage-baseline now writes fingerprints in decimal to match scan output, and legacy 16-char hex (and 0x-prefixed hex) entries continue to be accepted, so existing baseline files keep working unchanged.
45 lines
1.2 KiB
YAML
45 lines
1.2 KiB
YAML
rules:
|
|
- name: URI with Username and Secret
|
|
id: kingfisher.uri.1
|
|
pattern: |
|
|
(?xi)
|
|
(
|
|
(?:https?)://
|
|
[A-Za-z](?:[A-Za-z0-9+\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*
|
|
:
|
|
(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+
|
|
@
|
|
(?:[A-Za-z0-9\-._~%]+|\[[A-Fa-f0-9:.]+\]|\[v[A-Fa-f0-9][A-Za-z0-9\-._~%!$&'()*,;=:]+\])
|
|
(:?[0-9]+)?
|
|
(?:/[A-Za-z0-9\-._~%!$&'()*,;=:@%]*)*
|
|
/?
|
|
(?:\?[A-Za-z0-9\-._~%!$&'()*,;=:@/?%]*)?
|
|
(?:\#[A-Za-z0-9\-._~%!$&'()*,;=:@/?%]*)?
|
|
)
|
|
pattern_requirements:
|
|
ignore_if_contains:
|
|
- "****"
|
|
- "xxxx"
|
|
- "username:"
|
|
- "user:"
|
|
- ":password"
|
|
- ":pass"
|
|
- ">:<"
|
|
min_entropy: 4.0
|
|
confidence: medium
|
|
examples:
|
|
- https://username:secret@example.com/path
|
|
# validation:
|
|
# type: Http
|
|
# content:
|
|
# request:
|
|
# method: GET
|
|
# response_is_html: true
|
|
# url: '{{ TOKEN }}'
|
|
# response_matcher:
|
|
# - report_response: false
|
|
# type: StatusMatch
|
|
# status:
|
|
# - 200
|
|
# references:
|
|
# - https://www.rfc-editor.org/rfc/rfc3986#section-3.2.1
|