eblume/kingfisher
1
0
Fork 0
forked from mirrors/kingfisher
Code Pull requests Activity Actions
kingfisher/data/rules/auth0.yml
Mick Grove 0f953f59a5 pattern_requirements for rules — Post-regex character-class gating to cut false positives without lookarounds. Authors can now require minimum counts of digits, uppercase, lowercase, and special characters, with an optional custom special-char set. 
Why: Hyperscan doesn’t support lookaheads/behinds, so many “must contain X and Y” checks had to be baked into the regex (hurting readability) or were impossible. pattern_requirements applies lightweight, in-memory checks after a match is found, keeping patterns fast and clean.
2025-11-04 13:55:31 -05:00

87 lines
2.6 KiB
YAML
Raw Blame History

rules:
- name: Auth0 Client ID
id: kingfisher.auth0.1
pattern: |
(?xi)
\b
auth0
(?:.|[\n\r]){0,32}?
\b
(
[a-z0-9_-]{32,60}
)
\b
pattern_requirements:
min_digits: 2
min_lowercase: 1
min_entropy: 3.5
confidence: medium
visible: false
examples:
- auth0_client_id = 'dBpXUZS34Rhg6WUKTLLj3E9yWGY6IJgV'
- 'auth0ClientId: ''Hf5sS5kLmNm6Lmvoc1BwXryX49bPD4L0'''
- AUTH0_CLIENT_ID='abcdef1234567890abcdef1234567890abcdef12'
references:
- https://auth0.com/docs/get-started/applications/application-settings
- name: Auth0 Client Secret
id: kingfisher.auth0.2
pattern: |
(?xi)
\b
auth0
(?:.|[\n\r]){0,16}?
(?:SECRET|PRIVATE|ACCESS|KEY|TOKEN)
(?:.|[\n\r]){0,64}?
\b
(
[a-z0-9_-]{64,}
)
\b
min_entropy: 3.3
confidence: medium
examples:
- 'auth0_client_secret: ''v7qhPJv1fDRoUwBjktpWgS8LPVr-hXWOI8tFnRtWrU3jNYZf1hW3hfJjA8rEER9D'''
- auth0ClientSecret = 'YOUR_VERY_LONG_AND_SECURE_CLIENT_SECRET_GOES_HERE_12345678900000'
- AUTH0_CLIENT_SECRET='abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890'
validation:
type: Http
content:
request:
url: https://{{ DOMAIN }}/oauth/token
headers:
Content-Type: application/x-www-form-urlencoded
body: |
grant_type=authorization_code&client_id={{ CLIENT_ID }}&client_secret={{ CLIENT_SECRET }}&code=AUTHORIZATION_CODE&redirect_uri=undefined
method: POST
response_matcher:
- report_response: true
- type: WordMatch
words:
- "access_denied"
- "invalid_grant"
depends_on_rule:
- rule_id: kingfisher.auth0.1
variable: CLIENTID
- rule_id: "kingfisher.auth0.3"
variable: DOMAIN
- name: Auth0 Domain
id: kingfisher.auth0.3
pattern: |
(?xi)
\b
(
[a-z0-9]
[a-z0-9._-]*
auth0\.com
)
\b
min_entropy: 3.5
visible: false
confidence: medium
examples:
- https://mycompany.us.auth0.com/
- 'auth0Domain: ''example-org.auth0.com'''
- AUTH0_DOMAIN=myapp.eu.auth0.com
categories:
- domain
- auth0
View git blame Copy permalink