
rules:
# NOTE(review): the indentation of this file was lost in the copy reviewed here; the
# nesting below (in particular the placement of min_entropy, response_matcher and
# extract) is reconstructed from key order and from the other rules in this file.
# Confirm it against the kingfisher rule schema before relying on it.
#
# Rule 1: Atlas programmatic API *private* key. The secret itself is a UUID
# (8-4-4-4-12 hex), so the pattern requires a nearby product word (mongodb/atlas)
# and a secret-ish keyword to avoid reporting every UUID in a repository.
- name: MongoDB API Private Key
  id: kingfisher.mongodb.1
  pattern: |
    (?xi)
    (?:
    (?:\b|_|-|\.)
    (?:mongodb|atlas)
    (?:\b|_|-|\.)
    )
    .{0,1000}?
    (?:private|priv|secret|auth|pass|key)
    (?:.|[\n\r]){0,32}?
    \b
    (
    [a-fA-F0-9]{8}
    -
    [a-fA-F0-9]{4}
    -
    [a-fA-F0-9]{4}
    -
    [a-fA-F0-9]{4}
    -
    [a-fA-F0-9]{12}
    )
    \b
  # Extra filters on the capture: presumably at least 2 digits and 1 lowercase
  # letter, which rejects all-letter or all-digit UUID-shaped placeholders.
  pattern_requirements:
    min_digits: 2
    min_lowercase: 1
  # Placed at rule level as in kingfisher.mongodb.2/3/4 — see the NOTE above.
  min_entropy: 3.7
  examples:
  - ATLAS_PRIVATE_KEY=4b18315e-6b7d-4337-b449-5d38f5a189ec
  # Live check: list projects with HTTP Digest auth "<public key>:<private key>".
  # PUBKEY is supplied by rule kingfisher.mongodb.2 (depends_on_rule below);
  # TOKEN is this rule's capture.
  validation:
    type: Http
    content:
      request:
        headers:
          Accept: application/vnd.atlas.2023-02-01+json
          Content-Type: application/json
        method: GET
        digest: '{{ PUBKEY | append: ":" | append: TOKEN }}'
        response_matcher:
        # report_response presumably attaches the HTTP response body to the finding;
        # for this endpoint that is the project listing (names, org ids), so scanner
        # output should be handled as sensitive.
        - report_response: true
        # Both words must be present in the body for the key to count as valid.
        - match_all_words: true
          type: WordMatch
          words:
          - '"orgId":'
          - '"id":'
        url: https://cloud.mongodb.com/api/atlas/v2/groups
  references:
  - https://www.mongodb.com/docs/atlas/api/
  # The public half of the key pair is matched by a separate (hidden) rule and
  # bound to PUBKEY so validation and revocation can authenticate.
  depends_on_rule:
  - rule_id: "kingfisher.mongodb.2"
    variable: PUBKEY
  # Revocation is destructive: step 2 issues a DELETE on the API key, which cannot
  # be undone and breaks every integration still using it. Presumably only run when
  # revocation is explicitly requested — confirm against the tool's behaviour.
  revocation:
    type: HttpMultiStep
    content:
      steps:
      # Step 1: Get the organization ID
      - name: lookup_org_id
        request:
          method: GET
          url: https://cloud.mongodb.com/api/atlas/v2/orgs
          headers:
            Accept: application/vnd.atlas.2023-02-01+json
            Content-Type: application/json
          digest: "{{ PUBKEY | append: ':' | append: TOKEN }}"
          response_matcher:
          - type: StatusMatch
            status: [200]
          - type: JsonValid
        extract:
          # Extract the first organization ID. Only results[0] is used, so the
          # key is assumed to be visible in exactly one org — TODO confirm.
          ORG_ID:
            type: JsonPath
            path: "$.results[0].id"
      # Step 2: Delete the API key using the organization ID and public key
      - name: delete_api_key
        request:
          method: DELETE
          url: https://cloud.mongodb.com/api/atlas/v2/orgs/{{ ORG_ID }}/apiKeys/{{ PUBKEY }}
          headers:
            Accept: application/vnd.atlas.2023-02-01+json
          digest: "{{ PUBKEY | append: ':' | append: TOKEN }}"
          response_matcher:
          - report_response: true
          # 204 No Content is the only accepted outcome of the delete.
          - type: StatusMatch
            status: [204]
# Rule 2: Atlas API *public* key, the non-secret half of the key pair. It is not
# reported on its own (visible: false); it exists to provide PUBKEY to
# kingfisher.mongodb.1 through depends_on_rule.
- name: MongoDB API PUBLIC Key
  id: kingfisher.mongodb.2
  pattern: |
    (?xi)
    (?:
    (?:\b|_|-|\.)
    (?:mongodb|atlas)
    (?:\b|_|-|\.)
    )
    (?:public|pub|user|id)
    (?:.|[\n\r]){0,4}?
    (
    [A-Z]+
    )
    (?:$|[^A-Z0-9/+=-])
  # NOTE(review): the capture is `[A-Z]+` (letters only, case-insensitive under the
  # `i` flag) and must be followed by end-of-input or a non-alphanumeric, but the
  # example value `qj4Zrh8e6A` contains digits, so the example does not appear to
  # match as written — run the rule example check and align one or the other.
  min_entropy: 2.0
  confidence: medium
  visible: false
  examples:
  - 'mongodb-public: qj4Zrh8e6A'
  references:
  - https://www.mongodb.com/docs/atlas/api/
# Rule 3: full MongoDB connection URI with embedded credentials
# (mongodb:// or mongodb+srv://, user:password@host...). The whole URI is the
# capture, so the reported secret includes the host.
- name: MongoDB URI Connection String
  id: kingfisher.mongodb.3
  pattern: |
    (?xi)
    \b
    (
    mongodb(?:\+srv)?://[\S]{3,50}:(?:[\S]{3,88})@[-.%\w/:]+
    )
    \b
  # Drop matches that are clearly documentation placeholders, template
  # expansions (${...}, $(...), {{...}}), HTML-escaped samples, or well-known
  # dummy passwords/hosts.
  pattern_requirements:
    ignore_if_contains:
    - "****"
    - "xxxx"
    - "example"
    - "<password>"
    - "<db_password>"
    - "<username>"
    - "<u>:<p>"
    - "<redacted>"
    - "<DO_NOT_UPDATE_AUTH>"
    - "{username}:{password}"
    - "{password}"
    - "${"
    - "$("
    - "{{"
    - "&lt;"
    - ":pass@"
    - ":password@"
    - ":secret@"
    - ":passw0rd@"
    - ":secretPassw0rd@"
    - ":wrong_password@"
    - ":fakepassword@"
    - "@host:"
    - "@host/"
    - "@host1:"
    - "@some.address"
    - "@connectionString.com"
  # Placed at rule level as in kingfisher.mongodb.2/4; the source indentation was
  # lost, so confirm against the schema.
  min_entropy: 3
  examples:
  - client = mongoc_client_new ("mongodb+srv://someuser:hunter2@my-atlas-rd941.mongodb.net/test?retryWrites=true&w=majority");
  # NOTE(review): this example contains ":passw0rd@", which is in ignore_if_contains
  # above — if the example check applies pattern_requirements, it will be filtered.
  - "mongodb+srv://user:passw0rd@cluster0.something.mongodb.net/"
  - "mongodb://mongoadmin:contoso@something.foo.mongodb.net/myFirstDatabase"
  # Live check opens a connection to whatever host is embedded in the matched
  # URI, i.e. a host taken from scanned content. tls_mode: lax presumably relaxes
  # certificate verification — confirm, and treat that host as untrusted.
  validation:
    type: MongoDB
    tls_mode: lax
  references:
  - https://www.mongodb.com/docs/manual/reference/connection-string/
# Rule 4: Atlas service-account secret. Fixed "mdb_sa_sk_" prefix followed by a
# 40-character suffix; there is no trailing \b, so a longer run of token
# characters still matches its first 40.
- name: MongoDB Atlas Service Account Token
  id: kingfisher.mongodb.4
  pattern: |
    (?xi)
    \b
    (
    mdb_sa_sk_[0-9A-Z_-]{6}[0-9A-Z]{34}
    )
  min_entropy: 3.5
  examples:
  - mdb_sa_sk_BdIX_jLzut2WTgglKzKvSgWMDDj5hEoTqdwOyLOL
  # NOTE(review): validation reuses the MongoDB validator with tls_mode: lax, as for
  # the URI rule; how a service-account secret is exercised by it is not visible
  # here — confirm the validator handles this token type.
  validation:
    type: MongoDB
    tls_mode: lax
  references:
  - https://www.mongodb.com/docs/atlas/api/service-accounts-overview/