kingfisher/crates/kingfisher-rules/data/rules/redis.yml
Mick Grove b518e349df v1.87.0
2026-03-09 20:46:08 -07:00


rules:
# Rule 1: Redis connection URIs that embed a password in the userinfo part.
- id: kingfisher.redis.1
  name: Redis URI Connection String
  # Hyperscan-compatible pattern (no lookbehind)
  # Host supports hostnames, IPv4, and IPv6 in brackets
  #
  # Shape of a match, as written in the pattern below:
  #   scheme    redis://, rediss:// or redis+sentinel:// (case-insensitive)
  #   username  optional; may be empty, must be followed by ':'
  #   password  at least 8 characters from the userinfo class ('@' is not in
  #             the class, so the capture stops at the '@' before the host)
  #   host      bracketed hex/colon/dot literal, or one or more of [a-zA-Z0-9_.-]
  #   port      optional, 1-5 digits (not range-checked)
  #   db        optional, 1-2 digits
  # The pattern runs in extended mode (x), so the spaces and line breaks inside
  # it are layout only.
  pattern: |
    (?xi)
    (?: redis | rediss | redis\+sentinel ) ://
    (?: (?P<username>[a-zA-Z0-9%;._~!$&'()*+,;=-]*)
    :
    )?
    (?P<password>[a-zA-Z0-9%;._~!$&'()*+,;:=/+-]{8,})
    @ (?P<host>(?:\[[0-9a-fA-F:.]+\]|[a-zA-Z0-9_.-]{1,})) (?: :(?P<port>\d{1,5}))?
    (?: / (?P<db>\d{1,2}))?
    \b
  pattern_requirements:
    # Placeholder and documentation markers used to cut false positives.
    # NOTE(review): presumably a finding is dropped when its text contains any
    # of these substrings; confirm whether the engine tests the whole match or
    # only the captured secret, and whether the test is case-sensitive. Under
    # either reading a genuine URI whose host or password happens to contain
    # one of these strings (e.g. "localhost", "xxxx") is not reported.
    ignore_if_contains:
    - "****"
    - "xxxx"
    - "example.com"
    - "your_password"
    - "your-password"
    - ":password@"
    - ":secret@"
    - "localhost"
    - "# redis"
    - "// redis"
  # NOTE(review): presumably a minimum-entropy threshold applied to the
  # captured secret; confirm the unit and which capture it is computed over.
  min_entropy: 3.0
  confidence: medium
  # Sample inputs for this rule: named and empty usernames, hostname, IPv4 and
  # bracketed IPv6 hosts, with and without a trailing database number.
  # NOTE(review): the fourth sample pairs a base64-looking key with a specific
  # Azure cache hostname; confirm it is synthetic or long revoked before it
  # stays in a published rule file.
  examples:
  - 'REDIS_URL="redis://user:EXAMPLEp4ssw0rd123@cache.prod.internal:6379/0"'
  - 'rediss://admin:TESTsecur3K3y456@redis.cache.internal:6380/1'
  - 'redis+sentinel://default:SAMPLEr3d1sK3y789@sentinel.cluster.local:26379'
  - 'redis://:oJs3RjFV5CVDyObDiooJk8NGGSylGTlNmAzCaPVydjM=@gainazurecacheforredis03.eastus.redisenterprise.cache.azure.net:10000'
  - 'redis://default:MyP4ssw0rd@192.168.1.10:6379/2'
  - 'rediss://:token123@[::1]:6380/0'
  references:
  - https://redis.io/docs/latest/develop/clients/redis-py/connect/
  - https://redis.io/docs/latest/commands/auth/
  - https://github.com/redis/redis-py/blob/master/redis/client.py
# Rule 2: passwords leaked through the printed representation of redis-py
# client and connection objects (e.g. in logs or tracebacks).
- id: kingfisher.redis.2
  name: Python Redis Client Debug Output
  # Hyperscan-compatible pattern (no lookahead)
  # "None" filtering moved to ignore_if_contains
  #
  # Shape of a match, as written in the pattern below:
  #   a redis.client.Redis / redis.connection.{Connection,SSLConnection,
  #   ConnectionPool} class name, then a password|passwd|pwd key with a value
  #   of 8+ characters from [a-zA-Z0-9+/=_-], then a host= key with a value
  #   from [a-zA-Z0-9_.-].
  # The password key must come before the host key; output that prints host=
  # first is not matched by this pattern.
  # NOTE(review): the inline pattern comment describes the host as "hostname,
  # IPv4, or IPv6", but the host class has no ':' so a colon-separated IPv6
  # literal is captured only up to its first colon. Confirm whether IPv6 hosts
  # are meant to be supported here.
  pattern: |
    (?xi)
    redis\.(?:client\.Redis|connection\.(?:Connection|SSLConnection|ConnectionPool)) (?# Python Redis class )
    .*?
    (?:password|passwd|pwd) (?# password key )
    \s*=\s* (?# equals separator )
    (?P<password>[a-zA-Z0-9+/=_-]{8,}) (?# password value )
    (?:,|\s) (?# separator )
    .*?
    host\s*=\s* (?# host key )
    (?P<host>[a-zA-Z0-9_.-]+) (?# host - hostname, IPv4, or IPv6 )
  pattern_requirements:
    # Unset-password markers. "None" is shorter than the 8-character minimum
    # of the password capture, so it cannot be captured as the secret itself.
    # NOTE(review): presumably these drop any match whose text includes an
    # unset password field; confirm against the engine, since that would also
    # hide a real password printed on the same line as a password=None field.
    ignore_if_contains:
    - "password=None"
    - "passwd=None"
    - "pwd=None"
  # NOTE(review): presumably a minimum-entropy threshold applied to the
  # captured secret; confirm the unit and which capture it is computed over.
  min_entropy: 3.0
  confidence: medium
  # Sample inputs for this rule: nested Redis / ConnectionPool / Connection
  # representations, plain and SSL.
  # NOTE(review): the first sample pairs a base64-looking key with a specific
  # Azure cache hostname; confirm it is synthetic or long revoked before it
  # stays in a published rule file.
  examples:
  - '<redis.client.Redis(<redis.connection.ConnectionPool(<redis.connection.Connection(db=0,username=None,password=oJs3RjFV5CVDyObDiooJk8NGGSylGTlNmAzCaPVydjM=,host=gainazurecacheforredis03.eastus.redisenterprise.cache.azure.net,port=10000,...)>)>)>'
  - '<redis.client.Redis(<redis.connection.ConnectionPool(<redis.connection.SSLConnection(db=0,password=EXAMPLEsecretKey123,host=redis-server.local,port=6379,...)>)>)>'
  references:
  - https://github.com/redis/redis-py
  - https://redis.readthedocs.io/en/stable/connections.html
# Rule 3: a Redis password assigned to a named key, with no surrounding URI.
- id: kingfisher.redis.3
  name: Redis Password (Standalone Config)
  # Detects REDIS_PASSWORD, redis_password, redis.password etc. in env vars and config files
  #
  # Shape of a match, as written in the pattern below:
  #   key    redis + optional '-', '_' or '.' + one of password, pass, passwd,
  #          auth, secret, token; or the literal config.redis.auth
  #          (case-insensitive, word-bounded)
  #   gap    up to 24 characters of anything, newlines included (lazy)
  #   sep    '=' or ':' followed by optional spaces/tabs and an optional quote
  #   value  8 to 64 characters, captured as unnamed group 1
  # NOTE(review): the value class contains "'", so for a single-quoted value
  # the closing quote can be taken into the capture (see the third example).
  # Confirm whether consumers of the captured secret trim it.
  # NOTE(review): rules kingfisher.redis.1 and .2 in this file name their
  # secret capture "password"; this rule uses an unnamed group. Confirm the
  # engine treats group 1 as the secret.
  pattern: (?i)\b(?:redis[-_.]?(?:password|pass|passwd|auth|secret|token)|config\.redis\.auth)\b(?:.|[\n\r]){0,24}?[=:][ \t]*['"]?([a-zA-Z0-9%;._~!$&'()*+,;=/*+-]{8,64})['"]?
  pattern_requirements:
    # Placeholder values used to cut false positives.
    # NOTE(review): presumably a finding is dropped when its text contains any
    # of these substrings; confirm whether the engine tests the whole match or
    # only the captured secret. A real password that happens to contain one of
    # them (e.g. "xxxx", "changeme") is not reported.
    ignore_if_contains:
    - "****"
    - "xxxx"
    - "your_password"
    - "changeme"
    - "replaceme"
    - "example.com"
    - "localhost"
  # NOTE(review): presumably a minimum-entropy threshold applied to the
  # captured secret; confirm the unit and which capture it is computed over.
  min_entropy: 3.0
  confidence: medium
  # Sample inputs for this rule: env-var, ini-style, dotted-config and
  # YAML-style assignments, quoted and unquoted.
  examples:
  - 'REDIS_PASSWORD="EXAMPLEp4ssw0rd123"'
  - 'redis_password=MyS3cur3R3d1sK3y'
  - "config.redis.auth = 'secretT0ken456'"
  - 'REDIS_AUTH: "aB3cD4eF5gH6iJ7kL8"'
  references:
  - https://redis.io/docs/latest/commands/auth/
  - https://redis.io/docs/latest/operate/oss_and_stack/management/security/