Additional regex in KeepPassOrKeyInCode.toml #154
Merged
TL;DR
More rules for more candy.
Long story
In engagements, we encounter more and more hybrid environments (especially Azure).
Therefore, I was wondering if Snaffler identifies secrets in Azure/Entra related scripts.
Therefore, I tested several authentication methods with several Azure related tools (Azure CLI, Azure PowerShell, MS Graph, Exchange Online PNP, native API calls etc.).
Snaffler catches all scripts for tools which require a PS password object 😄 .
However, it does not catch the secret in some cases 😢 .
Unquoted credentials, for example for Azure CLI (az login --user johndoe@contoso.com --password VerySecret), are not found by Snaffler. Potentially there could be many scripts which use this parameter in other contexts (for example custom on-prem applications). At least on Windows, strings are often not quoted. Or they are simply stored in variables.
For example, in the official Microsoft documentation: https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-interactively#sign-in-with-credentials-on-the-command-line
The current rule (passw?o?r?d\s*=\s*[\'\"][^\\'\\\"]....) and (passw?o?r?d?>\s*[^\\s<]+\s*<) in the file KeepPassOrKeyInCode.toml catches stuff like:
password = "SuperPassword1!"
password = 'SuperPassword1!'
SuperPassword1!
But it will miss client secrets which are not quoted:
-password SuperPassword1!
-password $MyPW
-pass SuperPassword1!
-pass $MyPW
Therefore, I suggest adding an additional regex to cover those cases:
-passw?o?r?d?
Using this additional rule entry, the credentials are identified by Snaffler:
[Screenshot: parsed Snaffler output file]
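As an added example (not part of the PR or Snaffler's own code), here is the behaviour described above reproduced in Python: the existing quoted-assignment rule and the proposed dash-prefixed rule are run over a few constructed script lines. Both regexes are my reconstruction from the text of the PR, written for Python's re module rather than the .NET engine Snaffler uses, and the unquoted rule is widened to accept a double dash and to capture the token that follows, so the output shows which value would be flagged.

```python
import re

# Constructed sample script lines (not taken from the PR or any real script).
SAMPLE_LINES = [
    'password = "SuperPassword1!"',
    "password = 'SuperPassword1!'",
    "az login --user johndoe@contoso.com --password VerySecret",
    "-password $MyPW",
    "-pass SuperPassword1!",
    "Copy-Item -Path C:\\data -Destination D:\\backup -PassThru",
]

# Existing quoted-assignment rule, reconstructed (assumption) from the PR text:
# password/passwd/... followed by '=' and a quoted value.
QUOTED_RULE = re.compile(r"passw?o?r?d\s*=\s*['\"][^'\"]+['\"]", re.IGNORECASE)

# Proposed addition from the PR (-passw?o?r?d?), widened here (assumption) to
# accept '--' as well and to capture the argument that follows the switch.
# Requiring whitespace after the switch keeps '-PassThru' from matching.
UNQUOTED_RULE = re.compile(r"--?passw?o?r?d?\s+(\S+)", re.IGNORECASE)


def classify(line):
    """Return (rules that flag the line, candidate secret or None)."""
    hits = []
    if QUOTED_RULE.search(line):
        hits.append("quoted")
    m = UNQUOTED_RULE.search(line)
    if m:
        hits.append("unquoted")
    return hits, (m.group(1) if m else None)


def scan(lines):
    """Map each line to its classification; lines with no hits are kept too."""
    return {line: classify(line) for line in lines}


if __name__ == "__main__":
    for line, (hits, secret) in scan(SAMPLE_LINES).items():
        print(f"{hits or ['-']!s:24} {secret or '':18} {line}")
```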