Integrate security library with secrets detection (#25935)

vidai-msft · msJinLei · web-flow · commit ffec69508f6d · 2024-09-24T23:29:01.000+08:00
* Integrate security library with secrets detection

* Update ChangeLog.md

* Correct typo

* Update Authentication.csproj

---------

Co-authored-by: Jin Lei &lt;54836179+msJinLei@users.noreply.github.com&gt;
diff --git a/src/Accounts/Accounts/ChangeLog.md b/src/Accounts/Accounts/ChangeLog.md
@@ -26,6 +26,7 @@
 * Updated `Connect-AzAccount` to fix a display issue in PowerShell ISE [#24556].
 * Updated the reference of Azure PowerShell Common to 1.3.100-preview.
 * Used Azure.Identity and Azure.Core directly for client assertion [#22628].
+* Integrated new detection library to expand the scope of secrets.
 
 ## Version 3.0.3
 * Reduced the frequency of displaying sign-in announcement messages.
diff --git a/src/Accounts/Authentication/Authentication.csproj b/src/Accounts/Authentication/Authentication.csproj
@@ -16,7 +16,8 @@
     <PackageReference Include="Azure.Identity.Broker" Version="1.1.0" />
     <PackageReference Include="Microsoft.Identity.Client" Version="4.61.3" />
     <PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="4.61.3" />
-    <PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.61.3"/>
+    <PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.61.3" />
+    <PackageReference Include="Microsoft.Security.Utilities.Core" Version="1.8.0" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/Accounts/Authentication/Sanitizer/Services/DefaultSanitizerService.cs b/src/Accounts/Authentication/Sanitizer/Services/DefaultSanitizerService.cs
@@ -12,8 +12,9 @@
 // limitations under the License.
 // ----------------------------------------------------------------------------------
 
+using Microsoft.Security.Utilities;
 using System.Collections.Generic;
-using System.Text.RegularExpressions;
+using System.Linq;
 
 namespace Microsoft.Azure.Commands.Common.Authentication.Sanitizer.Services
 {
@@ -44,67 +45,16 @@ internal class DefaultSanitizerService : ISanitizerService
             { "Microsoft.Azure.Storage.File.CloudFileDirectory", new[] { "Parent" } },
         };
 
-        private static readonly IEnumerable<string> SensitiveDataPatterns = new List<string>()
-        {
-            // AAD client app, most recent two versions.
-            @"\b" // pre-match
-          + @"[0-9A-Za-z-_~.]{3}7Q~[0-9A-Za-z-_~.]{31}\b|\b[0-9A-Za-z-_~.]{3}8Q~[0-9A-Za-z-_~.]{34}" // match
-          + @"\b", // post-match
-            
-            // Prominent Azure provider 512-bit symmetric keys.
-            @"\b" // pre-match
-          + @"[0-9A-Za-z+/]{76}(APIM|ACDb|\+(ABa|AMC|ASt))[0-9A-Za-z+/]{5}[AQgw]==" // match
-          + @"", // post-match
-
-            // Prominent Azure provider 256-bit symmetric keys.
-            @"\b" // pre-match
-          + @"[0-9A-Za-z+/]{33}(AIoT|\+(ASb|AEh|ARm))[A-P][0-9A-Za-z+/]{5}=" // match
-          + @"", // post-match
-            
-            // Azure Function key.
-            @"\b" // pre-match
-          + @"[0-9A-Za-z_\-]{44}AzFu[0-9A-Za-z\-_]{5}[AQgw]==" // match
-          + @"", // post-match
-
-            // Azure Search keys.
-            @"\b" // pre-match
-          + @"[0-9A-Za-z]{42}AzSe[A-D][0-9A-Za-z]{5}" // match
-          + @"\b", // post-match
-            
-            // Azure Container Registry keys.
-            @"\b" // pre-match
-          + @"[0-9A-Za-z+/]{42}\+ACR[A-D][0-9A-Za-z+/]{5}" // match
-          + @"\b", // post-match
-            
-            // Azure Cache for Redis keys.
-            @"\b" // pre-match
-          + @"[0-9A-Za-z]{33}AzCa[A-P][0-9A-Za-z]{5}=" // match
-          + @"", // post-match
-            
-            // NuGet API keys.
-            @"\b" // pre-match
-          + @"oy2[a-p][0-9a-z]{15}[aq][0-9a-z]{11}[eu][bdfhjlnprtvxz357][a-p][0-9a-z]{11}[aeimquy4]" // match
-          + @"\b", // post-match
-            
-            // NPM author keys.
-            @"\b" // pre-match
-          + @"npm_[0-9A-Za-z]{36}" // match
-          + @"\b", // post-match
-        };
+        private readonly SecretMasker _secretMasker = new SecretMasker(WellKnownRegexPatterns.HighConfidenceMicrosoftSecurityModels, generateCorrelatingIds: true);
 
         public bool TrySanitizeData(string data, out string sanitizedData)
         {
             sanitizedData = string.Empty;
 
             if (!string.IsNullOrWhiteSpace(data))
             {
-                foreach (var pattern in SensitiveDataPatterns)
-                {
-                    if (Regex.IsMatch(data, pattern))
-                    {
-                        return true;
-                    }
-                }
+                var detections = _secretMasker.DetectSecrets(data);
+                return detections.Any();
             }
 
             return false;
