Pushed generic-api-key to our side, supporting XML secrets

cx-miguel-neiva · cx-miguel-neiva · commit 76d8a7b160da · 2025-04-07T16:25:20.000+01:00
diff --git a/engine/rules/generic-key.go b/engine/rules/generic-key.go
@@ -19,10 +19,7 @@ func GenericCredential() *config.Rule {
 			"password",
 			"auth",
 			"access",
-		}, `[0-9a-z\-_.=]{10,150}`, true,
-			[]string{
-				`<key>\s*(?:access|auth|(?-i:[Aa]pi|API)|API_KEY|credential|creds|key|passw(?:or)?d|secret|token)\s*<\/key>\s*<string>\s*([\w.=-]{10,150}|[a-z0-9][a-z0-9+\/]{11,}={0,3})\s*<\/string>`,
-			}),
+		}, `[0-9a-z\-_.=]{10,150}`, true),
 		Keywords: []string{
 			"key",
 			"api",
@@ -41,7 +38,12 @@ func GenericCredential() *config.Rule {
 	}
 
 	// validate
-	tps := []string{}
+	tps := []string{
+		generateSampleSecret("generic", "CLOJARS_34bf0e88955ff5a1c328d6a7491acc4f48e865a7b8dd4d70a70749037443"),
+		generateSampleSecret("generic", "Zf3D0LXCM3EIMbgJpUNnkRtOfOueHznB"),
+		`"client_id" : "0afae57f3ccfd9d7f5767067bc48b30f719e271ba470488056e37ab35d4b6506"`,
+		`"client_secret" : "6da89121079f83b2eb6acccf8219ea982c3d79bccc3e9c6a85856480661f8fde",`,
+	}
 	fps := []string{
 		`client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id`,
 		`password combination.
diff --git a/engine/rules/utils.go b/engine/rules/utils.go
@@ -15,15 +15,17 @@ const (
 	identifierCaseInsensitiveSuffix = `)`
 	identifierPrefix                = `(?:`
 	identifierSuffix                = `)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}`
+	identifierSuffixAdditional      = `)(?:[0-9a-z\-_\t .]{0,20})(?:<\/key>\s{0,10}<string)?(?:[\s|']|[\s|"]){0,3}`
 
 	// commonly used assignment operators or function call
 	operator = `(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)`
 
 	// boundaries for the secret
 	// \x60 = `
-	secretPrefixUnique = `\b(`
-	secretPrefix       = `(?:'|\"|\s|=|\x60){0,5}(`
-	secretSuffix       = `)(?:['|\"|\n|\r|\s|\x60|;]|$)`
+	secretPrefixUnique     = `\b(`
+	secretPrefix           = `(?:'|\"|\s|=|\x60){0,5}(`
+	secretSuffix           = `)(?:['|\"|\n|\r|\s|\x60|;]|$)`
+	secretSuffixAdditional = `)(?:['|\"|\n|\r|\s|\x60|;]|$|\s{0,10}<\/string>)`
 )
 
 func generateSemiGenericRegex(identifiers []string, secretRegex string, isCaseInsensitive bool) *regexp.Regexp {
@@ -44,13 +46,13 @@ func generateSemiGenericRegex(identifiers []string, secretRegex string, isCaseIn
 	sb.WriteString(secretSuffix)
 	return regexp.MustCompile(sb.String())
 }
-func generateSemiGenericRegexWithAdditionalRegex(identifiers []string, secretRegex string, isCaseInsensitive bool, addRegex []string) *regexp.Regexp {
+func generateSemiGenericRegexWithAdditionalRegex(identifiers []string, secretRegex string, isCaseInsensitive bool) *regexp.Regexp {
 	var sb strings.Builder
 	// The identifiers should always be case-insensitive.
 	// This is inelegant but prevents an extraneous `(?i:)` from being added to the pattern; it could be removed.
 	if isCaseInsensitive {
 		sb.WriteString(caseInsensitive)
-		writeIdentifiers(&sb, identifiers)
+		writeIdentifiersAdditionalRegex(&sb, identifiers)
 	} else {
 		sb.WriteString(identifierCaseInsensitivePrefix)
 		writeIdentifiers(&sb, identifiers)
@@ -59,15 +61,17 @@ func generateSemiGenericRegexWithAdditionalRegex(identifiers []string, secretReg
 	sb.WriteString(operator)
 	sb.WriteString(secretPrefix)
 	sb.WriteString(secretRegex)
-	sb.WriteString(secretSuffix)
+	sb.WriteString(secretSuffixAdditional)
 
-	for _, regex := range addRegex {
-		sb.WriteString(`|`)
-		sb.WriteString(regex)
-	}
 	return regexp.MustCompile(sb.String())
 }
 
+func writeIdentifiersAdditionalRegex(sb *strings.Builder, identifiers []string) {
+	sb.WriteString(identifierPrefix)
+	sb.WriteString(strings.Join(identifiers, "|"))
+	sb.WriteString(identifierSuffixAdditional)
+}
+
 func writeIdentifiers(sb *strings.Builder, identifiers []string) {
 	sb.WriteString(identifierPrefix)
 	sb.WriteString(strings.Join(identifiers, "|"))
