Modify Zapier secret: Add tests and improve pattern (#279)

loris-s-sonarsource · web-flow · commit f270bd4ac67c · 2023-09-22T15:07:01.000+02:00
diff --git a/sonar-text-plugin/src/main/resources/org/sonar/plugins/secrets/configuration/zapier.yaml b/sonar-text-plugin/src/main/resources/org/sonar/plugins/secrets/configuration/zapier.yaml
@@ -3,43 +3,58 @@ provider:
     name: Zapier Webhook Url
     category: Workflow Automation
     message: Make sure this Zapier Webhook Url gets revoked, changed, and removed from the code.
+  detection:
+    pre:
+      include:
+        content:
+          - "zapier.com/hooks/catch"
+    post:
+      # Avoid matching values found on SourceGraph that look like dummy passwords or insertions like:
+      # - https://hooks.zapier.com/hooks/catch/123456/XXXXXXXX
+      # - https://hooks.zapier.com/hooks/catch/123456/abcde/
+      # - https://zapier.com/hooks/catch/000000/xxxxxxx/
+      patternNot: 
+        - "(\\w)\\1{6,}"
+        - "123456"
+        - "(?i)abcde"
 
   rules:
     - rspecKey: S6720
       id: zapier-webhook-urls
       metadata:
         name: Zapier Webhook Urls
+      detection:
+        matching:
+          pattern: "(?:https://)?(?:hooks\\.)?zapier\\.com/hooks/catch/([0-9]{3,}/[0-9a-zA-Z,]{3,})"
       examples:
+        - text: |
+            # Noncompliant code example
+            props.set("zapier_webhook_url", "https://hooks.zapier.com/hooks/catch/3017724/t0q8ed/")
+          containsSecret: true
+          match: 3017724/t0q8ed
+        - text: |
+            # Compliant solution
+            props.set("zapier_webhook_url", System.getenv("ZAPIER_WEBHOOK_URL"))
+          containsSecret: false
         - text: |
             var webhookURL = "https://hooks.zapier.com/hooks/catch/192840272/anwidh83";
             var data = {
                 "First Name" : userName.value,
                 "Email" : userEmail.value,
             };
           containsSecret: true
-          match: https://hooks.zapier.com/hooks/catch/192840272/anwidh83
+          match: 192840272/anwidh83
         - text: |
             var webhookURL = "https://hooks.zapier.com/hooks/catch/192840272/anwid,asne8,wod28";
             var data = {
                 "First Name" : userName.value,
                 "Email" : userEmail.value,
             };
           containsSecret: true
-          match: https://hooks.zapier.com/hooks/catch/192840272/anwid,asne8,wod28
+          match: 192840272/anwid,asne8,wod28
         - text: |
             const NETWORKS = {
               '1': 'https://hooks.zapier.com/hooks/catch/xxxx/xxxxx',
             }
           containsSecret: false
-      detection:
-        matching:
-          pattern: "((https://)?(hooks\\.)?zapier\\.com/hooks/catch/[0-9]{3,}/[0-9a-zA-Z,]{3,})"
-        post:
-          # Avoid matching values found on SourceGraph that look like dummy passwords or insertions like:
-          # - https://hooks.zapier.com/hooks/catch/123456/XXXXXXXX
-          # - https://hooks.zapier.com/hooks/catch/123456/abcde/
-          # - https://zapier.com/hooks/catch/000000/xxxxxxx/
-          patternNot: 
-            - "(\\w)\\1{6,}"
-            - "123456"
-            - "(?i)abcde"
+
