dxa4481 / trufflehogregexes Goto Github PK

Hi,

I have this secret token in my Repo in the archive foo.json:
{
"client_id" : "0afae57f3ccfd9d7f5767067bc48b30f719e271ba470488056e37ab35d4b6506",
"client_secret" : "6da89121079f8xxxxb6acccf8219ea982c3d79bccc3e9c6a85856480661f8fde",
"response_type" : "id_token"
}

It is not found default regex ... so would like to contribute the following:

"Generic Secret": "[sS][eE][cC][rR][eE][tT].*['|\"][0-9a-zA-Z]{32,45}['|\"]",

better:

(?i)sEcRet.*['|\"]([0-9a-zA-Z]+)['|\"]

What would be the best to contribute this?

Ralf

What version of the json library are you using in what environment.

I am using latest brew for python3. Does not seem to like the multiline strings.

Traceback (most recent call last):
File "", line 2, in
File "/usr/local/Cellar/python/3.7.2_2/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/init.py", line 348, in loads
return _default_decoder.decode(s)
File "/usr/local/Cellar/python/3.7.2_2/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/local/Cellar/python/3.7.2_2/Frameworks/Python.framework/Versions/3.7/lib/python3.7/json/decoder.py", line 353, in raw_decode
obj, end = self.scan_once(s, idx)
json.decoder.JSONDecodeError: Invalid control character at: line 4 column 66 (char 205)

"Google OAuth Refresh Token": "1/[0-9A-Za-z\-_]{43}|",
The trailing "|" is a matching anything.

I am trying to find a spec on Google OAuth Secrets. I am looking at a file with AWS IDs of various types.
"[0-9a-zA-Z\-_]{24}" - creates many false positives.

([^A-Z0-9]|^)(AKIA|A3T|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{12,}

Thanks to @tomnomnom

Current regex for slack tokens seems to be to narrow to handle all slack tokens. I did check three leaked slack tokens (just search for xoxa or xoxp in all github issues), one of them obfuscated, others seem to be a correct ones which does not match the regex.

Also current regex does not match refresh tokens starting with xoxr (https://api.slack.com/docs/token-types).

The password in URL regex [a-zA-Z]{3,10}://[^/\\s:@]{3,20}:[^/\\s:@]{3,20}@.{1,100}[\"'\\s] skips any URL with a username or password that contains the letter "s".

If https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json really is the base rule set for TruffleHog as stated on: https://github.com/trufflesecurity/truffleHog#customizing, then it should have a new entry that accommodates updated GitHub tokens.

Per https://github.blog/changelog/2021-03-31-authentication-token-format-updates-are-generally-available/

It seems like the existing GitHub regex uses the right charset. However, it doesn’t account for the new prefixes or length up to 255.

Hi,

I'm running into an issue when I run truffleHog --regex --entropy=False file:///Users/example/example

It returns the following message /usr/local/lib/python3.7/site-packages/truffleHogRegexes/regexChecks.py:9: FutureWarning: Possible nested set at position 33 and some results. Can you assist?

This is what I have in my regexCheckrs.py

import re
import json
import os

with open(os.path.join(os.path.dirname(__file__), "regexes.json"), 'r') as f:
    regexes = json.loads(f.read())

for key in regexes:
    regexes[key] = re.compile(regexes[key])

I would like to check specific set of credentials/keys are defined in source code or not. As i am defining for example this regex.json file and i have also committed the same in my source code for testing purpose.
{
"API key": "ABEFDSPUEPPDUEDE"
"API key": "ABEFDSPUEPPDUasds"
"API key": "ABEFDSPUEasdsdsdef"
}

I executed this command to figure out the trufflehog output with above API keys but i haven't received any of them in output. Please help on it

trufflehog --rules regex.json --entropy=False githuburl