diff options
| author | Ellie Huxtable <ellie@elliehuxtable.com> | 2023-08-19 12:28:39 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-08-19 12:28:39 +0100 |
| commit | 73bd8015c3ba50ceb5168a8b67bb1ac5d3b48dc1 (patch) | |
| tree | 0fe6dbe55a7dda6bd93a72fbfcb29e6f3993e95c /atuin-client/src/secrets.rs | |
| parent | Update dependencies (#1181) (diff) | |
| download | atuin-73bd8015c3ba50ceb5168a8b67bb1ac5d3b48dc1.zip | |
Automatically filter out secrets (#1182)
I'd like to extend the regex list here very soon, but start off by
automatically filtering out secrets. Do not store them in history!
I've included regex for:
1. AWS key id
2. Github pat (old and new)
3. Slack oauth tokens (bot, user)
4. Slack webhooks
5. Stripe live/test keys
Will need updating after #806
Diffstat (limited to 'atuin-client/src/secrets.rs')
| -rw-r--r-- | atuin-client/src/secrets.rs | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/atuin-client/src/secrets.rs b/atuin-client/src/secrets.rs new file mode 100644 index 00000000..ba6aee66 --- /dev/null +++ b/atuin-client/src/secrets.rs @@ -0,0 +1,54 @@ +// This file will probably trigger a lot of scanners. Sorry. + +// A list of (name, regex, test), where test should match against regex +pub static SECRET_PATTERNS: &[(&str, &str, &str)] = &[ + ( + "AWS Access Key ID", + "AKIA[0-9A-Z]{16}", + "AKIAIOSFODNN7EXAMPLE", + ), + ( + "GitHub PAT (old)", + "^ghp_[a-zA-Z0-9]{36}$", + "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", // legit, I expired it + ), + ( + "GitHub PAT (new)", + "^github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}$", + "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", // also legit, also expired + ), + ( + "Slack OAuth v2 bot", + "xoxb-[0-9]{11}-[0-9]{11}-[0-9a-zA-Z]{24}", + "xoxb-17653672481-19874698323-pdFZKVeTuE8sk7oOcBrzbqgy", + ), + ( + "Slack OAuth v2 user token", + "xoxp-[0-9]{11}-[0-9]{11}-[0-9a-zA-Z]{24}", + "xoxp-17653672481-19874698323-pdFZKVeTuE8sk7oOcBrzbqgy", + ), + ( + "Slack webhook", + "T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}", + "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX", + ), + ("Stripe test key", "sk_test_[0-9a-zA-Z]{24}", "sk_test_1234567890abcdefghijklmnop"), + ("Stripe live key", "sk_live_[0-9a-zA-Z]{24}", "sk_live_1234567890abcdefghijklmnop"), +]; + +#[cfg(test)] +mod tests { + use regex::Regex; + + use crate::secrets::SECRET_PATTERNS; + + #[test] + fn test_secrets() { + for (name, regex, test) in SECRET_PATTERNS { + let re = + Regex::new(regex).expect(format!("Failed to compile regex for {name}").as_str()); + + assert!(re.is_match(test), "{name} test failed!"); + } + } +} |