Improve generic regex

[raro42]

Describe the solution you'd like

I have the following secret in my secret.json file in a repo:
{
"client_id" : "0afae57f3ccfd9d7f5767067bc48b30f719e271ba470488056e37ab35d4b6506",
"client_secret" : "6da89121079f83b2eb6acccf8219ea982c3d79bccc3e9c6a85856480661f8fde",
"response_type" : "id_token"
}

I would like to recognize it with the default regex provided in your repo.

The following regex would do so:
(?i)((key|api|token|secret|password)[a-z0-9 .\-,]{0,25})(=|>|:=|||:|<=|=>|:|).{0,5}[\'\"]([0-9a-zA-Z-=]+)[\'\"]

What's the difference:
(=|>|:=|||:|<=|=>|:|) ... the last "|" makes null hits be positiv and continue on regex
([0-9a-zA-Z-=]+) ... the "+" ... makes the limit of 64 disappear. I am not sure if this is a good idea. As time flies by, I guess we will soon see longer secrets

Additional context
My questions:

• is that something you would like to see as a contribution?
• I did not understand how you are testing. Do you have testcases that the secret should be added to?
• How could I test the new regex against existing testcases?

cc @zricethezav

[varac]

I was surprised that a simple yaml file with the content password: aghoh8oubu1obin9Cagae0u is not recognized (this is a test password, please don't try to hack me based on this :) ). Is this a bug or is password really not in the default regex (it should!) ?

[zricethezav]

@varac there is a small bug where I need to include EOL regex in the secret suffix. Will be pushing out a fix tonight hopefully.

[varac]

I don't understand, but that's not important. looking forward for the fix.
@zricethezav could you please answer the questions from @raro42, I'm also interested how you are testing.

[zricethezav]

https://github.com/zricethezav/gitleaks/blob/master/cmd/generate/config/rules/generic.go

[zricethezav]

@varac @raro42 see fix in #847

[Janne-Nykanen]

The "Generic API Key" rule now (v8.7.2) matches lines similar to this (Terraform):
"client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.client-vpn-endpoint.id"

How is that leaking anything...?

[zricethezav]

@Janne-Nykanen because it matches the regular expression and passes the heuristics that are written for the generic rule. It can use some work like being dismissed if the secret contains a stop word. What would be useful is pointing me to a list of stop words.

[Janne-Nykanen]

@Janne-Nykanen because it matches the regular expression and passes the heuristics that are written for the generic rule. It can use some work like being dismissed if the secret contains a stop word. What would be useful is pointing me to a list of stop words.

@zricethezav I'm not fully getting the regexp logic in question, but it seems to ignore, say, "client_cidr_block". In a similar way, "client_vpn_endpoint_id" should be overridden. Those parameters on this page starting with "client_" should all be allowed: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_client_vpn_endpoint

[zricethezav]

@Janne-Nykanen
client_cidr_block has a low entropy. (3.45)

client_vpn_endpoint_id has a high enough entropy to be considered a secret. (3.7)

[zricethezav]

@Janne-Nykanen https://github.com/zricethezav/gitleaks/releases/tag/v8.8.0 by default this should fix your false positive. However if you want to further configure your stopwords you can do so either per rule or globally with Allowlist.StopWords:

• https://github.com/zricethezav/gitleaks#configuration
• https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml#L19-L25

[Janne-Nykanen]

@Janne-Nykanen https://github.com/zricethezav/gitleaks/releases/tag/v8.8.0 by default this should fix your false positive. However if you want to further configure your stopwords you can do so either per rule or globally with Allowlist.StopWords:

• https://github.com/zricethezav/gitleaks#configuration
• https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml#L19-L25

Thanks @zricethezav you are my hero :)