Improving regex for MySql, Postgres and RabbitMQ #555

Merged: eddynaka merged 4 commits into main from users/ednakamu/removing-characters-from-id on Sep 14, 2021
@eddynaka (Collaborator) commented Sep 9, 2021

Changes

Please provide a brief description of the changes here.

For significant contributions please make sure you have completed the following items:

  • ReleaseHistory.md updated for non-trivial changes
  • Added unit tests

@eddynaka eddynaka marked this pull request as ready for review September 9, 2021 22:02

# This is a malformed and invalid ADO MySQL String. UiD should be in the form of <username>@<database-name>. This should be missed.
Server=some-database-name.mysql.database.azure.com; Port=3306; Database=catalog_db; Uid=username; Pwd=password_12; SslMode=Preferred; No newline at end of file
# This is a malformed and invalid ADO MySQL string. UiD should be in the form of <username>@<database-name>. This should be missed.
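
Review bot: The two comment lines justify the expected miss only by the `Uid` format (`<username>@<database-name>`), but the sample's `Uid=username;` contains none of the characters an id character class excludes, so the miss cannot come from the id pattern alone. Say in the comment which check is expected to reject this string, and use one spelling of the key (`Uid`, as in the sample) and one capitalisation of "string" across both comment lines.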

Member

UiD

Uid

Comment thread Src/ReleaseHistory.md Outdated
[#554](https://github.com/microsoft/sarif-pattern-matcher/pull/554)
- FPC: Improving regular expressions for rules `SEC101/036.MySqlCredentials`,
`SEC101/038.PostgreSqlCredentials`, and `SEC101/041.RabbitMqCredentials`
removing invalid characters from `Id` and `Resource`.

Member

characters

Can you add the list of characters?

$SEC101/035.CloudantCredentialsUrl=(?i)https:\/\/(?P<id>[^:]+):(?P<secret>[\w]{64}|[a-z]{24})@[\w-]+\.(?P<host>cloudantnosqldb\.appdomain\.cloud|cloudant\.com)

$SEC101/036.MySqlCredentialsAdoId=(?i)(?:user|user id|uid)\s*=\s*(?P<id>[^;"<'\s]+)(?:[;"<'\s]|$)
$SEC101/036.MySqlCredentialsAdoId=(?i)(?:user|user id|uid)\s*=\s*(?P<id>[^,;"'=|&\]\[><\s]+)(?:[,;"'=|&\]\[><\s]|$)
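
Review bot: The new `SEC101/036.MySqlCredentialsAdoId` line writes the same delimiter set twice, once in the `id` class `[^,;"'=|&\]\[><\s]+` and once in the trailing group `(?:[,;"'=|&\]\[><\s]|$)`, so a later edit to one copy can silently miss the other. Because `id` greedily consumes every non-delimiter character, the trailing group can only ever meet a delimiter or end of input; either drop it or add a comment on why the delimiter has to be consumed. Separately, `(?:user|user id|uid)` has no boundary in front of it, so any key that merely ends in `user` or `uid` is matched too; a leading `\b` with a negative test case would pin down the intended keys.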

Member

MySqlCredentialsAdoId

Can we open a work item to create specific rules for enquoting chars, etc.?

@michaelcfanning michaelcfanning left a comment

Member

:shipit:

@eddynaka eddynaka enabled auto-merge (squash) September 14, 2021 18:52
@eddynaka eddynaka merged commit 72fbce6 into main Sep 14, 2021
@eddynaka eddynaka deleted the users/ednakamu/removing-characters-from-id branch September 14, 2021 19:00