gosec/rules/hardcoded_credentials.go

// (c) Copyright 2016 Hewlett Packard Enterprise Development LP
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package rules

import (
	"go/ast"
	"regexp"
	"strconv"

	zxcvbn "github.com/nbutton23/zxcvbn-go"
	"github.com/securego/gosec"
)

type credentials struct {
	gosec.MetaData
	pattern          *regexp.Regexp
	entropyThreshold float64
	perCharThreshold float64
	truncate         int
	ignoreEntropy    bool
}

func (r *credentials) ID() string {
	return r.MetaData.ID
}

func truncate(s string, n int) string {
	if n > len(s) {
		return s
	}
	return s[:n]
}

func (r *credentials) isHighEntropyString(str string) bool {
	s := truncate(str, r.truncate)
	info := zxcvbn.PasswordStrength(s, []string{})
	entropyPerChar := info.Entropy / float64(len(s))
	return (info.Entropy >= r.entropyThreshold ||
		(info.Entropy >= (r.entropyThreshold/2) &&
			entropyPerChar >= r.perCharThreshold))
}

func (r *credentials) Match(n ast.Node, ctx *gosec.Context) (*gosec.Issue, error) {
	switch node := n.(type) {
	case *ast.AssignStmt:
		return r.matchAssign(node, ctx)
	case *ast.ValueSpec:
		return r.matchValueSpec(node, ctx)
	}
	return nil, nil
}

func (r *credentials) matchAssign(assign *ast.AssignStmt, ctx *gosec.Context) (*gosec.Issue, error) {
	for _, i := range assign.Lhs {
		if ident, ok := i.(*ast.Ident); ok {
			if r.pattern.MatchString(ident.Name) {
				for _, e := range assign.Rhs {
					if val, err := gosec.GetString(e); err == nil {
						if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val)) {
							return gosec.NewIssue(ctx, assign, r.ID(), r.What, r.Severity, r.Confidence), nil
						}
					}
				}
			}
		}
	}
	return nil, nil
}

func (r *credentials) matchValueSpec(valueSpec *ast.ValueSpec, ctx *gosec.Context) (*gosec.Issue, error) {
	for index, ident := range valueSpec.Names {
		if r.pattern.MatchString(ident.Name) && valueSpec.Values != nil {
			// const foo, bar = "same value"
			if len(valueSpec.Values) <= index {
				index = len(valueSpec.Values) - 1
			}
			if val, err := gosec.GetString(valueSpec.Values[index]); err == nil {
				if r.ignoreEntropy || (!r.ignoreEntropy && r.isHighEntropyString(val)) {
					return gosec.NewIssue(ctx, valueSpec, r.ID(), r.What, r.Severity, r.Confidence), nil
				}
			}
		}
	}
	return nil, nil
}

// NewHardcodedCredentials attempts to find high entropy string constants being
// assigned to variables that appear to be related to credentials.
func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {
	pattern := `(?i)passwd|pass|password|pwd|secret|token`
	entropyThreshold := 80.0
	perCharThreshold := 3.0
	ignoreEntropy := false
	var truncateString = 16
	if val, ok := conf["G101"]; ok {
		conf := val.(map[string]string)
		if configPattern, ok := conf["pattern"]; ok {
			pattern = configPattern
		}
		if configIgnoreEntropy, ok := conf["ignore_entropy"]; ok {
			if parsedBool, err := strconv.ParseBool(configIgnoreEntropy); err == nil {
				ignoreEntropy = parsedBool
			}
		}
		if configEntropyThreshold, ok := conf["entropy_threshold"]; ok {
			if parsedNum, err := strconv.ParseFloat(configEntropyThreshold, 64); err == nil {
				entropyThreshold = parsedNum
			}
		}
		if configCharThreshold, ok := conf["per_char_threshold"]; ok {
			if parsedNum, err := strconv.ParseFloat(configCharThreshold, 64); err == nil {
				perCharThreshold = parsedNum
			}
		}
		if configTruncate, ok := conf["truncate"]; ok {
			if parsedInt, err := strconv.Atoi(configTruncate); err == nil {
				truncateString = parsedInt
			}
		}
	}

	return &credentials{
		pattern:          regexp.MustCompile(pattern),
		entropyThreshold: entropyThreshold,
		perCharThreshold: perCharThreshold,
		ignoreEntropy:    ignoreEntropy,
		truncate:         truncateString,
		MetaData: gosec.MetaData{
			ID:         id,
			What:       "Potential hardcoded credentials",
			Confidence: gosec.Low,
			Severity:   gosec.High,
		},
	}, []ast.Node{(*ast.AssignStmt)(nil), (*ast.ValueSpec)(nil)}
}
Initial public release 2016-07-20 11:02:01 +01:00			`// (c) Copyright 2016 Hewlett Packard Enterprise Development LP`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package rules`

			`import (`
			`"go/ast"`
			`"regexp"`
Restructure to focus on lib rather than cli 2017-04-26 16:08:46 +01:00			`"strconv"`
Introduce entropy checking of string This will hopefully reduce the number of false positives when it comes to hard coded credentials. The zxcvbn library is used to calculate the entropy of the string. By default the first 16 characters are considered as doing the entropy check for strings much longer than that introduces a fairly significant performance hit. 2017-01-14 21:45:34 +00:00
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`zxcvbn "github.com/nbutton23/zxcvbn-go"`
			`"github.com/securego/gosec"`
Initial public release 2016-07-20 11:02:01 +01:00			`)`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`type credentials struct {`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`gosec.MetaData`
Introduce entropy checking of string This will hopefully reduce the number of false positives when it comes to hard coded credentials. The zxcvbn library is used to calculate the entropy of the string. By default the first 16 characters are considered as doing the entropy check for strings much longer than that introduces a fairly significant performance hit. 2017-01-14 21:45:34 +00:00			`pattern *regexp.Regexp`
			`entropyThreshold float64`
			`perCharThreshold float64`
Go 1.5 does not support width precision specifier 2017-01-14 22:39:22 +00:00			`truncate int`
Introduce entropy checking of string This will hopefully reduce the number of false positives when it comes to hard coded credentials. The zxcvbn library is used to calculate the entropy of the string. By default the first 16 characters are considered as doing the entropy check for strings much longer than that introduces a fairly significant performance hit. 2017-01-14 21:45:34 +00:00			`ignoreEntropy bool`
			`}`

Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`func (r *credentials) ID() string {`
			`return r.MetaData.ID`
			`}`

Go 1.5 does not support width precision specifier 2017-01-14 22:39:22 +00:00			`func truncate(s string, n int) string {`
			`if n > len(s) {`
			`return s`
			`}`
			`return s[:n]`
			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`func (r *credentials) isHighEntropyString(str string) bool {`
Go 1.5 does not support width precision specifier 2017-01-14 22:39:22 +00:00			`s := truncate(str, r.truncate)`
Introduce entropy checking of string This will hopefully reduce the number of false positives when it comes to hard coded credentials. The zxcvbn library is used to calculate the entropy of the string. By default the first 16 characters are considered as doing the entropy check for strings much longer than that introduces a fairly significant performance hit. 2017-01-14 21:45:34 +00:00			`info := zxcvbn.PasswordStrength(s, []string{})`
			`entropyPerChar := info.Entropy / float64(len(s))`
			`return (info.Entropy >= r.entropyThreshold \|\|`
			`(info.Entropy >= (r.entropyThreshold/2) &&`
			`entropyPerChar >= r.perCharThreshold))`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func (r credentials) Match(n ast.Node, ctx gosec.Context) (*gosec.Issue, error) {`
Update hardcoded credentials rule for GenDecls The hardcoded credentials rule will now also examine GenDecls so will work with global vars and constants. Fixes #74 2016-11-13 20:57:59 +00:00			`switch node := n.(type) {`
			`case *ast.AssignStmt:`
			`return r.matchAssign(node, ctx)`
Switch to valuespec instead of gendecl for hardcoded credential rule (#186) 2018-03-08 23:49:49 +00:00			`case *ast.ValueSpec:`
			`return r.matchValueSpec(node, ctx)`
Update hardcoded credentials rule for GenDecls The hardcoded credentials rule will now also examine GenDecls so will work with global vars and constants. Fixes #74 2016-11-13 20:57:59 +00:00			`}`
			`return nil, nil`
			`}`

Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func (r credentials) matchAssign(assign ast.AssignStmt, ctx gosec.Context) (gosec.Issue, error) {`
Update hardcoded credentials rule for GenDecls The hardcoded credentials rule will now also examine GenDecls so will work with global vars and constants. Fixes #74 2016-11-13 20:57:59 +00:00			`for _, i := range assign.Lhs {`
			`if ident, ok := i.(*ast.Ident); ok {`
			`if r.pattern.MatchString(ident.Name) {`
			`for _, e := range assign.Rhs {`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`if val, err := gosec.GetString(e); err == nil {`
Introduce entropy checking of string This will hopefully reduce the number of false positives when it comes to hard coded credentials. The zxcvbn library is used to calculate the entropy of the string. By default the first 16 characters are considered as doing the entropy check for strings much longer than that introduces a fairly significant performance hit. 2017-01-14 21:45:34 +00:00			`if r.ignoreEntropy \|\| (!r.ignoreEntropy && r.isHighEntropyString(val)) {`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`return gosec.NewIssue(ctx, assign, r.ID(), r.What, r.Severity, r.Confidence), nil`
Introduce entropy checking of string This will hopefully reduce the number of false positives when it comes to hard coded credentials. The zxcvbn library is used to calculate the entropy of the string. By default the first 16 characters are considered as doing the entropy check for strings much longer than that introduces a fairly significant performance hit. 2017-01-14 21:45:34 +00:00			`}`
Update hardcoded credentials rule for GenDecls The hardcoded credentials rule will now also examine GenDecls so will work with global vars and constants. Fixes #74 2016-11-13 20:57:59 +00:00			`}`
			`}`
			`}`
			`}`
			`}`
			`return nil, nil`
			`}`

Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func (r credentials) matchValueSpec(valueSpec ast.ValueSpec, ctx gosec.Context) (gosec.Issue, error) {`
Switch to valuespec instead of gendecl for hardcoded credential rule (#186) 2018-03-08 23:49:49 +00:00			`for index, ident := range valueSpec.Names {`
			`if r.pattern.MatchString(ident.Name) && valueSpec.Values != nil {`
			`// const foo, bar = "same value"`
			`if len(valueSpec.Values) <= index {`
			`index = len(valueSpec.Values) - 1`
			`}`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`if val, err := gosec.GetString(valueSpec.Values[index]); err == nil {`
Switch to valuespec instead of gendecl for hardcoded credential rule (#186) 2018-03-08 23:49:49 +00:00			`if r.ignoreEntropy \|\| (!r.ignoreEntropy && r.isHighEntropyString(val)) {`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`return gosec.NewIssue(ctx, valueSpec, r.ID(), r.What, r.Severity, r.Confidence), nil`
Initial public release 2016-07-20 11:02:01 +01:00			`}`
			`}`
			`}`
			`}`
Update hardcoded credentials rule for GenDecls The hardcoded credentials rule will now also examine GenDecls so will work with global vars and constants. Fixes #74 2016-11-13 20:57:59 +00:00			`return nil, nil`
Initial public release 2016-07-20 11:02:01 +01:00			`}`

fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`// NewHardcodedCredentials attempts to find high entropy string constants being`
			`// assigned to variables that appear to be related to credentials.`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`func NewHardcodedCredentials(id string, conf gosec.Config) (gosec.Rule, []ast.Node) {`
Update hardcoded credentials rule for GenDecls The hardcoded credentials rule will now also examine GenDecls so will work with global vars and constants. Fixes #74 2016-11-13 20:57:59 +00:00			pattern := `(?i)passwd\|pass\|password\|pwd\|secret\|token`
Introduce entropy checking of string This will hopefully reduce the number of false positives when it comes to hard coded credentials. The zxcvbn library is used to calculate the entropy of the string. By default the first 16 characters are considered as doing the entropy check for strings much longer than that introduces a fairly significant performance hit. 2017-01-14 21:45:34 +00:00			`entropyThreshold := 80.0`
			`perCharThreshold := 3.0`
			`ignoreEntropy := false`
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`var truncateString = 16`
Update hardcoded credentials rule for GenDecls The hardcoded credentials rule will now also examine GenDecls so will work with global vars and constants. Fixes #74 2016-11-13 20:57:59 +00:00			`if val, ok := conf["G101"]; ok {`
Introduce entropy checking of string This will hopefully reduce the number of false positives when it comes to hard coded credentials. The zxcvbn library is used to calculate the entropy of the string. By default the first 16 characters are considered as doing the entropy check for strings much longer than that introduces a fairly significant performance hit. 2017-01-14 21:45:34 +00:00			`conf := val.(map[string]string)`
			`if configPattern, ok := conf["pattern"]; ok {`
			`pattern = configPattern`
			`}`
			`if configIgnoreEntropy, ok := conf["ignore_entropy"]; ok {`
			`if parsedBool, err := strconv.ParseBool(configIgnoreEntropy); err == nil {`
			`ignoreEntropy = parsedBool`
			`}`
			`}`
			`if configEntropyThreshold, ok := conf["entropy_threshold"]; ok {`
			`if parsedNum, err := strconv.ParseFloat(configEntropyThreshold, 64); err == nil {`
			`entropyThreshold = parsedNum`
			`}`
			`}`
			`if configCharThreshold, ok := conf["per_char_threshold"]; ok {`
			`if parsedNum, err := strconv.ParseFloat(configCharThreshold, 64); err == nil {`
			`perCharThreshold = parsedNum`
			`}`
			`}`
			`if configTruncate, ok := conf["truncate"]; ok {`
Go 1.5 does not support width precision specifier 2017-01-14 22:39:22 +00:00			`if parsedInt, err := strconv.Atoi(configTruncate); err == nil {`
Introduce entropy checking of string This will hopefully reduce the number of false positives when it comes to hard coded credentials. The zxcvbn library is used to calculate the entropy of the string. By default the first 16 characters are considered as doing the entropy check for strings much longer than that introduces a fairly significant performance hit. 2017-01-14 21:45:34 +00:00			`truncateString = parsedInt`
			`}`
			`}`
Update hardcoded credentials rule for GenDecls The hardcoded credentials rule will now also examine GenDecls so will work with global vars and constants. Fixes #74 2016-11-13 20:57:59 +00:00			`}`
Introduce entropy checking of string This will hopefully reduce the number of false positives when it comes to hard coded credentials. The zxcvbn library is used to calculate the entropy of the string. By default the first 16 characters are considered as doing the entropy check for strings much longer than that introduces a fairly significant performance hit. 2017-01-14 21:45:34 +00:00
fix golint errors picked up by hound-ci 2017-12-13 12:35:47 +00:00			`return &credentials{`
Introduce entropy checking of string This will hopefully reduce the number of false positives when it comes to hard coded credentials. The zxcvbn library is used to calculate the entropy of the string. By default the first 16 characters are considered as doing the entropy check for strings much longer than that introduces a fairly significant performance hit. 2017-01-14 21:45:34 +00:00			`pattern: regexp.MustCompile(pattern),`
			`entropyThreshold: entropyThreshold,`
			`perCharThreshold: perCharThreshold,`
			`ignoreEntropy: ignoreEntropy,`
			`truncate: truncateString,`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`MetaData: gosec.MetaData{`
Add support for #excluding specific rules 2017-10-05 22:32:03 +01:00			`ID: id,`
Initial public release 2016-07-20 11:02:01 +01:00			`What: "Potential hardcoded credentials",`
Replace gas with gosec everywhere in the project 2018-07-19 17:42:25 +01:00			`Confidence: gosec.Low,`
			`Severity: gosec.High,`
Initial public release 2016-07-20 11:02:01 +01:00			`},`
Switch to valuespec instead of gendecl for hardcoded credential rule (#186) 2018-03-08 23:49:49 +00:00			`}, []ast.Node{(ast.AssignStmt)(nil), (ast.ValueSpec)(nil)}`
Initial public release 2016-07-20 11:02:01 +01:00			`}`