fix(secret): change grafana token regex to find them without unquoted (#7627)

sgaist · web-flow · commit 3e1fa2100074 · 2024-10-02T10:06:14.000Z
diff --git a/pkg/fanal/secret/builtin-rules.go b/pkg/fanal/secret/builtin-rules.go
@@ -553,7 +553,7 @@ var builtinRules = []Rule{
 		Category: CategoryGrafana,
 		Title:    "Grafana API token",
 		Severity: "MEDIUM",
-		Regex:    MustCompile(`['\"]eyJrIjoi(?i)[a-z0-9\-_=]{72,92}['\"]`),
+		Regex:    MustCompile(`['\"]?eyJrIjoi(?i)[a-z0-9\-_=]{72,92}['\"]?`),
 		Keywords: []string{"eyJrIjoi"},
 	},
 	{
diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
@@ -690,6 +690,71 @@ func TestSecretScanner(t *testing.T) {
 		},
 	}
 
+	wantFindingGrafanaQuoted := types.SecretFinding{
+		RuleID:    "grafana-api-token",
+		Category:  secret.CategoryGrafana,
+		Title:     "Grafana API token",
+		Severity:  "MEDIUM",
+		StartLine: 1,
+		EndLine:   1,
+		Match:     "GRAFANA_TOKEN=**********************************************************************************************",
+		Code: types.Code{
+			Lines: []types.Line{
+				{
+					Number:      1,
+					Content:     "GRAFANA_TOKEN=**********************************************************************************************",
+					Highlighted: "GRAFANA_TOKEN=**********************************************************************************************",
+					IsCause:     true,
+					FirstCause:  true,
+					LastCause:   true,
+				},
+				{
+					Number:      2,
+					Content:     "GRAFANA_TOKEN=**************************************************************************************",
+					Highlighted: "GRAFANA_TOKEN=**************************************************************************************",
+					IsCause:     false,
+					FirstCause:  false,
+					LastCause:   false,
+				},
+			},
+		},
+	}
+
+	wantFindingGrafanaUnquoted := types.SecretFinding{
+		RuleID:    "grafana-api-token",
+		Category:  secret.CategoryGrafana,
+		Title:     "Grafana API token",
+		Severity:  "MEDIUM",
+		StartLine: 2,
+		EndLine:   2,
+		Match:     "GRAFANA_TOKEN=********************************************************************************************",
+		Code: types.Code{
+			Lines: []types.Line{
+				{
+					Number:      1,
+					Content:     "GRAFANA_TOKEN=**************************************************************************************",
+					Highlighted: "GRAFANA_TOKEN=**************************************************************************************",
+					IsCause:     false,
+					FirstCause:  false,
+					LastCause:   false,
+				},
+				{
+					Number:      2,
+					Content:     "GRAFANA_TOKEN=********************************************************************************************",
+					Highlighted: "GRAFANA_TOKEN=********************************************************************************************",
+					IsCause:     true,
+					FirstCause:  true,
+					LastCause:   true,
+				},
+				{
+					Number:      3,
+					Content:     "",
+					Highlighted: "",
+				},
+			},
+		},
+	}
+
 	wantMultiLine := types.SecretFinding{
 		RuleID:    "multi-line-secret",
 		Category:  "general",
@@ -858,6 +923,15 @@ func TestSecretScanner(t *testing.T) {
 				Findings: []types.SecretFinding{wantFindingHuggingFace},
 			},
 		},
+		{
+			name:          "find grafana secret",
+			configPath:    filepath.Join("testdata", "config.yaml"),
+			inputFilePath: filepath.Join("testdata", "grafana-env.txt"),
+			want: types.Secret{
+				FilePath: filepath.Join("testdata", "grafana-env.txt"),
+				Findings: []types.SecretFinding{wantFindingGrafanaUnquoted, wantFindingGrafanaQuoted},
+			},
+		},
 		{
 			name:          "find JWT token",
 			configPath:    filepath.Join("testdata", "config.yaml"),
diff --git a/pkg/fanal/secret/testdata/grafana-env.txt b/pkg/fanal/secret/testdata/grafana-env.txt
@@ -0,0 +1,2 @@
+GRAFANA_TOKEN="eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbkT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk"
+GRAFANA_TOKEN=eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbkT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk

Original file line number	Diff line number	Diff line change
`@@ -553,7 +553,7 @@ var builtinRules = []Rule{`
`553`	`553`	`Category: CategoryGrafana,`
`554`	`554`	`Title: "Grafana API token",`
`555`	`555`	`Severity: "MEDIUM",`
`556`		- Regex: MustCompile(`['\"]eyJrIjoi(?i)[a-z0-9\-_=]{72,92}['\"]`),
	`556`	+ Regex: MustCompile(`['\"]?eyJrIjoi(?i)[a-z0-9\-_=]{72,92}['\"]?`),
`557`	`557`	`Keywords: []string{"eyJrIjoi"},`
`558`	`558`	`},`
`559`	`559`	`{`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+GRAFANA_TOKEN="eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbkT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk"`
	`2`	`+GRAFANA_TOKEN=eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbkT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk`