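---
# GitHub secret-scanning custom patterns for URIs, URLs and related identifiers.
# For every entry: `regex.pattern` is the secret text itself, `regex.start` and
# `regex.end` are the delimiters that must surround it, and
# `regex.additional_not_match` lists regexes that discard a candidate match
# (placeholders, templating, well-known non-routable ranges). `expected` pins
# the byte offsets the test fixtures (email.js, database.txt, ...) must yield;
# re-run the pattern tests after any regex change, as offsets are fixture-specific.
name: URI / URL Custom Patterns
patterns:
  - name: Hardcoded Internal Emails
    type: hardcoded_internal_emails
    regex:
      # local part: anything but separators, whitespace, quotes, slash or control chars
      pattern: |
        [^:@\r\n \t"'/\p{Cc}]+@(internal\.)?example\.com
      start: |
        \A|[\s"'`,;=]
      # `\z` (absolute end) is used file-wide; the previous `\Z` also accepted
      # a trailing newline, which the character class already covers.
      end: |
        \z|[^a-zA-Z._0-9-]
    expected:
      - name: email.js
        start_offset: 75
        end_offset: 95
      - name: email.js
        start_offset: 130
        end_offset: 152

  - name: Hardcoded Internal URLs
    type: hardcoded_internal_urls
    regex:
      # scheme, optional userinfo or subdomain prefix, the internal host, then
      # the remainder of the URL up to whitespace or a quote
      pattern: |
        [A-Za-z][A-Za-z0-9+_-]*://([^/?#\s\p{Cc}]*[.@])?(example\.com|internal\.example\.com)[/?#]?[^\s"']*
      start: |
        \A|[^A-Za-z0-9+_-]
      end: |
        \z|[\s'"]
    expected:
      - name: email.js
        start_offset: 169
        end_offset: 188
      - name: email.js
        start_offset: 211
        end_offset: 239
      - name: email.js
        start_offset: 266
        end_offset: 299
      - name: database.txt
        start_offset: 72
        end_offset: 129
      - name: database.txt
        start_offset: 147
        end_offset: 185
      - name: database.txt
        start_offset: 216
        end_offset: 256
      - name: database.txt
        start_offset: 565
        end_offset: 590

  - name: Hardcoded URI Passwords
    type: hardcoded_uri_passwords
    regex:
      # the password is everything between `scheme://user:` (start) and the
      # `@host[:port]` that follows (end); control chars 0x00-0x08 are excluded
      pattern: |
        [^$/?#@\s][^/?#@\s\x00-\x08]*
      start: |
        (\b|\A)[A-Za-z][A-Za-z0-9+_-]*://[^/?#:@\s\x00-\x08]*:
      end: |
        @[\p{L}\p{N}\.-]*(?:\:[0-9]{1,5})?([/?#\s]|\b|\z)
      additional_not_match:
        # placeholders such as <password>, {secret}, [passwd]
        - (?i)^[[{(<]?(?:password|passwd|secret)[\]})>]?$
        # variable substitution such as ${DB_PASSWORD} or {password}
        # NOTE(review): was `^\$?\{[^}+]\}i\}$`, which could only match a
        # literal "...}i}" and never a braced variable; confirm against fixtures
        - ^\$?\{[^}]+\}$
        # format string (%s, %.*s)
        - ^%(?:\.\*)?s$
    expected:
      - name: app.py
        start_offset: 160
        end_offset: 179
      - name: database.txt
        start_offset: 23
        end_offset: 29
      - name: database.txt
        start_offset: 100
        end_offset: 108
      - name: database.txt
        start_offset: 158
        end_offset: 170
      - name: database.txt
        start_offset: 227
        end_offset: 241
      - name: non-english.txt
        start_offset: 19
        end_offset: 25

  - name: Routable IPv4 Addresses
    type: any_ipv4_addresses
    regex:
      # four dotted octets, each 0-255 without leading zeros
      pattern: |
        (?:(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(?:25[0-5]|(?:2[0-4]|1[0-9]|[1-9]|)[0-9])
      # a leading `v` is rejected so version strings like v1.2.3.4 are skipped
      start: |
        \A|[^v.0-9]
      # a trailing `-` is rejected for the same reason (build suffixes)
      end: |
        \z|[^.0-9-]
      additional_not_match:
        # listening to everything, or broadcast address
        - ^(?:0\.0\.0\.0|255\.255\.255\.255)$
        # localhost, link local or multicast
        - ^(?:127|169\.254|224\.0\.0)\..*
        # example IP ranges - TEST-NET-1, etc.
        # NOTE(review): every dot is now escaped; the former `192\.0.2` let
        # the middle `.` match any character
        - ^(?:192\.0\.2|198\.51\.100|203\.0\.113|233\.252\.0)\..*
    comments:
      - False Positives with build versions, but won't match if prefixed with v or ends with -
      - Use a custom IPv4 pattern if possible, tailored for the ranges you use
      - Doesn't include test, localhost or non-routable IPs
      - Does include local ranges such as 192.168.0.0/24
    expected:
      - name: ipv4.txt
        start_offset: 0
        end_offset: 7
      - name: ipv4.txt
        start_offset: 53
        end_offset: 64
      - name: ipv4_private.txt
        start_offset: 81
        end_offset: 92
      - name: ipv4_private.txt
        start_offset: 93
        end_offset: 101
      - name: ipv4_random.txt
        start_offset: 76
        end_offset: 83
      - name: ipv4_random.txt
        start_offset: 84
        end_offset: 91
      - name: ipv4_random.txt
        start_offset: 121
        end_offset: 133

  - name: GitHub Container Registry typos
    type: ghcr_typos
    regex:
      # a mistyped registry host in an image reference resolves to whichever
      # party registered that domain, so common transpositions of ghcr.io are
      # flagged as a supply-chain risk
      pattern: |
        (?:ghrc|gchr|hgcr|ghr|ghc)\.io
      start: |
        \A|[^0-9A-Za-z-]
      end: |
        \z|[^0-9A-Za-z.-]
    expected:
      - name: wrong_docker.sh
        start_offset: 32
        end_offset: 39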