fix: corrected verification endpoint & validation logic for bombbomb #3462
Conversation
Signed-off-by: Sahil Silare <sahilsilare@gmail.com>
pkg/common/patterns.go
Outdated
@@ -8,6 +8,7 @@ import ( | |||
) | |||
|
|||
const EmailPattern = `\b(?:[a-z0-9!#$%&'*+/=?^_\x60{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_\x60{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])\b` | |||
const JWTPattern = `\b[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\b` |
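Review bot: `JWTPattern` on the added line is too loose to be a secret detector: three dot-separated runs of `[A-Za-z0-9-_]` also match version strings (`v1.2.3`), hostnames (`api.example.com`) and dotted identifiers, so every match will need expensive verification. A JWT is base64url-encoded JSON and its header therefore always starts with the encoding of `{"`, which is `ey`; anchor on that prefix and bound the segment lengths, along the lines of `\bey[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{20,}\b`. Note also that the trailing `\b` requires a word boundary, so a signature segment ending in `-` (a non-word character) followed by whitespace will not match; if the character class keeps `-`, consider an explicit terminator instead of `\b`, as the formio detector referenced in this thread does with `[ \r\n]{1}`.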
@sahil9001 this is too loose. Take a look at this for a reference https://github.com/gitleaks/gitleaks/blob/43fae355e6fe4d99d2a7b240a224b85e2903aeb4/config/gitleaks.toml#L2311 or even
trufflehog/pkg/detectors/formio/formio.go
Line 23 in 6a367ab
keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"formio"}) + `\b(eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[0-9A-Za-z]{220,310}\.[0-9A-Z-a-z\-_]{43}[ \r\n]{1})`)
@sahil9001 JWTs are base64 encoded, so there will be a common prefix for all JWTs: base64('{"') = ey. Take a look at https://www.ibm.com/docs/en/cics-ts/6.x?topic=cics-json-web-token-jwt.
@zricethezav, thanks, I read more about it and found out that:
- The `typ` part is common for all JWT tokens; `alg` and `jti` change, due to which we can only constrain the JWT common prefix up to `ey`.

Please take a look, I have made the change.
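The two points made in this thread, that the proposed pattern is too loose and that base64url encoding gives every JWT header a shared prefix, can be checked directly. The following is an added example, not code from this PR or from trufflehog: it compiles the pattern from the hunk beside an assumed tightened alternative (my own, not the project's), runs both over a constructed line of text containing a constructed token and some benign dotted strings, and computes the shared base64url prefix of several constructed header variants to see how far the common `ey` prefix actually extends.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// loosePattern is the JWT pattern as proposed in the PR hunk: any three
// dot-separated runs of base64url characters.
var loosePattern = regexp.MustCompile(`\b[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\b`)

// strictPattern is an assumed tightened alternative (not the project's own
// pattern): the header segment must start with the base64url prefix shared
// by JSON headers, and every segment gets a minimum length so that short
// dotted identifiers no longer qualify.
var strictPattern = regexp.MustCompile(`\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{20,}\b`)

// SharedPrefix base64url-encodes each JSON header and returns the prefix
// common to all of the encodings. This is how the "ey" observation in the
// thread can be verified rather than assumed.
func SharedPrefix(headers []string) string {
	if len(headers) == 0 {
		return ""
	}
	enc := base64.RawURLEncoding
	prefix := enc.EncodeToString([]byte(headers[0]))
	for _, h := range headers[1:] {
		s := enc.EncodeToString([]byte(h))
		n := 0
		for n < len(prefix) && n < len(s) && prefix[n] == s[n] {
			n++
		}
		prefix = prefix[:n]
	}
	return prefix
}

// FindCandidates runs a candidate pattern over text and returns every match,
// which is what a detector would hand on to verification.
func FindCandidates(re *regexp.Regexp, text string) []string {
	return re.FindAllString(text, -1)
}

// makeToken builds a constructed JWT-shaped string from a header and a claims
// object; the signature is a fixed placeholder, not a real MAC.
func makeToken(header, claims string) string {
	enc := base64.RawURLEncoding
	sig := strings.Repeat("A", 43) // 43 base64url chars = 32 bytes, the size of an HS256 tag
	return enc.EncodeToString([]byte(header)) + "." + enc.EncodeToString([]byte(claims)) + "." + sig
}

// SampleText is constructed input mixing one token with benign dotted strings
// of the kind that show up in logs and config files.
var SampleText = "version v1.2.3 deployed to api.example.com with token " +
	makeToken(`{"alg":"HS256","typ":"JWT"}`, `{"sub":"1234567890","name":"example","iat":1516239022}`) +
	" and build id 2024-10-01.abc.def"

func main() {
	// Constructed header variants: key order, algorithm and extra fields differ.
	fmt.Println("shared prefix:", SharedPrefix([]string{
		`{"alg":"HS256","typ":"JWT"}`,
		`{"typ":"JWT","alg":"RS256"}`,
		`{"kid":"k1","alg":"ES256"}`,
		`{"alg":"none"}`,
	}))
	fmt.Println("loose :", FindCandidates(loosePattern, SampleText))
	fmt.Println("strict:", FindCandidates(strictPattern, SampleText))
}
```

Running it, the loose pattern reports the version string, the hostname, the build id and the token, while the prefix-anchored pattern reports only the token; the shared prefix of the constructed headers comes out as `eyJ`, because `{"` followed by any ASCII letter encodes to the same three characters.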
Signed-off-by: Sahil Silare <sahilsilare@gmail.com>
Description:
Fixes #3461, tests:

Checklist:
- `make test-community`?
- `make lint` (this requires golangci-lint)?