Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improving GoogleApiKeyValidator #229

Closed
wants to merge 4 commits into from
Closed

Improving GoogleApiKeyValidator #229

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
76f0011
Improving GoogleApiKeyValidator
eddynaka Feb 18, 2021
3e95456
Merge branch 'main' into users/ednakamu/improving-google-api
eddynaka Feb 20, 2021
666a476
Returning pass and changing kind
eddynaka Feb 20, 2021
dfdf9d7
Fixing tests
eddynaka Feb 20, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 9 additions & 2 deletions Src/Plugins/Security/SEC101_003.GoogleApiKeyValidator.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,8 +61,10 @@ protected override string IsValidDynamicHelper(ref string fingerprintText,
const string Deleted = "RequestDenied: This API project was not found. This API project may have been deleted or may not be authorized to use this API. You may need to enable the API under APIs in the console).";
const string KeyNotAuthorized = "RequestDenied: This API key is not authorized to use this service or API.";
const string ProjectNotAuthorized = "RequestDenied: This API project is not authorized to use this API.";
const string IpNotAuthorized = "RequestDenied: This IP, site or mobile application is not authorized to use this API key.";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IpNotAuthorized [](start = 25, length = 15)

This is not the right change. 'NoMatch' indicates a false positive. Both these conditions indicate that we did in fact find a match and that the key was actually secured in some way. We can't take this change, we can discuss more offline.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could add Pass to the ValidationState and in the SearchSkimmer, if we get a pass, we change the kind to pass as well. Should we leave error as warning or should we change as well?

In reply to: 578522731 [](ancestors = 578522731)

const string Invalid = "RequestDenied: The provided API key is invalid.";
const string Expired = "RequestDenied: The provided API key is expired.";
const string RefererRestricted = "RequestDenied: API keys with referer restrictions cannot be used with this API";

var fingerprint = new Fingerprint(fingerprintText);

Expand All @@ -81,8 +83,7 @@ protected override string IsValidDynamicHelper(ref string fingerprintText,
}
catch (Exception e)
{
var googleException = e as GoogleApiException;
if (googleException != null)
if (e is GoogleApiException googleException)
{
switch (e.Message)
{
Expand All @@ -107,6 +108,12 @@ protected override string IsValidDynamicHelper(ref string fingerprintText,
return nameof(ValidationState.Expired);
}

case IpNotAuthorized:
case RefererRestricted:
{
return nameof(ValidationState.Pass);
}

case Invalid:
{
return nameof(ValidationState.NoMatch);
Expand Down
49 changes: 48 additions & 1 deletion ...iewPotentiallySensitiveFiles/ExpectedOutputs/SEC103_004.CertificateFile_cer_encoded.sarif
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,14 +10,61 @@
"product": "Microsoft.TestHost",
"fullName": "testhost 15.0.0.0",
"version": "15.0.0.0",
"semanticVersion": "15.0.0"
"semanticVersion": "15.0.0",
"rules": [
{
"id": "SEC103/004",
"name": "ReviewPotentiallySensitiveFiles/CertificateFile",
"fullDescription": {
"text": "Review potentially sensitive files in versioned engineering content and other locations for security risk."
},
"messageStrings": {
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' because the analysis is not relevant for the following reason: {2}."
},
"Default": {
"text": "'{0}' is {1}{2}{3}{4}."
}
},
"helpUri": "https://github.com/microsoft/sarif-pattern-matcher"
}
]
}
},
"invocations": [
{
"executionSuccessful": true
}
],
"results": [
{
"ruleId": "SEC103/004",
"ruleIndex": 0,
"message": {
"id": "Default",
"arguments": [
"SEC103_004.CertificateFile_cer_encoded.cer",
"",
"encoded binary x.509 certificate",
"",
""
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/Plugins/Tests.Security/TestData/ReviewPotentiallySensitiveFiles/Inputs/SEC103_004.CertificateFile_cer_encoded.cer",
"uriBaseId": "SRC_ROOT"
}
}
}
],
"fingerprints": {
"ValidationFingerprint/v1": "[thumbprint=391550988FF0B079A0E712728F2EB95D542EF58F]"
}
}
],
"columnKind": "utf16CodeUnits"
}
]
Expand Down
49 changes: 48 additions & 1 deletion ...iewPotentiallySensitiveFiles/ExpectedOutputs/SEC103_004.CertificateFile_der_encoded.sarif
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,14 +10,61 @@
"product": "Microsoft.TestHost",
"fullName": "testhost 15.0.0.0",
"version": "15.0.0.0",
"semanticVersion": "15.0.0"
"semanticVersion": "15.0.0",
"rules": [
{
"id": "SEC103/004",
"name": "ReviewPotentiallySensitiveFiles/CertificateFile",
"fullDescription": {
"text": "Review potentially sensitive files in versioned engineering content and other locations for security risk."
},
"messageStrings": {
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' because the analysis is not relevant for the following reason: {2}."
},
"Default": {
"text": "'{0}' is {1}{2}{3}{4}."
}
},
"helpUri": "https://github.com/microsoft/sarif-pattern-matcher"
}
]
}
},
"invocations": [
{
"executionSuccessful": true
}
],
"results": [
{
"ruleId": "SEC103/004",
"ruleIndex": 0,
"message": {
"id": "Default",
"arguments": [
"SEC103_004.CertificateFile_der_encoded.cer",
"",
"encoded binary x.509 certificate",
"",
""
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/Plugins/Tests.Security/TestData/ReviewPotentiallySensitiveFiles/Inputs/SEC103_004.CertificateFile_der_encoded.cer",
"uriBaseId": "SRC_ROOT"
}
}
}
],
"fingerprints": {
"ValidationFingerprint/v1": "[thumbprint=391550988FF0B079A0E712728F2EB95D542EF58F]"
}
}
],
"columnKind": "utf16CodeUnits"
}
]
Expand Down
49 changes: 48 additions & 1 deletion ...ensitiveFiles/ExpectedOutputs/SEC103_016.PKCS7CryptographicKeyfile_all_certificates.sarif
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,14 +10,61 @@
"product": "Microsoft.TestHost",
"fullName": "testhost 15.0.0.0",
"version": "15.0.0.0",
"semanticVersion": "15.0.0"
"semanticVersion": "15.0.0",
"rules": [
{
"id": "SEC103/016",
"name": "ReviewPotentiallySensitiveFiles/PKCS7CryptographicKeyfile",
"fullDescription": {
"text": "Review potentially sensitive files in versioned engineering content and other locations for security risk."
},
"messageStrings": {
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' because the analysis is not relevant for the following reason: {2}."
},
"Default": {
"text": "'{0}' is {1}{2}{3}{4}."
}
},
"helpUri": "https://github.com/microsoft/sarif-pattern-matcher"
}
]
}
},
"invocations": [
{
"executionSuccessful": true
}
],
"results": [
{
"ruleId": "SEC103/016",
"ruleIndex": 0,
"message": {
"id": "Default",
"arguments": [
"SEC103_016.PKCS7CryptographicKeyfile_all_certificates.p7b",
"",
"PKCS#7 cryptographic key bundle",
"",
" (which contains private keys)"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/Plugins/Tests.Security/TestData/ReviewPotentiallySensitiveFiles/Inputs/SEC103_016.PKCS7CryptographicKeyfile_all_certificates.p7b",
"uriBaseId": "SRC_ROOT"
}
}
}
],
"fingerprints": {
"ValidationFingerprint/v1": "[thumbprint=391550988FF0B079A0E712728F2EB95D542EF58F]"
}
}
],
"columnKind": "utf16CodeUnits"
}
]
Expand Down
49 changes: 48 additions & 1 deletion ...entiallySensitiveFiles/ExpectedOutputs/SEC103_016.PKCS7CryptographicKeyfile_no_keys.sarif
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,14 +10,61 @@
"product": "Microsoft.TestHost",
"fullName": "testhost 15.0.0.0",
"version": "15.0.0.0",
"semanticVersion": "15.0.0"
"semanticVersion": "15.0.0",
"rules": [
{
"id": "SEC103/016",
"name": "ReviewPotentiallySensitiveFiles/PKCS7CryptographicKeyfile",
"fullDescription": {
"text": "Review potentially sensitive files in versioned engineering content and other locations for security risk."
},
"messageStrings": {
"NotApplicable_InvalidMetadata": {
"text": "'{0}' was not evaluated for check '{1}' because the analysis is not relevant for the following reason: {2}."
},
"Default": {
"text": "'{0}' is {1}{2}{3}{4}."
}
},
"helpUri": "https://github.com/microsoft/sarif-pattern-matcher"
}
]
}
},
"invocations": [
{
"executionSuccessful": true
}
],
"results": [
{
"ruleId": "SEC103/016",
"ruleIndex": 0,
"message": {
"id": "Default",
"arguments": [
"SEC103_016.PKCS7CryptographicKeyfile_no_keys.p7b",
"",
"PKCS#7 cryptographic key bundle",
"",
" (which contains private keys)"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/Plugins/Tests.Security/TestData/ReviewPotentiallySensitiveFiles/Inputs/SEC103_016.PKCS7CryptographicKeyfile_no_keys.p7b",
"uriBaseId": "SRC_ROOT"
}
}
}
],
"fingerprints": {
"ValidationFingerprint/v1": "[thumbprint=391550988FF0B079A0E712728F2EB95D542EF58F]"
}
}
],
"columnKind": "utf16CodeUnits"
}
]
Expand Down
2 changes: 1 addition & 1 deletion ...iveFiles/ExpectedOutputs/SEC103_024.MicrosoftSerializedCertificateStoreFile_default.sarif
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@
"id": "Default",
"arguments": [
"SEC103_024.MicrosoftSerializedCertificateStoreFile_default.sst",
"an exposed ",
"a valid ",
"Microsoft Serialized Certificate Store",
"",
" (which contains private keys)"
Expand Down
5 changes: 5 additions & 0 deletions Src/Plugins/ValidationState.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,5 +47,10 @@ public enum ValidationState
/// Pattern is a match and the secret is valid.
/// </summary>
Authorized,

/// <summary>
/// Pattern is a match and the secret is secure.
/// </summary>
Pass,
}
}
Loading