- migrate secrets leak from yara rules to semantic regexes

- add mirror json, pypi package list and ast pattern cache to mirror prefetching

Author: RootLUG

aura/analyzers/pypirc.py

@@ -0,0 +1,49 @@
+import configparser
+
+from .. import config
+from .detections import Detection
+from ..uri_handlers.base import ScanLocation
+from ..utils import Analyzer, fast_checksum
+from ..type_definitions import AnalyzerReturnType
+
+
+@Analyzer.ID("pypirc")
+def analyze(*, location: ScanLocation) -> AnalyzerReturnType:
+    """
+    Scans for exposure of credentials inside the `.pypirc` file
+    """
+    if location.location.name != ".pypirc":
+        return
+
+    pypirc = configparser.ConfigParser()
+    pypirc.read(str(location.location))
+
+    # Filter on these values, some pregenerated configurations use them and we don't want to generate false positives on these
+    user_blacklist = config.CFG.get("pypirc", {}).get("username_blacklist", [])
+    pwd_blacklist = config.CFG.get("pypirc", {}).get("password_blacklist", [])
+
+    for section_name in pypirc.sections():
+        section = pypirc[section_name]
+
+        if "username" in section and "password" in section:
+            username = section.get("username")
+            password = section.get("password")
+
+            if username in user_blacklist or password in pwd_blacklist:
+                continue
+
+            sig = fast_checksum(f"{section_name}#{username}#{password}")
+
+            yield Detection(
+                detection_type="LeakingPyPIrc",
+                message = "Leaking credentials in the `.pypirc` file",
+                signature = f"pypirc#{sig}",
+                location = location.location,
+                score = 100,  # TODO: make the score configurable
+                extra = {
+                    "username": username,
+                    "password": password
+                },
+                tags = {"sensitive_file", "secrets_leak"}
+            )
+

aura/data/rules.yara

@@ -94,38 +94,23 @@ rule PossiblePersistence: persistence
 }
 
 
-rule SecretsLeak: secrets_leak
+/*rule SecretsLeak: secrets_leak
 {
     meta:
         score = 100
     strings:
-        $aws_manager_id = /(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}/
         $aws_secret_key = /aws(.{0,20})?['\"][0-9a-zA-Z\/+]{40}['\"]/ nocase
-        $aws_mws_key = /amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/
-        $facebook_secret_key = /(facebook|fb)(.{0,20})?['\"][0-9a-f]{32}['\"]/ nocase
-        $facebook_client_id = /(facebook|fb)(.{0,20})?['\"][0-9]{13,17}['\"]/ nocase
-        $twitter_secret_key = /twitter(.{0,20})?[0-9a-z]{35,44}/ nocase
-        $twitter_client_id = /twitter(.{0,20})?[0-9a-z]{18,25}/ nocase
         $github = /github(.{0,20})?[0-9a-zA-Z]{35,40}/ nocase
         $linkedin_client_id = /linkedin(.{0,20})?[0-9a-z]{12}/ nocase
         $linkedin_secret_key = /linkedin(.{0,20})?[0-9a-z]{16}/ nocase
         $slack = /xox(b|a|p|r|s)-([0-9a-z]{10,48})?/ nocase
-        $google_api_key = /AIza[0-9A-Za-z\\-_]{35}/
         $google_gcp_account = /"type": "service_account"/
         $heroku_api_key = /heroku(.{0,20})?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/ nocase
-        $mailchimp_api_key = /(mailchimp|mc)(.{0,20})?[0-9a-f]{32}-us[0-9]{1,2}/ nocase
-        $mailgun_api_key = /((mailgun|mg)(.{0,20})?)?key-[0-9a-z]{32}/ nocase
-        $paypal_braintree_access_token = /access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}/
-        $picatic_api_key = /sk_live_[0-9a-z]{32}/
         $sendgrid_api_key = /SG\.[\w_]{16,32}\.[\w_]{16,64}/
         $slack_webhook = /https:\/\/hooks.slack.com\/services\/T[a-zA-Z0-9_]{8}\/B[a-zA-Z0-9_]{8}\/[a-zA-Z0-9_]{24}/
-        $strip_api_key = /stripe(.{0,20})?[sr]k_live_[0-9a-zA-Z]{24}/ nocase
-        $square_access_token = /sq0atp-[0-9A-Za-z\-_]{22}/
-        $square_oauth_secret = /sq0csp-[0-9A-Za-z\\-_]{43}/
-        $twilio_api_key = /twilio(.{0,20})?SK[0-9a-f]{32}/ nocase
     condition:
         any of them
-}
+}*/
 
 
 //TO-DO: https://github.com/SublimeCodeIntel/CodeIntel/blob/master/codeintel/which.py#L101

aura/data/signatures.yaml

@@ -622,3 +622,127 @@ strings: &default_strings
     pattern: "^sudo .*$"
     message: "Executing sudo command"
     score: 20
+
+  # Regexes for detecting leaking api tokens, secrets, etc...
+  # Source of some regexes used: https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04B-3_Meli_paper.pdf
+  - id: twitter_access_token
+    type: regex
+    pattern: "^[1-9][0-9]+-[0-9a-zA-Z]{40}$"
+    message: "Twitter access token"
+    score: 100
+    tags:
+      - secrets_leak
+
+  - id: facebook_access_token
+    type: regex
+    pattern: "^EAACEdEose0cBA[0-9A-Za-z]+$"
+    message: "Facebook access token"
+    score: 100
+    tags:
+      - secrets_leak
+
+  - id: google_api_key
+    type: regex
+    pattern: "^AIza[-0-9A-Za-z_]{35}$"
+    message: "Google API key"
+    score: 100
+    tags:
+      - secrets_leak
+
+  - id: google_oauth_id
+    type: regex
+    pattern: "^[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com$"
+    message: "Google OAuth ID"
+    score: 100
+    tags:
+      - secrets_leak
+
+  - id: picatic_api_key
+    type: regex
+    pattern: "^sk_live_[0-9a-z]{32}$"
+    message: "Picatic API key"
+    score: 100
+    tags:
+      - secrets_leak
+
+  - id: stripe_standard_key
+    type: regex
+    pattern: "^sk_live_[0-9a-zA-Z]{24}$"
+    message: "Stripe standard key"
+    score: 100
+    tags:
+      - secrets_leak
+
+  - id: stripe_restricted_key
+    type: regex
+    pattern: "^rk_live_[0-9a-zA-Z]{24}$"
+    message: "Stripe restricted key"
+    score: 100
+    tags:
+      - secrets_leak
+
+  - id: square_access_token
+    type: regex
+    pattern: "^sq0atp-[-0-9A-Za-z_]{22}$"
+    message: "Square access token"
+    score: 100
+    tags:
+      - secrets_leak
+
+  - id: square_oauth_secret
+    type: regex
+    pattern: "^sq0csp-[-0-9A-Za-z_]{43}$"
+    message: "Square OAuth secret"
+    score: 100
+    tags:
+      - secrets_leak
+
+  - id: paypal_braintree
+    type: regex
+    pattern: "^access_token\\$production\\$[0-9a-z]{16}\\$[0-9a-f]{32}$"
+    message: "PayPal braintree access token"
+    score: 100
+    tags:
+      - secrets_leak
+
+  - id: amazon_mws_auth_token
+    type: regex
+    pattern: "^amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
+    message: "Amazon MWS auth token"
+    score: 100
+    tags:
+      - secrets_leak
+
+  - id: twilio_api_key
+    type: regex
+    pattern: "^SK[0-9a-fA-F]{32}$"
+    message: "Twilio API key"
+    score: 100
+    tags:
+      - secrets_leak
+
+  - id: mailgun_api_key
+    type: regex
+    pattern: "^key-[0-9a-zA-Z]{32}$"
+    message: "Mailgun API key"
+    score: 100
+    tags:
+      - secrets_leak
+
+  - id: mailchimp_api_key
+    type: regex
+    pattern: "^[0-9a-f]{32}-us[0-9]{1,2}$"
+    message: "MailChimp API key"
+    score: 100
+    tags:
+      - secrets_leak
+
+  - id: amazon_aws_key
+    type: regex
+    pattern: "^(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[0-9A-Z]{16}$"
+    message: "Amazon AWS key"
+    score: 100
+    tags:
+      - secrets_leak
+
+

aura/mirror.py

@@ -25,8 +25,9 @@ def get_mirror_path(cls) -> typing.Optional[Path]:
 
         return cls._mirror_path
 
-    def list_packages(self) -> typing.Generator[Path, None, None]:
-        yield from (self.get_mirror_path() / "json").iterdir()
+    @classmethod
+    def list_packages(cls) -> typing.Generator[Path, None, None]:
+        yield from (cls.get_mirror_path() / "json").iterdir()
 
     def get_json(self, package_name) -> dict:
         assert package_name

aura/prefetch.py

@@ -2,7 +2,11 @@
 import logging
 from typing import Iterable, TextIO
 
+import tqdm
+
 from . import github
+from . import mirror
+from . import cache
 from .worker_executor import non_blocking, AsyncQueue
 from .exceptions import NoSuchPackage
 from .uri_handlers.base import URIHandler
@@ -34,6 +38,18 @@ async def fetch_package(uri_queue, github_prefetcher):
 
 
 def prefetch_mirror(uris: Iterable[str], workers=10):
+    logger.info("Caching AST patterns")
+    cache.ASTPatternCache.proxy()
+
+    logger.info("Caching list of packages on pypi")
+    cache.PyPIPackageList.proxy()
+
+    logger.info("Prefetching package JSON information")
+    lm = mirror.LocalMirror()
+    pkgs = tuple(lm.list_packages())
+    for x in tqdm.tqdm(pkgs, leave=False):
+        lm.get_json(x)
+
     loop = asyncio.get_event_loop()
 
     pf = github.GitHubPrefetcher()