Update sqlserver redaction, deduplication, and URI redaction (truffle…

…security#1369) * Update sqlserver redaction, deduplication, and URI redaction * don't use pointer
sainsburys-tech · Jun 9, 2023 · ca19472 · ca19472
1 parent c28c70b
commit ca19472
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 6 deletions.
diff --git a/pkg/detectors/detectors.go b/pkg/detectors/detectors.go
@@ -2,6 +2,7 @@ package detectors
 
 import (
 	"context"
+	"net/url"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -153,3 +154,8 @@ func MustGetBenchmarkData() map[string][]byte {
 		"big":    big,
 	}
 }
+
+func RedactURL(u url.URL) string {
+	u.User = url.UserPassword(u.User.Username(), "********")
+	return strings.TrimSpace(strings.Replace(u.String(), "%2A", "*", -1))
+}
diff --git a/pkg/detectors/sqlserver/sqlserver.go b/pkg/detectors/sqlserver/sqlserver.go
@@ -31,22 +31,24 @@ func (s Scanner) Keywords() []string {
 func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
 	matches := pattern.FindAllStringSubmatch(string(data), -1)
 	for _, match := range matches {
-		params, _, err := msdsn.Parse(match[1])
+		paramsUnsafe, _, err := msdsn.Parse(match[1])
 		if err != nil {
 			continue
 		}
 
-		if params.Password == "" {
+		if paramsUnsafe.Password == "" {
 			continue
 		}
 
 		detected := detectors.Result{
 			DetectorType: detectorspb.DetectorType_SQLServer,
-			Raw:          []byte(params.Password),
+			Raw:          []byte(paramsUnsafe.Password),
+			RawV2:        []byte(paramsUnsafe.URL().String()),
+			Redacted:     detectors.RedactURL(*paramsUnsafe.URL()),
 		}
 
 		if verify {
-			verified, err := ping(params)
+			verified, err := ping(paramsUnsafe)
 			if err != nil {
 			} else {
 				detected.Verified = verified

diff --git a/pkg/detectors/sqlserver/sqlserver_test.go b/pkg/detectors/sqlserver/sqlserver_test.go
@@ -45,6 +45,7 @@ func TestSQLServer_FromChunk(t *testing.T) {
 			want: []detectors.Result{
 				{
 					DetectorType: detectorspb.DetectorType_SQLServer,
+					Redacted:     "sqlserver://sa:********@localhost?database=Demo&disableRetry=false",
 					Verified:     true,
 				},
 			},
@@ -66,6 +67,7 @@ func TestSQLServer_FromChunk(t *testing.T) {
 			want: []detectors.Result{
 				{
 					DetectorType: detectorspb.DetectorType_SQLServer,
+					Redacted:     "sqlserver://sa:********@localhost?disableRetry=false",
 					Verified:     false,
 				},
 			},
@@ -103,6 +105,7 @@ func TestSQLServer_FromChunk(t *testing.T) {
 			want: []detectors.Result{
 				{
 					DetectorType: detectorspb.DetectorType_SQLServer,
+					Redacted:     "sqlserver://username:********@server_name?database=testdb&disableRetry=false",
 					Verified:     true,
 				},
 			},

diff --git a/pkg/detectors/uri/uri.go b/pkg/detectors/uri/uri.go
@@ -69,13 +69,12 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 		rawURLStr := rawURL.String()
 		// Removing the path causes possible deduplication issues if some paths have basic auth and some do not.
 		rawURL.Path = ""
-		redact := strings.TrimSpace(strings.Replace(rawURL.String(), password, "********", -1))
 
 		s := detectors.Result{
 			DetectorType: detectorspb.DetectorType_URI,
 			Raw:          []byte(rawURL.String()),
 			RawV2:        []byte(rawURLStr),
-			Redacted:     redact,
+			Redacted:     detectors.RedactURL(*rawURL),
 		}
 
 		if verify {