# Authentication Tuple

## Description

### General

The Authentication Tuple detector aims at catching any pair of username and password that is part of a tuple assignment in code. This type of assignment is most commonly found in Python code and looks like `auth = ("username", "password")`.
### Specifications

The two components of the pair that the detector catches are referred to as username and password.

With this detector, each element must follow a specific set of rules to be considered sensitive, and therefore valid.

For both matches:

- Must be part of a tuple assignment, namely of the form `{assigned_variable} {assignment_token} ("{username}", "{password}")`, where `{assigned_variable}` must contain `auth` or `login`.
- The two matches must not be equal.

username:

- The username must not be part of a custom banlist maintained by GitGuardian containing very common irrelevant values for usernames.

password:

- The password must not be part of a custom banlist maintained by GitGuardian containing very common irrelevant values for passwords.
- The password must have a minimum Shannon entropy of 2, reflecting a minimum level of complexity.
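The following Python script is an added example that re-implements the rules above; it is not GitGuardian's detector code. The real banlists are private, so `COMMON_USERNAMES` and `COMMON_PASSWORDS` are constructed stand-ins, the assignment tokens accepted (`=` and `:=`) are an assumption, and the sample input is constructed to exercise each rejection rule once.

```python
import math
import re
from collections import Counter
from difflib import SequenceMatcher

# Constructed stand-ins for GitGuardian's private banlists (the real lists are not public).
COMMON_USERNAMES = {"user", "username", "admin", "root", "test", "example"}
COMMON_PASSWORDS = {"password", "pass", "secret", "123456", "changeme", "test"}

# A tuple assignment: <variable> <assignment token> ("<username>", "<password>").
# The variable may be dotted (self.auth); '=' and ':=' are the assumed tokens.
TUPLE_RE = re.compile(
    r"""(?P<var>[A-Za-z_][\w.]*)\s*(?:=|:=)\s*"""
    r"""\(\s*(?P<q1>["'])(?P<username>[^"']*)(?P=q1)\s*,\s*"""
    r"""(?P<q2>["'])(?P<password>[^"']*)(?P=q2)\s*\)"""
)


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character: -sum(p_i * log2(p_i))."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_auth_tuples(text: str, min_entropy: float = 2.0) -> list[dict]:
    """Return every (username, password) pair that passes all the rules."""
    findings = []
    for m in TUPLE_RE.finditer(text):
        var = m.group("var").lower()
        # The assigned variable must contain 'auth' or 'login'.
        if "auth" not in var and "login" not in var:
            continue
        username, password = m.group("username"), m.group("password")
        # Identical values are rejected (similarity ratio of 1.0 via difflib).
        if SequenceMatcher(None, username, password).ratio() >= 1.0:
            continue
        if username.lower() in COMMON_USERNAMES:
            continue
        if password.lower() in COMMON_PASSWORDS:
            continue
        # Minimum Shannon entropy of 2 for the password.
        if shannon_entropy(password) < min_entropy:
            continue
        findings.append({"username": username, "password": password})
    return findings


# Constructed sample input: two true positives and four lines each rule should reject.
SAMPLE = '''
auth_tuple = ("totolao", "mY_s3cr3t_p@ssw0rd")
creds = ("alice", "s3cr3t!")           # variable name lacks auth/login
login = ("bob", "bob")                 # username == password
auth = ("admin", "password")           # banlisted values
self.auth = ("carol", "aaaa")          # entropy 0 < 2
login = ("totolao", "sHrT")            # entropy exactly 2.0, still caught
'''

if __name__ == "__main__":
    for finding in find_auth_tuples(SAMPLE):
        print(finding)
```

Note that `"sHrT"` has four distinct characters, so its entropy is exactly 2.0 and it is kept, which is why the short-password example in the Examples section is still caught; a four-character password made of repeated characters would be dropped.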
## Revoke the secret

This detector catches generic credentials, therefore GitGuardian cannot infer the concerned service. To properly revoke the credentials:

1. Find out which service is impacted.
2. Refer to the corresponding documentation to learn how to revoke and rotate the credentials.
## Examples

Examples that WILL be caught:

```yaml
- text: |
    auth_tuple = ("totolao", "mY_s3cr3t_p@ssw0rd")
  username: totolao
  password: mY_s3cr3t_p@ssw0rd
- text: |
    login = ("totolao", "mY_s3cr3t_p@ssw0rd")
  username: totolao
  password: mY_s3cr3t_p@ssw0rd
- text: |
    login = ("totolao", "sHrT")
  username: totolao
  password: sHrT
- text: |
    auth=("bsaruceobkoraebisroaecbu89", "p@ssw0rd")
  username: bsaruceobkoraebisroaecbu89
  password: p@ssw0rd
```
## Details

- High Recall: False
- Validity Check: False
- Minimum Number of Matches: 2
- Occurrences found for one million commits: 20
- Prefixed: False
Validators:

```yaml
- type: ContentWhitelistPreValidator
  patterns:
    - auth
    - login
- type: ValueSimilarityPostValidator
  max_similarity: 1.0
  similarity: difflib
- type: CommonValueBanlistPostValidator
- type: HeuristicPostValidator
  filters:
    - heuristic_path
- type: MatchesPostValidator
  names: ["username"]
  post_validators:
    - type: CommonUsernameBanlistPostValidator
    - type: ValueBanlistPostValidator
      patterns:
        - "wronguser"
        - 'repo\.json'
        - "first_name"
        - "user_name"
        - "utf-8"
        - "Content-Type"
        - 'django\.contrib'
        - "success"
        - 'authentication\.'
        - "examplepub"
- type: MatchesPostValidator
  names: ["password"]
  post_validators:
    - type: CommonPasswordBanlistPostValidator
    - type: EntropyPostValidator
      entropy: 2
    - type: ValueBanlistPostValidator
      patterns:
        - "wrongpass"
        - 'django\.contrib'
        - "email"
        - "description"
        - 'application\/json'
        - 'authentication\.'
```