
Authentication Tuple

Description

General

The Authentication Tuple detector aims at catching any username and password pair that is assigned together as a tuple in code. This type of assignment is most commonly found in Python code and looks like: auth = ("username", "password").

Specifications

The two components of the pair that the detector catches are referred to as username and password. With this detector, each element must follow a specific set of rules to be considered sensitive, and therefore valid.

For both matches:

  • Must be part of a tuple assignment, namely of the form {assigned_variable} {assignment_token} ("{username}", "{password}"), where {assigned_variable} must contain auth or login.
  • The two matches must not be equal.

username:

  • The username must not be part of a custom banlist maintained by GitGuardian containing very common irrelevant values for usernames.

password:

  • The password must not be part of a custom banlist maintained by GitGuardian containing very common irrelevant values for passwords.
  • The password must have a minimum Shannon entropy of 2, reflecting a minimum level of complexity.
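A minimal Python re-implementation of the rules above, added here as an illustration and not GitGuardian's own detector code. The banlists are constructed stand-ins for GitGuardian's private ones, and the set of accepted assignment tokens is an assumption.

```python
import math
import re
from typing import Optional

# {assigned_variable} {assignment_token} ("{username}", "{password}")
# The variable must contain "auth" or "login"; "=", ":=" and ":" are
# assumed assignment tokens.
TUPLE_ASSIGNMENT = re.compile(
    r'\b(?P<var>\w*(?:auth|login)\w*)\s*(?:=|:=|:)\s*'
    r'\(\s*"(?P<username>[^"]+)"\s*,\s*"(?P<password>[^"]+)"\s*\)',
    re.IGNORECASE,
)

# Constructed stand-ins for the private "common value" banlists.
COMMON_USERNAMES = {"user", "admin", "username", "test", "root"}
COMMON_PASSWORDS = {"password", "changeme", "secret", "123456"}
# Regex patterns of the kind used by the detector's value banlists.
USERNAME_BANLIST = [r"wronguser", r"repo\.json", r"first_name", r"user_name"]
PASSWORD_BANLIST = [r"wrongpass", r"django\.contrib", r"email", r"description"]


def shannon_entropy(value: str) -> float:
    """Shannon entropy of the string, in bits per character."""
    n = len(value)
    counts = {c: value.count(c) for c in set(value)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def banned(value: str, common: set, patterns: list) -> bool:
    """True if the value is a common irrelevant value or matches a banned pattern."""
    return value.lower() in common or any(re.search(p, value) for p in patterns)


def detect(line: str) -> Optional[dict]:
    """Return the username/password pair if the line holds a valid auth tuple."""
    m = TUPLE_ASSIGNMENT.search(line)
    if not m:
        return None
    user, pwd = m.group("username"), m.group("password")
    if user == pwd:  # the two matches must not be equal
        return None
    if banned(user, COMMON_USERNAMES, USERNAME_BANLIST):
        return None
    if banned(pwd, COMMON_PASSWORDS, PASSWORD_BANLIST):
        return None
    if shannon_entropy(pwd) < 2:  # minimum password complexity
        return None
    return {"username": user, "password": pwd}
```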

Revoke the secret

This detector catches generic credentials, therefore GitGuardian cannot infer the affected service. To properly revoke the credentials:

  1. Find out what service is impacted.
  2. Refer to the corresponding documentation to know how to revoke and rotate the credentials.

Examples

Examples that WILL be caught

- text: |
    auth_tuple = ("totolao", "mY_s3cr3t_p@ssw0rd")
  username: totolao
  password: mY_s3cr3t_p@ssw0rd
- text: |
    login = ("totolao", "mY_s3cr3t_p@ssw0rd")
  username: totolao
  password: mY_s3cr3t_p@ssw0rd
- text: |
    login = ("totolao", "sHrT")
  username: totolao
  password: sHrT
- text: |
    auth=("bsaruceobkoraebisroaecbu89", "p@ssw0rd")
  username: bsaruceobkoraebisroaecbu89
  password: p@ssw0rd

Details for Username password

  • High Recall: False

  • Validity Check: False

  • Minimum Number of Matches: 2

  • Occurrences found for one million commits: 20

  • Prefixed: False

  • PreValidators:

- type: ContentWhitelistPreValidator
  patterns:
    - auth
    - login

  • PostValidators:

- type: ValueSimilarityPostValidator
  max_similarity: 1.0
  similarity: difflib
- type: CommonValueBanlistPostValidator
- type: HeuristicPostValidator
  filters:
    - heuristic_path
- type: MatchesPostValidator
  names: ["username"]
  post_validators:
    - type: CommonUsernameBanlistPostValidator
    - type: ValueBanlistPostValidator
      patterns:
        - "wronguser"
        - 'repo\.json'
        - "first_name"
        - "user_name"
        - "utf-8"
        - "Content-Type"
        - 'django\.contrib'
        - "success"
        - 'authentication\.'
        - "examplepub"
- type: MatchesPostValidator
  names: ["password"]
  post_validators:
    - type: CommonPasswordBanlistPostValidator
    - type: EntropyPostValidator
      entropy: 2
    - type: ValueBanlistPostValidator
      patterns:
        - "wrongpass"
        - 'django\.contrib'
        - "email"
        - "description"
        - 'application\/json'
        - 'authentication\.'