Generic database assignment
Description#
General#
The generic database assigment detector aims at catching any quadruple host, port, username, and password that are database credentials for which we couldn't infer the database type.
This statement is pretty wide, therefore to avoid raising many false alerts, GitGuardian has come up with a range of validation steps and specifications to refine the perimeter we are looking at.
Specifications#
The four components of the quadruple that the detector catches are referred as host, port, username, and password. The detector keeps only the combination of matched element that form a quadruple which are the closest matches inside the document. Another version of this detector exists for cases where the port is attached to the host name.
For this detector, each element must follow a specific set of rules to be considered as sensitive and therefore valid:
For all:
- The document must contain the string
dbordatabase(see whitelist hereunder). - Must be an assigned value except for the port, namely of the form
{assigned_variable} {assignment_token} {value}, where{value}is eitherhost,username, orpassword. The port can be either an assigned value or present in thehost(for examplemy_host:some_port).
host
- The document must contain the string
host(see whitelist hereunder). - Caught hosts should be sensitive ones as well as their corresponding
{assigned_variable}. Therefore, a set of common hosts are banned such aslocalhost, test/example hosts, or dummy IPs such as1.2.3.4and host assigned variables such asproxy(see banlist hereunder).
port
- The document must contain the string
port(see whitelist hereunder). - Caught ports should be sensitive ones as well as their corresponding
{assigned_variable}. Therefore, a set of common ports are banned such as8080and port assigned variables such assupport(see banlist hereunder).
username
- The document must contain the string
user(see whitelist hereunder). - Caught usernames should be sensitive ones as well as their corresponding
{assigned_variable}. Therefore, a set of common usernames are banned such asdb_userand username assigned variables such asuser-agent(see banlist hereunder).
password
- The document must contain the string
pwdorpass(see whitelist hereunder). - Caught passwords should be sensitive ones as well as their corresponding
{assigned_variable}. Therefore, a set of common password are banned such as encrypted or hashed ones and password assigned variables such asgetpass(see banlist hereunder).
Revoke the secret#
This detector catches generic database credentials, hence GitGuardian cannot infer the type of database concerned. To properly revoke the secret :
- Understand what type of database is concerned.
- Refer to the corresponding database documentation to know how to revoke and rotate the credentials.
Example#
Examples that WILL be caught
- text: > DB CONTEXT host=mongo.com port=5434 username=root password=m42ploz2wd host: mongo.com port: "5434" username: root password: m42ploz2wd
- text: > db_host=mongo.com db_port=5434 db_username=root db_password=m42ploz2wd host: mongo.com port: "5434" username: root password: m42ploz2wd
- text: > dbhost=real.database.com dbport=5434 dbuser=pilal dbpass=yourock93 host: real.database.com port: "5434" username: pilal password: yourock93
- text: > DB CONTEXT host=my.mongo.com:27017 username=root password=m42ploz2wd host: my.mongo.com port: "27017" username: root password: m42ploz2wd
- text: > dbhost=my.mongo.com:27017 dbuser=root dbpwd=m42ploz2wd host: my.mongo.com port: "27017" username: root password: m42ploz2wdExamples that WILL NOT be caught
- Host name is not a sensitive one.
- text: > db_host=localhost # host not sensitive db_port=5434 db_username=root db_password=m42ploz2wd- The IP is not sensitive.
- text: > DB CONTEXT host=mongo.com port=1.1.1.1 # dummy IP username=root password=m42ploz2wd- The username is not a sensitive one.
- text: > dbhost=real.database.com dbport=5434 dbuser=db_user # wrong username dbpass=yourock93- The password is hashed.
- text: > dbhost=my.mongo.com:27017 dbuser=root dbpwd=sha256_mypassword-hashed # hashed passwordDetails for Generic database assignment#
High Recall: False
Validity Check: False
Minimum Number of Matches: 3
Occurrences found for one million commits: 150
Prefixed: False
- type: FilenameBanlistPreValidator- type: ContentWhitelistPreValidator patterns: ["db", "database"]- type: ContentWhitelistPreValidator patterns: ["pwd", "pass"]- type: ContentWhitelistPreValidator patterns: - host- type: ContentWhitelistPreValidator patterns: - user- type: ContentWhitelistPreValidator patterns: - porthost: - type: CommonValueBanlistPostValidator - type: CommonHostBanlistPostValidator - type: ValueBanlistPostValidator patterns: - 'smtp\.' - localhost - 'this\.' - 'example\.com$' - 'mail\.' - 'self\.' - '\.java' - 'local\.' - 'process\.env' - "config" - "test" - '\.hostname' - 'host\.' - '\.host$' - '\.env' - 'env\.' - "settings" - "string" - "default" - 'args\.' - '^com\.' - "error" - "request" - '(\d{1,3}).\1.\1.\1' # Rejects dummy IPs like 1.1.1.1 - '\.ip$' - "grafana" - "^api.weixin" - "foobar" - 'x{1,3}\.x{1,3}\.x{1,3}\.x{1,3}' - type: AssignmentBanlistPostValidator patterns: - "allowed_hosts" - '\.localhost' - "^localhost$" - "trusted[_.-]?host" - "http" - "proxy" - "redis" - "mongo" - "m[sy]sql" - "postgres" - "ftp" - "smtp" - "zookeeper" - "ldap" - "mail"
password: - type: CommonValueBanlistPostValidator - type: CommonPasswordBanlistPostValidator - type: ValueBanlistPostValidator patterns: - "encrypted" - "false" - "true" - "self" - "__vault__" - "test1234" - "abcd1234" - "nil" - "hidden" - "string" - '(\d)\1{4,}' #repeating digit 5 times or more - "get_env" - '\.env' - "env[.(]" - "^test$" - 'args\.' - "error" - "request" - '\.pem$' - "^buf$" - "pg[_.-]?pass" - 'fs\.read' - "required" - "^masked$" - "^hashed$" - "^secured" - "removed$" - "^None" - "^The$" - '^\.\.\.$' - 'models\.' - "sha256" - "md5" - "^some-?pass$" - '^getpass\.' - "password" - "^array$" - "crypted" - "credential" - "^_?pwd,?$" - "^null,?$" - "^isnull" - "username" - "^user$" - "^host[,=]" - "dbhost" - "config" - "noreply" - '\*\*\*\*' - "optional" - "database" - type: HeuristicPostValidator filters: - file_path - file_name - type: AssignmentBanlistPostValidator patterns: - "proxy" - "redis" - "mongo" - "m[sy]sql" - "postgres" - "ftp" - "smtp" - "zookeeper" - "ldap" - "mail"
username: - type: CommonValueBanlistPostValidator - type: CommonUsernameBanlistPostValidator - type: ValueBanlistPostValidator patterns: - "db_user" - "self" - "true" - "false" - "__vault__" - '^[\*x]+$' - "^null$" - "userinfo" - "test" - "nil" - "string" - "^str$" - 'args\.' - "error" - "request" - "pg[_.-]?user" - 'fs\.read' - "^masked$" - "^blank$" - "^flask_user$" - "^someone$" - "^some-?user$" - "^return$" - "^grafana$" - "^err$" - "^choose$" - "^pwd$" - type: AssignmentBanlistPostValidator patterns: - "user[_-]?agent" - "proxy" - "redis" - "mongo" - "m[sy]sql" - "postgres" - "ftp" - "smtp" - "zookeeper" - "ldap" - "mail"
port: - type: ValueBanlistPostValidator patterns: - "^25$" - "^465$" - "^587$" - "^80$" - "^8080$" - "^443$" - "^2[012]$" - "^389$" - type: AssignmentBanlistPostValidator patterns: - "imap" - "report" - "support" - 'args\.' - "http" - "proxy" - "redis" - "mongo" - "m[sy]sql" - "postgres" - "ftp" - "smtp" - "zookeeper" - "ldap" - "mail"