Authentication Tuple
Description
General
The Authentication Tuple detector aims at catching any pair of username and password that is part of a tuple assignment in code. This type of assignment is most commonly found in Python code and looks like: auth = ("username", "password").
Specifications
The two components of the couple that the detector catches are referred to as username and password.
With this detector, each element must follow a specific set of rules to be considered as sensitive, and therefore valid.
For both matches:
- Must be part of a tuple assignment, namely of the form {assigned_variable} {assignment_token} ("{username}", "{password}"), where {assigned_variable} must contain auth or login.
- The two matches must not be equal to each other.
username:
- The username must not be part of a custom banlist maintained by GitGuardian containing very common irrelevant values for usernames.
password:
- The password must not be part of a custom banlist maintained by GitGuardian containing very common irrelevant values for passwords.
- The password must have a minimum Shannon entropy of 2, reflecting a minimum level of complexity.
Revoke the secret
This detector catches generic credentials, therefore GitGuardian cannot infer the concerned service. To properly revoke the credentials:
- Find out what service is impacted.
- Refer to the corresponding documentation to know how to revoke and rotate the credentials.
Examples
Examples that WILL be caught
- text: |
    auth_tuple = ("totolao", "mY_s3cr3t_p@ssw0rd")
  username: totolao
  password: mY_s3cr3t_p@ssw0rd
- text: |
    login = ("totolao", "mY_s3cr3t_p@ssw0rd")
  username: totolao
  password: mY_s3cr3t_p@ssw0rd
- text: |
    login = ("totolao", "sHrT")
  username: totolao
  password: sHrT
- text: |
    auth=("bsaruceobkoraebisroaecbu89", "p@ssw0rd")
  username: bsaruceobkoraebisroaecbu89
  password: p@ssw0rd
Details for Username password
High Recall: False
Validity Check: False
Minimum Number of Matches: 2
Occurrences found for one million commits: 20
Prefixed: False
- type: ContentWhitelistPreValidator
  patterns:
    - auth
    - login
- type: ValueSimilarityPostValidator
  max_similarity: 1.0
  similarity: difflib
- type: CommonValueBanlistPostValidator
- type: HeuristicPostValidator
  filters:
    - heuristic_path
- type: MatchesPostValidator
  names: ['username']
  post_validators:
    - type: CommonUsernameBanlistPostValidator
    - type: ValueBanlistPostValidator
      patterns:
        - 'wronguser'
        - 'repo\.json'
        - 'first_name'
        - 'user_name'
        - 'utf-8'
        - 'Content-Type'
        - 'django\.contrib'
        - 'success'
        - 'authentication\.'
        - 'examplepub'
- type: MatchesPostValidator
  names: ['password']
  post_validators:
    - type: CommonPasswordBanlistPostValidator
    - type: EntropyPostValidator
      entropy: 2
    - type: ValueBanlistPostValidator
      patterns:
        - 'wrongpass'
        - 'django\.contrib'
        - 'email'
        - 'description'
        - 'application\/json'
        - 'authentication\.'
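To make the rules in the Specifications section and the validator chain above concrete, here is an added Python re-implementation of the detector logic; it is example code written for this page, not GitGuardian's own detector. It assumes `=` and `:=` as assignment tokens, case-insensitive matching of `auth`/`login` in the variable name, and small constructed stand-ins for the private common-username and common-password banlists (`COMMON_USERNAMES`, `COMMON_PASSWORDS`); the `ValueBanlistPostValidator` regexes are the ones listed on the page. Running it on the four "WILL be caught" examples reports all four, and the trailing negative cases show each rule rejecting a candidate.

```python
"""Added example: a minimal re-implementation of the Authentication Tuple
detector rules described on this page. Not GitGuardian's own code."""
import math
import re
from collections import Counter
from difflib import SequenceMatcher

# Tuple assignment: {assigned_variable} {assignment_token} ("{username}", "{password}")
# Assumption: '=' and ':=' are the assignment tokens (the page does not list them).
TUPLE_RE = re.compile(
    r'(?P<var>[A-Za-z_][A-Za-z0-9_.]*)\s*(?P<tok>=|:=)\s*'
    r'\(\s*"(?P<username>[^"\n]*)"\s*,\s*"(?P<password>[^"\n]*)"\s*\)'
)
# ContentWhitelistPreValidator: the assigned variable must contain one of these.
# Assumption: matched case-insensitively.
VARIABLE_PATTERNS = ("auth", "login")

# ValueBanlistPostValidator patterns taken from the page (regular expressions)
USERNAME_BANLIST = [r'wronguser', r'repo\.json', r'first_name', r'user_name', r'utf-8',
                    r'Content-Type', r'django\.contrib', r'success', r'authentication\.',
                    r'examplepub']
PASSWORD_BANLIST = [r'wrongpass', r'django\.contrib', r'email', r'description',
                    r'application\/json', r'authentication\.']
# Constructed stand-ins for the private Common*BanlistPostValidator lists
COMMON_USERNAMES = {"admin", "user", "username", "test"}
COMMON_PASSWORDS = {"password", "123456", "changeme", "secret"}
MIN_ENTROPY = 2.0  # EntropyPostValidator: entropy: 2


def shannon_entropy(value):
    """Shannon entropy of a string in bits per character."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _banned(value, patterns):
    return any(re.search(p, value) for p in patterns)


def find_auth_tuples(text):
    """Return a dict per candidate tuple that passes every rule on the page."""
    results = []
    for m in TUPLE_RE.finditer(text):
        var, user, pwd = m.group("var"), m.group("username"), m.group("password")
        # Pre-validator: variable name must contain auth or login
        if not any(p in var.lower() for p in VARIABLE_PATTERNS):
            continue
        # ValueSimilarityPostValidator with max_similarity 1.0 (difflib):
        # identical username and password are rejected
        if SequenceMatcher(None, user, pwd).ratio() >= 1.0:
            continue
        # username rules: common-username banlist, then value banlist
        if user.lower() in COMMON_USERNAMES or _banned(user, USERNAME_BANLIST):
            continue
        # password rules: common-password banlist, value banlist, minimum entropy
        if pwd.lower() in COMMON_PASSWORDS or _banned(pwd, PASSWORD_BANLIST):
            continue
        if shannon_entropy(pwd) < MIN_ENTROPY:
            continue
        results.append({"variable": var, "username": user, "password": pwd})
    return results


# Constructed sample: the page's four positive examples plus some negatives
SAMPLE = '''
auth_tuple = ("totolao", "mY_s3cr3t_p@ssw0rd")
login = ("totolao", "mY_s3cr3t_p@ssw0rd")
login = ("totolao", "sHrT")
auth=("bsaruceobkoraebisroaecbu89", "p@ssw0rd")
creds = ("totolao", "mY_s3cr3t_p@ssw0rd")
auth = ("same", "same")
auth = ("totolao", "aaaa")
login = ("totolao", "wrongpass")
'''

if __name__ == "__main__":
    for hit in find_auth_tuples(SAMPLE):
        print(hit)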