Curl Username Password

Description

General

This detector is equivalent to the Username Password detector, except that it aims at catching only credentials passed to the curl command via the -u or --user flag.

Specifications

For this detector, each element must follow a specific set of rules to be considered sensitive and therefore valid:

For both matches:

  • The username and password must not be the same.

password:

  • A set of rules filters out irrelevant passwords such as "password" (see the banlist hereunder).

Revoke the secret

This detector catches generic credentials, hence GitGuardian cannot infer the concerned service. To properly revoke the credentials:

  1. Understand what service is impacted.
  2. Refer to the corresponding documentation to know how to revoke and rotate the credentials.

Examples

Examples that WILL be caught

- text: |
    curl -u admin:S3cr3tP@ssw0rd https://api.example.com/data
  username: admin
  password: S3cr3tP@ssw0rd

- text: |
    curl --user deploy:ghx84kLp!nZ https://registry.example.com/v2/
  username: deploy
  password: ghx84kLp!nZ

Examples that WILL NOT be caught

  • The password is an environment variable.

    - text: |
        curl -u admin:$MY_PASSWORD https://api.example.com/data

  • The password is a common value.

    - text: |
        curl -u user:password https://api.example.com/data

Details for Curl Username Password

  • High Recall: False

  • Validity Check: False

  • Minimum Number of Matches: 2

  • Occurrences found for one million commits: 15.17

  • Prefixed: False

  • PreValidators:

    - type: ContentWhitelistPreValidator
      patterns:
        - curl

  • PostValidators:

    password:
      - type: CommonPasswordBanlistPostValidator
      - type: ValueBanlistPostValidator
        patterns:
          - ^\$[a-zA-Z0-9_]+$
          - ^your
          - ^test
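The rules above (a "curl" content whitelist, the username/password inequality, a common-password banlist and the three value-banlist patterns) can be run over text as a small scanner. The following is an added illustration and not GitGuardian's own implementation; the extraction regex, the small stand-in common-password set and the sample lines are assumptions constructed here.

```python
import re

# Added illustration of the rules listed on this page; not GitGuardian's own code.
# Assumption: the credential is the argument right after -u/--user, written as
# user:password, optionally quoted or in the --user=... form.
CURL_CRED_RE = re.compile(
    r"""(?:^|\s)curl\b[^\n]*?\s(?:-u|--user)[ =]\s*(?P<quote>["']?)"""
    r"""(?P<username>[^\s:"']+):(?P<password>[^\s"']+)(?P=quote)"""
)
# ContentWhitelistPreValidator pattern from the page: only scan text mentioning curl.
CONTENT_WHITELIST = ("curl",)
# ValueBanlistPostValidator patterns from the page (env-var reference, your..., test...).
VALUE_BANLIST = [re.compile(p) for p in (r"^\$[a-zA-Z0-9_]+$", r"^your", r"^test")]
# CommonPasswordBanlistPostValidator: the real list is not on the page; constructed stand-in.
COMMON_PASSWORDS = {"password", "123456", "admin", "changeme", "secret"}

def prevalidate(text: str) -> bool:
    """Cheap pre-filter: skip content that never mentions curl."""
    return any(token in text for token in CONTENT_WHITELIST)

def is_valid_password(username: str, password: str) -> bool:
    """Apply the post-validation rules to one username/password pair."""
    if username == password:                      # both matches must differ
        return False
    if password.lower() in COMMON_PASSWORDS:      # common-password banlist
        return False
    return not any(p.search(password) for p in VALUE_BANLIST)

def detect_curl_credentials(text: str) -> list[dict]:
    """Return the curl -u/--user credentials in text that survive every rule."""
    if not prevalidate(text):
        return []
    findings = []
    for m in CURL_CRED_RE.finditer(text):
        user, pwd = m.group("username"), m.group("password")
        if is_valid_password(user, pwd):
            findings.append({"username": user, "password": pwd})
    return findings

if __name__ == "__main__":
    # Constructed sample mirroring the page's caught / not-caught examples.
    sample = (
        "curl -u admin:S3cr3tP@ssw0rd https://api.example.com/data\n"
        "curl --user deploy:ghx84kLp!nZ https://registry.example.com/v2/\n"
        "curl -u admin:$MY_PASSWORD https://api.example.com/data\n"
        "curl -u user:password https://api.example.com/data\n"
    )
    for hit in detect_curl_credentials(sample):
        print(hit)  # only the admin and deploy credentials are reported
```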