From 9f1468c79df2cf13c66041692ca7f044a27a874b Mon Sep 17 00:00:00 2001 From: Dylan Katz Date: Thu, 14 Nov 2019 16:28:47 -0800 Subject: [PATCH 1/4] Updated some secrets, flagged secrets as informative or risk --- .bash_profile | 12 +-- .bashrc | 6 +- .ftpconfig | 2 +- .leaky-meta/README.md | 2 + .../benchmarking}/DETECT-SECRETS.md | 0 .../benchmarking}/TRUFFLEHOG.md | 0 .leaky-meta/secrets.csv | 85 +++++++++++++++++++ .npmrc | 3 + .vscode/sftp.json | 3 +- cloud/.credentials | 4 +- cloud/.s3cfg | 6 +- cloud/.tugboat | 6 +- config | 4 + filezilla/filezilla.xml | 9 +- filezilla/recentservers.xml | 6 ++ hub | 4 +- web/django/settings.py | 1 + web/js/salesforce.js | 1 + web/var/www/.env | 12 ++- web/var/www/public_html/config.php | 4 + web/var/www/public_html/wp-config.php | 12 +++ 21 files changed, 157 insertions(+), 25 deletions(-) create mode 100644 .leaky-meta/README.md rename {benchmarking => .leaky-meta/benchmarking}/DETECT-SECRETS.md (100%) rename {benchmarking => .leaky-meta/benchmarking}/TRUFFLEHOG.md (100%) create mode 100644 .leaky-meta/secrets.csv diff --git a/.bash_profile b/.bash_profile index 0df4575..b209823 100644 --- a/.bash_profile +++ b/.bash_profile 
@@ -8,19 +8,19 @@ if [ -f ~/.git-completion.bash ]; then . ~/.git-completion.bash fi -export AWS_ACCESS_KEY_ID=yLryKGwcGc3ez9G8YAnjeYMQOc +export AWS_ACCESS_KEY_ID=yLryKGwcGc3ez9G8YAnjeYMQOc # Informative, can't be used w/o the secret key export AWS_SECRET_ACCESS_KEY=nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX -export AWS_DEFAULT_REGION='us-west-1' +export AWS_DEFAULT_REGION='us-west-1' # Broad enough that it doesn't create risk by itself. export AWS_REGION=$AWS_DEFAULT_REGION export S3_REGION=$AWS_DEFAULT_REGION export S3_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID export S3_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY -export S3_BUCKET=dummy_bucket-90i8985p -export RDS_HOST='fake-rds.jfduhij34u80.us-west-1.rds.amazonaws.com' +export S3_BUCKET=dummy_bucket-90i8985p # Informative, could contain sensitive info, but not necessarily. +export RDS_HOST='fake-rds.jfduhij34u80.us-west-1.rds.amazonaws.com' # Informative, unlikely to be abused w/o password or key export RDS_PASSWORD='dummy-pass' export HEROKU_API_KEY='sampleHerokuKey' export HOMEBREW_GITHUB_API_TOKEN='51e61afee2c2667123fc9ed160a0a20b330c8f74' export SLACK_API_TOKEN='xoxp-858723095049-581481478633-908968721956-f16b85d1f73ef37c02323bf3fd537ea5' export MLAB_PASS='password123' -export MLAB_URL='ds908452.mlab.com:25928' -export MLAB_DB='dum-231-h92' \ No newline at end of file +export MLAB_URL='ds908452.mlab.com:25928' # Informative, needs pass +export MLAB_DB='dum-231-h92' # Informative, requires access to server or SQLi \ No newline at end of file diff --git a/.bashrc b/.bashrc index 621d859..06a1e91 100644 --- a/.bashrc +++ b/.bashrc 
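Review bot: The label on `AWS_ACCESS_KEY_ID` understates what a bare key ID gives an attacker: AWS's `sts:GetAccessKeyInfo` returns the owning account ID for any access key ID, so it is reconnaissance material even without the secret; suggested wording `export AWS_ACCESS_KEY_ID=yLryKGwcGc3ez9G8YAnjeYMQOc # Informative: reveals the AWS account ID (sts:GetAccessKeyInfo), can't authenticate w/o the secret key`. More generally these labels now sit inside the fixture itself, so a scanner that keys on words such as `secret`/`key`/`pass` in the surrounding line, or that reports per-line context, sees text the original leak never contained, which can skew the benchmark this series is building. The same classification is already recorded in `.leaky-meta/secrets.csv`, so consider keeping the fixture files annotation-free and letting the CSV carry the categories.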
@@ -101,9 +101,9 @@ fi if [ -f /etc/bash_completion ] && ! shopt -oq posix; then . /etc/bash_completion fi -export GMAIL_USERNAME="example@gmail.com" +export GMAIL_USERNAME="example@gmail.com" # Informative, can't be used by itself export GMAIL_PASSWORD="Pass!12345" export MAILCHIMP_API_KEY="38c47f19e349153fa963bb3b3212fe8e-us11" -export MAILCHIMP_LIST_ID="606b868828" -export OWNER_EMAIL="example@gmail.com" +export MAILCHIMP_LIST_ID="606b868828" # Not positive, but pretty sure this isn't exploitable by itself. Open an issue if it is! +export OWNER_EMAIL="example@gmail.com" # Informative, can't be used by itself export JEKYLL_GITHUB_TOKEN="c77e01c1e89682e4d4b94a059a7fd2b37ab326ed" diff --git a/.ftpconfig b/.ftpconfig index 2e0b87e..1e676e9 100644 --- a/.ftpconfig +++ b/.ftpconfig @@ -9,7 +9,7 @@ "local": "", "agent": "", "privatekey": "", - "passphrase": "", + "passphrase": "swordfish", "hosthash": "", "ignorehost": true, "connTimeout": 10000, diff --git a/.leaky-meta/README.md b/.leaky-meta/README.md new file mode 100644 index 0000000..d0ed05c --- /dev/null +++ b/.leaky-meta/README.md @@ -0,0 +1,2 @@ +## .leaky-meta +This folder is for scripts/tools designed to assist with the management of this repo. It won't contain actual secrets/patterns (hopefully!) \ No newline at end of file diff --git a/benchmarking/DETECT-SECRETS.md b/.leaky-meta/benchmarking/DETECT-SECRETS.md similarity index 100% rename from benchmarking/DETECT-SECRETS.md rename to .leaky-meta/benchmarking/DETECT-SECRETS.md diff --git a/benchmarking/TRUFFLEHOG.md b/.leaky-meta/benchmarking/TRUFFLEHOG.md similarity index 100% rename from benchmarking/TRUFFLEHOG.md rename to .leaky-meta/benchmarking/TRUFFLEHOG.md diff --git a/.leaky-meta/secrets.csv b/.leaky-meta/secrets.csv new file mode 100644 index 0000000..8886c8f --- /dev/null +++ b/.leaky-meta/secrets.csv 
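Review bot: In the `.ftpconfig` hunk the new `"passphrase": "swordfish"` sits directly under an empty `"privatekey": ""`, so the fixture describes a key passphrase with no key to unlock, while `.leaky-meta/secrets.csv` in this same patch counts it as a risk "for private key"; a scanner that only flags `passphrase` when `privatekey` is populated would legitimately skip it. Either give the key a path, e.g. `"privatekey": "~/.ssh/id_rsa",`, or describe it as a plain password in the CSV comment. The rest of the `.ftpconfig` object lies outside this hunk.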
@@ -0,0 +1,85 @@
+#########################################################################################################
+# We break secrets into two categories, "risk" and "informative".
+# Lines that are "risk" presents an actual risk, "informative" discloses potentially sensitive or useful information.
+# The CSV counts any line containing risk as "Risk", and lines with Informatives as "Informative".
+# Lines with both risk and informative are treated as a single line of risk to simplify counting.
+# Lines with multiple risks or informatives are still counted as 1.
+#########################################################################################################
+# name,num_risk,num_informative
+.bash_profile,6,5
+.bashrc,3,3
+
+# Here the users and urls are informative, the auth is risk.
+.docker/.dockercfg,2,4
+# Same as above
+.docker/config.json,2,4
+
+# For all 4 firefox profiles:
+# Risk: encryptedUsername, encryptedPassword
+# Informative: hostname, timeCreated, timeLastUsed, timePasswordChanged, timesUsed
+.mozilla/firefox/logins.json,8,20
+.ssh/id_rsa,1,0
+.ssh/id_rsa.pub,0,1
+cloud/.credentials,2,2
+cloud/.s3cfg,1,2
+cloud/.tugboat,1,2
+cloud/heroku.json,1,1
+db/dump.sql,10,0
+db/mongoid.yml,1,0
+etc/shadow,1,0
+filezilla/recentservers.xml,3,3
+filezilla/filezilla.xml,2,1
+high-entropy-misc.txt,0,2
+misc-keys/cert-key.pem,1,0
+
+# Putty has both public and private keys
+misc-keys/putty-example.ppk,1,1
+proftpdpasswd,1,0
+web/ruby/config/master.key,1,0
+web/ruby/secrets.yml,3,0
+web/var/www/.env,6,4
+.npmrc,2,1
+web/var/www/public_html/wp-config.php,9,3
+web/var/www/public_html/.htpasswd,1,0
+.git-credentials,1,0
+
+# Risk: userPassword, sshPassphrase, sshUserPassword
+# Informative: serverHost, sshHost, sshUserName, userName
+db/robomongo.json,3,4
+web/js/salesforce.js,1,0
+.netrc,2,0
+hub,1,1
+config,1,3
+db/.pgpass,1,0
+ventrilo_srv.ini,2,0
+web/var/www/public_html/config.php,1,3
+db/dbeaver-data-sources.xml,1,0
+
+# Risk: password
+# 
Informative: hostname, username +.esmtprc,2,1 +web/django/settings.py,1,0 + +# Risk: password +# Informative: host, username, remotePath +deployment-config.json,3,1 + +# Risk: password, passphrase (for private key) +# Informative: host, user, remote +.ftpconfig,3,2 + +# Risk: password +# Informative: hostname, username +.remote-sync.json,1,2 + +# Risk: password +# Informative: host, remotePath, username +.vscode/sftp.json,1,3 + +# Risk: password +# Informative: host, remote_path, user +sftp-config.json,1,3 + +# Risk: fileTransfer password +# Informative: webServer name+url +.idea/WebServers.xml,1,1 \ No newline at end of file diff --git a/.npmrc b/.npmrc index 2492b55..b918491 100644 --- a/.npmrc +++ b/.npmrc @@ -1,6 +1,9 @@ registry="https://registry.npmjs.org/" always-auth=true package-lock=false +# Informative email=dummy@example.com +# Risk _auth = YWRtaW46YWRtaW4= +# Risk //registry.npmjs.org/:_authToken=26dfe8d8-889b-4380-92ff-9c3c6ea5d930 diff --git a/.vscode/sftp.json b/.vscode/sftp.json index 07d7b64..87fbec9 100644 --- a/.vscode/sftp.json +++ b/.vscode/sftp.json @@ -2,5 +2,6 @@ "protocol": "sftp", "host": "example.com", "remotePath": "/var/www", - "username": "root" + "username": "root", + "password": "swordfish!23" } \ No newline at end of file diff --git a/cloud/.credentials b/cloud/.credentials index 0de799b..b8fae37 100644 --- a/cloud/.credentials +++ b/cloud/.credentials @@ -1,7 +1,7 @@ # AWS Credentials file [default] -aws_access_key_id = yLryKGwcGc3ez9G8YAnjeYMQOc +aws_access_key_id = yLryKGwcGc3ez9G8YAnjeYMQOc # Informative, can't be used alone aws_secret_access_key = nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX [second-profile] -aws_access_key_id = yLryKGwcGc3ez9G8YAnjeYMQOc +aws_access_key_id = yLryKGwcGc3ez9G8YAnjeYMQOc # Informative, can't be used alone aws_secret_access_key = nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX diff --git a/cloud/.s3cfg b/cloud/.s3cfg index 83443a7..dde3065 100644 --- a/cloud/.s3cfg +++ b/cloud/.s3cfg 
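Review bot: Four rows have `num_risk` and `num_informative` transposed relative to their own labels: the comments directly above name one risk and two informatives for `.esmtprc` but the row reads `.esmtprc,2,1`, one risk and three informatives for `deployment-config.json` but the row reads `3,1`, and two risks and three informatives for `.ftpconfig` but the row reads `3,2`; likewise `web/var/www/.env` carries four `# Risk` and six `# Informative` labels in this series but is recorded as `6,4`. The sums are unchanged, so the Found/Total column in the generated reports is unaffected, but anything that later reports risk and informative separately will be wrong. Suggested rows: `.esmtprc,1,2`, `deployment-config.json,1,3`, `.ftpconfig,2,3`, `web/var/www/.env,4,6`.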
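Review bot: The trailing `# Informative, can't be used alone` on `aws_access_key_id` makes `cloud/.credentials` diverge from what a real leaked credentials file looks like: as far as I can tell the AWS CLI/botocore read it with Python's `configparser`, which by default does not strip inline `#` comments, so the key ID value would be parsed as the ID plus the comment. If the annotation is kept, put it on its own line above the key (`# Informative, can't be used alone` followed by `aws_access_key_id = yLryKGwcGc3ez9G8YAnjeYMQOc`), or drop it in favour of the entry already in `.leaky-meta/secrets.csv`. The same applies to the `[second-profile]` block, which repeats the identical pair.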
@@ -1,6 +1,6 @@ -secret_key = yLryKGwcGc3ez9G8YAnjeYMQOc -access_key = nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX +secret_key = yLryKGwcGc3ez9G8YAnjeYMQOc # Sensitive +access_key = nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX # Informative host_base = s3.us-west-1.amazonaws.com -host_bucket = dummy_bucket-9u3258hj.s3.us-west-1.amazonaws.com +host_bucket = dummy_bucket-9u3258hj.s3.us-west-1.amazonaws.com # Informative signature_v2 = False use_https = False \ No newline at end of file diff --git a/cloud/.tugboat b/cloud/.tugboat index 14ceb90..cdd8531 100644 --- a/cloud/.tugboat +++ b/cloud/.tugboat @@ -1,9 +1,9 @@ --- authentication: - client_key: 383c8164d4bdd95d8b1bfbf4f540d754 - api_key: 3b6311afca5bd8aac647b316704e9c6d + client_key: 383c8164d4bdd95d8b1bfbf4f540d754 # Informative + api_key: 3b6311afca5bd8aac647b316704e9c6d # Sensitive. ssh: - ssh_user: admin + ssh_user: admin # Informative ssh_key_path: "~/.ssh/deploy.pem" ssh_port: '22' defaults: diff --git a/config b/config index 7599cb2..90e26b8 100644 --- a/config +++ b/config @@ -1,6 +1,10 @@ # IRC config +# Informative IRC_HOST=irc.example.com +# Informative IRC_NAME="realname" IRC_PORT=6697 +# Informative IRC_NICK=nick +# Risk IRC_PASS=irc_pass \ No newline at end of file diff --git a/filezilla/filezilla.xml b/filezilla/filezilla.xml index 9d272c1..4f36030 100644 --- a/filezilla/filezilla.xml +++ b/filezilla/filezilla.xml @@ -2,12 +2,15 @@ - localhost + + example.com 21 0 0 - anonymous - anonymous + + root + + ExamplePas123 example.com 4 0 diff --git a/filezilla/recentservers.xml b/filezilla/recentservers.xml index 6041599..d6ccee8 100644 --- a/filezilla/recentservers.xml +++ b/filezilla/recentservers.xml @@ -2,11 +2,14 @@ + localhost 21 0 0 + root + NjllNWU5ZWMwZDU0MmU5Y2QwOTY4MWM5YzZhMDdkYWVmNjg3OWE3MDMzM2Q4MWJmCg== 1 0 @@ -16,11 +19,14 @@ 0 + localhost 22 1 0 + root + NjllNWU5ZWMwZDU0MmU5Y2QwOTY4MWM5YzZhMDdkYWVmNjg3OWE3MDMzM2Q4MWJmCg== 1 0 diff --git a/hub b/hub index 6124eb3..8348f45 100644 --- a/hub +++ b/hub 
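Review bot: The `.s3cfg` values are transposed relative to `cloud/.credentials` and `.bash_profile` in this same series, where `yLryKGwcGc3ez9G8YAnjeYMQOc` is the access key ID and `nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX` is the secret; here `secret_key` holds the ID value and is labelled `# Sensitive` while `access_key` holds the secret and is labelled `# Informative`, so the labels follow the key names rather than the values. Swap the values so the fixture is internally consistent: `access_key = yLryKGwcGc3ez9G8YAnjeYMQOc # Informative` and `secret_key = nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX # Risk`. `Sensitive` (also used in `.tugboat`) is not one of the two categories defined in `.leaky-meta/secrets.csv`; use `Risk` so the labels can be grepped and cross-checked against the CSV.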
@@ -1,4 +1,4 @@ --- github.com: -- user: user - oauth_token: oauth_token \ No newline at end of file +- user: ocotcat + oauth_token: "7f9cc25de23d1a255720b0ae4551f4044d600f46" diff --git a/web/django/settings.py b/web/django/settings.py index fb4e3fe..7003863 100644 --- a/web/django/settings.py +++ b/web/django/settings.py @@ -20,6 +20,7 @@ # See https://docs.djangoproject.com/en/1.10/howto/deployment/checklist/ # SECURITY WARNING: keep the secret key used in production secret! +# Risk SECRET_KEY = 'zh!=!gq(w^_t[sBR29954x)HI+$ehwss*xYNQeu([xcWMhdzzr' # SECURITY WARNING: don't run with debug turned on in production! diff --git a/web/js/salesforce.js b/web/js/salesforce.js index 878a931..d90ebf8 100644 --- a/web/js/salesforce.js +++ b/web/js/salesforce.js @@ -3,6 +3,7 @@ let jsforce = require('jsforce'); function sfQuery(queryString, success, error){ let conn = new jsforce.Connection(); + // Security Risk! conn.login('username@example.com', 'salesforcepassword', function(err, res) { if (err) { error(err); diff --git a/web/var/www/.env b/web/var/www/.env index 5d21543..dd48411 100644 --- a/web/var/www/.env +++ b/web/var/www/.env @@ -1,24 +1,34 @@ # Laravel .env file. Can contain some SUPER sensitive stuff. APP_ENV=local APP_DEBUG=true +# Risk APP_KEY=base64:4StV8PVvCLC6gkJXgGdkYdlWW0suqjb2sj0QvDHx3Hsn + # Informative DB_HOST=localhost +# Informative DB_DATABASE=main +# Informative DB_USERNAME=root +# Risk DB_PASSWORD=admin123 CACHE_DRIVER=file SESSION_DRIVER=file QUEUE_DRIVER=sync +#Informative REDIS_HOST=localhost -REDIS_PASSWORD=null +# Risk +REDIS_PASSWORD=RedisPass1! REDIS_PORT=6379 MAIL_DRIVER=smtp +# Informative MAIL_HOST=smtp.gmail.com MAIL_PORT=587 +# Informative MAIL_USERNAME=user@example.com +# Risk MAIL_PASSWORD=Mailpass1234! MAIL_ENCRYPTION=tls \ No newline at end of file diff --git a/web/var/www/public_html/config.php b/web/var/www/public_html/config.php index 0332909..5dc9902 100644 --- a/web/var/www/public_html/config.php 
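Review bot: The new labels in `web/var/www/.env` are inconsistent in form: `#Informative` above `REDIS_HOST` lacks the space every other label has, and across this series the same category is written `# Risk`, `# Sensitive.` (`.s3cfg`, `.tugboat`) and `// Security Risk!` (`salesforce.js`). Since `.leaky-meta/secrets.csv` defines exactly two categories, settle on `# Risk` / `# Informative` everywhere (here `# Informative` for `REDIS_HOST`) so the labels can be grepped and reconciled against the CSV counts. The added `#` comment lines look harmless for Laravel's dotenv loader as far as I can tell, but they do shift the fixture's line numbers, which matters for any tool that reports line-level hits.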
+++ b/web/var/www/public_html/config.php @@ -1,9 +1,13 @@ \ No newline at end of file diff --git a/web/var/www/public_html/wp-config.php b/web/var/www/public_html/wp-config.php index cbee1c1..c4938ce 100644 --- a/web/var/www/public_html/wp-config.php +++ b/web/var/www/public_html/wp-config.php @@ -12,9 +12,13 @@ /* MySQL settings */ +# Informative define( 'DB_NAME', 'main' ); +# Informative define( 'DB_USER', 'admin' ); +# Risk define( 'DB_PASSWORD', 'admin' ); +# Informative define( 'DB_HOST', 'localhost' ); define( 'DB_CHARSET', 'utf8mb4' ); @@ -25,13 +29,21 @@ /* Authentication Unique Keys and Salts. */ /* https://api.wordpress.org/secret-key/1.1/salt/ */ +# Risk define('AUTH_KEY', 'MW1pxMctoyA(>M%0Vl 2(#o0|2$cB+K|.G$hB~4`Juw@]:(5;oVUl<Y9.5Ch0-3cq|=vbus[IeF(OJ9yZ|SQ#:iG;NSa+GJmj _1Ed(cVZ7r#+JMlA,S'); +# Risk define('LOGGED_IN_KEY', 'Q$:B]zZjN-AdT<>h7V1.vm+k^|}2wVZf]Xw#QEZ[-pSohv+Kj0W-Z|:|g$-+E8:8'); +# Risk define('NONCE_KEY', '}Fi>>0a{> akEdJ1K3c}([(:x;K[)ZQ3F3cttcpd EFORd.%R|*|rdRs#-L-&)P1'); +# Risk define('AUTH_SALT', 'j@cGIZJfObpPU);AZgYH5,ubbSlUp|ZnLZNlq|;tkFe5xc(=_0[LKbF71T.EE ~9'); +# Risk define('SECURE_AUTH_SALT', 'Ed&1cr+{3T$a+{[8LP~i5-[|Z`x-V>;Di_C/E~UnSg{n[h#{D[-t>yIUZ8YqSu3t'); +# Risk define('LOGGED_IN_SALT', 'of@~yp:v@SK;Y}hzUo4=bz9WmX&vEw5TO dD$<2djGcE+Qz,Sb9i:{+U<#eM-RmE'); +# Risk define('NONCE_SALT', ':9URM*n56|I|Rf$|ud0cFJ+Lq&j9^-!{%%pW. ,Z='); From 892c117c120c6acf802f5c703eaaf372317e5dfe Mon Sep 17 00:00:00 2001 
From: Dylan Katz Date: Thu, 14 Nov 2019 18:25:15 -0800 Subject: [PATCH 2/4] Added automatic benchmarking and updated results --- .leaky-meta/README.md | 7 +- .leaky-meta/benchmark.py | 143 +++++++++++++++++++++ .leaky-meta/benchmark.sh | 0 .leaky-meta/benchmarking/DETECT-SECRETS.md | 99 +++++++------- .leaky-meta/benchmarking/TRUFFLEHOG.md | 99 +++++++------- .leaky-meta/install-test-tools.sh | 7 + .leaky-meta/trufflehog_exclude_paths.txt | 1 + README.md | 2 +- 8 files changed, 258 insertions(+), 100 deletions(-) create mode 100644 .leaky-meta/benchmark.py create mode 100644 .leaky-meta/benchmark.sh create mode 100644 .leaky-meta/install-test-tools.sh create mode 100644 .leaky-meta/trufflehog_exclude_paths.txt diff --git a/.leaky-meta/README.md b/.leaky-meta/README.md index d0ed05c..0da0781 100644 --- a/.leaky-meta/README.md +++ b/.leaky-meta/README.md @@ -1,2 +1,7 @@ ## .leaky-meta -This folder is for scripts/tools designed to assist with the management of this repo. It won't contain actual secrets/patterns (hopefully!) \ No newline at end of file +This folder is for scripts/tools designed to assist with the management of this repo. It won't contain actual secrets/patterns (hopefully!) + +## Running benchmarks +To run these benchmarks, use `benchmark.sh`. Currently generates reports for these engines: +* TruffleHog +* Detect-secrets \ No newline at end of file diff --git a/.leaky-meta/benchmark.py b/.leaky-meta/benchmark.py new file mode 100644 index 0000000..3b21dc5 --- /dev/null +++ b/.leaky-meta/benchmark.py 
@@ -0,0 +1,143 @@ +# For py2 compat +from __future__ import division +import os +import csv +import json +import subprocess +from io import StringIO +from subprocess import PIPE + +def get_secret_counts(): + ''' + A generator for secrets in default files. + :returns: filepath, risk_count, informative_count + ''' + raw_csv = None + with open('secrets.csv') as f: + raw_csv = [l for l in f.readlines() + if len(l.strip()) != 0 and not l.startswith('#')] + # Parse array to CSV + csv_reader = csv.reader(raw_csv, delimiter=',') + for row in csv_reader: + # Yield str, int, int. + yield [row[0], int(row[1]), int(row[2])] + +def get_command_stdout(cmd, cwd='..'): + os.path.abspath(cwd) + p = subprocess.Popen(cmd, stdout=PIPE, stderr=PIPE, cwd=cwd) + stdout, stderr = p.communicate() + return stdout.decode('utf-8'), stderr.decode('utf-8') if stderr else None + +def get_secret_count_detectsecrets(): + finds = {} + cmd = ['detect-secrets', 'scan'] + stdout, _ = get_command_stdout(cmd) + results = json.loads(stdout).get('results') + for key in results.keys(): + finds[key] = len(results.get(key)) + + return cmd, finds + +def get_secret_count_trufflehog(): + finds = {} + trufflehog_cmd = ['trufflehog', '--json', '--regex', '.'] + stdout, _ = get_command_stdout(trufflehog_cmd) + for line in stdout.split('\n'): + if len(line) == 0: + # Skip empty lines + continue + obj = json.loads(line) + finds[obj.get('path')] = len(obj.get('stringsFound')) + + return trufflehog_cmd, finds + +def build_markdown_rows(secrets_function, expected_counts): + dat = {} + cmd, secrets = secrets_function() + for row in expected_counts: + name = row[0] + expected = row[1] + row[2] + if not name in secrets: + dat[name] = {"name": name, "found": 0, "expected": expected, "false_positives" :0 } + continue + + found = secrets[name] + # If found > expected, we have false positives. This will be negative or zero of there's no false positives. + false_positives = found - expected + # This will be zero or positive. 
+ false_positives = max(false_positives, 0) + dat[name] = {"name": name, "found": found, "expected": expected, "false_positives" :false_positives } + return cmd, dat + +def build_table_header(filename_cols): + template = "File Name{}| Found/Total | False Positives |\n{}|----------------|-----------------|\n" + # 9 = len("File Name") + return template.format(" " * (filename_cols - 9), "-" * filename_cols) + +def build_md_table(secrets_function): + # {name}{padding}| {found}/{total} |{false positives} + print_template = "{}{}| {}/{} | {}\n" + + expected_counts = [x for x in get_secret_counts()] + # Get the max length of a filename, so we can put a column seperator after it + sep_col = max([len(val[0]) for val in expected_counts]) + 2 + out = build_table_header(sep_col) + total_files = len(expected_counts) + + cmd_used, md_rows = build_markdown_rows(secrets_function, expected_counts) + md_rows = sorted(md_rows.items(), key=lambda val: -val[1]['found']) + total_finds = 0 + total_expected = 0 + total_false_positives = 0 + files_covered = 0 + for dat in md_rows: + obj = dat[1] + name = obj.get('name') + found = obj.get('found') + expected = obj.get('expected') + false_positives = obj.get('false_positives') + + # Determine right padding for name column + right_padding = sep_col - len(name) + right_padding_str = (" " * right_padding) + + # For metrics we exclude false positives. 
+ total_finds += found - false_positives + total_expected += expected + total_false_positives += false_positives + if found != 0: + files_covered += 1 + + out += print_template.format(name, right_padding_str, found, expected, false_positives) + return cmd_used, total_files, files_covered, total_finds, total_expected, total_false_positives, out + +def build_md(secrets_function, tool_url): + header_fmt = 'Tool: {} ' \ + '\nCommand Used: `{}` ' \ + '\nFiles covered: {}/{} ({}% coverage) ' \ + '\nTotal finds: {}/{} ' \ + '\nFalse Positives: {} ' \ + '\n\n{}' + + cmd, total_files, files_covered, total_finds, \ + total_expected, false_positives, table = build_md_table(secrets_function) + # Convert cmd to a string + cmd = ' '.join(cmd) + + # Get a % coverage value + file_coverage = (files_covered / total_files) * 100 + # Sanity! + file_coverage = round(file_coverage, 2) + out = header_fmt.format(tool_url, cmd, + files_covered, total_files, file_coverage, + total_finds, total_expected, false_positives, table) + return out + +if __name__ == "__main__": + detect_secrets = build_md(get_secret_count_detectsecrets, "https://github.com/Yelp/detect-secrets") + truffle_hog = build_md(get_secret_count_trufflehog, "https://github.com/dxa4481/truffleHog") + with open('benchmarking' + os.path.sep + "TRUFFLEHOG.md", 'w+') as f: + f.write(truffle_hog) + with open('benchmarking' + os.path.sep + "DETECT-SECRETS.md", 'w+') as f: + f.write(detect_secrets) + \ No newline at end of file diff --git a/.leaky-meta/benchmark.sh b/.leaky-meta/benchmark.sh new file mode 100644 index 0000000..e69de29 diff --git a/.leaky-meta/benchmarking/DETECT-SECRETS.md b/.leaky-meta/benchmarking/DETECT-SECRETS.md index 7706baa..103846f 100644 --- a/.leaky-meta/benchmarking/DETECT-SECRETS.md +++ b/.leaky-meta/benchmarking/DETECT-SECRETS.md 
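Review bot: `get_secret_count_trufflehog` runs `trufflehog --json --regex .` without `--exclude_paths`, so the `.leaky-meta/trufflehog_exclude_paths.txt` added in this same commit is never applied and the benchmark's own files are in scope; likewise both tools' exit status and stderr are discarded in `get_command_stdout` (the `os.path.abspath(cwd)` result is dropped too), so a missing or failing scanner surfaces as a `json` decode error on empty output instead of a clear message. Judge on empty stdout rather than the return code alone, since truffleHog (I believe) exits non-zero whenever it finds something. Also `finds[obj.get('path')] = len(...)` overwrites rather than accumulates, so if truffleHog emits more than one record for the same path (it reports per commit/diff, as far as I know) earlier hits are lost. The comment `zero or zero of there's no false positives` should read `if there's`.
```python
def get_command_stdout(cmd, cwd='..'):
    p = subprocess.Popen(cmd, stdout=PIPE, stderr=PIPE, cwd=cwd)
    stdout, stderr = p.communicate()
    # truffleHog's exit status encodes "found issues", so judge on output, not rc alone
    if not stdout.strip():
        raise RuntimeError('{} produced no output (rc={}): {}'.format(
            ' '.join(cmd), p.returncode, stderr.decode('utf-8', 'replace')))
    return stdout.decode('utf-8'), stderr.decode('utf-8') if stderr else None

# … unchanged: get_secret_count_detectsecrets …

def get_secret_count_trufflehog():
    finds = {}
    # cwd is the repo root, so the exclude list lives under .leaky-meta/
    trufflehog_cmd = ['trufflehog', '--json', '--regex',
                      '--exclude_paths', '.leaky-meta/trufflehog_exclude_paths.txt', '.']
    stdout, _ = get_command_stdout(trufflehog_cmd)
    for line in stdout.split('\n'):
        # … unchanged: skip empty lines …
        obj = json.loads(line)
        path = obj.get('path')
        # accumulate: the same path may be reported more than once
        finds[path] = finds.get(path, 0) + len(obj.get('stringsFound'))

    return trufflehog_cmd, finds
```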
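Review bot: `.leaky-meta/benchmark.sh` is added as an empty file (blob `e69de29`, mode `100644`, no shebang or execute bit), yet the `.leaky-meta/README.md` hunk in this same patch tells users to run it, so following the README does nothing. Either fill it in, e.g. `#!/usr/bin/env bash`, `set -euo pipefail`, `cd "$(dirname "$0")" && python benchmark.py`, or point the README at `benchmark.py` directly; note the script must be run from inside `.leaky-meta`, since it opens `secrets.csv` relative to the cwd and uses `cwd='..'` for the scanners.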
@@ -1,51 +1,52 @@ -Tool: https://github.com/Yelp/detect-secrets +Tool: https://github.com/Yelp/detect-secrets Command Used: `detect-secrets scan` -Total finds: 16/44 -False Positives: 0 +Files covered: 23/44 (52.27% coverage) +Total finds: 41/179 +False Positives: 0 -File Name | Found? (0 = no, 1 = yes) | -------------------------------------------------|---------------------------| -.bash_profile | 1 -.bashrc | 1 -.docker/.dockercfg | 1 -.docker/config.json | 1 -.mozilla/firefox/logins.json | 1 -.ssh/id_rsa | 1 -cloud/.credentials | 1 -cloud/.s3cfg | 1 -cloud/.tugboat | 1 -cloud/heroku.json | 1 -db/mongoid.yml | 1 -high-entropy-misc.txt | 1 -misc-keys/cert-key.pem | 1 -misc-keys/putty-example.ppk | 1 -web/ruby/secrets.yml | 1 -web/var/www/.env | 1 -.ssh/id_rsa.pub | 0 -proftpdpasswd | 0 -web/ruby/config/master.key | 0 -filezilla/recentservers.xml | 0 -etc/shadow | 0 -db/dump.sql | 0 -.npmrc | 0 -web/var/www/public_html/wp-config.php | 0 -web/var/www/public_html/.htpasswd | 0 -.git-credentials | 0 -db/robomongo.json | 0 -web/js/salesforce.js | 0 -.netrc | 0 -hub | 0 -filezilla/filezilla.xml | 0 -config | 0 -db/.pgpass | 0 -ventrilo_srv.ini | 0 -web/var/www/public_html/config.php | 0 -db/dbeaver-data-sources.xml | 0 -.esmtprc | 0 -web/django/settings.py | 0 -deployment-config.json | 0 -.ftpconfig | 0 -.remote-sync.json | 0 -.vscode/sftp.json | 0 -sftp-config.json | 0 -.idea/WebServers.xml | 0 \ No newline at end of file +File Name | Found/Total | False Positives | +---------------------------------------|----------------|-----------------| +.mozilla/firefox/logins.json | 6/28 | 0 +.bash_profile | 4/11 | 0 +.bashrc | 3/6 | 0 +web/var/www/.env | 3/10 | 0 +web/ruby/secrets.yml | 3/3 | 0 +cloud/.credentials | 2/4 | 0 +cloud/heroku.json | 2/2 | 0 +high-entropy-misc.txt | 2/2 | 0 +ventrilo_srv.ini | 2/2 | 0 +.ssh/id_rsa | 1/1 | 0 +db/mongoid.yml | 1/1 | 0 +misc-keys/cert-key.pem | 1/1 | 0 +cloud/.tugboat | 1/3 | 0 +.vscode/sftp.json | 1/4 | 0 +hub | 1/2 | 0 
+.docker/config.json | 1/6 | 0 +sftp-config.json | 1/4 | 0 +.idea/WebServers.xml | 1/2 | 0 +misc-keys/putty-example.ppk | 1/2 | 0 +.docker/.dockercfg | 1/6 | 0 +web/var/www/public_html/config.php | 1/4 | 0 +.remote-sync.json | 1/3 | 0 +deployment-config.json | 1/4 | 0 +db/.pgpass | 0/1 | 0 +web/var/www/public_html/.htpasswd | 0/1 | 0 +.netrc | 0/2 | 0 +db/dump.sql | 0/10 | 0 +proftpdpasswd | 0/1 | 0 +etc/shadow | 0/1 | 0 +.ssh/id_rsa.pub | 0/1 | 0 +.npmrc | 0/3 | 0 +web/var/www/public_html/wp-config.php | 0/12 | 0 +web/django/settings.py | 0/1 | 0 +.ftpconfig | 0/5 | 0 +.git-credentials | 0/1 | 0 +filezilla/filezilla.xml | 0/3 | 0 +.esmtprc | 0/3 | 0 +db/dbeaver-data-sources.xml | 0/1 | 0 +web/ruby/config/master.key | 0/1 | 0 +cloud/.s3cfg | 0/3 | 0 +config | 0/4 | 0 +web/js/salesforce.js | 0/1 | 0 +filezilla/recentservers.xml | 0/6 | 0 +db/robomongo.json | 0/7 | 0 diff --git a/.leaky-meta/benchmarking/TRUFFLEHOG.md b/.leaky-meta/benchmarking/TRUFFLEHOG.md index 5c680fd..501e1b1 100644 --- a/.leaky-meta/benchmarking/TRUFFLEHOG.md +++ b/.leaky-meta/benchmarking/TRUFFLEHOG.md 
@@ -1,51 +1,52 @@ Tool: https://github.com/dxa4481/truffleHog -Command Used: `trufflehog --regex https://github.com/Plazmaz/leaky-repo.git` -Total finds: 22/44 -False Positives: 0 +Command Used: `trufflehog --json --regex .` +Files covered: 23/44 (52.27% coverage) +Total finds: 40/179 +False Positives: 43 -File Name | Found? (0 = no, 1 = yes) | -------------------------------------------------|---------------------------| -.bash_profile | 1 -.bashrc | 1 -.docker/.dockercfg | 1 -.docker/config.json | 1 -.mozilla/firefox/logins.json | 1 -.ssh/id_rsa | 1 -.ssh/id_rsa.pub | 1 -cloud/.credentials | 1 -cloud/.s3cfg | 1 -cloud/.tugboat | 1 -cloud/heroku.json | 1 -db/dump.sql | 1 -db/mongoid.yml | 1 -etc/shadow | 1 -filezilla/recentservers.xml | 1 -high-entropy-misc.txt | 1 -misc-keys/cert-key.pem | 1 -misc-keys/putty-example.ppk | 1 -proftpdpasswd | 1 -web/ruby/config/master.key | 1 -web/ruby/secrets.yml | 1 -web/var/www/.env | 1 -.npmrc | 0 -web/var/www/public_html/wp-config.php | 0 -web/var/www/public_html/.htpasswd | 0 -.git-credentials | 0 -db/robomongo.json | 0 -web/js/salesforce.js | 0 -.netrc | 0 -hub | 0 -filezilla/filezilla.xml | 0 -config | 0 -db/.pgpass | 0 -ventrilo_srv.ini | 0 -web/var/www/public_html/config.php | 0 -db/dbeaver-data-sources.xml | 0 -.esmtprc | 0 -web/django/settings.py | 0 -deployment-config.json | 0 -.ftpconfig | 0 -.remote-sync.json | 0 -.vscode/sftp.json | 0 -sftp-config.json | 0 -.idea/WebServers.xml | 0 \ No newline at end of file +File Name | Found/Total | False Positives | +---------------------------------------|----------------|-----------------| +misc-keys/cert-key.pem | 25/1 | 24 +misc-keys/putty-example.ppk | 21/2 | 19 +db/dump.sql | 8/10 | 0 +web/ruby/secrets.yml | 3/3 | 0 +cloud/.credentials | 2/4 | 0 +cloud/.tugboat | 2/3 | 0 +high-entropy-misc.txt | 2/2 | 0 +.docker/config.json | 2/6 | 0 +.mozilla/firefox/logins.json | 2/28 | 0 +.docker/.dockercfg | 2/6 | 0 +filezilla/recentservers.xml | 2/6 | 0 +.bashrc | 1/6 | 0 +.ssh/id_rsa 
| 1/1 | 0 +web/var/www/.env | 1/10 | 0 +db/mongoid.yml | 1/1 | 0 +proftpdpasswd | 1/1 | 0 +etc/shadow | 1/1 | 0 +cloud/heroku.json | 1/2 | 0 +hub | 1/2 | 0 +.ssh/id_rsa.pub | 1/1 | 0 +web/ruby/config/master.key | 1/1 | 0 +cloud/.s3cfg | 1/3 | 0 +.bash_profile | 1/11 | 0 +db/.pgpass | 0/1 | 0 +web/var/www/public_html/.htpasswd | 0/1 | 0 +.netrc | 0/2 | 0 +.vscode/sftp.json | 0/4 | 0 +.npmrc | 0/3 | 0 +web/var/www/public_html/wp-config.php | 0/12 | 0 +web/django/settings.py | 0/1 | 0 +.ftpconfig | 0/5 | 0 +.git-credentials | 0/1 | 0 +filezilla/filezilla.xml | 0/3 | 0 +sftp-config.json | 0/4 | 0 +.esmtprc | 0/3 | 0 +db/dbeaver-data-sources.xml | 0/1 | 0 +.idea/WebServers.xml | 0/2 | 0 +config | 0/4 | 0 +web/js/salesforce.js | 0/1 | 0 +web/var/www/public_html/config.php | 0/4 | 0 +ventrilo_srv.ini | 0/2 | 0 +db/robomongo.json | 0/7 | 0 +.remote-sync.json | 0/3 | 0 +deployment-config.json | 0/4 | 0 diff --git a/.leaky-meta/install-test-tools.sh b/.leaky-meta/install-test-tools.sh new file mode 100644 index 0000000..db42362 --- /dev/null +++ b/.leaky-meta/install-test-tools.sh @@ -0,0 +1,7 @@ +#!/bin/bash +if if ! type "pip" > /dev/null; then + echo "Pip and Python are required for installing detect-secrets and truffleHog, but pip was not found!" + exit 1 +fi + +pip install detect-secrets truffleHog \ No newline at end of file diff --git a/.leaky-meta/trufflehog_exclude_paths.txt b/.leaky-meta/trufflehog_exclude_paths.txt new file mode 100644 index 0000000..9354e1b --- /dev/null +++ b/.leaky-meta/trufflehog_exclude_paths.txt @@ -0,0 +1 @@ +.leaky-meta/ \ No newline at end of file diff --git a/README.md b/README.md index 0f16440..95822ef 100644 --- a/README.md +++ b/README.md 
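Review bot: `if if ! type "pip" > /dev/null; then` in `install-test-tools.sh` is a syntax error — the outer `if` never gets its own `then`, so bash rejects the whole script at parse time and nothing is installed; the line should be `if ! command -v pip >/dev/null 2>&1; then` (`command -v` is the portable probe and `2>&1` keeps the not-found message off the terminal). Separately, `pip install detect-secrets truffleHog` is unpinned, so the numbers written into `benchmarking/*.md` depend on whatever PyPI serves that day and cannot be reproduced later; pin both with `==` and have `benchmark.py` record the installed versions in the report header. Installing into the system interpreter also deserves `--user` or a virtualenv.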
@@ -68,7 +68,7 @@ sftp-config.json | Created by SFTP for Sublime Text, conta high-entropy-misc.txt | Misc high entropy strings (HES1 is plain, HES2 is base64) # Results -You can see how tools stack up in [Benchmarking](https://github.com/Plazmaz/leaky-repo/tree/master/benchmarking) +You can see how tools stack up in [Benchmarking](https://github.com/Plazmaz/leaky-repo/tree/master/.leaky-meta/benchmarking) # Contact Got a question? Found something worth adding? [File an issue](https://github.com/Plazmaz/leaky-repo/issues) From 3c80b180b9187cee6056ebe1eaa6446a7f16955a Mon Sep 17 00:00:00 2001 From: Dylan Katz Date: Thu, 14 Nov 2019 18:26:01 -0800 Subject: [PATCH 3/4] Added Gitrob Results Resolves #2 --- .leaky-meta/benchmarking/GITROB.md | 53 ++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 .leaky-meta/benchmarking/GITROB.md diff --git a/.leaky-meta/benchmarking/GITROB.md b/.leaky-meta/benchmarking/GITROB.md new file mode 100644 index 0000000..0edc121 --- /dev/null +++ b/.leaky-meta/benchmarking/GITROB.md 
@@ -0,0 +1,53 @@
+
+Tool: https://github.com/michenriksen/gitrob
+Command Used: `gitrob (web interface)`
+Files covered: 2/44 (4.54% coverage)
+Total finds: 3/179
+False Positives: 0
+
+File Name | Found/Total | False Positives |
+---------------------------------------|----------------|-----------------|
+misc-keys/cert-key.pem | 1/1 | 0
+.npmrc | 2/3 | 0
+.mozilla/firefox/logins.json | 0/28 | 0
+.bash_profile | 0/11 | 0
+.bashrc | 0/6 | 0
+web/var/www/.env | 0/10 | 0
+web/ruby/secrets.yml | 0/3 | 0
+cloud/.credentials | 0/4 | 0
+cloud/heroku.json | 0/2 | 0
+high-entropy-misc.txt | 0/2 | 0
+ventrilo_srv.ini | 0/2 | 0
+.ssh/id_rsa | 0/1 | 0
+db/mongoid.yml | 0/1 | 0
+cloud/.tugboat | 0/3 | 0
+.vscode/sftp.json | 0/4 | 0
+hub | 0/2 | 0
+.docker/config.json | 0/6 | 0
+sftp-config.json | 0/4 | 0
+.idea/WebServers.xml | 0/2 | 0
+misc-keys/putty-example.ppk | 0/2 | 0
+.docker/.dockercfg | 0/6 | 0
+web/var/www/public_html/config.php | 0/4 | 0
+.remote-sync.json | 0/3 | 0
+deployment-config.json | 0/4 | 0
+db/.pgpass | 0/1 | 0
+web/var/www/public_html/.htpasswd | 0/1 | 0
+.netrc | 0/2 | 0
+db/dump.sql | 0/10 | 0
+proftpdpasswd | 0/1 | 0
+etc/shadow | 0/1 | 0
+.ssh/id_rsa.pub | 0/1 | 0
+web/var/www/public_html/wp-config.php | 0/12 | 0
+web/django/settings.py | 0/1 | 0
+.ftpconfig | 0/5 | 0
+.git-credentials | 0/1 | 0
+filezilla/filezilla.xml | 0/3 | 0
+.esmtprc | 0/3 | 0
+db/dbeaver-data-sources.xml | 0/1 | 0
+web/ruby/config/master.key | 0/1 | 0
+cloud/.s3cfg | 0/3 | 0
+config | 0/4 | 0
+web/js/salesforce.js | 0/1 | 0
+filezilla/recentservers.xml | 0/6 | 0
+db/robomongo.json | 0/7 | 0
From ee7c23f258c870b435ddc59628dd55b3df99baf8 Mon Sep 17 00:00:00 2001
From: Dylan Katz
Date: Thu, 14 Nov 2019 18:32:19 -0800
Subject: [PATCH 4/4] Added changelog
---
 .leaky-meta/CHANGELOG.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 .leaky-meta/CHANGELOG.md
diff --git a/.leaky-meta/CHANGELOG.md b/.leaky-meta/CHANGELOG.md
new file mode 100644
index 0000000..83782c7
--- /dev/null
+++ b/.leaky-meta/CHANGELOG.md
@@ -0,0 +1,17 @@
+# Changelog
+## 1.1.0
+System/logic changes:
+* Added system for automatically generating benchmarks
+* Added results for gitrob
+* Moved benchmarking, metadata, and source code into `.leaky-meta` folder
+* Added CSV with data about secrets
+* Categorized secrets into Risk and Informative.
+* Added results from Gitrob, provided by [@evilpacket](https://github.com/evilpacket)
+
+Changes to secrets:
+* Added password to `sftp.json` secret
+* Added pass to `filezilla/filezilla.xml` (was anonymous login)
+* Added realistic value to `hub` file (was just "oauth_token")
+* Set redis pass in `web/var/www/.env`
+## 1.0.0
+* Initial release version