apicheck icon indicating copy to clipboard operation
apicheck copied to clipboard

Published 20 hours ago verified publisher icon BBVA

-r and --rules-file options for sensitive-data detector are not accepting correctly the custom rule file

Open Brain2life opened this issue 3 years ago • 3 comments

Issue: When trying to pass the custom ruleset to sensitive-data detector with either -r or --rules-file options it throws an error: [!!] 'list' object has no attribute 'update'

Reproduce error:

  1. Passed the following command:
    acurl https://mockbin.org/bin/60dfe0f7-8f4e-4063-a940-7162d1ec3cc1 | sensitive-data -r rules.yaml
  2. Mockbin with password header set at: https://mockbin.org/bin/60dfe0f7-8f4e-4063-a940-7162d1ec3cc1/view#apiembed
  3. Custom rule set (was taken from core): - id: core-001 description: Find 'password' keyword in flow data regex: '([pP][aA][sS][sS][wW][oO][rR][dD])' severity: Medium # Allowed values: Low, Medium, High searchIn: All # Allowed values: Response, Request, Headers, All
  4. File name is rules.yaml

Notes: Found that function load hardcoded 'rules.yaml' file name at: https://github.com/BBVA/apicheck/blob/master/tools/sensitive-data/sensitive_data/main.py#L79

Maybe that is the reason for error?

Tried to change the rule filename and id name in rule file. Result is same.

Brain2life avatar Aug 29 '21 10:08 Brain2life

Hi, can you share your rules.yaml ?

CesarGallego avatar Sep 09 '21 12:09 CesarGallego

Hi @CesarGallego. So I've rechecked it again. I used the following steps:

  1. For testing purposes I created mockbin https://mockbin.org/bin/411b4709-7021-4e09-993e-2adc3de2ed2f/view where I specified two custom headers: myHeader:password and username:admin. These headers are sent back in the response header to the client.
  2. I use custom rule file named "rules.yaml"
  3. In rules.yaml I use the following code: - id: rule-001 description: Find 'admin' keyword in flow data regex: 'admin' severity: Medium # Allowed values: Low, Medium, High searchIn: All # Allowed values: Response, Request, Headers, All As you can see I'm trying to test custom rule by finding admin keyword in response data.
  4. After running the following command: - acurl https://mockbin.org/bin/411b4709-7021-4e09-993e-2adc3de2ed2f | sensitive-data -r rules.yaml I got the following error: [!!] 'list' object has no attribute 'update'

I'm using this tool in Gitlab pipelines. Find details in the image below.

error

Thank you.

Brain2life avatar Sep 19 '21 11:09 Brain2life

Hi Brain all fields on rule are mandatory. You need al least the following on your rule:

  • id: rule-001 description: "Find 'admin' keyword in flow data" severity: 'Medium' searchIn: 'All' regex: 'admin'

There is also a little bug, will be updated on main tools ASAP.

Thanks for your help.

CesarGallego avatar Sep 20 '21 11:09 CesarGallego