
"Password in URL" regex ignores matches where username is longer than 20 characters OR password is longer than 20 characters OR url is longer than 100 characters

Open nkaraliova-godaddy opened this issue 2 years ago • 0 comments

🐛 Bug Report

While migrating repositories to GHEC, I encountered examples where tartufo scan missed credentials that should have been reported as the "Password in URL" issue type. Upon closer examination, it appears that the "Password in URL" regex is currently failing to report matches where the username string length exceeds 20 characters OR the password string length exceeds 20 characters OR the url string length exceeds 100 characters.

To Reproduce

To test, add one of the following examples to the test repo and run tartufo scan against it.

Examples:

- https://usernamewithmorethan20chars:[email protected]/
- https://user:[email protected]/
- https://user:[email protected]/that/exceeds/100/characters/in/length/

Expected Behavior

The examples above should be reported in Tartufo scan results as the following issue type:

Reason: Regular Expression Match
Detail: Password in URL

Code Example

The faulty regex is defined here: https://github.com/godaddy/tartufo/blob/main/tartufo/data/default_regexes.json#L29

Environment

Tested with tartufo version 3.1.2

Suggested fix: #376

nkaraliova-godaddy, Aug 04 '22 22:08
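The failure mode in the report, as an added example that is not part of the issue or of tartufo's own code: a "Password in URL" pattern with bounded quantifiers of the kind the report describes (constructed here as an assumption, not copied from default_regexes.json) is run beside an unbounded variant over constructed sample lines with fake credentials, and a small helper lists the length bounds in a pattern so a reviewer can audit a ruleset for the same class of gap.

```python
import re

# Assumed pattern shape (constructed, not tartufo's actual regex): scheme 3-10
# letters, username and password 3-20 chars each, rest of the URL 1-100 chars,
# followed by whitespace or end of line.
BOUNDED = re.compile(
    r"[a-zA-Z]{3,10}://[^/\s:@]{3,20}:[^/\s:@]{3,20}@\S{1,100}(?=\s|$)"
)

# Same structure with the length bounds removed. Unbounded quantifiers close
# the gap for long usernames, passwords and paths, at the cost of more
# candidates to review downstream (more false positives).
RELAXED = re.compile(r"[a-zA-Z]{3,10}://[^/\s:@]+:[^/\s:@]+@\S+")

# Constructed sample lines with fake credentials; none are real secrets.
SAMPLES = {
    "short": "DB_URL=https://alice:s3cret@db.example.test/app",
    "long_user": "https://usernamewithmorethan20chars:s3cret@db.example.test/",
    "long_pass": "https://alice:" + "p" * 25 + "@db.example.test/",
    "long_path": "https://alice:s3cret@db.example.test/" + "x" * 110,
}


def compare(samples=SAMPLES):
    """Return {name: (bounded_hit, relaxed_hit)} for each sample line."""
    return {
        name: (bool(BOUNDED.search(line)), bool(RELAXED.search(line)))
        for name, line in samples.items()
    }


def missed_by_bounded(samples=SAMPLES):
    """Names of samples the relaxed pattern catches but the bounded one misses."""
    return sorted(n for n, (b, r) in compare(samples).items() if r and not b)


def length_bounds(pattern):
    """List the {min,max} quantifiers in a regex source string for auditing."""
    return [(int(lo), int(hi)) for lo, hi in re.findall(r"\{(\d+),(\d+)\}", pattern)]


if __name__ == "__main__":
    for name, (b, r) in compare().items():
        print(f"{name:10} bounded={b!s:5} relaxed={r}")
    print("missed by bounded:", missed_by_bounded())
    print("bounds in BOUNDED:", length_bounds(BOUNDED.pattern))
```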