DB2 Verification (Yelp#196)

* DB2 Verification

Supports git-defenders/detect-secrets-discuss#190

* Tests

* Fixing tests...

* Fixing tests

* Fix db2 on mac

* Fixing tests

* Consistent formatting

* Fix tests

* No more pypy

* comments in makefile

* Added ibm_db to setup.py

* Requires gcc

* Don't purge until after easy_install

* Don't delete gcc

Author: justineyster

.travis.yml

@@ -33,8 +33,8 @@ matrix:
         - env: TOXENV=py37
           python: 3.7
           dist: xenial  # required for Python >= 3.7 (travis-ci/travis-ci#9069)
-        - env: TOXENV=pypy
-          python: pypy
+        # - env: TOXENV=pypy
+        #   python: pypy
 install:
     - pip install tox
 script: make test && docker build -t $DOCKER_IMAGE:$DOCKER_IMAGE_TAG --no-cache .

Dockerfile

@@ -4,6 +4,8 @@ RUN apk add --no-cache jq git curl bash openssl
 RUN mkdir -p /code
 COPY . /usr/src/app
 WORKDIR /usr/src/app
+RUN apk add --no-cache --virtual .build-deps gcc musl-dev
+RUN pip install cython
 RUN easy_install /usr/src/app
 WORKDIR /code
 ENTRYPOINT [ "/usr/src/app/run-scan.sh" ]

Makefile

@@ -1,3 +1,5 @@
+PROJECT_DIR := $(shell pwd)
+
 .PHONY: minimal
 minimal: setup
 
@@ -22,3 +24,13 @@ clean:
 super-clean: clean
 	rm -rf .tox
 	rm -rf venv
+
+.PHONY: fix-db2-mac
+fix-db2-mac:
+	# comment out lines for any interpreters that aren't installed on your machine
+	install_name_tool -change libdb2.dylib $(PROJECT_DIR)/.tox/py27/lib/python2.7/site-packages/clidriver/lib/libdb2.dylib $(PROJECT_DIR)/.tox/py27/lib/python2.7/site-packages/ibm_db.so
+	install_name_tool -change libbd2.dylib $(PROJECT_DIR)/.tox/py35/lib/python3.5/site-packages/clidriver/lib/libdb2.dylib $(PROJECT_DIR)/.tox/py35/lib/python3.5/site-packages/ibm_db.cpython-35m-darwin.so
+	install_name_tool -change libbd2.dylib $(PROJECT_DIR)/.tox/py36/lib/python3.6/site-packages/clidriver/lib/libdb2.dylib $(PROJECT_DIR)/.tox/py36/lib/python3.6/site-packages/ibm_db.cpython-36m-darwin.so
+	install_name_tool -change libdb2.dylib $(PROJECT_DIR)/.tox/py37/lib/python3.7/site-packages/clidriver/lib/libdb2.dylib $(PROJECT_DIR)/.tox/py37/lib/python3.7/site-packages/ibm_db.cpython-37m-darwin.so
+	install_name_tool -change libdb2.dylib $(PROJECT_DIR)/.tox/pypy/site-packages/clidriver/lib/libdb2.dylib $(PROJECT_DIR)/.tox/pypy/site-packages/ibm_db.pypy-41.so
+	install_name_tool -change libdb2.dylib $(PROJECT_DIR)/.tox/pypy3/site-packages/clidriver/lib/libdb2.dylib $(PROJECT_DIR)/.tox/pypy3/site-packages/ibm_db.pypy3-71-darwin.so

detect_secrets/plugins/db2.py

@@ -1,6 +1,11 @@
+from __future__ import absolute_import
+
 import re
 
+import ibm_db
+
 from .base import RegexBasedDetector
+from detect_secrets.core.constants import VerifiedResult
 
 
 class DB2Detector(RegexBasedDetector):
@@ -30,3 +35,99 @@ class DB2Detector(RegexBasedDetector):
             ), flags=re.IGNORECASE,
         ),
     )
+
+    username_keyword_regex = r'(?:user|user(?:_|-|)name|uid|user(?:_|-|)id)'
+    username_regex = r'([a-zA-Z0-9_]+)'
+
+    database_keyword_regex = r'(?:database|db|database(?:_|-|)name|db(?:_|-|)name)'
+    database_regex = r'([a-zA-Z0-9_-]+)'
+
+    port_keyword_regex = r'(?:port|port(?:_|-|)number)'
+    port_regex = r'([0-9]{1,5})'
+
+    hostname_keyword_regex = (
+        r'(?:host|host(?:_|-|)name|host(?:_|-|)address|'
+        r'host(?:_|-|)ip|host(?:_|-|)ip(?:_|-|)address)'
+    )
+    hostname_regex = (
+        r'((?:(?:[a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)'
+        r'*(?:.\[A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]))'
+    )
+
+    def verify(self, token, content, potential_secret=None):
+
+        username_matches = get_other_factor(
+            content, self.username_keyword_regex,
+            self.username_regex,
+        )
+        database_matches = get_other_factor(
+            content, self.database_keyword_regex,
+            self.database_regex,
+        )
+        port_matches = get_other_factor(
+            content, self.port_keyword_regex,
+            self.port_regex,
+        )
+        hostname_matches = get_other_factor(
+            content, self.hostname_keyword_regex,
+            self.hostname_regex,
+        )
+
+        if not username_matches or not database_matches or not port_matches or not hostname_matches:
+            return VerifiedResult.UNVERIFIED
+
+        for username in username_matches:  # pragma: no cover
+            for database in database_matches:  # pragma: no cover
+                for port in port_matches:  # pragma: no cover
+                    for hostname in hostname_matches:  # pragma: no cover
+                        try:
+                            conn_str = 'database={database};hostname={hostname};port={port};' + \
+                                       'protocol=tcpip;uid={username};pwd={token}'
+                            conn_str = conn_str.format(
+                                database=database,
+                                hostname=hostname,
+                                port=port,
+                                username=username,
+                                token=token,
+                            )
+                            ibm_db_conn = ibm_db.connect(conn_str, '', '')
+                            if ibm_db_conn:
+                                potential_secret.other_factors['database'] = database
+                                potential_secret.other_factors['hostname'] = hostname
+                                potential_secret.other_factors['port'] = port
+                                potential_secret.other_factors['username'] = username
+                                return VerifiedResult.VERIFIED_TRUE
+                            else:
+                                return VerifiedResult.VERIFIED_FALSE
+                        except Exception:
+                            return VerifiedResult.UNVERIFIED
+
+        return VerifiedResult.VERIFIED_FALSE
+
+
+def get_other_factor(content, factor_keyword_regex, factor_regex):
+    begin = r'(?:(?<=\W)|(?<=^))'
+    opt_quote = r'(?:"|\'|)'
+    opt_db = r'(?:db2|dashdb|db|)'
+    opt_dash_undrscr = r'(?:_|-|)'
+    opt_space = r'(?: *)'
+    assignment = r'(?:=|:|:=|=>|::)'
+    regex = re.compile(
+        r'{begin}{opt_quote}{opt_db}{opt_dash_undrscr}{factor_keyword}{opt_quote}{opt_space}'
+        '{assignment}{opt_space}{opt_quote}{factor}{opt_quote}'.format(
+            begin=begin,
+            opt_quote=opt_quote,
+            opt_db=opt_db,
+            opt_dash_undrscr=opt_dash_undrscr,
+            factor_keyword=factor_keyword_regex,
+            opt_space=opt_space,
+            assignment=assignment,
+            factor=factor_regex,
+        ), flags=re.IGNORECASE,
+    )
+
+    return [
+        match
+        for line in content.splitlines()
+        for match in regex.findall(line)
+    ]

requirements-dev.txt

@@ -10,3 +10,4 @@ tox-pip-extensions
 tox>=3.8
 unidiff
 responses
+ibm_db

setup.py

@@ -18,6 +18,7 @@
     install_requires=[
         'pyyaml',
         'requests',
+        'ibm_db',
     ],
     extras_require={
         ':python_version=="2.7"': [

tests/plugins/common/db2_test.py

@@ -0,0 +1,161 @@
+from __future__ import absolute_import
+
+import textwrap
+
+import pytest
+from mock import MagicMock
+from mock import patch
+
+from detect_secrets.core.constants import VerifiedResult
+from detect_secrets.core.potential_secret import PotentialSecret
+from detect_secrets.plugins.db2 import DB2Detector
+from detect_secrets.plugins.db2 import get_other_factor
+
+
+DB2_USER = 'fake_user'
+DB2_PASSWORD = 'fake_password'
+DB2_PORT = '1234'
+DB2_HOSTNAME = 'fake.host.name'
+DB2_DATABASE = 'fake_database'
+DB2_CONN_STRING = 'database={DB2_DATABASE};hostname={DB2_HOSTNAME};port={DB2_PORT};' + \
+                  'protocol=tcpip;uid={DB2_USER};pwd={DB2_PASSWORD}'
+DB2_CONN_STRING = DB2_CONN_STRING.format(
+    DB2_DATABASE=DB2_DATABASE,
+    DB2_HOSTNAME=DB2_HOSTNAME,
+    DB2_PORT=DB2_PORT,
+    DB2_USER=DB2_USER,
+    DB2_PASSWORD=DB2_PASSWORD,
+)
+
+
+class TestGHDetector(object):
+
+    @pytest.mark.parametrize(
+        'payload, should_flag',
+        [
+            (
+                'database=test;hostname=host.test.com;'
+                'port=1;protocol=tcpip;uid=testid;pwd=secret', True,
+            ),
+            ('dbpwd=$omespeci@!ch@r$', True),
+            ('db2_password = "astring"', True),
+            ('"password": "Iusedb2!"', True),
+            ('password =    "ilikespaces"', True),
+            ('pwd::anothersyntax!', True),
+            ('DB2_PASSWORD = "@#!%#"', True),
+            ('dashdb-password = "pass"', True),
+            ('dashdb_host = notapassword', False),
+            ('someotherpassword = "doesnt start right"', False),
+        ],
+    )
+    def test_analyze_string(self, payload, should_flag):
+        logic = DB2Detector()
+
+        output = logic.analyze_string(payload, 1, 'mock_filename')
+        assert len(output) == int(should_flag)
+
+    @patch('detect_secrets.plugins.db2.ibm_db.connect')
+    def test_verify_invalid_secret(self, mock_db2_connect):
+        mock_db2_connect.return_value = None
+
+        potential_secret = PotentialSecret('test db2', 'test filename', DB2_PASSWORD)
+        assert DB2Detector().verify(
+            DB2_PASSWORD,
+            '''user={},
+               password={},
+               database={},
+               host={},
+               port={}'''.format(DB2_USER, DB2_PASSWORD, DB2_DATABASE, DB2_HOSTNAME, DB2_PORT),
+            potential_secret,
+        ) == VerifiedResult.VERIFIED_FALSE
+
+        mock_db2_connect.assert_called_with(DB2_CONN_STRING, '', '')
+
+    @patch('detect_secrets.plugins.db2.ibm_db.connect')
+    def test_verify_valid_secret(self, mock_db2_connect):
+        mock_db2_connect.return_value = MagicMock()
+
+        potential_secret = PotentialSecret('test db2', 'test filename', DB2_PASSWORD)
+        assert DB2Detector().verify(
+            DB2_PASSWORD,
+            '''user={},
+               password={},
+               database={},
+               host={},
+               port={}'''.format(DB2_USER, DB2_PASSWORD, DB2_DATABASE, DB2_HOSTNAME, DB2_PORT),
+            potential_secret,
+        ) == VerifiedResult.VERIFIED_TRUE
+
+        mock_db2_connect.assert_called_with(DB2_CONN_STRING, '', '')
+
+    @patch('detect_secrets.plugins.db2.ibm_db.connect')
+    def test_verify_unverified_secret(self, mock_db2_connect):
+        mock_db2_connect.side_effect = Exception('oops')
+
+        potential_secret = PotentialSecret('test db2', 'test filename', DB2_PASSWORD)
+        assert DB2Detector().verify(
+            DB2_PASSWORD,
+            '''user={},
+               password={},
+               database={},
+               host={},
+               port={}'''.format(DB2_USER, DB2_PASSWORD, DB2_DATABASE, DB2_HOSTNAME, DB2_PORT),
+            potential_secret,
+        ) == VerifiedResult.UNVERIFIED
+
+        mock_db2_connect.assert_called_with(DB2_CONN_STRING, '', '')
+
+    def test_verify_no_other_factors(self):
+        assert DB2Detector().verify(
+            DB2_PASSWORD,
+            'password={}'.format(DB2_PASSWORD),
+        ) == VerifiedResult.UNVERIFIED
+
+
+@pytest.mark.parametrize(
+    'content, factor_keyword_regex, factor_regex, expected_output',
+    (
+        (
+            textwrap.dedent("""
+                user = {}
+            """)[1:-1].format(
+                DB2_USER,
+            ),
+            DB2Detector().username_keyword_regex,
+            DB2Detector().username_regex,
+            [DB2_USER],
+        ),
+        (
+            textwrap.dedent("""
+                port = {}
+            """)[1:-1].format(
+                DB2_PORT,
+            ),
+            DB2Detector().port_keyword_regex,
+            DB2Detector().port_regex,
+            [DB2_PORT],
+        ),
+        (
+            textwrap.dedent("""
+                database = {}
+            """)[1:-1].format(
+                DB2_DATABASE,
+            ),
+            DB2Detector().database_keyword_regex,
+            DB2Detector().database_regex,
+            [DB2_DATABASE],
+        ),
+        (
+            textwrap.dedent("""
+                host = {}
+            """)[1:-1].format(
+                DB2_HOSTNAME,
+            ),
+            DB2Detector().hostname_keyword_regex,
+            DB2Detector().hostname_regex,
+            [DB2_HOSTNAME],
+        ),
+    ),
+)
+def test_get_other_factor(content, factor_keyword_regex, factor_regex, expected_output):
+    assert get_other_factor(content, factor_keyword_regex, factor_regex) == expected_output