v1.1.0 (#3)

v1.1.0

.bash_profile

@@ -8,19 +8,19 @@ if [ -f ~/.git-completion.bash ]; then
   . ~/.git-completion.bash
 fi
 
-export AWS_ACCESS_KEY_ID=yLryKGwcGc3ez9G8YAnjeYMQOc
+export AWS_ACCESS_KEY_ID=yLryKGwcGc3ez9G8YAnjeYMQOc # Informative, can't be used w/o the secret key
 export AWS_SECRET_ACCESS_KEY=nAH2VzKrMrRjySLlt8HCdFU3tM2TUuUZgh39NX
-export AWS_DEFAULT_REGION='us-west-1'
+export AWS_DEFAULT_REGION='us-west-1' # Broad enough that it doesn't create risk by itself.
 export AWS_REGION=$AWS_DEFAULT_REGION
 export S3_REGION=$AWS_DEFAULT_REGION
 export S3_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
 export S3_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
-export S3_BUCKET=dummy_bucket-90i8985p
-export RDS_HOST='fake-rds.jfduhij34u80.us-west-1.rds.amazonaws.com'
+export S3_BUCKET=dummy_bucket-90i8985p # Informative, could contain sensitive info, but not necessarily.
+export RDS_HOST='fake-rds.jfduhij34u80.us-west-1.rds.amazonaws.com' # Informative, unlikely to be abused w/o password or key
 export RDS_PASSWORD='dummy-pass'
 export HEROKU_API_KEY='sampleHerokuKey'
 export HOMEBREW_GITHUB_API_TOKEN='51e61afee2c2667123fc9ed160a0a20b330c8f74'
 export SLACK_API_TOKEN='xoxp-858723095049-581481478633-908968721956-f16b85d1f73ef37c02323bf3fd537ea5'
 export MLAB_PASS='password123'
-export MLAB_URL='ds908452.mlab.com:25928'
-export MLAB_DB='dum-231-h92'
+export MLAB_URL='ds908452.mlab.com:25928' # Informative, needs pass
+export MLAB_DB='dum-231-h92' # Informative, requires access to server or SQLi

.bashrc

@@ -101,9 +101,9 @@ fi
 if [ -f /etc/bash_completion ] && ! shopt -oq posix; then
     . /etc/bash_completion
 fi
-export GMAIL_USERNAME="[email protected]"
+export GMAIL_USERNAME="[email protected]" # Informative, can't be used by itself
 export GMAIL_PASSWORD="Pass!12345"
 export MAILCHIMP_API_KEY="38c47f19e349153fa963bb3b3212fe8e-us11"
-export MAILCHIMP_LIST_ID="606b868828"
-export OWNER_EMAIL="[email protected]"
+export MAILCHIMP_LIST_ID="606b868828" # Not positive, but pretty sure this isn't exploitable by itself. Open an issue if it is!
+export OWNER_EMAIL="[email protected]" # Informative, can't be used by itself
 export JEKYLL_GITHUB_TOKEN="c77e01c1e89682e4d4b94a059a7fd2b37ab326ed"

.ftpconfig

@@ -9,7 +9,7 @@
     "local": "",
     "agent": "",
     "privatekey": "",
-    "passphrase": "",
+    "passphrase": "swordfish",
     "hosthash": "",
     "ignorehost": true,
     "connTimeout": 10000,

.leaky-meta/CHANGELOG.md

@@ -0,0 +1,17 @@
+# Changelog
+## 1.1.0
+System/logic changes:  
+* Added system for automatically generating benchmarks
+* Added results for gitrob
+* Moved benchmarking, metadata, and source code into `.leaky-meta` folder
+* Added CSV with data about secrets
+* Categorized secrets into Risk and Informative.
+* Added results from Gitrob, provided by [@evilpacket](https://github.com/evilpacket)
+
+Changes to secrets:  
+* Added password to `sftp.json` secret
+* Added pass to `filezilla/filezilla.xml` (was anonymous login)
+* Added realistic value to `hub` file (was just "oauth_token")
+* Set redis pass in `web/var/www/.env`
+## 1.0.0
+* Initial release version

.leaky-meta/README.md

@@ -0,0 +1,7 @@
+## .leaky-meta
+This folder is for scripts/tools designed to assist with the management of this repo. It won't contain actual secrets/patterns (hopefully!)
+
+## Running benchmarks
+To run these benchmarks, use `benchmark.sh`. Currently generates reports for these engines:  
+* TruffleHog
+* Detect-secrets  

.leaky-meta/benchmark.py

@@ -0,0 +1,143 @@
+# For py2 compat
+from __future__ import division
+import os
+import csv
+import json
+import subprocess
+from io import StringIO
+from subprocess import PIPE
+
+def get_secret_counts():
+    '''
+    A generator for secrets in default files.
+    :returns: filepath, risk_count, informative_count
+    '''
+    raw_csv = None
+    with open('secrets.csv') as f:
+        raw_csv = [l for l in f.readlines() 
+                            if len(l.strip()) != 0 and not l.startswith('#')]
+    # Parse array to CSV
+    csv_reader = csv.reader(raw_csv, delimiter=',')
+    for row in csv_reader:
+        # Yield str, int, int.
+        yield [row[0], int(row[1]), int(row[2])]
+
+def get_command_stdout(cmd, cwd='..'):
+    os.path.abspath(cwd)
+    p = subprocess.Popen(cmd, stdout=PIPE, stderr=PIPE, cwd=cwd)
+    stdout, stderr = p.communicate()
+    return stdout.decode('utf-8'), stderr.decode('utf-8') if stderr else None
+
+def get_secret_count_detectsecrets():
+    finds = {}
+    cmd = ['detect-secrets', 'scan']
+    stdout, _ = get_command_stdout(cmd)
+    results = json.loads(stdout).get('results')
+    for key in results.keys():
+        finds[key] = len(results.get(key))
+
+    return cmd, finds
+
+def get_secret_count_trufflehog():
+    finds = {}
+    trufflehog_cmd = ['trufflehog', '--json', '--regex', '.']
+    stdout, _ = get_command_stdout(trufflehog_cmd)
+    for line in stdout.split('\n'):
+        if len(line) == 0:
+            # Skip empty lines
+            continue
+        obj = json.loads(line)
+        finds[obj.get('path')] = len(obj.get('stringsFound'))
+
+    return trufflehog_cmd, finds
+
+def build_markdown_rows(secrets_function, expected_counts):
+    dat = {}
+    cmd, secrets = secrets_function()
+    for row in expected_counts:
+        name = row[0]
+        expected = row[1] + row[2]
+        if not name in secrets:
+            dat[name] = {"name": name, "found": 0, "expected": expected, "false_positives" :0 }
+            continue
+
+        found = secrets[name]
+        # If found > expected, we have false positives. This will be negative or zero of there's no false positives.
+        false_positives = found - expected
+        # This will be zero or positive.
+        false_positives = max(false_positives, 0)
+        dat[name] = {"name": name, "found": found, "expected": expected, "false_positives" :false_positives }
+    return cmd, dat
+
+def build_table_header(filename_cols):
+    template = "File Name{}|  Found/Total   | False Positives |\n{}|----------------|-----------------|\n"
+    # 9 = len("File Name")
+    return template.format(" " * (filename_cols - 9), "-" * filename_cols)
+
+def build_md_table(secrets_function):
+    # {name}{padding}| {found}/{total} |{false positives}
+    print_template = "{}{}| {}/{} | {}\n"
+
+    expected_counts = [x for x in get_secret_counts()]
+    # Get the max length of a filename, so we can put a column seperator after it
+    sep_col = max([len(val[0]) for val in expected_counts]) + 2
+    out = build_table_header(sep_col)
+    total_files = len(expected_counts)
+
+    cmd_used, md_rows = build_markdown_rows(secrets_function, expected_counts)
+    md_rows = sorted(md_rows.items(), key=lambda val: -val[1]['found'])
+    total_finds = 0
+    total_expected = 0
+    total_false_positives = 0
+    files_covered = 0
+    for dat in md_rows:
+        obj = dat[1]
+        name = obj.get('name')
+        found = obj.get('found')
+        expected = obj.get('expected')
+        false_positives = obj.get('false_positives')
+
+        # Determine right padding for name column
+        right_padding = sep_col - len(name)
+        right_padding_str = (" " * right_padding)
+
+        # For metrics we exclude false positives.
+        total_finds += found - false_positives
+        total_expected += expected
+        total_false_positives += false_positives
+        if found != 0:
+            files_covered += 1
+
+        out += print_template.format(name, right_padding_str, found, expected, false_positives)
+    return cmd_used, total_files, files_covered, total_finds, total_expected, total_false_positives, out
+
+def build_md(secrets_function, tool_url):
+    header_fmt = 'Tool: {}  ' \
+                 '\nCommand Used: `{}`  ' \
+                 '\nFiles covered: {}/{} ({}% coverage)  ' \
+                 '\nTotal finds: {}/{}  ' \
+                 '\nFalse Positives: {}  ' \
+                 '\n\n{}'
+
+    cmd, total_files, files_covered, total_finds, \
+     total_expected, false_positives, table = build_md_table(secrets_function)
+    # Convert cmd to a string
+    cmd = ' '.join(cmd)
+
+    # Get a % coverage value
+    file_coverage = (files_covered / total_files) * 100
+    # Sanity!
+    file_coverage = round(file_coverage, 2)
+    out = header_fmt.format(tool_url, cmd,
+                           files_covered, total_files, file_coverage,
+                           total_finds, total_expected, false_positives, table)
+    return out
+
+if __name__ == "__main__":
+    detect_secrets = build_md(get_secret_count_detectsecrets, "https://github.com/Yelp/detect-secrets")
+    truffle_hog = build_md(get_secret_count_trufflehog, "https://github.com/dxa4481/truffleHog")
+    with open('benchmarking' + os.path.sep + "TRUFFLEHOG.md", 'w+') as f:
+        f.write(truffle_hog)
+    with open('benchmarking' + os.path.sep + "DETECT-SECRETS.md", 'w+') as f:
+        f.write(detect_secrets)
+

.leaky-meta/benchmarking/DETECT-SECRETS.md

@@ -0,0 +1,52 @@
+Tool: https://github.com/Yelp/detect-secrets  
+Command Used: `detect-secrets scan`  
+Files covered: 23/44 (52.27% coverage)  
+Total finds: 41/179  
+False Positives: 0  
+
+File Name                              |  Found/Total   | False Positives |
+---------------------------------------|----------------|-----------------|
+.mozilla/firefox/logins.json           | 6/28 | 0
+.bash_profile                          | 4/11 | 0
+.bashrc                                | 3/6 | 0
+web/var/www/.env                       | 3/10 | 0
+web/ruby/secrets.yml                   | 3/3 | 0
+cloud/.credentials                     | 2/4 | 0
+cloud/heroku.json                      | 2/2 | 0
+high-entropy-misc.txt                  | 2/2 | 0
+ventrilo_srv.ini                       | 2/2 | 0
+.ssh/id_rsa                            | 1/1 | 0
+db/mongoid.yml                         | 1/1 | 0
+misc-keys/cert-key.pem                 | 1/1 | 0
+cloud/.tugboat                         | 1/3 | 0
+.vscode/sftp.json                      | 1/4 | 0
+hub                                    | 1/2 | 0
+.docker/config.json                    | 1/6 | 0
+sftp-config.json                       | 1/4 | 0
+.idea/WebServers.xml                   | 1/2 | 0
+misc-keys/putty-example.ppk            | 1/2 | 0
+.docker/.dockercfg                     | 1/6 | 0
+web/var/www/public_html/config.php     | 1/4 | 0
+.remote-sync.json                      | 1/3 | 0
+deployment-config.json                 | 1/4 | 0
+db/.pgpass                             | 0/1 | 0
+web/var/www/public_html/.htpasswd      | 0/1 | 0
+.netrc                                 | 0/2 | 0
+db/dump.sql                            | 0/10 | 0
+proftpdpasswd                          | 0/1 | 0
+etc/shadow                             | 0/1 | 0
+.ssh/id_rsa.pub                        | 0/1 | 0
+.npmrc                                 | 0/3 | 0
+web/var/www/public_html/wp-config.php  | 0/12 | 0
+web/django/settings.py                 | 0/1 | 0
+.ftpconfig                             | 0/5 | 0
+.git-credentials                       | 0/1 | 0
+filezilla/filezilla.xml                | 0/3 | 0
+.esmtprc                               | 0/3 | 0
+db/dbeaver-data-sources.xml            | 0/1 | 0
+web/ruby/config/master.key             | 0/1 | 0
+cloud/.s3cfg                           | 0/3 | 0
+config                                 | 0/4 | 0
+web/js/salesforce.js                   | 0/1 | 0
+filezilla/recentservers.xml            | 0/6 | 0
+db/robomongo.json                      | 0/7 | 0

.leaky-meta/benchmarking/GITROB.md

@@ -0,0 +1,53 @@
+
+Tool: https://github.com/michenriksen/gitrob  
+Command Used: `gitrob (web interface)`  
+Files covered: 2/44 (4.54% coverage)  
+Total finds: 3/179  
+False Positives: 0  
+
+File Name                              |  Found/Total   | False Positives |
+---------------------------------------|----------------|-----------------|
+misc-keys/cert-key.pem                 | 1/1 | 0
+.npmrc                                 | 2/3 | 0
+.mozilla/firefox/logins.json           | 0/28 | 0
+.bash_profile                          | 0/11 | 0
+.bashrc                                | 0/6 | 0
+web/var/www/.env                       | 0/10 | 0
+web/ruby/secrets.yml                   | 0/3 | 0
+cloud/.credentials                     | 0/4 | 0
+cloud/heroku.json                      | 0/2 | 0
+high-entropy-misc.txt                  | 0/2 | 0
+ventrilo_srv.ini                       | 0/2 | 0
+.ssh/id_rsa                            | 0/1 | 0
+db/mongoid.yml                         | 0/1 | 0
+cloud/.tugboat                         | 0/3 | 0
+.vscode/sftp.json                      | 0/4 | 0
+hub                                    | 0/2 | 0
+.docker/config.json                    | 0/6 | 0
+sftp-config.json                       | 0/4 | 0
+.idea/WebServers.xml                   | 0/2 | 0
+misc-keys/putty-example.ppk            | 0/2 | 0
+.docker/.dockercfg                     | 0/6 | 0
+web/var/www/public_html/config.php     | 0/4 | 0
+.remote-sync.json                      | 0/3 | 0
+deployment-config.json                 | 0/4 | 0
+db/.pgpass                             | 0/1 | 0
+web/var/www/public_html/.htpasswd      | 0/1 | 0
+.netrc                                 | 0/2 | 0
+db/dump.sql                            | 0/10 | 0
+proftpdpasswd                          | 0/1 | 0
+etc/shadow                             | 0/1 | 0
+.ssh/id_rsa.pub                        | 0/1 | 0
+web/var/www/public_html/wp-config.php  | 0/12 | 0
+web/django/settings.py                 | 0/1 | 0
+.ftpconfig                             | 0/5 | 0
+.git-credentials                       | 0/1 | 0
+filezilla/filezilla.xml                | 0/3 | 0
+.esmtprc                               | 0/3 | 0
+db/dbeaver-data-sources.xml            | 0/1 | 0
+web/ruby/config/master.key             | 0/1 | 0
+cloud/.s3cfg                           | 0/3 | 0
+config                                 | 0/4 | 0
+web/js/salesforce.js                   | 0/1 | 0
+filezilla/recentservers.xml            | 0/6 | 0
+db/robomongo.json                      | 0/7 | 0

.leaky-meta/benchmarking/TRUFFLEHOG.md

@@ -0,0 +1,52 @@
+Tool: https://github.com/dxa4481/truffleHog  
+Command Used: `trufflehog --json --regex .`  
+Files covered: 23/44 (52.27% coverage)  
+Total finds: 40/179  
+False Positives: 43  
+
+File Name                              |  Found/Total   | False Positives |
+---------------------------------------|----------------|-----------------|
+misc-keys/cert-key.pem                 | 25/1 | 24
+misc-keys/putty-example.ppk            | 21/2 | 19
+db/dump.sql                            | 8/10 | 0
+web/ruby/secrets.yml                   | 3/3 | 0
+cloud/.credentials                     | 2/4 | 0
+cloud/.tugboat                         | 2/3 | 0
+high-entropy-misc.txt                  | 2/2 | 0
+.docker/config.json                    | 2/6 | 0
+.mozilla/firefox/logins.json           | 2/28 | 0
+.docker/.dockercfg                     | 2/6 | 0
+filezilla/recentservers.xml            | 2/6 | 0
+.bashrc                                | 1/6 | 0
+.ssh/id_rsa                            | 1/1 | 0
+web/var/www/.env                       | 1/10 | 0
+db/mongoid.yml                         | 1/1 | 0
+proftpdpasswd                          | 1/1 | 0
+etc/shadow                             | 1/1 | 0
+cloud/heroku.json                      | 1/2 | 0
+hub                                    | 1/2 | 0
+.ssh/id_rsa.pub                        | 1/1 | 0
+web/ruby/config/master.key             | 1/1 | 0
+cloud/.s3cfg                           | 1/3 | 0
+.bash_profile                          | 1/11 | 0
+db/.pgpass                             | 0/1 | 0
+web/var/www/public_html/.htpasswd      | 0/1 | 0
+.netrc                                 | 0/2 | 0
+.vscode/sftp.json                      | 0/4 | 0
+.npmrc                                 | 0/3 | 0
+web/var/www/public_html/wp-config.php  | 0/12 | 0
+web/django/settings.py                 | 0/1 | 0
+.ftpconfig                             | 0/5 | 0
+.git-credentials                       | 0/1 | 0
+filezilla/filezilla.xml                | 0/3 | 0
+sftp-config.json                       | 0/4 | 0
+.esmtprc                               | 0/3 | 0
+db/dbeaver-data-sources.xml            | 0/1 | 0
+.idea/WebServers.xml                   | 0/2 | 0
+config                                 | 0/4 | 0
+web/js/salesforce.js                   | 0/1 | 0
+web/var/www/public_html/config.php     | 0/4 | 0
+ventrilo_srv.ini                       | 0/2 | 0
+db/robomongo.json                      | 0/7 | 0
+.remote-sync.json                      | 0/3 | 0
+deployment-config.json                 | 0/4 | 0

.leaky-meta/install-test-tools.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+if if ! type "pip" > /dev/null; then
+    echo "Pip and Python are required for installing detect-secrets and truffleHog, but pip was not found!"
+    exit 1
+fi
+
+pip install detect-secrets truffleHog