fix: corrected verification endpoint & validation logic for bombbomb #3462
Conversation
sahil9001
changed the title
Signed-off-by: Sahil Silare <[email protected]>
pkg/common/patterns.go
Outdated
| @@ -8,6 +8,7 @@ import ( | |||
| ) | |||
|
|
|||
| const EmailPattern = `\b(?:[a-z0-9!#$%&'*+/=?^_\x60{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_\x60{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])\b` | |||
| const JWTPattern = `\b[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\b` | |||
There was a problem hiding this comment.
@sahil9001 this is too loose. Take a look at this for a reference https://github.com/gitleaks/gitleaks/blob/43fae355e6fe4d99d2a7b240a224b85e2903aeb4/config/gitleaks.toml#L2311 or even
trufflehog/pkg/detectors/formio/formio.go
Line 23 in 6a367ab
There was a problem hiding this comment.
No, it changes with each refresh, apparently there is a jti field which changes each time which eventually changes the first part each time as well.
There was a problem hiding this comment.
@sahil9001 JWT are base64 encoded so that means there will be a common prefix for all JWT, base64('{"')=ey. Take a look at https://www.ibm.com/docs/en/cics-ts/6.x?topic=cics-json-web-token-jwt.
There was a problem hiding this comment.
@zricethezav , thanks, I read more about it, I found out that —
- The
typpart is common for all JWT tokens. algandjtichanges due to which we can only constraint the JWT common prefix uptoey.
Please take a look, I have made the change.
Signed-off-by: Sahil Silare <[email protected]>
Signed-off-by: Sahil Silare <[email protected]>
Description:
Fixes #3461 , tests:
Checklist:
make test-community)?make lintthis requires golangci-lint)?