Scans for exposure of credentials inside the `.pypirc` file
(*, location: ScanLocation)
| 9 | |
| 10 | @Analyzer.ID("pypirc") |
| 11 | def analyze(*, location: ScanLocation) -> AnalyzerReturnType: |
| 12 | """ |
| 13 | Scans for exposure of credentials inside the `.pypirc` file |
| 14 | """ |
| 15 | if location.location.name != ".pypirc": |
| 16 | return |
| 17 | try: |
| 18 | pypirc = configparser.ConfigParser() |
| 19 | pypirc.read(str(location.location)) |
| 20 | except configparser.ParsingError: |
| 21 | # TODO: generate a detection |
| 22 | return |
| 23 | |
| 24 | # Filter on these values, some pregenerated configurations use them and we don't want to generate false positives on these |
| 25 | user_blacklist = config.CFG.get("pypirc", {}).get("username_blacklist", []) |
| 26 | pwd_blacklist = config.CFG.get("pypirc", {}).get("password_blacklist", []) |
| 27 | |
| 28 | for section_name in pypirc.sections(): |
| 29 | section = pypirc[section_name] |
| 30 | |
| 31 | if "username" in section and "password" in section: |
| 32 | username = section.get("username") |
| 33 | password = section.get("password") |
| 34 | |
| 35 | if username in user_blacklist or password in pwd_blacklist: |
| 36 | continue |
| 37 | elif not (password and username): # Filter blank values |
| 38 | continue |
| 39 | |
| 40 | sig = fast_checksum(f"{section_name}#{username}#{password}") |
| 41 | |
| 42 | yield Detection( |
| 43 | detection_type="LeakingPyPIrc", |
| 44 | message = "Leaking credentials in the `.pypirc` file", |
| 45 | signature = f"pypirc#{sig}", |
| 46 | location = location.location, |
| 47 | score = 100, # TODO: make the score configurable |
| 48 | extra = { |
| 49 | "section": section_name, |
| 50 | "username": username, |
| 51 | "password": password |
| 52 | }, |
| 53 | tags = {"sensitive_file", "secrets_leak", "pypirc"} |
| 54 | ) |
| 55 |
nothing calls this directly
no test coverage detected