
-r and --rules-file options for sensitive-data detector are not accepting correctly the custom rule file #52

Open
Brain2life opened this issue Aug 29, 2021 · 3 comments


Brain2life commented Aug 29, 2021

Issue:
When trying to pass the custom ruleset to sensitive-data detector with either -r or --rules-file options it throws an error:
[!!] 'list' object has no attribute 'update'

Reproduce error:

  1. Passed the following command:
     acurl https://mockbin.org/bin/60dfe0f7-8f4e-4063-a940-7162d1ec3cc1 | sensitive-data -r rules.yaml
  2. Mockbin with password header set at: https://mockbin.org/bin/60dfe0f7-8f4e-4063-a940-7162d1ec3cc1/view#apiembed
  3. Custom rule set (was taken from core):
     - id: core-001
       description: Find 'password' keyword in flow data
       regex: '([pP][aA][sS][sS][wW][oO][rR][dD])'
       severity: Medium # Allowed values: Low, Medium, High
       searchIn: All # Allowed values: Response, Request, Headers, All
  4. File name is rules.yaml

Notes:
Found that the load function hardcodes the 'rules.yaml' file name at: https://github.com/BBVA/apicheck/blob/master/tools/sensitive-data/sensitive_data/__main__.py#L79

Maybe that is the reason for the error?

Tried to change the rule filename and the id name in the rule file. The result is the same.

CesarGallego (Contributor) commented

Hi, can you share your rules.yaml?


Brain2life commented Sep 19, 2021

Hi @CesarGallego. So I've rechecked it again. I used the following steps:

  1. For testing purposes I created the mockbin https://mockbin.org/bin/411b4709-7021-4e09-993e-2adc3de2ed2f/view where I specified two custom headers: myHeader:password and username:admin. These headers are sent back in the response header to the client.
  2. I use a custom rule file named "rules.yaml".
  3. In rules.yaml I use the following code:
     - id: rule-001
       description: Find 'admin' keyword in flow data
       regex: 'admin'
       severity: Medium # Allowed values: Low, Medium, High
       searchIn: All # Allowed values: Response, Request, Headers, All
     As you can see, I'm trying to test the custom rule by finding the admin keyword in the response data.
  4. After running the following command:
     acurl https://mockbin.org/bin/411b4709-7021-4e09-993e-2adc3de2ed2f | sensitive-data -r rules.yaml
     I got the following error:
     [!!] 'list' object has no attribute 'update'

I'm using this tool in Gitlab pipelines. Find details in the image below.

[image: error]

Thank you.

CesarGallego (Contributor) commented

Hi Brain, all fields on a rule are mandatory. You need at least the following in your rule:

  - id: rule-001
    description: "Find 'admin' keyword in flow data"
    severity: 'Medium'
    searchIn: 'All'
    regex: 'admin'

There is also a little bug; it will be fixed in the main tools ASAP.

Thanks for your help.
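Added example, not code from the apicheck project or from anyone in this thread: a small Python rule loader that shows how the error reported above arises and how a loader can avoid it. `'list' object has no attribute 'update'` is what you get when code expects the rules file to parse into a mapping and calls `dict.update()` on it, but the file is written as a YAML sequence (`- id: ...`), which parses into a list. The loader below accepts both layouts, enforces the five mandatory fields the maintainer lists (`id`, `description`, `severity`, `searchIn`, `regex`) together with the allowed values from the rule comments, and runs the compiled rules over a constructed request/response/headers flow modelled on the mockbin test. The parsed structures are built inline as Python objects (what a YAML loader would return) so the block runs with the standard library only; function names such as `normalize_rules` and `scan_flow` are my own, not the tool's.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Union

# The five fields the maintainer says every rule must carry, plus the allowed
# values given in the rule comments for severity and searchIn.
MANDATORY_FIELDS = ("id", "description", "severity", "searchIn", "regex")
SEVERITIES = ("Low", "Medium", "High")
SEARCH_SCOPES = ("Response", "Request", "Headers", "All")

# Constructed sample: what a YAML loader returns for the reporter's layout,
# a top-level sequence of rule mappings (rule bodies taken from the thread).
SAMPLE_RULES_LIST = [
    {"id": "core-001", "description": "Find 'password' keyword in flow data",
     "regex": "([pP][aA][sS][sS][wW][oO][rR][dD])", "severity": "Medium", "searchIn": "All"},
    {"id": "rule-001", "description": "Find 'admin' keyword in flow data",
     "regex": "admin", "severity": "Medium", "searchIn": "Headers"},
]
# Constructed sample: the same rules written as a top-level mapping keyed by id.
SAMPLE_RULES_MAPPING = {r["id"]: {k: v for k, v in r.items() if k != "id"} for r in SAMPLE_RULES_LIST}

# Constructed sample flow mirroring the reporter's mockbin test: the two custom
# headers are echoed back to the client in the response headers.
SAMPLE_FLOW = {
    "request": "GET /bin/411b4709 HTTP/1.1\nHost: mockbin.example",
    "response": '{"ok": true}',
    "headers": {"myHeader": "password", "username": "admin"},
}


@dataclass
class Rule:
    id: str
    description: str
    severity: str
    search_in: str
    pattern: re.Pattern


def normalize_rules(parsed: Union[list, dict]) -> Dict[str, dict]:
    """Accept either layout a YAML loader can hand back for a rules file.

    A loader that only expects the mapping form and calls rules.update(parsed)
    on the sequence form fails with "'list' object has no attribute 'update'";
    branching on the parsed type avoids that.
    """
    if isinstance(parsed, dict):
        # mapping form: the key is the rule id, so inject it into the body
        return {rid: {"id": rid, **body} for rid, body in parsed.items()}
    if isinstance(parsed, list):
        rules: Dict[str, dict] = {}
        for entry in parsed:
            if not isinstance(entry, dict) or "id" not in entry:
                raise ValueError(f"rule entry without an id: {entry!r}")
            if entry["id"] in rules:
                raise ValueError(f"duplicate rule id: {entry['id']}")
            rules[entry["id"]] = entry
        return rules
    raise TypeError(f"rules file must be a sequence or a mapping, got {type(parsed).__name__}")


def missing_fields(raw: dict) -> List[str]:
    """Mandatory fields absent from a raw rule, in MANDATORY_FIELDS order."""
    return [f for f in MANDATORY_FIELDS if f not in raw]


def validate_rule(raw: dict) -> Rule:
    """Reject incomplete or malformed rules with a message naming the rule."""
    missing = missing_fields(raw)
    if missing:
        raise ValueError(f"rule {raw.get('id', '?')!r} is missing mandatory fields: {missing}")
    if raw["severity"] not in SEVERITIES:
        raise ValueError(f"rule {raw['id']!r}: severity must be one of {SEVERITIES}")
    if raw["searchIn"] not in SEARCH_SCOPES:
        raise ValueError(f"rule {raw['id']!r}: searchIn must be one of {SEARCH_SCOPES}")
    try:
        pattern = re.compile(raw["regex"])
    except re.error as exc:
        raise ValueError(f"rule {raw['id']!r}: bad regex: {exc}") from exc
    return Rule(raw["id"], raw["description"], raw["severity"], raw["searchIn"], pattern)


def load_rules(parsed: Union[list, dict]) -> List[Rule]:
    return [validate_rule(r) for r in normalize_rules(parsed).values()]


def scan_flow(rules: Iterable[Rule], request: str, response: str, headers: Dict[str, str]) -> List[dict]:
    """Run each rule over the flow parts its searchIn selects; return findings."""
    header_text = "\n".join(f"{k}: {v}" for k, v in headers.items())
    scopes = {"Request": request, "Response": response, "Headers": header_text}
    findings = []
    for rule in rules:
        selected = scopes if rule.search_in == "All" else {rule.search_in: scopes[rule.search_in]}
        for where, text in selected.items():
            for m in rule.pattern.finditer(text):
                findings.append({"rule": rule.id, "severity": rule.severity, "where": where, "match": m.group(0)})
    return findings


if __name__ == "__main__":
    # Both layouts load to the same rules and produce the same two findings.
    for layout in (SAMPLE_RULES_LIST, SAMPLE_RULES_MAPPING):
        for finding in scan_flow(load_rules(layout), **SAMPLE_FLOW):
            print(finding)
```

Validating every rule up front, rather than at first match, means a rules file with a missing `severity` or a bad regex fails at load time with the rule id in the message, instead of an attribute error somewhere inside the scan; in a pipeline that is the difference between a clear failed step and a silently empty report.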
