Merge branch 'main' into fix/github-issue-3575

trufflesecurity · Jan 15, 2025 · 921417d · 921417d
2 parents 90064b6 + 3370e4f
commit 921417d
Show file tree

Hide file tree

Showing 7 changed files with 35 additions and 88 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -34,7 +34,7 @@ jobs:
           mkdir -p tmp/test-results
       - name: Test
         run: |
-          CGO_ENABLED=1 gotestsum --junitfile tmp/test-results/test.xml --raw-command -- go test -json -tags=sources $(go list ./... | grep -v /vendor/ | grep -v pkg/detectors | grep -v pkg/analyzer/analyzers)
+          CGO_ENABLED=1 gotestsum --junitfile tmp/test-results/test.xml --raw-command -- go test -json -tags=sources $(go list ./... | grep -v /vendor/ | grep -v pkg/analyzer/analyzers)
         if: ${{ success() || failure() }} # always run this step, even if there were previous errors
       - name: Upload test results to BuildPulse for flaky test detection
         if: ${{ !cancelled() }} # Run this step even when the tests fail. Skip if the workflow is cancelled.

diff --git a/go.mod b/go.mod
@@ -11,6 +11,11 @@ replace github.com/snowflakedb/gosnowflake => github.com/trufflesecurity/gosnowf
 // Coinbase archived this library and it has some vulnerable dependencies so we've forked.
 replace github.com/coinbase/waas-client-library-go => github.com/trufflesecurity/waas-client-library-go v1.0.9
 
+// Replace directive needed due to ambiguous import of opentelemetry stats package
+// which exists in both main gRPC module and standalone module during transition period.
+// Can be removed once dependent packages consistently use the standalone module.
+replace google.golang.org/grpc/stats/opentelemetry => google.golang.org/grpc/stats/opentelemetry v0.0.0-20240907200651-3ffb98b2c93a
+
 require (
 	cloud.google.com/go/secretmanager v1.14.2
 	cloud.google.com/go/storage v1.48.0

diff --git a/go.sum b/go.sum
diff --git a/pkg/analyzer/analyzers/client.go b/pkg/analyzer/analyzers/client.go
@@ -28,6 +28,7 @@ func CreateLogFileName(baseName string) string {
 	return logFileName
 }
 
+// This returns a client that is restricted and filters out unsafe requests returning a success status code.
 func NewAnalyzeClient(cfg *config.Config) *http.Client {
 	client := &http.Client{
 		Transport: AnalyzerRoundTripper{parent: http.DefaultTransport},
@@ -43,6 +44,22 @@ func NewAnalyzeClient(cfg *config.Config) *http.Client {
 	}
 }
 
+// This returns a client that is unrestricted and does not filter out unsafe requests returning a success status code.
+func NewAnalyzeClientUnrestricted(cfg *config.Config) *http.Client {
+	client := &http.Client{
+		Transport: http.DefaultTransport,
+	}
+	if cfg == nil || !cfg.LoggingEnabled {
+		return client
+	}
+	return &http.Client{
+		Transport: LoggingRoundTripper{
+			parent:  client.Transport,
+			logFile: cfg.LogFile,
+		},
+	}
+}
+
 type LoggingRoundTripper struct {
 	parent http.RoundTripper
 	// TODO: io.Writer

diff --git a/pkg/analyzer/analyzers/opsgenie/opsgenie.go b/pkg/analyzer/analyzers/opsgenie/opsgenie.go
@@ -132,7 +132,7 @@ func (h *HttpStatusTest) RunTest(cfg *config.Config, headers map[string]string)
 	}
 
 	// Create new HTTP request
-	client := analyzers.NewAnalyzeClient(cfg)
+	client := analyzers.NewAnalyzeClientUnrestricted(cfg)
 	req, err := http.NewRequest(h.Method, h.Endpoint, data)
 	if err != nil {
 		return false, err

diff --git a/pkg/common/patterns.go b/pkg/common/patterns.go
@@ -7,7 +7,7 @@ import (
 	"strings"
 )
 
-const EmailPattern = `\b((?:[a-z0-9!#$%&'*+/=?^_\x60{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_\x60{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\]))\b`
+const EmailPattern = `\b((?i)(?:[a-z0-9!#$%&'*+/=?^_\x60{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_\x60{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\]))\b`
 const SubDomainPattern = `\b([A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?)\b`
 const UUIDPattern = `\b([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\b`
 const UUIDPatternUpperCase = `\b([0-9A-Z]{8}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{12})\b`

diff --git a/pkg/common/patterns_test.go b/pkg/common/patterns_test.go
@@ -31,11 +31,13 @@ func TestEmailRegexCheck(t *testing.T) {
 		dot email          = [email protected]
 		special char email = [email protected]
 		support email      = [email protected]
+		insenstive email   = [email protected]
+		insenstive domain  = [email protected]
+		mix email          = [email protected]
 
 		// negative cases
 		not an email       = abc.123@z
 		looks like email   = test@user <- no domain
-		email but not      = [email protected] <- capital letters not supported for domain
 		random text        = here's some information about local-user@edu user
 	`
 
@@ -45,6 +47,7 @@ func TestEmailRegexCheck(t *testing.T) {
 		"[email protected]", "[email protected]", "[email protected]",
 		"[email protected]", "[email protected]", "[email protected]",
 		"[email protected]", "[email protected]", "[email protected]",
+		"[email protected]", "[email protected]", "[email protected]",
 	}
 
 	emailRegex := regexp.MustCompile(EmailPattern)