carwash 1.0.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.gitignore +13 -0
- data/.rspec +2 -0
- data/.ruby-version +1 -0
- data/.travis.yml +5 -0
- data/Gemfile +4 -0
- data/LICENSE +21 -0
- data/README.md +52 -0
- data/Rakefile +6 -0
- data/bin/console +14 -0
- data/bin/setup +8 -0
- data/carwash.gemspec +26 -0
- data/lib/carwash.rb +10 -0
- data/lib/carwash/scrubber.rb +117 -0
- data/lib/carwash/uri_password_discoverer.rb +11 -0
- data/lib/carwash/value_discoverer.rb +33 -0
- data/lib/carwash/version.rb +3 -0
- data/lib/carwash/xml_value_discoverer.rb +17 -0
- metadata +103 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: e6576ac51de59d7fdccb1fcb5c591cf9e38680f9
|
4
|
+
data.tar.gz: 6988e960d2d76d58ab9732f86b837676a8778d0a
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: f5b1ebf5ba0738aabf8fdf39645732998834da2ffae9ae3840c38bc039f1f2ee3a2eac7208310f96124a00f0275e291d13af0d9ef7e24bcaa63cb13a859dd817
|
7
|
+
data.tar.gz: 0d9c5db4ea69d11b676fe710d6f314861f451bfe875fb0b3c654ba2949800c951e04264256ead8ae2f78692af9823e740d91b72b74b48dce4dbf83315e51d2a3
|
data/.gitignore
ADDED
data/.rspec
ADDED
data/.ruby-version
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
ruby-2.3.4
|
data/.travis.yml
ADDED
data/Gemfile
ADDED
data/LICENSE
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
MIT License
|
2
|
+
|
3
|
+
Copyright (c) 2017 Nathan Clark
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
7
|
+
in the Software without restriction, including without limitation the rights
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
10
|
+
furnished to do so, subject to the following conditions:
|
11
|
+
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
13
|
+
copies or substantial portions of the Software.
|
14
|
+
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
21
|
+
SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,52 @@
|
|
1
|
+
# Carwash
|
2
|
+
|
3
|
+
Log sanitizer. Obscures passwords and other potentially sensitive values in log
|
4
|
+
entries.
|
5
|
+
|
6
|
+
## Features
|
7
|
+
|
8
|
+
* Learns potentially sensitive values by looking for keys like "PASSWORD" and
|
9
|
+
"TOKEN", then obscures them wherever they subsequently occur.
|
10
|
+
* Seeds the list of sensitive values from environment variables and Rails'
|
11
|
+
`secrets.yml`.
|
12
|
+
* Additional sensitive keys and values can be added as needed, if you have
|
13
|
+
a known source of secured config values that could potentially end up
|
14
|
+
(accidentally) showing up in logs.
|
15
|
+
|
16
|
+
## Installation
|
17
|
+
|
18
|
+
Add this line to your application's Gemfile:
|
19
|
+
|
20
|
+
```ruby
|
21
|
+
gem 'carwash'
|
22
|
+
```
|
23
|
+
|
24
|
+
And then execute:
|
25
|
+
|
26
|
+
$ bundle
|
27
|
+
|
28
|
+
Or install it yourself as:
|
29
|
+
|
30
|
+
$ gem install carwash
|
31
|
+
|
32
|
+
## Usage
|
33
|
+
|
34
|
+
```ruby
|
35
|
+
scrubber = Carwash::Scrubber.new
|
36
|
+
|
37
|
+
scrubber.add_sensitive_key("CERT")
|
38
|
+
scrubber.add_sensitive_value("P@ssw0rd")
|
39
|
+
scrubber.add_sensitive_value("mysecret")
|
40
|
+
|
41
|
+
log_lines.each do |line|
|
42
|
+
puts scrubber.scrub(line)
|
43
|
+
end
|
44
|
+
```
|
45
|
+
|
46
|
+
Or to scrub an entire input stream line by line and print it to stdout:
|
47
|
+
|
48
|
+
```
|
49
|
+
scrubber.scrub_stream(input_stream, STDOUT)
|
50
|
+
```
|
51
|
+
|
52
|
+
See `Carwash::Scrubber` for the rest of the API.
|
data/Rakefile
ADDED
data/bin/console
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
require "bundler/setup"
|
4
|
+
require "carwash"
|
5
|
+
|
6
|
+
# You can add fixtures and/or initialization code here to make experimenting
|
7
|
+
# with your gem easier. You can also use a different console, if you like.
|
8
|
+
|
9
|
+
# (If you use this, don't forget to add pry to your Gemfile!)
|
10
|
+
# require "pry"
|
11
|
+
# Pry.start
|
12
|
+
|
13
|
+
require "irb"
|
14
|
+
IRB.start(__FILE__)
|
data/bin/setup
ADDED
data/carwash.gemspec
ADDED
@@ -0,0 +1,26 @@
|
|
1
|
+
# coding: utf-8
|
2
|
+
lib = File.expand_path('../lib', __FILE__)
|
3
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
4
|
+
require 'carwash/version'
|
5
|
+
|
6
|
+
Gem::Specification.new do |spec|
|
7
|
+
spec.name = "carwash"
|
8
|
+
spec.version = Carwash::VERSION
|
9
|
+
spec.authors = ["Nathan Clark"]
|
10
|
+
spec.email = ["nathan.clark@tokenshift.com"]
|
11
|
+
spec.license = "MIT"
|
12
|
+
|
13
|
+
spec.summary = %q{Scrubs potentially sensitive values from log entries.}
|
14
|
+
spec.homepage = "http://github.com/tokenshift/ruby_carwash"
|
15
|
+
|
16
|
+
spec.files = `git ls-files -z`.split("\x0").reject do |f|
|
17
|
+
f.match(%r{^(test|spec|features)/})
|
18
|
+
end
|
19
|
+
spec.bindir = "exe"
|
20
|
+
spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
|
21
|
+
spec.require_paths = ["lib"]
|
22
|
+
|
23
|
+
spec.add_development_dependency "bundler", "~> 1.14"
|
24
|
+
spec.add_development_dependency "rake", "~> 10.0"
|
25
|
+
spec.add_development_dependency "rspec", "~> 3.0"
|
26
|
+
end
|
data/lib/carwash.rb
ADDED
@@ -0,0 +1,117 @@
|
|
1
|
+
require "set"
|
2
|
+
|
3
|
+
# Keeps track of values known/suspected to be sensitive (passwords, etc) and
|
4
|
+
# obscures them in lines of text.
|
5
|
+
class Carwash::Scrubber
|
6
|
+
DEFAULT_OBSCURE_WITH = "********"
|
7
|
+
DEFAULT_SENSITIVE_KEYS = %w[key password secret token]
|
8
|
+
|
9
|
+
attr_accessor :obscure_with
|
10
|
+
attr_reader :sensitive_keys
|
11
|
+
|
12
|
+
def initialize(sensitive_keys: DEFAULT_SENSITIVE_KEYS,
|
13
|
+
obscure_with: DEFAULT_OBSCURE_WITH,
|
14
|
+
check_for_rails: true,
|
15
|
+
check_env_vars: true)
|
16
|
+
@obscure_with = obscure_with
|
17
|
+
|
18
|
+
@sensitive_keys = Set.new(sensitive_keys.map(&:to_s).map(&:downcase))
|
19
|
+
@sensitive_vals = Set.new
|
20
|
+
|
21
|
+
if check_for_rails && defined? Rails
|
22
|
+
@sensitive_keys += Rails.configuration.filter_parameters.map(&:to_s).map(&:downcase).compact
|
23
|
+
@sensitive_keys += Rails.application.secrets.keys.map(&:to_s).map(&:downcase).compact
|
24
|
+
@sensitive_vals += Rails.application.secrets.values.map(&:to_s).map(&:downcase).compact
|
25
|
+
end
|
26
|
+
|
27
|
+
if check_env_vars
|
28
|
+
ENV.each do |env_key, env_val|
|
29
|
+
@sensitive_keys.each do |key|
|
30
|
+
if env_key =~ %r{[_-]?#{key}}i
|
31
|
+
@sensitive_vals.add env_val.downcase
|
32
|
+
end
|
33
|
+
end
|
34
|
+
end
|
35
|
+
end
|
36
|
+
end
|
37
|
+
|
38
|
+
# Adds a string to the list of known sensitive values. Useful for adding
|
39
|
+
# passwords/keys that are known at startup time, without relying on value
|
40
|
+
# discovery.
|
41
|
+
def add_sensitive_value(value)
|
42
|
+
@sensitive_vals.add(value.to_s.downcase)
|
43
|
+
end
|
44
|
+
|
45
|
+
# Adds a string to the list of sensitive keys, to be used when learning new
|
46
|
+
# values to be obscured.
|
47
|
+
def add_sensitive_key(key)
|
48
|
+
@sensitive_keys.add(key.to_s.downcase)
|
49
|
+
end
|
50
|
+
|
51
|
+
# Look for sensitive keys in a line of text and "learn" the associated
|
52
|
+
# potentially sensitive values. E.g. if "PASSWORD" is set as a sensitive key,
|
53
|
+
# the line "PASSWORD=super_secret" will add "super_secret" to the list of
|
54
|
+
# known sensitive values.
|
55
|
+
def discover_sensitive_values(line)
|
56
|
+
value_discoverers.each do |discoverer|
|
57
|
+
@sensitive_vals += discoverer.discover(line).map(&:to_s).map(&:downcase)
|
58
|
+
end
|
59
|
+
end
|
60
|
+
|
61
|
+
# Go through a line of text and obscure any potentially sensitive values
|
62
|
+
# detected. Returns the line with replacements made.
|
63
|
+
#
|
64
|
+
# NOTE: Does *not* discover/learn values from the line; use `#scrub` to both
|
65
|
+
# discover and obscure based on the line.
|
66
|
+
def obscure_sensitive_values(line, obscure_with: self.obscure_with)
|
67
|
+
line = line.clone
|
68
|
+
obscure_sensitive_values!(line, obscure_with: obscure_with)
|
69
|
+
line
|
70
|
+
end
|
71
|
+
|
72
|
+
# Go through a line of text and obscure any potentially sensitive values
|
73
|
+
# detected. Makes replacements in place.
|
74
|
+
def obscure_sensitive_values!(line, obscure_with: self.obscure_with)
|
75
|
+
@sensitive_vals.each do |val|
|
76
|
+
line.gsub!(val, obscure_with)
|
77
|
+
end
|
78
|
+
end
|
79
|
+
|
80
|
+
# Scans the line to try and discover potentially sensitive values, then
|
81
|
+
# obscures all sensitive values known. Returns the line with replacements
|
82
|
+
# made.
|
83
|
+
def scrub(line, obscure_with: self.obscure_with)
|
84
|
+
discover_sensitive_values(line)
|
85
|
+
obscure_sensitive_values(line, obscure_with: obscure_with)
|
86
|
+
end
|
87
|
+
|
88
|
+
# Scans the line to try and discover potentially sensitive values, then
|
89
|
+
# obscures all sensitive values known. Makes replacements in place.
|
90
|
+
def scrub!(line, obscure_with: self.obscure_with)
|
91
|
+
discover_sensitive_values(line)
|
92
|
+
obscure_sensitive_values!(line, obscure_with: obscure_with)
|
93
|
+
end
|
94
|
+
|
95
|
+
# Learns from and scrubs each line of an input stream, writing the result to
|
96
|
+
# the given output stream.
|
97
|
+
def scrub_stream(input, output)
|
98
|
+
input.each_line do |line|
|
99
|
+
output.puts(scrub(line))
|
100
|
+
end
|
101
|
+
end
|
102
|
+
|
103
|
+
private
|
104
|
+
|
105
|
+
# Provides a list of value discovers to use when attempting to learn
|
106
|
+
# sensitive values from input text.
|
107
|
+
def value_discoverers
|
108
|
+
Enumerator.new do |y|
|
109
|
+
@sensitive_keys.each do |key|
|
110
|
+
y << Carwash::ValueDiscoverer.new(key)
|
111
|
+
y << Carwash::XmlValueDiscoverer.new(key)
|
112
|
+
end
|
113
|
+
|
114
|
+
y << Carwash::UriPasswordDiscoverer.new
|
115
|
+
end
|
116
|
+
end
|
117
|
+
end
|
@@ -0,0 +1,11 @@
|
|
1
|
+
# Scans for occurrences of a password baked into a URI (e.g. a database
|
2
|
+
# connection string), of the form `scheme://username:PASSWORD@hostname`.
|
3
|
+
class Carwash::UriPasswordDiscoverer
|
4
|
+
URI_PASSWORD_PATTERN= %r{:([0-9a-z_\.\-~%]+?)@}i
|
5
|
+
|
6
|
+
def discover(line)
|
7
|
+
line.scan(URI_PASSWORD_PATTERN).map(&:first).map { |password|
|
8
|
+
CGI::unescape(password)
|
9
|
+
}
|
10
|
+
end
|
11
|
+
end
|
@@ -0,0 +1,33 @@
|
|
1
|
+
# Scans for occurrences of a key in a line of text and returns any associated
|
2
|
+
# values.
|
3
|
+
#
|
4
|
+
# Looks for the following patterns of key-value pairs:
|
5
|
+
# KEY=value
|
6
|
+
# KEY='value'
|
7
|
+
# KEY="value"
|
8
|
+
# KEY value
|
9
|
+
# KEY 'value'
|
10
|
+
# KEY "value"
|
11
|
+
# KEY: value
|
12
|
+
# KEY => value
|
13
|
+
class Carwash::ValueDiscoverer < Struct.new(:key)
|
14
|
+
def discover(line)
|
15
|
+
patterns.flat_map { |pattern|
|
16
|
+
line.scan(pattern).map(&:first)
|
17
|
+
}.reject(&:nil?).reject(&:empty?).map(&:downcase).map { |val|
|
18
|
+
unescape_value(val)
|
19
|
+
}
|
20
|
+
end
|
21
|
+
|
22
|
+
def patterns
|
23
|
+
@patterns ||= [
|
24
|
+
%r{#{key}['"]?\s*(?:=>|=|:|\s+)\s*'((?:\\'|[^'])+)'}i,
|
25
|
+
%r{#{key}['"]?\s*(?:=>|=|:|\s+)\s*"((?:\\"|[^"])+)"}i,
|
26
|
+
%r{#{key}['"]?\s*(?:=>|=|:|\s+)\s*((?:\\\s|\\"|\\'|[^\s'"])+)}i
|
27
|
+
]
|
28
|
+
end
|
29
|
+
|
30
|
+
def unescape_value(value)
|
31
|
+
value.gsub(/\\(.)/) { $1 }
|
32
|
+
end
|
33
|
+
end
|
@@ -0,0 +1,17 @@
|
|
1
|
+
require 'rexml/document'
|
2
|
+
|
3
|
+
# Discovers values in the format <key>value, which may occur in XML/HTML.
|
4
|
+
# XML attribute values are already handled using the basic ValueDiscoverer,
|
5
|
+
# since they match the `key="value"` format that it handles.
|
6
|
+
class Carwash::XmlValueDiscoverer < Struct.new(:key)
|
7
|
+
def discover(line)
|
8
|
+
line.scan(%r{[^/]#{key}>(?:([^<]+)|<!\[CDATA\[(.*?)\]\])}i)
|
9
|
+
.map(&:compact)
|
10
|
+
.flatten(1)
|
11
|
+
.map { |val| unescape_value(val) }
|
12
|
+
end
|
13
|
+
|
14
|
+
def unescape_value(value)
|
15
|
+
REXML::Text::unnormalize(value)
|
16
|
+
end
|
17
|
+
end
|
metadata
ADDED
@@ -0,0 +1,103 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: carwash
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 1.0.0
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Nathan Clark
|
8
|
+
autorequire:
|
9
|
+
bindir: exe
|
10
|
+
cert_chain: []
|
11
|
+
date: 2017-05-30 00:00:00.000000000 Z
|
12
|
+
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
14
|
+
name: bundler
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
16
|
+
requirements:
|
17
|
+
- - "~>"
|
18
|
+
- !ruby/object:Gem::Version
|
19
|
+
version: '1.14'
|
20
|
+
type: :development
|
21
|
+
prerelease: false
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirements:
|
24
|
+
- - "~>"
|
25
|
+
- !ruby/object:Gem::Version
|
26
|
+
version: '1.14'
|
27
|
+
- !ruby/object:Gem::Dependency
|
28
|
+
name: rake
|
29
|
+
requirement: !ruby/object:Gem::Requirement
|
30
|
+
requirements:
|
31
|
+
- - "~>"
|
32
|
+
- !ruby/object:Gem::Version
|
33
|
+
version: '10.0'
|
34
|
+
type: :development
|
35
|
+
prerelease: false
|
36
|
+
version_requirements: !ruby/object:Gem::Requirement
|
37
|
+
requirements:
|
38
|
+
- - "~>"
|
39
|
+
- !ruby/object:Gem::Version
|
40
|
+
version: '10.0'
|
41
|
+
- !ruby/object:Gem::Dependency
|
42
|
+
name: rspec
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
44
|
+
requirements:
|
45
|
+
- - "~>"
|
46
|
+
- !ruby/object:Gem::Version
|
47
|
+
version: '3.0'
|
48
|
+
type: :development
|
49
|
+
prerelease: false
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
51
|
+
requirements:
|
52
|
+
- - "~>"
|
53
|
+
- !ruby/object:Gem::Version
|
54
|
+
version: '3.0'
|
55
|
+
description:
|
56
|
+
email:
|
57
|
+
- nathan.clark@tokenshift.com
|
58
|
+
executables: []
|
59
|
+
extensions: []
|
60
|
+
extra_rdoc_files: []
|
61
|
+
files:
|
62
|
+
- ".gitignore"
|
63
|
+
- ".rspec"
|
64
|
+
- ".ruby-version"
|
65
|
+
- ".travis.yml"
|
66
|
+
- Gemfile
|
67
|
+
- LICENSE
|
68
|
+
- README.md
|
69
|
+
- Rakefile
|
70
|
+
- bin/console
|
71
|
+
- bin/setup
|
72
|
+
- carwash.gemspec
|
73
|
+
- lib/carwash.rb
|
74
|
+
- lib/carwash/scrubber.rb
|
75
|
+
- lib/carwash/uri_password_discoverer.rb
|
76
|
+
- lib/carwash/value_discoverer.rb
|
77
|
+
- lib/carwash/version.rb
|
78
|
+
- lib/carwash/xml_value_discoverer.rb
|
79
|
+
homepage: http://github.com/tokenshift/ruby_carwash
|
80
|
+
licenses:
|
81
|
+
- MIT
|
82
|
+
metadata: {}
|
83
|
+
post_install_message:
|
84
|
+
rdoc_options: []
|
85
|
+
require_paths:
|
86
|
+
- lib
|
87
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
88
|
+
requirements:
|
89
|
+
- - ">="
|
90
|
+
- !ruby/object:Gem::Version
|
91
|
+
version: '0'
|
92
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
93
|
+
requirements:
|
94
|
+
- - ">="
|
95
|
+
- !ruby/object:Gem::Version
|
96
|
+
version: '0'
|
97
|
+
requirements: []
|
98
|
+
rubyforge_project:
|
99
|
+
rubygems_version: 2.5.2
|
100
|
+
signing_key:
|
101
|
+
specification_version: 4
|
102
|
+
summary: Scrubs potentially sensitive values from log entries.
|
103
|
+
test_files: []
|