proposal: SqlServer connection string detector #867

mac2000 · 2022-10-26T08:05:59Z

Closes #866

The problem: at moment trufflehog does not see SQL Server connection strings at all 🤷‍♂️

e.g. here is part of Program.cs:

var builder = WebApplication.CreateBuilder(args);

builder.Services
  .AddDbContext<Database>(optionsBuilder => optionsBuilder
    .UseSqlServer("Server=some.domain.com;Initial Catalog=Demo;User ID=sa;Password=PASSWORD_HERE"));

var app = builder.Build();

Proposal: this pull request adds dedicated SQLServer connection string detector to prevent such leaks

How it works

Because connection string itself is a set of case-insensitive key-value pairs delimited by a semicolon with regexp we are looking for something that may be a connection string

To prevent false positives we then try to parse it with msdn.Parse

And if everything fine as a last step we are trying to connect to server with connection string we have found

Also there is an TestSQLServer_pattern with few pattern dedicated tests to see if regexp will match desired strings

dustin-decker

Thank you for the contribution!

mac2000 added 5 commits October 26, 2022 10:50

sqlserver added to detectors.proto

3efcb8b

make protos

7a3ebdc

boilerplate detector generated

56e61e7

wireup

90e1fd8

initial

2302d2e

mac2000 requested a review from a team as a code owner October 26, 2022 08:06

dustin-decker approved these changes Oct 26, 2022

View reviewed changes

dustin-decker merged commit 60464da into trufflesecurity:main Oct 26, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

proposal: SqlServer connection string detector #867

proposal: SqlServer connection string detector #867

mac2000 commented Oct 26, 2022

dustin-decker left a comment

proposal: SqlServer connection string detector #867

proposal: SqlServer connection string detector #867

Conversation

mac2000 commented Oct 26, 2022

dustin-decker left a comment

Choose a reason for hiding this comment