generic.secrets.security.detected-username-and-password-in-uri.detected-username-and-password-in-uri

Community Favorite
profile photo of semgrepsemgrep
Author
42,313
Download Count*
LGPL Commons Clause
License

Username and password in URI detected

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: detected-username-and-password-in-uri
    patterns:
      - pattern: $PROTOCOL://$...USERNAME:$...PASSWORD@$END
      - metavariable-regex:
          metavariable: $...USERNAME
          regex: \A({?)([A-Za-z])([A-Za-z0-9_-]){5,31}(}?)\Z
      - metavariable-regex:
          metavariable: $...PASSWORD
          regex: (?!.*[\s])(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~]){6,32}
      - metavariable-regex:
          metavariable: $PROTOCOL
          regex: (.*http.*)|(.*sql.*)|(.*ftp.*)|(.*smtp.*)
    languages:
      - generic
    message: Username and password in URI detected
    severity: ERROR
    metadata:
      owasp:
        - A07:2021 - Identification and Authentication Failures
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      references:
        - https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go
      category: security
      technology:
        - secrets
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      vulnerability_class:
        - Hard-coded Secrets

Examples

detected-username-and-password-in-uri.txt

# ruleid: detected-username-and-password-in-uri
https://username:passworD123*@example.com

# ruleid: detected-username-and-password-in-uri
https://username:**sswor*D12@example.com

# ok: detected-username-and-password-in-uri
https://example.com

# ok: detected-username-and-password-in-uri
https://example.com/path/to/something

# ok: detected-username-and-password-in-uri
https://example.com/path/to/something?pass=word

# ok: detected-username-and-password-in-uri
https://username:************@example.com

# ok: detected-username-and-password-in-uri
https://username:*********@example.com

# ok: detected-username-and-password-in-uri
https://username:••••••••@example.com

# ruleid: detected-username-and-password-in-uri
db_url=mysql+pymysql://sampleuser:Sample%password12@merchantdb/collection

# ruleid: detected-username-and-password-in-uri
zxc=https://makka-chakkaf:chakkA12+@example.com

# ok: detected-username-and-password-in-uri
xvy=https://www.googly@yoyo.com/yomax#

# ok: detected-username-and-password-in-uri
yy=http://google@seeyou.com/mandrek

# ruleid: detected-username-and-password-in-uri
samp=http://username:f12*Password@totalsuccess@megafailure/yourname

# ruleid: detected-username-and-password-in-uri
db_url=mysql+pymysql://sampleuser:samplEpassword12*@merchantdb.com/collection

# ruleid: detected-username-and-password-in-uri
HTTP (ex : `http://user123:Password12^@192.168.0.1:3128/`)

# ruleid: detected-username-and-password-in-uri
HTTPS (ex : `https://user123:passworD0+@192.168.0.1:3128/`)

# ruleid: detected-username-and-password-in-uri
curl -kvsX PUT \"https://user123:passw0rD1&@something.host.test:8088/search/\" -H \"Content-Type: application/xml\"

# ok: detected-username-and-password-in-uri
f"https://user123:{_github_pat(github_secret_name)}@github.com/"

# ok: detected-username-and-password-in-uri
f"https://{get_user_name}:{_github_pat(github_secret_name)}@github.com/"

# ruleid: detected-username-and-password-in-uri
f"https://{get_user_name}:pwdTest123+@github.com/"

# ok: detected-username-and-password-in-uri
https://localhost: Example+1@example.com

# ok: detected-username-and-password-in-uri
https://docker.ouroath.com:4443/paranoids/cameo@sha256:35f1ea3d0ae9dc9b058dd8d224f1bb7e053bc58615778f9317c27b73c86dd806

# ok: detected-username-and-password-in-uri
[https://npm.vzbuilders.com/-/icon/@vzmi/navrail-utils/latest](http://npm.vzbuilders.com/-/package/@vzmi/navrail-utils)

    "jest-worker": {
      "version": "28.1.1",
      # ok: detected-username-and-password-in-uri
      "resolved": "https://registry.npmjs.org/jest-worker/-/jest-worker-28.1.1.tgz",
      "integrity": "sha512-Au7slXB08C6h+xbJPp7VIb6U0XX5Kc9uel/WFc6/rcTzGiaVCBRngBExSYuXSLFPULPSYU3cJ3ybS988lNFQhQ==",
      "dev": true,
      "requires": {
        "@types/node": "*",
        "merge-stream": "^2.0.0",
        "supports-color": "^8.0.0"
      },
      "dependencies": {
        "supports-color": {
          "version": "8.1.1",
          # ok: detected-username-and-password-in-uri
          "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-8.1.1.tgz",
          "integrity": "sha512-MpUEN2OodtUzxvKQl72cUF7RQ5EiHsGvSsVG0ia9c5RbWGL2CI4C7EpPS8UTBIplnlzZiNuV56w+FuNxy3ty2Q==",
          "dev": true,
          "requires": {
            "has-flag": "^4.0.0"
          }
        }
      }
    },