
keyhog-core — shared data model and detector specifications for the KeyHog secret scanner
# Docs: https://docs.aws.amazon.com/lambda/latest/dg/urls-configuration.html
# Format: Lambda function URL auth token in query string (?token=...)
# Verify: none — see the note at the end of this file; every pattern captures
#         only the token, not the URL that would be needed to exercise it
# Prefix: none (patterns 1–2 require URL context; pattern 3 uses a
#         `lambda … url … token` keyword anchor instead)
# NOTE(review): Lambda function URLs themselves only offer IAM auth or no auth;
# a `?token=` query parameter is an application-level convention, so match
# quality depends on the application that issued the URL — confirm the target.

[detector]
id = "aws-lambda-function-url-secret"
name = "AWS Lambda Function URL Secret"
service = "aws"
# Rated critical even though the captured token is inert without its function
# URL (see the closing note) — presumably because patterns 1 and 2 only fire
# when the full URL is present on the same line; confirm against the rubric.
severity = "critical"
# Presumably a prefilter for candidate lines — TODO confirm. `lambda` and
# `token` on their own are broad and will admit many unrelated lines.
keywords = ["lambda-url", "lambda", "token"]

# Pattern 1: function URL with the query string directly after the host
# (`…on.aws/?token=`).
# NOTE(review): pattern 2 below matches every URL this one does (its path
# class `[a-zA-Z0-9_-]*` may be empty) with the same capture group, so this
# pattern is redundant and a line may be reported twice — confirm how the
# scanner de-duplicates before dropping it. The `.*` before `token=` also
# spans whitespace, so a `token=` from a later URL on the same line can be
# attributed to this one; `[^\s]*` would keep the match within one URL.
[[detector.patterns]]
regex = "https://[a-z0-9]{12,}\\.lambda-url\\.[a-z0-9-]+\\.on\\.aws/\\?.*token=([a-zA-Z0-9_-]{20,})"
description = "AWS Lambda function URL with auth token in query string"
# Group 1 is the token value (20+ URL-safe characters), not the URL, so the
# reported match cannot be replayed on its own.
group = 1

# Pattern 2: as pattern 1, but allows one URL-safe path segment before `?`.
# Nested paths (`/a/b?token=`) do not match because `/` is not in the class.
[[detector.patterns]]
regex = "https://[a-z0-9]{12,}\\.lambda-url\\.[a-z0-9-]+\\.on\\.aws/[a-zA-Z0-9_-]*\\?.*token=([a-zA-Z0-9_-]{20,})"
description = "AWS Lambda function URL with path and auth token"
group = 1

# Pattern 3: keyword anchor (`LAMBDA_URL_TOKEN=…`, `lambda url token: "…"`)
# for tokens stored in config or env files without the URL alongside.
# NOTE(review): only all-upper or all-lower spellings match (`Lambda_Url_Token`
# does not); a case-insensitive flag would cover mixed case. After TOML
# unescaping the separator class is `[=:\s"'\']`, which lists `'` twice (once
# escaped) — the escape is redundant, and some regex engines reject escaping a
# non-meta character; confirm against the scanner's engine.
[[detector.patterns]]
regex = "(?:LAMBDA|lambda)[_\\-\\s]*(?:URL|url)[_\\-\\s]*(?:TOKEN|token)[=:\\s\"'\\']+([a-zA-Z0-9_-]{20,})"
description = "AWS Lambda function URL token with context anchor"
group = 1

# Verification removed: every pattern above captures just the token portion
# of the Lambda URL (group 1 = `[a-zA-Z0-9_-]{20,}`), so `{{match}}` is the
# bare token rather than a usable URL. A safe verifier would need a separate
# companion capturing the full `https://...lambda-url.../...?token=` URL,
# but the captured value is already inert: a leaked token without its
# accompanying function URL can't be exercised. Reporting it as
# `Unverifiable` is the correct outcome here.