tryaudex_core/

leakdetect.rs

use regex::Regex;
use std::sync::LazyLock;

/// Result of scanning a line for credential leaks.
#[derive(Debug, Clone)]
pub struct LeakDetection {
    pub pattern_name: String,
    pub matched_text: String,
}

static PATTERNS: LazyLock<Vec<(&str, Regex)>> = LazyLock::new(|| {
    vec![
        // AWS Access Key ID (starts with AKIA, ASIA, AIDA, AROA)
        (
            "AWS Access Key ID",
            Regex::new(r"(?:^|[^A-Z0-9])(A[KS]IA[0-9A-Z]{16})(?:[^A-Z0-9]|$)").unwrap(),
        ),
        // AWS Secret Access Key (40 chars, base64-ish, preceded by a key-like context)
        (
            "AWS Secret Access Key",
            Regex::new(r"(?i)(?:secret.?access.?key|aws_secret|SECRET_KEY)\s*[=:]\s*([A-Za-z0-9/+=]{40})(?:[^A-Za-z0-9/+=]|$)").unwrap(),
        ),
        // AWS Session Token (starts with FwoGZX or IQoJb3)
        (
            "AWS Session Token",
            Regex::new(r"(?:FwoGZX|IQoJb3)[A-Za-z0-9/+=]{50,}").unwrap(),
        ),
        // GCP OAuth2 access token (ya29.)
        (
            "GCP Access Token",
            Regex::new(r"ya29\.[A-Za-z0-9_-]{50,}").unwrap(),
        ),
        // Azure Bearer Token (eyJ prefix, JWT format)
        (
            "Azure Bearer Token",
            Regex::new(r"eyJ[A-Za-z0-9_-]{20,}\.eyJ[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}")
                .unwrap(),
        ),
        // GitHub personal access tokens (ghp_, gho_, ghs_, ghr_, github_pat_)
        (
            "GitHub Token",
            Regex::new(r"(?:ghp_|gho_|ghs_|ghr_|github_pat_)[A-Za-z0-9_]{36,}").unwrap(),
        ),
        // Vault tokens (hvs. prefix)
        (
            "Vault Token",
            Regex::new(r"hvs\.[A-Za-z0-9_-]{24,}").unwrap(),
        ),
        // Private key headers
        (
            "Private Key",
            Regex::new(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----").unwrap(),
        ),
        // Generic long base64 secrets (likely tokens, >100 chars)
        (
            "Long Base64 Token",
            Regex::new(r"(?:^|[=:]\s*)[A-Za-z0-9+/]{100,}={0,2}(?:\s|$)").unwrap(),
        ),
    ]
});

/// Scan a single line for credential leaks.
/// Returns a list of detected leaks, or empty if clean.
pub fn scan_line(line: &str) -> Vec<LeakDetection> {
    if line.trim().is_empty() {
        return Vec::new();
    }
    // NOTE: We intentionally do NOT skip comment lines (# or //) because
    // real credentials in comments are still a leak risk.

    let mut detections = Vec::new();

    for (name, pattern) in PATTERNS.iter() {
        if let Some(m) = pattern.find(line) {
            let matched = m.as_str();
            // Skip very short matches that are likely false positives
            if matched.len() < 16 {
                continue;
            }
            detections.push(LeakDetection {
                pattern_name: name.to_string(),
                matched_text: redact(matched),
            });
        }
    }

    detections
}

/// Scan multiple lines of output for credential leaks.
pub fn scan_output(output: &str) -> Vec<LeakDetection> {
    output.lines().flat_map(scan_line).collect()
}

/// Redact all detected credential patterns in a string, replacing them
/// with safe placeholders. Use this before writing to audit logs.
pub fn redact_secrets(input: &str) -> String {
    let mut result = input.to_string();
    for (name, pattern) in PATTERNS.iter() {
        // Apply replacements on the current result string (not the original
        // input) to avoid offset corruption when multiple patterns overlap.
        let current = result.clone();
        let mut new_result = String::with_capacity(current.len());
        let mut last_end = 0;

        for m in pattern.find_iter(&current) {
            let matched = m.as_str();
            if matched.len() < 16 {
                continue;
            }
            new_result.push_str(&current[last_end..m.start()]);
            new_result.push_str(&format!("[REDACTED:{}:{}]", name, redact(matched)));
            last_end = m.end();
        }
        new_result.push_str(&current[last_end..]);
        result = new_result;
    }
    result
}

/// Redact a matched credential, showing only first 8 and last 4 chars.
///
/// R6-M35: slice by char count, not bytes. All current credential regexes
/// match ASCII-only patterns, but `redact` is a general helper — passing a
/// short non-ASCII string (e.g. from a future pattern or a fuzzing test)
/// to the old `s.len() <= 16 → &s[..4]` path would panic because the 4th
/// byte can fall inside a multi-byte UTF-8 character.
fn redact(s: &str) -> String {
    let char_count = s.chars().count();
    if char_count <= 16 {
        let head: String = s.chars().take(4).collect();
        format!("{}...", head)
    } else {
        let head: String = s.chars().take(8).collect();
        let tail: String = s.chars().skip(char_count - 4).collect();
        format!("{}...{}", head, tail)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_detect_aws_access_key() {
        let line = "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE";
        let leaks = scan_line(line);
        assert!(!leaks.is_empty(), "Should detect AWS access key");
        assert!(leaks
            .iter()
            .any(|l| l.pattern_name.contains("AWS Access Key ID")));
    }

    #[test]
    fn test_detect_aws_session_token() {
        let line = "AWS_SESSION_TOKEN=FwoGZXIvYXdzEBYaDHxkJ3lNJAHvLj4mZiLOAd3FuKnNv0lRZx5example";
        let leaks = scan_line(line);
        assert!(!leaks.is_empty(), "Should detect AWS session token");
    }

    #[test]
    fn test_detect_gcp_token() {
        let line =
            "Authorization: Bearer ya29.a0AfH6SMBx1234567890abcdefghijklmnopqrstuvwxyz1234567890";
        let leaks = scan_line(line);
        assert!(!leaks.is_empty(), "Should detect GCP access token");
        assert!(leaks.iter().any(|l| l.pattern_name.contains("GCP")));
    }

    #[test]
    fn test_detect_azure_jwt() {
        let line = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.Signature1234567890abcdef";
        let leaks = scan_line(line);
        assert!(!leaks.is_empty(), "Should detect Azure/JWT token");
    }

    #[test]
    fn test_clean_output() {
        let line = "Successfully listed 42 objects in s3://my-bucket";
        let leaks = scan_line(line);
        assert!(
            leaks.is_empty(),
            "Normal output should not trigger detection"
        );
    }

    #[test]
    fn test_detect_in_comments() {
        let line = "# AKIAIOSFODNN7EXAMPLE";
        let leaks = scan_line(line);
        assert!(
            !leaks.is_empty(),
            "Credentials in comments should still be detected"
        );
    }

    #[test]
    fn test_redact() {
        assert_eq!(redact("AKIAIOSFODNN7EXAMPLE"), "AKIAIOSF...MPLE");
        assert_eq!(redact("short"), "shor...");
    }

    #[test]
    fn test_scan_multiline() {
        let output = "line1 ok\nAKIAIOSFODNN7EXAMPLE leaked\nline3 ok";
        let leaks = scan_output(output);
        assert!(!leaks.is_empty());
    }

    #[test]
    fn test_redact_secrets_aws_key() {
        let input = "key=AKIAIOSFODNN7EXAMPLE in output";
        let redacted = redact_secrets(input);
        assert!(!redacted.contains("AKIAIOSFODNN7EXAMPLE"));
        assert!(redacted.contains("[REDACTED:AWS Access Key ID:"));
    }

    #[test]
    fn test_redact_secrets_gcp_token() {
        let input = "token=ya29.a0AfH6SMBx1234567890abcdefghijklmnopqrstuvwxyz1234567890";
        let redacted = redact_secrets(input);
        assert!(!redacted.contains("ya29.a0AfH6SMBx1234567890abcdefghijklmnopqrstuvwxyz1234567890"));
        assert!(redacted.contains("[REDACTED:GCP Access Token:"));
    }

    #[test]
    fn test_redact_secrets_clean_input() {
        let input = "normal log entry with no secrets";
        let redacted = redact_secrets(input);
        assert_eq!(redacted, input);
    }

    #[test]
    fn test_redact_secrets_preserves_structure() {
        let input = r#"{"command":["aws","s3","ls"],"key":"safe-value"}"#;
        let redacted = redact_secrets(input);
        assert_eq!(redacted, input); // No secrets, unchanged
    }
}