1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
package codec
import (
"encoding/hex"
"github.com/stretchr/testify/assert"
"net/url"
"testing"
)
func TestDecode(t *testing.T) {
tests := []struct {
chunk string
expected string
name string
}{
{
name: "only b64 chunk",
chunk: `bG9uZ2VyLWVuY29kZWQtc2VjcmV0LXRlc3Q=`,
expected: `longer-encoded-secret-test`,
},
{
name: "mixed content",
chunk: `token: bG9uZ2VyLWVuY29kZWQtc2VjcmV0LXRlc3Q=`,
expected: `token: longer-encoded-secret-test`,
},
{
name: "no chunk",
chunk: ``,
expected: ``,
},
{
name: "env var (looks like all b64 decodable but has `=` in the middle)",
chunk: `some-encoded-secret=dGVzdC1zZWNyZXQtdmFsdWU=`,
expected: `some-encoded-secret=test-secret-value`,
},
{
name: "has longer b64 inside",
chunk: `some-encoded-secret="bG9uZ2VyLWVuY29kZWQtc2VjcmV0LXRlc3Q="`,
expected: `some-encoded-secret="longer-encoded-secret-test"`,
},
{
name: "many possible i := 0substrings",
chunk: `Many substrings in this slack message could be base64 decoded
but only dGhpcyBlbmNhcHN1bGF0ZWQgc2VjcmV0 should be decoded.`,
expected: `Many substrings in this slack message could be base64 decoded
but only this encapsulated secret should be decoded.`,
},
{
name: "b64-url-safe: only b64 chunk",
chunk: `bG9uZ2VyLWVuY29kZWQtc2VjcmV0LXRlc3Q`,
expected: `longer-encoded-secret-test`,
},
{
name: "b64-url-safe: mixed content",
chunk: `token: bG9uZ2VyLWVuY29kZWQtc2VjcmV0LXRlc3Q`,
expected: `token: longer-encoded-secret-test`,
},
{
name: "b64-url-safe: env var (looks like all b64 decodable but has `=` in the middle)",
chunk: `some-encoded-secret=dGVzdC1zZWNyZXQtdmFsdWU=`,
expected: `some-encoded-secret=test-secret-value`,
},
{
name: "b64-url-safe: has longer b64 inside",
chunk: `some-encoded-secret="bG9uZ2VyLWVuY29kZWQtc2VjcmV0LXRlc3Q"`,
expected: `some-encoded-secret="longer-encoded-secret-test"`,
},
{
name: "b64-url-safe: hyphen url b64",
chunk: `Z2l0bGVha3M-PmZpbmRzLXNlY3JldHM`,
expected: `gitleaks>>finds-secrets`,
},
{
name: "b64-url-safe: underscore url b64",
chunk: `YjY0dXJsc2FmZS10ZXN0LXNlY3JldC11bmRlcnNjb3Jlcz8_`,
expected: `b64urlsafe-test-secret-underscores??`,
},
{
name: "invalid base64 string",
chunk: `a3d3fa7c2bb99e469ba55e5834ce79ee4853a8a3`,
expected: `a3d3fa7c2bb99e469ba55e5834ce79ee4853a8a3`,
},
{
name: "url encoded value",
chunk: `secret%3D%22q%24%21%40%23%24%25%5E%26%2A%28%20asdf%22`,
expected: `secret="q$!@#$%^&*( asdf"`,
},
{
name: "hex encoded value",
chunk: `secret="466973684D617048756E6B79212121363334"`,
expected: `secret="FishMapHunky!!!634"`,
},
}
decoder := NewDecoder()
fullDecode := func(data string) string {
segments := []*EncodedSegment{}
for {
data, segments = decoder.Decode(data, segments)
if len(segments) == 0 {
return data
}
}
}
// Test value decoding
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
assert.Equal(t, tt.expected, fullDecode(tt.chunk))
})
}
// Percent encode the values to test percent decoding
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
encodedChunk := url.PathEscape(tt.chunk)
assert.Equal(t, tt.expected, fullDecode(encodedChunk))
})
}
// Hex encode the values to test hex decoding
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
encodedChunk := hex.EncodeToString([]byte(tt.chunk))
assert.Equal(t, tt.expected, fullDecode(encodedChunk))
})
}
}
|
