Allow Sensitive Line Prefixes

intentionet / netconan

netconan - a Network Configuration Anonymizer

Apache License 2.0

146 stars 12 forks source link

Allow Sensitive Line Prefixes #62

Closed sfraint closed 6 years ago

sfraint commented 6 years ago

Added prefix check for sensitive line regexes. For example, if set community FOO is detected as a sensitive line, then Unrecognized Line: 1: set community FOO ... will also be detected as a sensitive line.

Also, format detection now works correctly for passwords enclosed in quotes.

Fixes #61

This change is

dhalperi commented 6 years ago

Reviewed 3 of 4 files at r1. Review status: 2 of 4 files reviewed at latest revision, all discussions resolved.

netconan/default_pwd_regexes.py, line 63 at r1 (raw file):

    [('((ikev2 )?(local|remote)-authentication pre-shared-key) \K(\S+)(?= ?.*)', 4)],
    [('((\S )*pre-shared-key( remote| local)?( hex| \d)?) \K(\S+)(?= ?.*)', 5)],
    [('((tacacs|radius)-server? (\S+ )*key)( \d)? \K(\S+)(?= ?.*)', 5)],

what is this? maybe a mistaken addition based on a typo I made in original bug report?

netconan/sensitive_item_removal.py, line 33 at r1 (raw file):

('(\S* )*"?

Can we delete everything before K now? (And maybe after the end of the regex, if relevant?)

Comments from Reviewable

dhalperi commented 6 years ago

Reviewed 2 of 2 files at r2. Review status: all files reviewed at latest revision, 2 unresolved discussions.

Comments from Reviewable

dhalperi commented 6 years ago

Review status: all files reviewed at latest revision, 2 unresolved discussions.

Comments from Reviewable

sfraint commented 6 years ago

Review status: all files reviewed at latest revision, 2 unresolved discussions.

netconan/default_pwd_regexes.py, line 63 at r1 (raw file):

Previously, dhalperi (Dan Halperin) wrote…

what is this? maybe a mistaken addition based on a typo I made in original bug report?

Yep, removed.

netconan/sensitive_item_removal.py, line 33 at r1 (raw file):

Previously, dhalperi (Dan Halperin) wrote…

> ``` > ('(\S* )*"? > ``` Can we delete everything before `K` now? (And maybe after the end of the regex, if relevant?)

Looks like with a change to _ALLOWED_REGEX_PREFIX and a change to an existing default password regex we should be able to remove the leading word matches.

I have also removed the broad, trailing regexes matches.

Comments from Reviewable

dhalperi commented 6 years ago

Reviewed 3 of 3 files at r3. Review status: all files reviewed at latest revision, all discussions resolved.

Comments from Reviewable