Harden CHORUS security and messaging stack

pkg/shhh/rule.go

@@ -0,0 +1,130 @@
+package shhh
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"regexp"
+	"sort"
+	"strings"
+)
+
+type compiledRule struct {
+	name        string
+	regex       *regexp.Regexp
+	replacement string
+	severity    Severity
+	tags        []string
+}
+
+type matchRecord struct {
+	value string
+}
+
+func (r *compiledRule) apply(in string) (string, []matchRecord) {
+	indices := r.regex.FindAllStringSubmatchIndex(in, -1)
+	if len(indices) == 0 {
+		return in, nil
+	}
+
+	var builder strings.Builder
+	builder.Grow(len(in))
+
+	matches := make([]matchRecord, 0, len(indices))
+	last := 0
+	for _, loc := range indices {
+		start, end := loc[0], loc[1]
+		builder.WriteString(in[last:start])
+		replaced := r.regex.ExpandString(nil, r.replacement, in, loc)
+		builder.Write(replaced)
+		matches = append(matches, matchRecord{value: in[start:end]})
+		last = end
+	}
+	builder.WriteString(in[last:])
+
+	return builder.String(), matches
+}
+
+func buildDefaultRuleConfigs(placeholder string) []RuleConfig {
+	if placeholder == "" {
+		placeholder = "[REDACTED]"
+	}
+	return []RuleConfig{
+		{
+			Name:                "bearer-token",
+			Pattern:             `(?i)(authorization\s*:\s*bearer\s+)([A-Za-z0-9\-._~+/]+=*)`,
+			ReplacementTemplate: "$1" + placeholder,
+			Severity:            SeverityMedium,
+			Tags:                []string{"token", "http"},
+		},
+		{
+			Name:                "api-key",
+			Pattern:             `(?i)((?:api[_-]?key|token|secret|password)\s*[:=]\s*["']?)([A-Za-z0-9\-._~+/]{8,})(["']?)`,
+			ReplacementTemplate: "$1" + placeholder + "$3",
+			Severity:            SeverityHigh,
+			Tags:                []string{"credentials"},
+		},
+		{
+			Name:                "openai-secret",
+			Pattern:             `(sk-[A-Za-z0-9]{20,})`,
+			ReplacementTemplate: placeholder,
+			Severity:            SeverityHigh,
+			Tags:                []string{"llm", "api"},
+		},
+		{
+			Name:                "oauth-refresh-token",
+			Pattern:             `(?i)(refresh_token"?\s*[:=]\s*["']?)([A-Za-z0-9\-._~+/]{8,})(["']?)`,
+			ReplacementTemplate: "$1" + placeholder + "$3",
+			Severity:            SeverityMedium,
+			Tags:                []string{"oauth"},
+		},
+		{
+			Name:                "private-key-block",
+			Pattern:             `(?s)(-----BEGIN [^-]+ PRIVATE KEY-----)[^-]+(-----END [^-]+ PRIVATE KEY-----)`,
+			ReplacementTemplate: "$1\n" + placeholder + "\n$2",
+			Severity:            SeverityHigh,
+			Tags:                []string{"pem", "key"},
+		},
+	}
+}
+
+func compileRules(cfg Config, placeholder string) ([]*compiledRule, error) {
+	configs := make([]RuleConfig, 0)
+	if !cfg.DisableDefaultRules {
+		configs = append(configs, buildDefaultRuleConfigs(placeholder)...)
+	}
+	configs = append(configs, cfg.CustomRules...)
+
+	rules := make([]*compiledRule, 0, len(configs))
+	for _, rc := range configs {
+		if rc.Name == "" || rc.Pattern == "" {
+			continue
+		}
+		replacement := rc.ReplacementTemplate
+		if replacement == "" {
+			replacement = placeholder
+		}
+		re, err := regexp.Compile(rc.Pattern)
+		if err != nil {
+			return nil, err
+		}
+		compiled := &compiledRule{
+			name:        rc.Name,
+			replacement: replacement,
+			regex:       re,
+			severity:    rc.Severity,
+			tags:        append([]string(nil), rc.Tags...),
+		}
+		rules = append(rules, compiled)
+	}
+
+	sort.SliceStable(rules, func(i, j int) bool {
+		return rules[i].name < rules[j].name
+	})
+
+	return rules, nil
+}
+
+func hashSecret(value string) string {
+	sum := sha256.Sum256([]byte(value))
+	return base64.RawStdEncoding.EncodeToString(sum[:])
+}