
Maintenance: Add detection of secrets in the codebase.

Martin Gruner 2 years ago
parent
commit
d9c8aa1dc1

+ 18 - 0
.gitlab/ci/lint.yml

@@ -128,3 +128,21 @@
     - when: on_success
   script:
     - bundle exec rake zammad:ci:refresh_envs
+
+'lint: secret_detection':
+  extends: .template_lint
+  image:
+    name: "zricethezav/gitleaks:latest"
+    entrypoint: [""]
+  cache: []
+  before_script: []
+  script:
+    # Since we clone with GIT_DEPTH=1, the commit has the entire codebase as a diff.
+    # Otherwise, we'd need to use --no-git to scan the entire codebase, but that is slower
+    #   as it also traverses directories not scanned by git.
+    - gitleaks detect --report-path secret-detection-report.json --verbose
+  after_script: []
+  # # GitLab can show this in a security widget, but that seems to be useless at this point (offers empty file for download).
+  # artifacts:
+  #   reports:
+  #     secret_detection: secret-detection-report.json
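Review bot: The scanner image at `name: "zricethezav/gitleaks:latest"` is unpinned, so the rule set and behaviour of this job change silently with every upstream release and a bad or compromised tag would run in the pipeline unnoticed; pin a released tag and preferably its digest, `name: "zricethezav/gitleaks:<version>@sha256:<digest>"`, and bump it deliberately. Separately, `--verbose` prints each finding including the matched value into the job log, which usually has a wider audience and longer retention than the repository itself; add `--redact` so log and report show masked values: `gitleaks detect --redact --verbose --report-path secret-detection-report.json`. With the `artifacts:` stanza commented out the JSON report is, as far as I can tell, discarded when the job ends, so either drop `--report-path` or keep an `artifacts: paths:` entry for it. Also worth a comment next to the script: `gitleaks detect` picks up `.gitleaks.toml` from the repository root only because no `--config` is given, which is easy to break when someone later adds one.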

+ 18 - 0
.gitleaks.toml

@@ -0,0 +1,18 @@
+title = "Zammad gitleaks Configuration"
+
+[extend]
+useDefault = true
+
+[allowlist]
+description = "global allow list"
+paths = [
+  '''^doc/developer_manual/cookbook/how-to-setup-smime-integration.md''',
+  '''^log/''',
+  '''^spec/fixtures/files/smime/.*\.key''',
+  '''^test/data/saml/zammad-client.json''',
+  '''^test/data/telegram/private/sticker.json''',
+  '''^test/data/vcr_cassettes/''',
+  '''^tmp/''',
+]
+regexTarget = "line"
+regexes = []
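Review bot: `'''^test/data/vcr_cassettes/'''` allowlists an entire directory of recorded HTTP exchanges, which is exactly where live tokens from a test account get captured, so a cassette recorded tomorrow with a real `Authorization` header would never be flagged. Prefer allowlisting the individual cassette files that currently trip the scanner, or better the specific false-positive values via `regexes`, and record the reason beside each entry, e.g. `# recorded against a disposable sandbox account; tokens long revoked`. `regexTarget = "line"` has no effect while `regexes = []`, so either drop it or fill the list. The `^log/` and `^tmp/` entries only matter for a local `--no-git` run (the CI job scans git history, where untracked files are invisible), which is worth a one-line comment so nobody removes them thinking they protect the pipeline.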

+ 1 - 1
app/models/token.rb

@@ -28,7 +28,7 @@ create new persistent token
     }
   )
 
-in case if you use it via an controller, e. g. you can verify via "curl -H "Authorization: Token token=33562a00d7eda2a7c2fb639b91c6bcb8422067b6" http://...
+in case if you use it via an controller, e. g. you can verify via "curl -H "Authorization: Token token=my_token" http://...
 
 returns
 

+ 1 - 1
spec/fixtures/files/import/otrs/customer_user/camel_case_login.json

@@ -327,7 +327,7 @@
   "CustomerCompanyValidID": "1",
   "CustomerCompanyZIP": "test712259",
   "UserCountry": null,
-  "UserPassword": "f8be19af2f25837a31eff9131b0e47a5173290652c04a48b49b86474d48825ee",
+  "UserPassword": "secret_password",
   "ValidID": "1",
   "UserRefreshTime": "0",
   "UserEmail": "QA100@t-Online.de",

+ 1 - 1
spec/fixtures/files/import/otrs/customer_user/capital_email.json

@@ -327,7 +327,7 @@
   "CustomerCompanyValidID": "1",
   "CustomerCompanyZIP": "test712259",
   "UserCountry": null,
-  "UserPassword": "f8be19af2f25837a31eff9131b0e47a5173290652c04a48b49b86474d48825ee",
+  "UserPassword": "secret_password",
   "ValidID": "1",
   "UserRefreshTime": "0",
   "UserEmail": "QA100@t-Online.de",

+ 1 - 1
spec/fixtures/files/import/otrs/customer_user/default.json

@@ -327,7 +327,7 @@
   "CustomerCompanyValidID": "1",
   "CustomerCompanyZIP": "test712259",
   "UserCountry": null,
-  "UserPassword": "f8be19af2f25837a31eff9131b0e47a5173290652c04a48b49b86474d48825ee",
+  "UserPassword": "secret_password",
   "ValidID": "1",
   "UserRefreshTime": "0",
   "UserEmail": "qa100@t-online.de",

+ 1 - 1
spec/fixtures/files/import/otrs/customer_user/no_timestamps.json

@@ -327,7 +327,7 @@
   "CustomerCompanyValidID": "1",
   "CustomerCompanyZIP": "test712259",
   "UserCountry": null,
-  "UserPassword": "f8be19af2f25837a31eff9131b0e47a5173290652c04a48b49b86474d48825ee",
+  "UserPassword": "secret_password",
   "ValidID": "1",
   "UserRefreshTime": "0",
   "UserEmail": "qa100@t-online.de",

+ 2 - 2
spec/lib/core_ext/string_spec.rb

@@ -1386,9 +1386,9 @@ RSpec.describe String do
 
       it 'handles sample input 9' do
         expect(<<~HTML.chomp.html2html_strict).to eq(<<~TEXT.chomp)
-          <div><a href="http://www.example.com/Community/Passwort-Vergessen/?module_fnc=ChangeForgotPassword&amp;pwchangekey=66901c449dda98a098de4b57ccdf0805" title="http://www.example.com/Community/Passwort-Vergessen/?module_fnc%5BextranetHandler%5D=ChangeForgotPassword&amp;pwchangekey=66901c449dda98a098de4b57ccdf0805" rel="nofollow" target="_blank">http://www.example.com/Community/Passwort-Vergessen/?module_fnc%5BextranetHandler%5D=ChangeForgotPassword&amp;pwchangekey=66901c449dda98a098de4b57ccdf0805</a></div>
+          <div><a href="http://www.example.com/Community/Passwort-Vergessen/?module_fnc=ChangeForgotPassword&amp;pwchangekey=secret_key" title="http://www.example.com/Community/Passwort-Vergessen/?module_fnc%5BextranetHandler%5D=ChangeForgotPassword&amp;pwchangekey=secret_key" rel="nofollow" target="_blank">http://www.example.com/Community/Passwort-Vergessen/?module_fnc%5BextranetHandler%5D=ChangeForgotPassword&amp;pwchangekey=secret_key</a></div>
         HTML
-          <div><a href="http://www.example.com/Community/Passwort-Vergessen/?module_fnc=ChangeForgotPassword&amp;pwchangekey=66901c449dda98a098de4b57ccdf0805" title="http://www.example.com/Community/Passwort-Vergessen/?module_fnc%5BextranetHandler%5D=ChangeForgotPassword&amp;pwchangekey=66901c449dda98a098de4b57ccdf0805" rel="nofollow noreferrer noopener" target="_blank">http://www.example.com/Community/Passwort-Vergessen/?module_fnc%5BextranetHandler%5D=ChangeForgotPassword&amp;pwchangekey=66901c449dda98a098de4b57ccdf0805</a></div>
+          <div><a href="http://www.example.com/Community/Passwort-Vergessen/?module_fnc=ChangeForgotPassword&amp;pwchangekey=secret_key" title="http://www.example.com/Community/Passwort-Vergessen/?module_fnc%5BextranetHandler%5D=ChangeForgotPassword&amp;pwchangekey=secret_key" rel="nofollow noreferrer noopener" target="_blank">http://www.example.com/Community/Passwort-Vergessen/?module_fnc%5BextranetHandler%5D=ChangeForgotPassword&amp;pwchangekey=secret_key</a></div>
         TEXT
       end
 

+ 4 - 4
spec/lib/import/otrs/customer_user_spec.rb

@@ -59,7 +59,7 @@ RSpec.describe Import::OTRS::CustomerUser do
         firstname:       'test669673',
         lastname:        'test669673',
         login:           'test669673',
-        password:        'f8be19af2f25837a31eff9131b0e47a5173290652c04a48b49b86474d48825ee',
+        password:        'secret_password',
         phone:           nil,
         fax:             nil,
         mobile:          nil,
@@ -97,7 +97,7 @@ RSpec.describe Import::OTRS::CustomerUser do
         firstname:       'test669673',
         lastname:        'test669673',
         login:           'test669673',
-        password:        'f8be19af2f25837a31eff9131b0e47a5173290652c04a48b49b86474d48825ee',
+        password:        'secret_password',
         phone:           nil,
         fax:             nil,
         mobile:          nil,
@@ -139,7 +139,7 @@ RSpec.describe Import::OTRS::CustomerUser do
         firstname:       'test669673',
         lastname:        'test669673',
         login:           'test669673',
-        password:        'f8be19af2f25837a31eff9131b0e47a5173290652c04a48b49b86474d48825ee',
+        password:        'secret_password',
         phone:           nil,
         fax:             nil,
         mobile:          nil,
@@ -177,7 +177,7 @@ RSpec.describe Import::OTRS::CustomerUser do
         firstname:       'test669673',
         lastname:        'test669673',
         login:           'test669673',
-        password:        'f8be19af2f25837a31eff9131b0e47a5173290652c04a48b49b86474d48825ee',
+        password:        'secret_password',
         phone:           nil,
         fax:             nil,
         mobile:          nil,
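Review bot: The expectation `password: 'secret_password'` now pins a plaintext placeholder where the fixtures previously carried a 64-hex value that looks like a SHA-256 digest, which is presumably what an OTRS export contains; if the importer passes that hash through for later verification, these four examples no longer exercise that path and a regression in hash handling would go unnoticed. If the intent is only that the value is copied verbatim, state it in the spec, e.g. `# OTRS ships the password as an opaque hash; the importer stores it unchanged`; otherwise keep a digest-shaped but obviously synthetic value such as 64 zeros in fixtures and expectations, which should fall below gitleaks' entropy threshold and could also be allowlisted via `regexes` in `.gitleaks.toml`. The `it` blocks containing these hashes start and end outside the hunks.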

+ 6 - 6
spec/lib/sequencer/sequence/import/freshdesk/conversation_spec.rb

@@ -5,7 +5,7 @@ require 'rails_helper'
 RSpec.describe Sequencer::Sequence::Import::Freshdesk::Conversation, sequencer: :sequence do
 
   context 'when importing conversations from Freshdesk' do
-    let(:inline_image_url) { 'https://eucattachment.freshdesk.com/inline/attachment?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6ODAwMTIyMjY4NTMsImRvbWFpbiI6InphbW1hZC5mcmVzaGRlc2suY29tIiwiYWNjb3VudF9pZCI6MTg5MDU2MH0.705lNehzm--aO36CGFg0SW73j0NG3UWcRcN1_DXgtwc' }
+    let(:inline_image_url) { 'https://eucattachment.freshdesk.com/inline/attachment?token=secret_token' }
     let(:resource) do
       {
         'body' => "<div style=\"font-family:-apple-system, BlinkMacSystemFont, Segoe UI, Roboto, Helvetica Neue, Arial, sans-serif; font-size:14px\">\n<div dir=\"ltr\">Let's see if inline images work in a subsequent article:</div>\n<div dir=\"ltr\"><img src=\"#{inline_image_url}\" style=\"width: auto\" class=\"fr-fil fr-dib\" data-id=\"80012226853\"></div>\n</div>", 'body_text' => "Let's see if inline images work in a subsequent article:",
@@ -32,8 +32,8 @@ RSpec.describe Sequencer::Sequence::Import::Freshdesk::Conversation, sequencer:
             'size'           => 11_447,
             'created_at'     => '2021-05-14T12:30:16Z',
             'updated_at'     => '2021-05-14T12:30:19Z',
-            'attachment_url' => 'https://s3.eu-central-1.amazonaws.com/euc-cdn.freshdesk.com/data/helpdesk/attachments/production/80012226885/original/standalone_attachment.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAS6FNSMY2RG7BSUFP%2F20210514%2Feu-central-1%2Fs3%2Faws4_request&X-Amz-Date=20210514T123300Z&X-Amz-Expires=300&X-Amz-SignedHeaders=host&X-Amz-Signature=750988d37a6f2f43830bfd19c895517aa051aa13b4ab26a1333369d414fef0be',
-            'thumb_url'      => 'https://s3.eu-central-1.amazonaws.com/euc-cdn.freshdesk.com/data/helpdesk/attachments/production/80012226885/thumb/standalone_attachment.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAS6FNSMY2RG7BSUFP%2F20210514%2Feu-central-1%2Fs3%2Faws4_request&X-Amz-Date=20210514T123300Z&X-Amz-Expires=300&X-Amz-SignedHeaders=host&X-Amz-Signature=40b5fe1d7d418bcbd1e639b273a1038c7a73781c16d9881c2f31a11c6bebfdf9'
+            'attachment_url' => 'https://s3.eu-central-1.amazonaws.com/euc-cdn.freshdesk.com/data/helpdesk/attachments/production/80012226885/original/standalone_attachment.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=secret-amz-credential&X-Amz-Date=20210514T123300Z&X-Amz-Expires=300&X-Amz-SignedHeaders=host&X-Amz-Signature=750988d37a6f2f43830bfd19c895517aa051aa13b4ab26a1333369d414fef0be',
+            'thumb_url'      => 'https://s3.eu-central-1.amazonaws.com/euc-cdn.freshdesk.com/data/helpdesk/attachments/production/80012226885/thumb/standalone_attachment.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=secret-amz-credential&X-Amz-Date=20210514T123300Z&X-Amz-Expires=300&X-Amz-SignedHeaders=host&X-Amz-Signature=40b5fe1d7d418bcbd1e639b273a1038c7a73781c16d9881c2f31a11c6bebfdf9'
           }
         ],
         'auto_response' => false,
@@ -43,8 +43,8 @@ RSpec.describe Sequencer::Sequence::Import::Freshdesk::Conversation, sequencer:
     end
     let(:used_urls) do
       [
-        'https://eucattachment.freshdesk.com/inline/attachment?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6ODAwMTIyMjY4NTMsImRvbWFpbiI6InphbW1hZC5mcmVzaGRlc2suY29tIiwiYWNjb3VudF9pZCI6MTg5MDU2MH0.705lNehzm--aO36CGFg0SW73j0NG3UWcRcN1_DXgtwc',
-        'https://s3.eu-central-1.amazonaws.com/euc-cdn.freshdesk.com/data/helpdesk/attachments/production/80012226885/original/standalone_attachment.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAS6FNSMY2RG7BSUFP%2F20210514%2Feu-central-1%2Fs3%2Faws4_request&X-Amz-Date=20210514T123300Z&X-Amz-Expires=300&X-Amz-SignedHeaders=host&X-Amz-Signature=750988d37a6f2f43830bfd19c895517aa051aa13b4ab26a1333369d414fef0be',
+        'https://eucattachment.freshdesk.com/inline/attachment?token=secret_token',
+        'https://s3.eu-central-1.amazonaws.com/euc-cdn.freshdesk.com/data/helpdesk/attachments/production/80012226885/original/standalone_attachment.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=secret-amz-credential&X-Amz-Date=20210514T123300Z&X-Amz-Expires=300&X-Amz-SignedHeaders=host&X-Amz-Signature=750988d37a6f2f43830bfd19c895517aa051aa13b4ab26a1333369d414fef0be',
       ]
     end
 
@@ -118,7 +118,7 @@ RSpec.describe Sequencer::Sequence::Import::Freshdesk::Conversation, sequencer:
 
     context 'when handling special inline images' do
       context 'when inline image source contains special urls (e.g. "cid:https://...")' do
-        let(:inline_image_url) { 'cid:https://eucattachment.freshdesk.com/inline/attachment?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6ODAwMTIyMjY4NTMsImRvbWFpbiI6InphbW1hZC5mcmVzaGRlc2suY29tIiwiYWNjb3VudF9pZCI6MTg5MDU2MH0.705lNehzm--aO36CGFg0SW73j0NG3UWcRcN1_DXgtwc' }
+        let(:inline_image_url) { 'cid:https://eucattachment.freshdesk.com/inline/attachment?token=secret_token' }
 
         include_examples 'import article'
       end
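Review bot: Replacing the values on the new side does not remove them from git history — the removed lines are still in this commit's parent — and the new CI job scans only the checked-out HEAD, so the Freshdesk attachment JWT (whose payload, as far as I can decode it, carries no `exp` claim) and the `AKIA…` access key ID should be treated as exposed and revoked on the Freshdesk side rather than assumed to have expired. The scrub is also inconsistent: `X-Amz-Credential` became `secret-amz-credential` while both `X-Amz-Signature=…` hex values were kept; with `X-Amz-Expires=300` on a 2021-05-14 request the signatures are inert, but `X-Amz-Signature=secret-amz-signature` would make the intent clear and keep the next scanner revision from flagging them. A short comment above `let(:inline_image_url)` saying these URLs are sanitised captures compared only as strings would save the next person from wondering whether the placeholders need to be well-formed.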
