Revise Azure Connection String rule to improve signal-to-noise (#257)

The pattern changes here decrease both false positives and false negatives.
This change also adds a description to the rule.

CHANGELOG.md

@@ -20,6 +20,7 @@ Note that the use of semantic versioning applies to the command-line interface a
 
 ### Changes
 - The `Credentials in PsExec` rule has been renamed to `Credentials in PsExec Invocation` ([#251](https://github.com/praetorian-inc/noseyparker/pull/251))
+- The `Azure Connection String` rule has been refined to improve signal-to-noise ([#257](https://github.com/praetorian-inc/noseyparker/pull/257)).
 
 
 ## [v0.23.0](https://github.com/praetorian-inc/noseyparker/releases/v0.23.0) (2025-01-28)

crates/noseyparker-cli/tests/rules/snapshots/test_noseyparker__rules__rules_list_json-2.snap

@@ -399,13 +399,13 @@ expression: stdout
     },
     {
       "id": "np.azure.1",
-      "structural_id": "8d2b8482f72be3b33030ff0f584e4f26bfef2656",
+      "structural_id": "e7e78f0dfbe275a066583eadf3bb16632f740a76",
       "name": "Azure Connection String",
       "syntax": {
         "name": "Azure Connection String",
         "id": "np.azure.1",
-        "pattern": "(?x)\n(?i)\n(?: AccountName | SharedAccessKeyName | SharedSecretIssuer) \\s*=\\s* ([^;]{1,80}) \\s*;\\s*\n.{0,10}\\s*  (?# possible extra stuff, e.g., string concatenation)\n(?: AccountKey | SharedAccessKey | SharedSecretValue) \\s*=\\s* ([^;]{1,100})\n(?: ;|$ )\n",
-        "description": null,
+        "pattern": "(?x)\n(?i)\n(?: AccountName | SharedAccessKeyName | SharedSecretIssuer) \\s*=\\s* ([^${;<\\[.\\s*\"'\\#] [^.;\\n\"'\\#]{2,80}) \\s*;\\s*\n.{0,10}\\s*  (?# possible extra stuff, e.g., string concatenation)\n(?: AccountKey | SharedAccessKey | SharedSecretValue) \\s*=\\s* ([a-zA-Z0-9/+]{20,100}[=]{0,3})\n(?: [^a-zA-Z0-9/+=] | $ )\n",
+        "description": "Credentials in an Azure connection string were found. Depending on assigned privileges, these may allow an attacker read or write access to Azure storage.\n",
         "examples": [
           "# Azure Storage Connection String\nAzureWebJobsStorage=DefaultEndpointsProtocol=https;AccountName=hanatour9833;AccountKey=6jqh42QQjWWBwoPGGR/Jr0PZjhBMZVbHm/gkhEfHvOj8aV6+oI8ed6ZAAwB5a6993WqyQDiuJJB0QpseJwqYxw==;EndpointSuffix=core.windows.net\n",
           "DefaultEndpointsProtocol=http;AccountName=testacc1;\nAccountKey=1gy3lpE7Du1j5ljKiupgKzywSw2isjsa69sfsdfsdsgfsgfdgfdgfd/YThisv/OVVLfIOv9kQ==;\nBlobEndpoint=http://127.0.0.1:8440/testacc1;\nTableEndpoint=http://127.0.0.1:8440/testacc1;\nQueueEndpoint=http://127.0.0.1:8440/testacc1;\n",
@@ -414,7 +414,13 @@ expression: stdout
         ],
         "negative_examples": [
           "InstrumentationKey=00000000-0000-0000-0000-000000000000;EndpointSuffix=ai.contoso.com;",
-          "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://custom.com:111/;LiveEndpoint=https://custom.com:222/;ProfilerEndpoint=https://custom.com:333/;SnapshotEndpoint=https://custom.com:444/;"
+          "InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://custom.com:111/;LiveEndpoint=https://custom.com:222/;ProfilerEndpoint=https://custom.com:333/;SnapshotEndpoint=https://custom.com:444/;",
+          "let accountName = \"\";\nlet accountKey = Buffer.from(\"accountKey\", \"base64\");\n",
+          "let accountName = $accountName;\nlet accountKey = $accountKey;\n",
+          "AccountName=<YOUR_ACCOUNT_NAME>;\nAccountKey=<YOUR_ACCOUNT_KEY>;\n",
+          "AccountName=X;AccountKey=X;\n",
+          "AccountName={2};AccountKey={3};\n",
+          "SharedAccessKeyName=[Shared Access Key Name goes here];SharedAccessKey=[Shared Access key goes here];\n"
         ],
         "references": [
           "https://azure.microsoft.com/en-us/blog/windows-azure-web-sites-how-application-strings-and-connection-strings-work/",

crates/noseyparker/data/default/builtin/rules/azure.yml

@@ -14,10 +14,10 @@ rules:
   pattern: |
     (?x)
     (?i)
-    (?: AccountName | SharedAccessKeyName | SharedSecretIssuer) \s*=\s* ([^;]{1,80}) \s*;\s*
+    (?: AccountName | SharedAccessKeyName | SharedSecretIssuer) \s*=\s* ([^${;<\[.\s*"'\#] [^.;\n"'\#]{2,80}) \s*;\s*
     .{0,10}\s*  (?# possible extra stuff, e.g., string concatenation)
-    (?: AccountKey | SharedAccessKey | SharedSecretValue) \s*=\s* ([^;]{1,100})
-    (?: ;|$ )
+    (?: AccountKey | SharedAccessKey | SharedSecretValue) \s*=\s* ([a-zA-Z0-9/+]{20,100}[=]{0,3})
+    (?: [^a-zA-Z0-9/+=] | $ )
 
   references:
   - https://azure.microsoft.com/en-us/blog/windows-azure-web-sites-how-application-strings-and-connection-strings-work/
@@ -29,6 +29,10 @@ rules:
   - fuzzy
   - secret
 
+  description: >
+    Credentials in an Azure connection string were found.
+    Depending on assigned privileges, these may allow an attacker read or write access to Azure storage.
+
   examples:
   - |
       # Azure Storage Connection String
@@ -54,6 +58,21 @@ rules:
   # https://docs.microsoft.com/en-us/azure/azure-monitor/app/sdk-connection-string
   - 'InstrumentationKey=00000000-0000-0000-0000-000000000000;EndpointSuffix=ai.contoso.com;'
   - 'InstrumentationKey=00000000-0000-0000-0000-000000000000;IngestionEndpoint=https://custom.com:111/;LiveEndpoint=https://custom.com:222/;ProfilerEndpoint=https://custom.com:333/;SnapshotEndpoint=https://custom.com:444/;'
+  - |
+      let accountName = "";
+      let accountKey = Buffer.from("accountKey", "base64");
+  - |
+      let accountName = $accountName;
+      let accountKey = $accountKey;
+  - |
+      AccountName=<YOUR_ACCOUNT_NAME>;
+      AccountKey=<YOUR_ACCOUNT_KEY>;
+  - |
+      AccountName=X;AccountKey=X;
+  - |
+      AccountName={2};AccountKey={3};
+  - |
+      SharedAccessKeyName=[Shared Access Key Name goes here];SharedAccessKey=[Shared Access key goes here];
 
 
 - name: Azure App Configuration Connection String