↪️ Merge pull request #169 from dgzlopes/add-stripe-plugin

Add Stripe detector to plugins
Yelp · May 13, 2019 · 38b559c · 38b559c
2 parents c86214a + 9ae909f
commit 38b559c
Show file tree

Hide file tree

Showing 7 changed files with 82 additions and 0 deletions.
diff --git a/detect_secrets/core/usage.py b/detect_secrets/core/usage.py
@@ -295,6 +295,11 @@ class PluginOptions(object):
             disable_flag_text='--no-artifactory-scan',
             disable_help_text='Disable scanning for Artifactory credentials',
         ),
+        PluginDescriptor(
+            classname='StripeDetector',
+            disable_flag_text='--no-stripe-scan',
+            disable_help_text='Disable scanning for Stripe keys',
+        ),
     ]
 
     def __init__(self, parser):

diff --git a/detect_secrets/plugins/common/initialize.py b/detect_secrets/plugins/common/initialize.py
@@ -13,6 +13,7 @@
 from ..keyword import KeywordDetector                       # noqa: F401
 from ..private_key import PrivateKeyDetector                # noqa: F401
 from ..slack import SlackDetector                           # noqa: F401
+from ..stripe import StripeDetector                         # noqa: F401
 from detect_secrets.core.log import log
 from detect_secrets.core.usage import PluginOptions
 

diff --git a/detect_secrets/plugins/stripe.py b/detect_secrets/plugins/stripe.py
@@ -0,0 +1,18 @@
+"""
+This plugin searches for Stripe keys
+"""
+from __future__ import absolute_import
+
+import re
+
+from .base import RegexBasedDetector
+
+
+class StripeDetector(RegexBasedDetector):
+
+    secret_type = 'Stripe Access Key'
+
+    blacklist = (
+        # stripe standard keys begin with sk_live and restricted with rk_live
+        re.compile(r'(r|s)k_live_[0-9a-zA-Z]{24}'),
+    )
diff --git a/tests/core/usage_test.py b/tests/core/usage_test.py
@@ -40,6 +40,7 @@ def test_consolidates_output_basic(self):
             'AWSKeyDetector': {},
             'SlackDetector': {},
             'ArtifactoryDetector': {},
+            'StripeDetector': {},
         }
         assert not hasattr(args, 'no_private_key_scan')
 

diff --git a/tests/main_test.py b/tests/main_test.py
@@ -96,6 +96,7 @@ def test_scan_string_basic(
                 KeywordDetector        : False
                 PrivateKeyDetector     : False
                 SlackDetector          : False
+                StripeDetector         : False
             """.format(
                 expected_base64_result,
                 expected_hex_result,
@@ -119,6 +120,7 @@ def test_scan_string_cli_overrides_stdin(self):
                 KeywordDetector        : False
                 PrivateKeyDetector     : False
                 SlackDetector          : False
+                StripeDetector         : False
             """)[1:]
 
     def test_scan_with_all_files_flag(self, mock_baseline_initialize):
@@ -257,6 +259,9 @@ def test_old_baseline_ignored_with_update_flag(
                     {
                         "name": "SlackDetector",
                     },
+                    {
+                        "name": "StripeDetector",
+                    },
                 ],
             ),
             (  # remove some plugins from all plugins
@@ -288,6 +293,9 @@ def test_old_baseline_ignored_with_update_flag(
                     {
                         "name": "SlackDetector",
                     },
+                    {
+                        "name": "StripeDetector",
+                    },
                 ],
             ),
             (  # use same plugin list from baseline
@@ -375,6 +383,9 @@ def test_old_baseline_ignored_with_update_flag(
                     {
                         "name": "SlackDetector",
                     },
+                    {
+                        "name": "StripeDetector",
+                    },
                 ],
             ),
             (  # use plugin limit from baseline when using --use-all-plugins and no input limit
@@ -408,6 +419,9 @@ def test_old_baseline_ignored_with_update_flag(
                     {
                         "name": "SlackDetector",
                     },
+                    {
+                        "name": "StripeDetector",
+                    },
                 ],
             ),
         ],

diff --git a/tests/plugins/stripe_key_test.py b/tests/plugins/stripe_key_test.py
@@ -0,0 +1,40 @@
+from __future__ import absolute_import
+from __future__ import unicode_literals
+
+import pytest
+
+from detect_secrets.plugins.stripe import StripeDetector
+from testing.mocks import mock_file_object
+
+
+class TestStripeKeyDetector(object):
+
+    @pytest.mark.parametrize(
+        'file_content,should_flag',
+        [
+            (
+                'sk_live_ReTllpYQYfIZu2Jnf2lAPFjD',
+                True,
+            ),
+            (
+                'rk_live_5TcWfjKmJgpql9hjpRnwRXbT',
+                True,
+            ),
+            (
+                'pk_live_j5krY8XTgIcDaHDb3YrsAfCl',
+                False,
+            ),
+            (
+                'sk_live_',
+                False,
+            ),
+        ],
+    )
+    def test_analyze(self, file_content, should_flag):
+        logic = StripeDetector()
+
+        f = mock_file_object(file_content)
+        output = logic.analyze(f, 'mock_filename')
+        assert len(output) == (1 if should_flag else 0)
+        for potential_secret in output:
+            assert 'mock_filename' == potential_secret.filename
diff --git a/tests/pre_commit_hook_test.py b/tests/pre_commit_hook_test.py
@@ -194,6 +194,9 @@ def test_that_baseline_gets_updated(
                 {
                     'name': 'SlackDetector',
                 },
+                {
+                    'name': 'StripeDetector',
+                },
             ]
 
     def test_writes_new_baseline_if_modified(self):