Handle binary values specially in yaml file parser

This is step (1) in supporting binary in both YAML and non- YAML files. This makes it so that instead of immediately converting the base64-encoded binary into a binary value in python, we just interpret the binary as a normal string, but annotate it as such with the `is_binary` flag. This is needed so that plugins can scan a different value from the value hashed into baselines.
Yelp · Aug 14, 2019 · 65e126c · 65e126c
1 parent 99528d4
commit 65e126c
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 2 deletions.
diff --git a/detect_secrets/plugins/common/yaml_file_parser.py b/detect_secrets/plugins/common/yaml_file_parser.py
@@ -16,7 +16,7 @@ class YamlFileParser(object):
     Therefore, we take a different approach: intercept the parsing of the yaml
     file to identify string values. This assumes:
 
-        1. Secrets are strings
+        1. Secrets are strings or binaries
         2. Secrets are not keys
 
     Then, we calculate the entropy of those string values.
@@ -75,7 +75,7 @@ def _tag_dict_values(self, map_node):
         """
         new_values = []
         for key, value in map_node.value:
-            if not value.tag.endswith(':str'):
+            if not value.tag.endswith(':str') and not value.tag.endswith(':binary'):
                 new_values.append((key, value))
                 continue
 
@@ -92,6 +92,11 @@ def _tag_dict_values(self, map_node):
                         str(value.__line__),
                         'tag:yaml.org,2002:int',
                     ),
+                    self._create_key_value_pair_for_mapping_node_value(
+                        '__is_binary__',
+                        str(value.tag.endswith(':binary')),
+                        'tag:yaml.org,2002:bool',
+                    ),
                 ],
             )
 

diff --git a/tests/plugins/common/yaml_file_parser_test.py b/tests/plugins/common/yaml_file_parser_test.py
@@ -1,6 +1,9 @@
 from __future__ import absolute_import
 from __future__ import unicode_literals
 
+import mock
+import pytest
+
 from detect_secrets.plugins.common.yaml_file_parser import YamlFileParser
 from testing.mocks import mock_file_object
 
@@ -19,3 +22,26 @@ def test_get_ignored_lines(self):
         ignored_lines = YamlFileParser(f).get_ignored_lines()
 
         assert ignored_lines == {2, 3}
+
+    @pytest.mark.parametrize(
+        ['yaml_value', 'expected_value', 'expected_is_binary'],
+        [
+            ('string_value', 'string_value', False),
+            ('!!binary YWJjZGVm', 'YWJjZGVm', True),
+        ],
+    )
+    def test_possible_secret_format(
+        self,
+        yaml_value,
+        expected_value,
+        expected_is_binary,
+    ):
+        content = 'key: {yaml_value}'.format(yaml_value=yaml_value)
+        f = mock_file_object(content)
+
+        result = YamlFileParser(f).json()
+        assert result['key'] == {
+            '__value__': expected_value,
+            '__is_binary__': expected_is_binary,
+            '__line__': mock.ANY,
+        }