This implements support for high-entropy secrets in binary values in yaml files. We encode the binary value into a hex- or base64-encoded string (based on the plugin), and run the normal entropy check. If the string is deemed to be high-entropy, we re-encode the string into a yaml binary (using `yaml.dump`) and strip the `!!binary`. This yaml binary is considered the secret, and is put into the baseline as normal. I had to update a test function so that it uses a custom hex high-entropy detector, since `HighEntropyStringsPlugin` is now an abstract class.
Victor Zhou committed on Aug 29, 2019 (1 parent: 0af82f6; commit e5e0b3c)
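The flow the commit message describes (decode the YAML binary value, hex- or base64-encode it, run the entropy check, and store the yaml-binary form with the `!!binary` tag stripped), as an added Python example. This is not code from the commit or from the project; the plugin objects, the thresholds, the fixture and its keys are this example's own constructions, and the `!!binary` payload is handled with the standard `base64` module instead of `yaml.dump` so the script runs without PyYAML.

```python
import base64
import math
import re
from collections import Counter
from typing import Callable, Dict, NamedTuple


class EntropyPlugin(NamedTuple):
    """A string encoder plus the entropy threshold above which a value is flagged."""
    name: str
    encode: Callable[[bytes], str]
    limit: float


# Two plugins in the spirit of the hex and base64 high-entropy detectors.
# The limits are values chosen for this example, not the project's defaults.
HEX_PLUGIN = EntropyPlugin("hex", lambda raw: raw.hex(), 3.0)
BASE64_PLUGIN = EntropyPlugin(
    "base64", lambda raw: base64.b64encode(raw).decode("ascii"), 4.5,
)

# Constructed fixture (not the commit's test file). "api_key" is the !!binary
# form of the 16 raw bytes 2b00042f7481c7b056c4b410d28f33cf; "padding" is
# 16 NUL bytes, a binary value that is clearly not a secret.
SAMPLE_YAML = (
    "api_key: !!binary KwAEL3SBx7BWxLQQ0o8zzw==\n"
    "padding: !!binary " + base64.b64encode(bytes(16)).decode("ascii") + "\n"
    "name: plain text, not binary\n"
)

BINARY_LINE = re.compile(r"^\s*([\w.-]+):\s*!!binary\s+(\S+)\s*$")


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character, over the characters present."""
    if not text:
        return 0.0
    counts = Counter(text)
    total = len(text)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def parse_binary_values(yaml_text: str) -> Dict[str, bytes]:
    """Extract `key: !!binary <base64>` lines and decode them to bytes.

    Assumption: the !!binary payload is standard base64 of the raw bytes, so
    base64.b64decode yields what a YAML loader would give for these lines.
    """
    found = {}
    for line in yaml_text.splitlines():
        m = BINARY_LINE.match(line)
        if m:
            found[m.group(1)] = base64.b64decode(m.group(2), validate=True)
    return found


def yaml_binary_secret(raw: bytes) -> str:
    """The secret as stored in the baseline: the yaml-binary payload, tag stripped.

    Assumption: this base64 text is the payload yaml.dump emits for a bytes
    value; yaml.dump itself is not called so there is no third-party import.
    """
    return base64.b64encode(raw).decode("ascii")


def scan_yaml(yaml_text: str, plugin: EntropyPlugin) -> Dict[str, str]:
    """Encode each binary value with the plugin's encoder, entropy-check the
    encoding, and record the yaml-binary form of every value that is flagged."""
    secrets = {}
    for key, raw in parse_binary_values(yaml_text).items():
        encoded = plugin.encode(raw)
        if shannon_entropy(encoded) > plugin.limit:
            secrets[key] = yaml_binary_secret(raw)
    return secrets


if __name__ == "__main__":
    for plugin in (HEX_PLUGIN, BASE64_PLUGIN):
        print(plugin.name, scan_yaml(SAMPLE_YAML, plugin))
```

With the limits used here, the hex plugin flags `api_key` because its 32-character hex encoding scores about 3.54 bits per character, while the base64 plugin does not: the same 16 bytes in base64 form are only 24 characters and score about 4.0 bits per character, under the 4.5 limit. The encoding a plugin applies, not just the bytes themselves, decides whether a short binary secret clears the threshold, which is worth checking when tuning limits for binary values.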
Showing 7 changed files with 108 additions and 20 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
# This is yaml.dump('2b00042f7481c7b056c4b410d28f33cf'.encode('utf-8')) | ||
high_entropy_hex_binary_secret: !!binary MmIwMDA0MmY3NDgxYzdiMDU2YzRiNDEwZDI4ZjMzY2Y= |
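Review bot: the comment on the first added line presents the next line as the output of `yaml.dump('2b00042f7481c7b056c4b410d28f33cf'.encode('utf-8'))`, but the value is written inline on one line, whereas yaml.dump renders a bytes value as a block scalar (`!!binary |` with the base64 on the following line); both forms load to the same bytes, so consider wording the comment as "the base64 payload is what yaml.dump produces for ..." or stating outright that the payload decodes to the 32-character hex text rather than to 16 raw bytes, so that anyone regenerating the fixture ends up with the same scalar.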
Nit: Maybe rename the returned var to new_secrets_dict, just to make it more obvious we’re essentially throwing away the old one.