🔭[Keyword Plugin] Handle dict['keyword']

By adding an optional `((\'|")])?` to the regexes. This is to catch 'foo' in e.g. `some_dict["secret"] = "foo"`
Yelp · Dec 28, 2018 · ec1e0cd · ec1e0cd
1 parent 4581aa8
commit ec1e0cd
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 25 deletions.
diff --git a/detect_secrets/plugins/keyword.py b/detect_secrets/plugins/keyword.py
@@ -75,13 +75,13 @@
 )
 FOLLOWED_BY_EQUAL_SIGNS_RE = re.compile(
     # e.g. my_password = bar
-    r'({})()(\s*?)=(\s*?)(("|\')?)([^\s]+)(\5)'.format(
+    r'({})((\'|")])?()(\s*?)=(\s*?)(("|\')?)([^\s]+)(\7)'.format(
         r'|'.join(BLACKLIST),
     ),
 )
 FOLLOWED_BY_EQUAL_SIGNS_QUOTES_REQUIRED_RE = re.compile(
     # e.g. my_password = "bar"
-    r'({})()(\s*?)=(\s*?)(("|\'))([^\s]+)(\5)'.format(
+    r'({})((\'|")])?()(\s*?)=(\s*?)(("|\'))([^\s]+)(\7)'.format(
         r'|'.join(BLACKLIST),
     ),
 )
@@ -93,12 +93,12 @@
 )
 BLACKLIST_REGEX_TO_GROUP = {
     FOLLOWED_BY_COLON_RE: 7,
-    FOLLOWED_BY_EQUAL_SIGNS_RE: 7,
+    FOLLOWED_BY_EQUAL_SIGNS_RE: 9,
     FOLLOWED_BY_QUOTES_AND_SEMICOLON_RE: 5,
 }
 PYTHON_BLACKLIST_REGEX_TO_GROUP = {
     FOLLOWED_BY_COLON_QUOTES_REQUIRED_RE: 7,
-    FOLLOWED_BY_EQUAL_SIGNS_QUOTES_REQUIRED_RE: 7,
+    FOLLOWED_BY_EQUAL_SIGNS_QUOTES_REQUIRED_RE: 9,
     FOLLOWED_BY_QUOTES_AND_SEMICOLON_RE: 5,
 }
 
@@ -169,13 +169,13 @@ def secret_generator(self, string, filetype):
 
 def probably_false_positive(lowered_secret, filetype):
     if (
-        'fake' in lowered_secret or
-        'self.' in lowered_secret or
-        lowered_secret in FALSE_POSITIVES or
+        'fake' in lowered_secret
+        or 'self.' in lowered_secret
+        or lowered_secret in FALSE_POSITIVES or
         # If it is a .php file, do not report $variables
         (
-            filetype == FileType.PHP and
-            lowered_secret[0] == '$'
+            filetype == FileType.PHP
+            and lowered_secret[0] == '$'
         )
     ):
         return True

diff --git a/tests/plugins/keyword_test.py b/tests/plugins/keyword_test.py
@@ -22,6 +22,8 @@ class TestKeywordDetector(object):
             'apikey: "ho)pe]nob(ody[finds>-_$#thisone"',
             "apikey:  'ho)pe]nob(ody[finds>-_$#thisone'",
             # FOLLOWED_BY_EQUAL_SIGNS_RE
+            'some_dict["secret"] = "ho)pe]nob(ody[finds>-_$#thisone"',
+            "some_dict['secret'] = ho)pe]nob(ody[finds>-_$#thisone",
             'my_password=ho)pe]nob(ody[finds>-_$#thisone',
             'my_password= ho)pe]nob(ody[finds>-_$#thisone',
             'my_password =ho)pe]nob(ody[finds>-_$#thisone',
@@ -61,6 +63,7 @@ def test_analyze_positives(self, file_content):
             'apikey: "hope]nobody[finds>-_$#thisone"',
             "apikey:  'hope]nobody[finds>-_$#thisone'",
             # FOLLOWED_BY_EQUAL_SIGNS_QUOTES_REQUIRED_RE
+            'some_dict["secret"] = "hope]nobody[finds>-_$#thisone"',
             'the_password= "hope]nobody[finds>-_$#thisone"\n',
             'the_password=\'hope]nobody[finds>-_$#thisone\'\n',
             # FOLLOWED_BY_QUOTES_AND_SEMICOLON_RE
@@ -119,38 +122,39 @@ def test_analyze_negatives(self, file_content):
         assert len(output) == 0
 
     @pytest.mark.parametrize(
-        'file_content',
+        'secret_starting_with_dollar_sign',
         [
             # FOLLOWED_BY_EQUAL_SIGNS_RE
-            '$password = $input;',  # Skip anything starting with $ in php files
+            '$password = $input;',
         ],
     )
-    def test_analyze_php_negatives(self, file_content):
+    def test_analyze_php_negatives(self, secret_starting_with_dollar_sign):
         logic = KeywordDetector()
 
-        f = mock_file_object(file_content)
+        f = mock_file_object(secret_starting_with_dollar_sign)
         output = logic.analyze(f, 'mock_filename.php')
         assert len(output) == 0
 
     @pytest.mark.parametrize(
-        'file_content',
+        'secret_with_no_quote',
         [
             # FOLLOWED_BY_COLON_QUOTES_REQUIRED_RE
-            'apikey: hope]nobody[finds>-_$#thisone',  # No quotes
-            'apikey:hope]nobody[finds>-_$#thisone',  # No quotes
-            'theapikey:hope]nobody[finds>-_$#thisone',  # No quotes
+            'apikey: hope]nobody[finds>-_$#thisone',
+            'apikey:hope]nobody[finds>-_$#thisone',
+            'theapikey:hope]nobody[finds>-_$#thisone',
             # FOLLOWED_BY_EQUAL_SIGNS_QUOTES_REQUIRED_RE
-            'my_password=hope]nobody[finds>-_$#thisone',  # No quotes
-            'my_password= hope]nobody[finds>-_$#thisone',  # No quotes
-            'my_password =hope]nobody[finds>-_$#thisone',  # No quotes
-            'my_password = hope]nobody[finds>-_$#thisone',  # No quotes
-            'my_password =hope]nobody[finds>-_$#thisone',  # No quotes
-            'the_password=hope]nobody[finds>-_$#thisone\n',  # No quotes
+            "some_dict['secret'] = hope]nobody[finds>-_$#thisone",
+            'my_password=hope]nobody[finds>-_$#thisone',
+            'my_password= hope]nobody[finds>-_$#thisone',
+            'my_password =hope]nobody[finds>-_$#thisone',
+            'my_password = hope]nobody[finds>-_$#thisone',
+            'my_password =hope]nobody[finds>-_$#thisone',
+            'the_password=hope]nobody[finds>-_$#thisone\n',
         ],
     )
-    def test_analyze_python_negatives(self, file_content):
+    def test_analyze_python_negatives(self, secret_with_no_quote):
         logic = KeywordDetector()
 
-        f = mock_file_object(file_content)
+        f = mock_file_object(secret_with_no_quote)
         output = logic.analyze(f, 'mock_filename.py')
         assert len(output) == 0