[question] How to skip password detection in Java Properties File ? #319

Closed
sylvainmouquet opened this issue Jul 15, 2020 · 5 comments
Labels
question The issue is a technical question related to the project. triaged The issue has been reviewed but has not been solved yet.


sylvainmouquet commented Jul 15, 2020

Hello,

We have tried to allow a secret in a property file, but Java reads the full string "xyz # pragma: allowlist secret"

```properties
password=xyz # pragma: allowlist secret
```

How to manage it?

Thanks
Sylvain

@OiCMudkips
Contributor

If you are using pre-commit you can use the exclude option to exclude Java properties files. If you are using this tool directly, you can use the --exclude-files flag.

Let us know if this works for you.

@OiCMudkips OiCMudkips added the question The issue is a technical question related to the project. label Jul 21, 2020

prashpb commented Jul 29, 2020

We are facing the same issue.
We cannot add exclude files, as a user may commit actual passwords and the scan will not detect them.
Any solution for how to add a whitelist to a .properties file would be helpful.

@domanchi
Contributor

From https://en.wikipedia.org/wiki/.properties, it looks like the issue with this is that the Java .properties format doesn't allow inline comments. This mirrors other config-file-like files. For example:

```python
>>> import configparser
>>> parser = configparser.ConfigParser()
>>> parser.read_string("""\
...    [section]
...    password = xyz    # pragma: allowlist secret
... """)

>>> print(parser.items('section')[0])
('password', 'xyz  # pragma: allowlist secret')
```

The only way we can address this is by adding some form of "skip next line" pragma, like eslint-disable-next-line. Let me see whether I can address this in our new filters system in v1.

@domanchi domanchi self-assigned this Nov 17, 2020
@nickiaconis
Contributor

Fwiw I just encountered this same issue in a Dockerfile today. It will be very helpful to have a "skip next line" pragma. Anything I can do to help move this along?

@domanchi
Contributor

@nickiaconis: if you wanted to help, you can certainly contribute a PR that bases atop the current pre-v1-adding-verification branch -- this will give you access to the dependency injected context variable (more information here: https://github.com/Yelp/detect-secrets/blob/pre-v1-launch/docs/filters.md#a-word-about-filter-internals).

I'd imagine that with this context object, you can create a new filter that checks the line before to see if the flagged secret has been ignored.
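The "check the line before" idea discussed in this thread, as an added example (not code from detect-secrets or from any participant): a toy line scanner that honors the inline pragma and an assumed next-line pragma, beside a minimal .properties reader showing that only the inline form ends up inside the value. The marker spelling `pragma: allowlist nextline secret`, the detector regex, the function names and the sample file are assumptions constructed for illustration.

```python
import re

# Inline form quoted in the thread.
INLINE = re.compile(r"pragma:\s*allowlist\s+secret")
# Assumed spelling: the thread only proposes "some form of 'skip next line'
# pragma" and does not fix the marker text.
NEXTLINE = re.compile(r"pragma:\s*allowlist\s+nextline\s+secret")
# Toy detector standing in for a real secret-scanning plugin.
SECRET_KEY = re.compile(r"(?i)^\s*[\w.]*(password|secret|token)[\w.]*\s*[=:]")
COMMENT = re.compile(r"^\s*[#!]")  # .properties comments are whole lines


def parse_properties(text):
    """Minimal .properties reader: '#' after a value is part of the value."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or COMMENT.match(line):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def flagged_lines(text):
    """1-based numbers of lines the toy detector flags and no pragma covers."""
    lines = text.splitlines()
    flagged = []
    for i, line in enumerate(lines):
        if COMMENT.match(line) or not SECRET_KEY.match(line):
            continue
        if INLINE.search(line):
            continue  # suppressed inline, but the value is now polluted
        prev = lines[i - 1] if i > 0 else ""
        if COMMENT.match(prev) and NEXTLINE.search(prev):
            continue  # suppressed by the comment line directly above
        flagged.append(i + 1)
    return flagged


# Constructed sample file.
SAMPLE = """\
# pragma: allowlist nextline secret
db.password=xyz
api.password=xyz # pragma: allowlist secret
smtp.token=abc123
"""

if __name__ == "__main__":
    print(parse_properties(SAMPLE))
    print(flagged_lines(SAMPLE))
```

The next-line marker applies only to the line immediately below it, so a blank line or another key in between leaves the secret flagged.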

@lorenzodb1 lorenzodb1 added pending The issue still needs to be reviewed by one of the maintainers. triaged The issue has been reviewed but has not been solved yet. and removed pending The issue still needs to be reviewed by one of the maintainers. labels Jun 15, 2022