
Hardcoded PHP passwords not found #404

Closed
ghost opened this issue Feb 3, 2021 · 4 comments · Fixed by #567
Labels
enhancement The issue is related to improving a certain aspect of the project. false negatives P2 Important. E.g. a new feature that we want to include in the next release. selected The issue has been selected to be worked on.

Comments

@ghost

ghost commented Feb 3, 2021

I did some tests and a number of passwords (e.g. in an array or constant) were not found in a PHP file:

Array example:

```php
array (
    'host' => self::processHost('database05'),
    'database' => 'test',
    'user' => 'test',
    'password' => 'tzlzhzgpazlvaffudrnkbhlkyawtgzc',
),
```

Constants:

```php
const DB_TEST_PWD = 'jex0`&?c950?\7$ya5',
      DB_PWD = 'plqudzxtlhchccoqfirgmqqzxpyyoik';
```

I've used the following command: `detect-secrets scan > .secrets.baseline`

@domanchi
Contributor

domanchi commented Feb 3, 2021

@BlueCanary-DM , what version of detect-secrets are you running? Have you tried using detect-secrets scan --string to see what the individual plugins report?

@ghost
Author

ghost commented Feb 3, 2021

I'm running version 0.13.1, as I had the issue described here:
Yelp/detect-secrets-server#62

However, using the Docker container provided here, which uses the latest version, I have the same results.

@adityak80

I am facing the same problem with PHP files, the following code is not caught by any of the plugins:

```php
define('DB_GLOBAL_MASTER',
    array(
        'database' => 'GLOBAL_MASTER',
        'host' => 'xxx.xx.203.94',
        'port' => '1433',
        'username' => 'xxxxweb-xxadmin',
        'password' => '***@9mIn',
    )
);
```

Even 'password' is not flagged by KeywordDetector unless one removes the single quotes around the word password.

@jpdakran jpdakran added pending The issue still needs to be reviewed by one of the maintainers. enhancement The issue is related to improving a certain aspect of the project. labels Jun 15, 2022
@lorenzodb1 lorenzodb1 added false negatives pending The issue still needs to be reviewed by one of the maintainers. and removed pending The issue still needs to be reviewed by one of the maintainers. labels Jun 15, 2022
@jpdakran jpdakran added P2 Important. E.g. a new feature that we want to include in the next release. pending The issue still needs to be reviewed by one of the maintainers. triaged The issue has been reviewed but has not been solved yet. and removed pending The issue still needs to be reviewed by one of the maintainers. labels Jun 15, 2022
@lorenzodb1 lorenzodb1 added selected The issue has been selected to be worked on. and removed triaged The issue has been reviewed but has not been solved yet. labels Jun 15, 2022
@jpdakran jpdakran removed the selected The issue has been selected to be worked on. label Jun 15, 2022
@lorenzodb1 lorenzodb1 added the selected The issue has been selected to be worked on. label Jun 15, 2022
@jpdakran
Member

After doing some investigation on this issue, the issue with the array declaration is valid. The `=>` operator is not picked up by the keyword detector. I have added #567 to fix this issue.

With respect to the const secrets noted above: the first secret (`DB_TEST_PWD`) is detected. The second secret (`DB_PWD`) indeed is not detected. However, this is because it is filtered out by `detect_secrets.filters.gibberish.should_exclude_secret`.

This investigation was performed on detect-secrets v1.2.0

jpdakran added a commit that referenced this issue Jun 23, 2022
* Add regex for the arrow function assignment operator followed by quotes to keyword plugin

* Revert local dependency changes