Handle binary values in YAML files #223
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
KevinHock
reviewed
Aug 14, 2019
| @@ -75,7 +75,7 @@ def _tag_dict_values(self, map_node): | |||
| """ | |||
| new_values = [] | |||
| for key, value in map_node.value: | |||
| if not value.tag.endswith(':str'): | |||
| if not value.tag.endswith(':str') and not value.tag.endswith(':binary'): | |||
There was a problem hiding this comment.
super nit: feel free to ignore
i feel like
if not (
value.tag.endswith(':str')
or
value.tag.endswith(':binary')
):is a little prettier ⚡️ 💟
| @@ -92,6 +92,11 @@ def _tag_dict_values(self, map_node): | |||
| str(value.__line__), | |||
| 'tag:yaml.org,2002:int', | |||
| ), | |||
| self._create_key_value_pair_for_mapping_node_value( | |||
| '__is_binary__', | |||
There was a problem hiding this comment.
I realize the other calls of this don't do this, but maybe we can use keyword args to make things clearer, it helps with the other function calls in this file.
OiCMudkips
force-pushed
the
yaml_binary
branch
from
65e126c
to
4107194
Compare
added 3 commits
August 21, 2019 14:24
This is step (1) in supporting binary in both YAML and non- YAML files. This makes it so that instead of immediately converting the base64-encoded binary into a binary value in python, we just interpret the binary as a normal string, but annotate it as such with the `is_binary` flag. This is needed so that plugins can scan a different value from the value hashed into baselines.
This implements support for high-entropy secrets in binary values in yaml files. We encode the binary value into a hex- or base64-encoded string (based on the plugin), and run the normal entropy check. If the string is deemed to be high-entropy, we re encode the string into a yaml binary (using `yaml.dump`) and strip the `!!binary`. This yaml binary is considered the secret, and is put into the baseline as normal. I had to update a test function so that it uses a custom hex high-entropy detector, since `HighEntropyStringsPlugin` is now an abstract class.
To test this you would need to import an unused class into the module so that it's in `globals()`, and have the test know what class that is. Seems messy to me, and not worth what it would be testing.
OiCMudkips
force-pushed
the
yaml_binary
branch
from
4107194
to
869033d
Compare
OiCMudkips
changed the title
|
This is done. The general strategy is:
The complicated-ness of (3) is needed so that we can actually find the secret in the file afterwards using the existing |
|
re: ‘HighEntropyStringsPlugin is now an abstract class’ in commit message, for the explanation of the new class in the test, I’m on my phone but I don’t see that it’s abstract. |
|
Never mind me lol, I see the ABCMeta metaclass. I guess it was an abstract class before this PR and I read the message as this making it abstract. |
KevinHock
approved these changes
Aug 30, 2019
|
KevinHock++ I think the test was able to instantiate an abstract class because we didn’t actually mark any methods as abstract, but once I added some abstract methods, the test started failing so I had to fix it. |
Merged
killuazhu
pushed a commit
to IBM/detect-secrets
that referenced
this pull request
May 28, 2020
killuazhu
pushed a commit
to IBM/detect-secrets
that referenced
this pull request
Jul 9, 2020
killuazhu
pushed a commit
to IBM/detect-secrets
that referenced
this pull request
Sep 17, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
(WIP as of writing)
This is step (1) in supporting binary in both YAML and non-YAML files.
This makes it so that instead of immediately converting the base64-encoded binary into a binary value in python, we just interpret the binary as a normal string, but annotate it as such with the
is_binaryflag.This is needed so that plugins can scan a different value from the value hashed into baselines.
Alternatives:
YamlFileParserand put the desired form into__value____value__and__is_binary__, have fields__scan_value__and__plaintext_value__analyze_binary_content(in addition toanalyze_string_content) which knows how to do the conversion to the "desired format", but that depends on us knowing that the string is a binary as opposed to some other special sauce, so I think theis_binaryinformation is important.Closes #202
The next steps would be to make the high-entropy plugin actually use the
is_binaryinformation to do the conversion and output results correctly.