From 35b829d6e515454f4b026b7034bf92bd9a087491 Mon Sep 17 00:00:00 2001
From: Julian Fonticoba Mouriz
Date: Mon, 1 Mar 2021 16:47:20 +0100
Subject: [PATCH 1/2] Bugfix of Yaml exception with simple quotes
---
 detect_secrets/plugins/keyword.py | 96 +-------------------------------
 1 file changed, 2 insertions(+), 94 deletions(-)
diff --git a/detect_secrets/plugins/keyword.py b/detect_secrets/plugins/keyword.py
index 19840f54e..ceda611ea 100644
--- a/detect_secrets/plugins/keyword.py
+++ b/detect_secrets/plugins/keyword.py
@@ -50,106 +50,14 @@
 'secret',
 'secrete',
 )
-FALSE_POSITIVES = {
- '""',
- '""):',
- '"\'',
- '")',
- '"dummy',
- '"replace',
- '"this',
- '#pass',
- '#password',
- '$(shell',
- "'\"",
- "''",
- "''):",
- "')",
- "'dummy",
- "'replace",
- "'this",
- '(nsstring',
- '-default}',
- '::',
- '<%=',
- '',
- '',
- '',
- '',
- '=',
- '\\"$(shell',
- '\\k.*"',
- "\\k.*'",
- '`cat',
- '`grep',
- '`sudo',
- 'account_password',
- 'api_key',
- 'disable',
- 'dummy_secret',
- 'dummy_value',
- 'false',
- 'false):',
- 'false,',
- 'false;',
- 'login_password',
- 'none',
- 'none,',
- 'none}',
- 'nopasswd',
- 'not',
- 'not_real_key',
- 'null',
- 'null,',
- 'null.*"',
- "null.*'",
- 'null;',
- 'pass',
- 'pass)',
- 'password',
- 'password)',
- 'password))',
- 'password,',
- 'password},',
- 'prompt',
- 'redacted',
- 'secret',
- 'some_key',
- 'str',
- 'str_to_sign',
- 'string',
- 'string)',
- 'string,',
- 'string;',
- 'string?',
- 'string?)',
- 'string}',
- 'string}}',
- 'test',
- 'test-access-key',
- 'thisisnottherealsecret',
- 'todo',
- 'true',
- 'true):',
- 'true,',
- 'true;',
- 'undef',
- 'undef,',
- '{',
- '{{',
-}
 # Includes ], ', " as closing
 CLOSING = r'[]\'"]{0,2}'
 DENYLIST_REGEX = r'|'.join(DENYLIST)
 # Non-greedy match
-OPTIONAL_WHITESPACE = r'\s*?'
+OPTIONAL_WHITESPACE = r'\s*'
 OPTIONAL_NON_WHITESPACE = r'[^\s]{0,50}?'
 QUOTE = r'[\'"]'
-SECRET = r'[^\s]+'
+SECRET = r'[^\r\n]+'
 SQUARE_BRACKETS = r'(\[\])'
 FOLLOWED_BY_COLON_EQUAL_SIGNS_REGEX = re.compile(
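Review bot: `SECRET = r'[^\r\n]+'` now lets the captured value run to the end of the line, so spaces, a trailing `# comment` and possibly the closing quote can end up in the reported secret, depending on how the patterns that use it delimit the group (they begin at `FOLLOWED_BY_COLON_EQUAL_SIGNS_REGEX`, which continues past the end of this hunk). That changes the value reported for every keyword hit, so the change should come with test cases for single- and double-quoted YAML values, values containing spaces, and lines with trailing comments. The context comment `# Non-greedy match` no longer describes `OPTIONAL_WHITESPACE = r'\s*'`; I would change it to `# Greedy; \s also matches line breaks`. The same hunk drops `FALSE_POSITIVES` although the subject line mentions only the YAML fix; if anything outside the hunk still reads that name, it will raise a NameError when reached.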
From 10e730ac92603022909f67b2e633bc52796dd716 Mon Sep 17 00:00:00 2001
From: Julian Fonticoba Mouriz
Date: Tue, 2 Mar 2021 16:10:59 +0100
Subject: [PATCH 2/2] Add commented FALSE_POSITIVE list until migrate it
---
 detect_secrets/plugins/keyword.py | 95 +++++++++++++++++++++++++++++++
 1 file changed, 95 insertions(+)
diff --git a/detect_secrets/plugins/keyword.py b/detect_secrets/plugins/keyword.py
index ceda611ea..dbf0e0e72 100644
--- a/detect_secrets/plugins/keyword.py
+++ b/detect_secrets/plugins/keyword.py
@@ -50,6 +50,101 @@
 'secret',
 'secrete',
 )
+'''
+Deprecated false positives list. This will be migrated soon.
+FALSE_POSITIVES = {
+ '""',
+ '""):',
+ '"\'',
+ '")',
+ '"dummy',
+ '"replace',
+ '"this',
+ '#pass',
+ '#password',
+ '$(shell',
+ "'\"",
+ "''",
+ "''):",
+ "')",
+ "'dummy",
+ "'replace",
+ "'this",
+ '(nsstring',
+ '-default}',
+ '::',
+ '<%=',
+ '',
+ '',
+ '',
+ '',
+ '=',
+ '\\"$(shell',
+ '\\k.*"',
+ "\\k.*'",
+ '`cat',
+ '`grep',
+ '`sudo',
+ 'account_password',
+ 'api_key',
+ 'disable',
+ 'dummy_secret',
+ 'dummy_value',
+ 'false',
+ 'false):',
+ 'false,',
+ 'false;',
+ 'login_password',
+ 'none',
+ 'none,',
+ 'none}',
+ 'nopasswd',
+ 'not',
+ 'not_real_key',
+ 'null',
+ 'null,',
+ 'null.*"',
+ "null.*'",
+ 'null;',
+ 'pass',
+ 'pass)',
+ 'password',
+ 'password)',
+ 'password))',
+ 'password,',
+ 'password},',
+ 'prompt',
+ 'redacted',
+ 'secret',
+ 'some_key',
+ 'str',
+ 'str_to_sign',
+ 'string',
+ 'string)',
+ 'string,',
+ 'string;',
+ 'string?',
+ 'string?)',
+ 'string}',
+ 'string}}',
+ 'test',
+ 'test-access-key',
+ 'thisisnottherealsecret',
+ 'todo',
+ 'true',
+ 'true):',
+ 'true,',
+ 'true;',
+ 'undef',
+ 'undef,',
+ '{',
+ '{{',
+}
+'''
 # Includes ], ', " as closing
 CLOSING = r'[]\'"]{0,2}'
 DENYLIST_REGEX = r'|'.join(DENYLIST)
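Review bot: The block added after the closing `)` of the keyword tuple is a bare triple-quoted string, not a comment: it is evaluated as an expression statement at import and its content follows string-escape rules, so a later entry containing `'''` or an unescaped backslash would end or alter it. With the set inside a string, `FALSE_POSITIVES` stays undefined, so placeholder values such as `'null'`, `'redacted'` or `'todo'` are presumably no longer filtered by this plugin unless that happens somewhere the hunk does not show. I would either leave the list deleted and point to a tracked issue for the migration (git history keeps the entries), or write it as `#`-prefixed lines headed by `# TODO(owner): migrate FALSE_POSITIVES to <new location>; not applied at the moment`.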