diff --git a/detect_secrets/plugins/keyword.py b/detect_secrets/plugins/keyword.py
index 00a716716..441c88ab1 100644
--- a/detect_secrets/plugins/keyword.py
+++ b/detect_secrets/plugins/keyword.py
@@ -202,6 +202,17 @@
 ),
 flags=re.IGNORECASE,
 )
+FOLLOWED_BY_ARROW_FUNCTION_SIGN_QUOTES_REQUIRED_REGEX = re.compile(
+ # e.g. my_password => "bar" or my_password => bar
+ r'{denylist}({closing})?{whitespace}=>?{whitespace}({quote})({secret})(\3)'.format(
+ denylist=DENYLIST_REGEX,
+ closing=CLOSING,
+ quote=QUOTE,
+ whitespace=OPTIONAL_WHITESPACE,
+ secret=SECRET,
+ ),
+ flags=re.IGNORECASE,
+)
 CONFIG_DENYLIST_REGEX_TO_GROUP = {
 FOLLOWED_BY_COLON_REGEX: 4,
 PRECEDED_BY_EQUAL_COMPARISON_SIGNS_QUOTES_REQUIRED_REGEX: 2,
@@ -226,6 +237,7 @@
 PRECEDED_BY_EQUAL_COMPARISON_SIGNS_QUOTES_REQUIRED_REGEX: 2,
 FOLLOWED_BY_EQUAL_SIGNS_QUOTES_REQUIRED_REGEX: 5,
 FOLLOWED_BY_QUOTES_AND_SEMICOLON_REGEX: 3,
+ FOLLOWED_BY_ARROW_FUNCTION_SIGN_QUOTES_REQUIRED_REGEX: 4,
 }
 REGEX_BY_FILETYPE = {
 FileType.GO: GOLANG_DENYLIST_REGEX_TO_GROUP,
diff --git a/tests/plugins/keyword_test.py b/tests/plugins/keyword_test.py
index c9591db51..ec5cf4ce2 100644
--- a/tests/plugins/keyword_test.py
+++ b/tests/plugins/keyword_test.py
@@ -142,12 +142,16 @@
 ('if (db_pass !== "{}") {{'.format(COMMON_SECRET), COMMON_SECRET),
 ('password "{}";'.format(COMMON_SECRET), COMMON_SECRET),
 ('password = {}'.format(COMMON_SECRET), None), # Secret without quotes
+ ('password = "{}"'.format(COMMON_SECRET), COMMON_SECRET),
+ ('password => "{}"'.format(COMMON_SECRET), COMMON_SECRET),
 ('api_key = ""', None), # Nothing in the quotes
 ("secret: ''", None), # Nothing in the quotes
 ('password: ${link}', None), # Has a ${ followed by a }
 ('some_key = "real_secret"', None), # We cannot make 'key' a Keyword, too noisy)
 ('private_key "hopenobodyfindsthisone\';', None), # Double-quote does not match single-quote)
 (LONG_LINE, None), # Long line test
+ ('password => ""', None),
+ ('password => {}'.format(COMMON_SECRET), None),
 ]
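Review bot: The `=>?` in the new pattern makes the `>` optional, so FOLLOWED_BY_ARROW_FUNCTION_SIGN_QUOTES_REQUIRED_REGEX also matches a plain `=` assignment and overlaps with FOLLOWED_BY_EQUAL_SIGNS_QUOTES_REQUIRED_REGEX, which sits in the same mapping in the second hunk. If only the arrow form is meant, write the operator as `{whitespace}=>{whitespace}`. The inline comment also promises a match for `my_password => bar`, but `({quote})` is mandatory here and the test hunk expects `None` for the unquoted case, so it should read `# e.g. my_password => "bar"`. The secret index 4 and the backreference `\3` both assume DENYLIST_REGEX contributes exactly one capture group, which this hunk does not show.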
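Review bot: The arrow pattern is registered only in this mapping, whose opening line is outside the hunk, while CONFIG_DENYLIST_REGEX_TO_GROUP, visible as context in the first hunk, is left unchanged by this diff. If files routed to that mapping can contain `key => "value"` assignments, secrets written that way stay unreported there. Either add `FOLLOWED_BY_ARROW_FUNCTION_SIGN_QUOTES_REQUIRED_REGEX: 4,` to the other mappings that should cover the syntax, or say in a comment why it is limited to this one.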
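Review bot: The new cases exercise `=>` only with double quotes and surrounding spaces, so the `(\3)` quote backreference and the optional whitespace of the arrow pattern are not pinned. Adding `("password => '{}'".format(COMMON_SECRET), COMMON_SECRET),` and `('password=>"{}"'.format(COMMON_SECRET), COMMON_SECRET),` as positives, plus `('password => "{}\''.format(COMMON_SECRET), None),` as a mismatched-quote negative, would cover them. The added `'password = "{}"'` positive is probably already satisfied by the existing equal-sign pattern, so it does not show that the new regex works. The list these tuples belong to starts outside the hunk.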