From 497faa26c41428aae0f379aa338f73127aca7974 Mon Sep 17 00:00:00 2001
From: John-Paul Dakran
Date: Tue, 21 Jun 2022 06:43:00 -0700
Subject: [PATCH 1/2] Add regex for the arrow function assignment operator followed by quotes to keyword plugin
---
 detect_secrets/plugins/keyword.py | 12 ++++++++++++
 requirements-dev.txt | 6 +++---
 tests/plugins/keyword_test.py | 4 ++++
 3 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/detect_secrets/plugins/keyword.py b/detect_secrets/plugins/keyword.py
index 00a716716..441c88ab1 100644
--- a/detect_secrets/plugins/keyword.py
+++ b/detect_secrets/plugins/keyword.py
@@ -202,6 +202,17 @@
 ),
 flags=re.IGNORECASE,
 )
+FOLLOWED_BY_ARROW_FUNCTION_SIGN_QUOTES_REQUIRED_REGEX = re.compile(
+ # e.g. my_password => "bar" or my_password => bar
+ r'{denylist}({closing})?{whitespace}=>?{whitespace}({quote})({secret})(\3)'.format(
+ denylist=DENYLIST_REGEX,
+ closing=CLOSING,
+ quote=QUOTE,
+ whitespace=OPTIONAL_WHITESPACE,
+ secret=SECRET,
+ ),
+ flags=re.IGNORECASE,
+)
 CONFIG_DENYLIST_REGEX_TO_GROUP = {
 FOLLOWED_BY_COLON_REGEX: 4,
 PRECEDED_BY_EQUAL_COMPARISON_SIGNS_QUOTES_REQUIRED_REGEX: 2,
@@ -226,6 +237,7 @@
 PRECEDED_BY_EQUAL_COMPARISON_SIGNS_QUOTES_REQUIRED_REGEX: 2,
 FOLLOWED_BY_EQUAL_SIGNS_QUOTES_REQUIRED_REGEX: 5,
 FOLLOWED_BY_QUOTES_AND_SEMICOLON_REGEX: 3,
+ FOLLOWED_BY_ARROW_FUNCTION_SIGN_QUOTES_REQUIRED_REGEX: 4,
 }
 REGEX_BY_FILETYPE = {
 FileType.GO: GOLANG_DENYLIST_REGEX_TO_GROUP,
diff --git a/requirements-dev.txt b/requirements-dev.txt
index 1294e7861..5211a88ea 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -1,5 +1,5 @@
 attrs==21.4.0
-backports.entry-points-selectable==1.1.1
+backports.entry-points-selectable==1.1.0
 certifi==2021.10.8
 cfgv==3.2.0
 charset-normalizer==2.0.7
@@ -13,7 +13,7 @@ idna==3.3
 importlib-metadata==4.8.1
 iniconfig==1.1.1
 mccabe==0.6.1
-monotonic==1.6
+monotonic==1.5
 mypy==0.790
 mypy-extensions==0.4.3
 nodeenv==1.6.0
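Review bot: In the first hunk of detect_secrets/plugins/keyword.py, `=>?` makes the `>` optional, so FOLLOWED_BY_ARROW_FUNCTION_SIGN_QUOTES_REQUIRED_REGEX also matches a plain `=` before the quote, not only `=>`. That form appears to be handled already by FOLLOWED_BY_EQUAL_SIGNS_QUOTES_REQUIRED_REGEX (listed in the next hunk), so the two patterns overlap; if only the arrow form is meant, the operator part should read `{whitespace}=>{whitespace}`. The inline comment also promises an unquoted match (`my_password => bar`) that a quotes-required pattern cannot produce, and the test hunk expects `None` for that input; `# e.g. my_password => "bar"` would describe what the regex actually does.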
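Review bot: The group index `4` added in the second hunk of detect_secrets/plugins/keyword.py is only right if `{denylist}` contributes exactly one capturing group, which is also what the `(\3)` backreference to `({quote})` in the new regex assumes. The regex is built from `DENYLIST_REGEX`, whose definition is outside this diff, so the count cannot be confirmed from here; if it is off by one, the scanner reports the wrong substring, or nothing, for `=>` assignments. A short comment above the new regex would pin the intended layout, e.g. `# groups: 1 = keyword, 2 = closing, 3 = quote, 4 = secret`, if that is the layout meant. The dictionary this entry is added to starts above the hunk.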
@@ -37,6 +37,6 @@ tox-pip-extensions==1.6.0
 typed-ast==1.4.3
 typing-extensions==3.10.0.2
 unidiff==0.7.3
-urllib3==1.26.9
+urllib3==1.26.7
 virtualenv==20.6.0
 zipp==3.6.0
diff --git a/tests/plugins/keyword_test.py b/tests/plugins/keyword_test.py
index c9591db51..ec5cf4ce2 100644
--- a/tests/plugins/keyword_test.py
+++ b/tests/plugins/keyword_test.py
@@ -142,12 +142,16 @@
 ('if (db_pass !== "{}") {{'.format(COMMON_SECRET), COMMON_SECRET),
 ('password "{}";'.format(COMMON_SECRET), COMMON_SECRET),
 ('password = {}'.format(COMMON_SECRET), None), # Secret without quotes
+ ('password = "{}"'.format(COMMON_SECRET), COMMON_SECRET),
+ ('password => "{}"'.format(COMMON_SECRET), COMMON_SECRET),
 ('api_key = ""', None), # Nothing in the quotes
 ("secret: ''", None), # Nothing in the quotes
 ('password: ${link}', None), # Has a ${ followed by a }
 ('some_key = "real_secret"', None), # We cannot make 'key' a Keyword, too noisy)
 ('private_key "hopenobodyfindsthisone\';', None), # Double-quote does not match single-quote)
 (LONG_LINE, None), # Long line test
+ ('password => ""', None),
+ ('password => {}'.format(COMMON_SECRET), None),
 ]
From 4ed85ca8ea00c548d42938809a91657dae4be496 Mon Sep 17 00:00:00 2001
From: John-Paul Dakran
Date: Tue, 21 Jun 2022 06:55:14 -0700
Subject: [PATCH 2/2] Revert local dependency changes
---
 requirements-dev.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/requirements-dev.txt b/requirements-dev.txt
index 5211a88ea..1294e7861 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -1,5 +1,5 @@
 attrs==21.4.0
-backports.entry-points-selectable==1.1.0
+backports.entry-points-selectable==1.1.1
 certifi==2021.10.8
 cfgv==3.2.0
 charset-normalizer==2.0.7
@@ -13,7 +13,7 @@ idna==3.3
 importlib-metadata==4.8.1
 iniconfig==1.1.1
 mccabe==0.6.1
-monotonic==1.5
+monotonic==1.6
 mypy==0.790
 mypy-extensions==0.4.3
 nodeenv==1.6.0
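Review bot: The new `=>` cases in tests/plugins/keyword_test.py never exercise the `(\3)` backreference of the added regex, because every quoted value uses a matching pair of double quotes. A mismatched pair and a single-quoted value would cover it, e.g. `('password => "{}\''.format(COMMON_SECRET), None),` and `("password => '{}'".format(COMMON_SECRET), COMMON_SECRET),` (the expected values assume the backreference behaves as intended). The two negative cases appended after `LONG_LINE` also lack the trailing comments their neighbours carry, such as `# Nothing in the quotes` and `# Secret without quotes`. The parametrized list starts above the hunk.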
@@ -37,6 +37,6 @@ tox-pip-extensions==1.6.0
 typed-ast==1.4.3
 typing-extensions==3.10.0.2
 unidiff==0.7.3
-urllib3==1.26.7
+urllib3==1.26.9
 virtualenv==20.6.0
 zipp==3.6.0