Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use different regexes in KeywordDetector to improve accuracy #86

Merged
merged 19 commits into from
Jan 3, 2019
Merged

Use different regexes in KeywordDetector to improve accuracy #86

merged 19 commits into from
Jan 3, 2019

Conversation

KevinHock
Copy link
Collaborator

No description provided.

domanchi
domanchi previously requested changes Oct 22, 2018
View reviewed changes
tests/plugins/keyword_test.py Outdated Show resolved Hide resolved
detect_secrets/plugins/keyword.py Outdated Show resolved Hide resolved
detect_secrets/plugins/keyword.py Outdated Show resolved Hide resolved
detect_secrets/plugins/keyword.py Outdated Show resolved Hide resolved
domanchi
domanchi reviewed Oct 22, 2018
View reviewed changes
detect_secrets/plugins/keyword.py Outdated Show resolved Hide resolved
detect_secrets/plugins/keyword.py Outdated Show resolved Hide resolved
detect_secrets/plugins/keyword.py Outdated Show resolved Hide resolved
detect_secrets/plugins/keyword.py Outdated Show resolved Hide resolved
tests/plugins/keyword_test.py Outdated Show resolved Hide resolved
@KevinHock KevinHock mentioned this pull request Nov 12, 2018
Merged
KevinHock referenced this pull request Nov 20, 2018
@KevinHock
Fix tests w/ no KeywordDetector, add comment
6d98c81
@KevinHock KevinHock mentioned this pull request Nov 26, 2018
Closed
KevinHock
KevinHock commented Nov 27, 2018
View reviewed changes
Copy link
Collaborator Author

@KevinHock KevinHock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One nit

tests/plugins/keyword_test.py Outdated Show resolved Hide resolved
@domanchi domanchi mentioned this pull request Dec 10, 2018
Merged
@KevinHock
Copy link
Collaborator Author

Just stating for memories sake, that we had a discussion that I'll paraphrase here, I'll maybe make a separate issue:

Currently, the assumption is that "no secret is repeated within a single file" however, with this plugin it is more likely that this assumption is gonna break e.g. if you have 2 different assignments of password = "ehehehwew" in the same file, the hash of ehehehwew will be in 1 place in the baseline, but 2 places in the file. This is currently true for e.g. high-entropy secrets right now, for instance.

We can either (a) incorporate line numbers in

detect-secrets/detect_secrets/core/potential_secret.py

Line 53 in 5f4a055

self.fields_to_compare = ['filename', 'secret_hash', 'type']
, or (b) put a count of how many secrets are in the file, and put the count in baseline.

The downsides of doing nothing, and merging the PR as is:

  1. It looks unintelligent to users, as in "This tool doesn't even detect the same secret on the next line."
  2. When removing a secret, you suddenly get alerted to a new one that we did not complain about before.
  3. Less concerning: Adding a new secret can be missed, if it is already in that file.
  4. Less concerning: The audit command does not show the secret more than once.

We agree changing that assumption is a larger task than what's at hand.

@KevinHock
🔭[Keyword Plugin] Filter false-positives
a27659a 
Filter out $variables for PHP files
Filter out `(|[` followed by `)|]`
Add `not`, more empty quotes and `password` variable names to FALSE_POSITIVES
@KevinHock
Merge branch 'master' into upgrade_keyword_detector
a4c0432
@KevinHock
🐍 Make tests pass
d8f4e29 
After merging in master
@KevinHock
🐍 Improve test coverage
ed6a374 
Trim uncovered code
Change tox to ensure tests are covered 100%
@KevinHock
🔭[Keyword Plugin] Precision improvements
3fd9e87 
Removed `token` as a keyword
Made FOLLOWED_BY_EQUAL_SIGNS_RE require variable ends with keyword
KevinHock
KevinHock commented Dec 14, 2018
View reviewed changes
detect_secrets/core/audit.py
"""Generates raw secrets by re-scanning the line, with the specified plugin"""
for raw_secret in plugin.secret_generator(secret_line):
yield raw_secret
if isinstance(plugin, KeywordDetector):
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I felt :/ about writing it like this, but didn't see a better way.

Just wanted to put neon lights on it for the review 😅

@KevinHock KevinHock mentioned this pull request Dec 18, 2018
Merged
@joshuarli joshuarli mentioned this pull request Dec 19, 2018
Closed
@KevinHock
⚡ Remove unnecessary wrapping parens
f15366e 
In keyword_test.py
@KevinHock
🔭[Keyword Plugin] Precision improvements
e01d818 
Made quotes required in Python files/added regexes for this
Added a Filetype Enum and `determine_file_type` function

Replaced 'pass' with 'db_pass' in BLACKLIST
Added 'aws_secret_access_key' to BLACKLIST
Added some trailing char cases to FALSE_POSITIVES

:boom: Changed secret_type to 'Secret Keyword'
@KevinHock KevinHock force-pushed the upgrade_keyword_detector branch from ea99830 to e01d818 Compare December 28, 2018 22:43
@KevinHock KevinHock force-pushed the upgrade_keyword_detector branch from ce5862b to ec1e0cd Compare December 28, 2018 23:48
@KevinHock
🔭[Keyword Plugin] Handle dict['keyword']
b7e48ab 
By adding an optional `((\'|")])?` to the regexes
This is to catch 'foo' in e.g. `some_dict["secret"] = "foo"`
@KevinHock KevinHock force-pushed the upgrade_keyword_detector branch from ec1e0cd to b7e48ab Compare December 28, 2018 23:49
@KevinHock KevinHock force-pushed the upgrade_keyword_detector branch from 76ddcdf to a37a9c9 Compare December 29, 2018 00:05
@calvinli calvinli self-requested a review January 3, 2019 01:18
calvinli
calvinli approved these changes Jan 3, 2019
View reviewed changes
Copy link
Member

@calvinli calvinli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM based on internal testing. There are some remaining false positives but it should be okay.

@KevinHock
🔭[Keyword Plugin] Precision improvements
a29108b 
Added Javascript specific false-positive checks
Added ${ before } heuristic for  e.g. ${link}
Added more false-positives to FALSE_POSITIVES

:zap: keyword_test.py
Make STANDARD_NEGATIVES list and STANDARD_POSITIVES set for DRYness
@KevinHock KevinHock force-pushed the upgrade_keyword_detector branch from 7dd4926 to a29108b Compare January 3, 2019 23:03
@KevinHock KevinHock merged commit 164b7eb into master Jan 3, 2019
@KevinHock KevinHock mentioned this pull request Feb 21, 2019
Closed
@KevinHock KevinHock deleted the upgrade_keyword_detector branch March 21, 2019 22:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@calvinli calvinli calvinli approved these changes

@domanchi domanchi domanchi left review comments

@joshuarli joshuarli joshuarli left review comments

Assignees

@domanchi domanchi

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@KevinHock @calvinli @domanchi @joshuarli