Document and test against known true & false positive patterns #1222

rgmz opened this issue Jul 4, 2023 · 0 comments
Labels
enhancement New feature or request

rgmz commented Jul 4, 2023

Describe the solution you'd like

Gitleaks relies on a core set of regex patterns that are mysterious and seem to work well enough, but may in fact have some blind spots (as mentioned in this comment). I believe that we can significantly increase the quality of detections (more true positives and fewer false positives) by creating a set of known/realistic true & false positives, and testing each rule against them, rather than manually creating one or a handful of test cases for each rule.

tps := []string{
generateSampleSecret("adobe", secrets.NewSecret(hex("32"))),
}
return validate(r, tps, nil)

Below, I've created the skeleton of what that list may look like. Realistically it may not be possible to match all of these scenarios, or do so without creating significant false positives.

Configuration Formats

HCL

INI (https://quickref.me/ini.html)

Quoted

value = "{secret}"
value="{secret}"

Unquoted

value = {secret}
value={secret}

Comments

;{secret}
; {secret}
;value={secret}
; value={secret}

#{secret}
# {secret}
# ; value={secret}

Comments after line

value = {secret} ; This is a comment
value = {secret} # This is a comment

JSON (https://quickref.me/json.html)

String value

{
    "value": "{secret}"
}

Separate key/value

{
    "name": "secret",
    "value": "{secret}"
}

Array value

{
  "values": ["{secret}", "otherstuff"]
}
{
  "values": [
    "{secret}", 
    "otherstuff"
  ]
}

Escaped

"{\"value\": \"{secret}\"}"
"{\\\\\"value\\\\\":\\\\\"{secret}\\\\\"}"

"{\"name\": \"key\", \"value\": \"{secret}\"}"
"{\"name\": \"key\",\r\n\"value\": \"{secret}\"}"
"{\"name\": \"key\",\n\"value\": \"{secret}\"}"

"{\\\\\"name\\\\\": \\\\\"key\\\\\", \\\\\"value\\\\\": \\\\\"{secret}\\\\\"}"

Properties

Equals sign

value={secret}
value = {secret}

Colon

value:{secret}
value: {secret}

TOML

XML

Element

<value>{secret}</value>
<value>
    {secret}
</value>

Attribute

<entry name="value" value="{secret}" />

Separate key/value nodes

<entry>
  <name="value" />
  <value="{secret}" />
</entry>

YAML (https://yaml-multiline.info/)

Single line

value: {secret}
value: "{secret}"
value: '{secret}'

Multiline (literal style)

value: |
  {secret}
value: |-
  {secret}
value: |+2
  {secret}

Multiline (folding style)

value: >
  {secret}
value: >-
  {secret}
value: >+2
  {secret}

Programming Languages

C# / .NET

Variable

string value = "{secret}";
var value = "{secret}";

Go (https://quickref.me/go)

Variable

var value string = "{secret}"
var value string = `{secret}`

Short variable

value := "{secret}"
value := `{secret}`

Java / JVM

Java

String value = "{secret}";

Kotlin

var value: String = "{secret}"
var value = "{secret}"
val value: String = "{secret}"
val value = "{secret}"

Node.js / JavaScript / TypeScript

PHP

Python

Simple variable

value = "{secret}"
value = '{secret}'

Ruby

Miscellaneous Tools & File Formats

CSV

...

Logstash

  "value" => "{secret}"

Makefile

VALUE = {secret}
VALUE := {secret}
VALUE ?= {secret}
VALUE += {secret}

cc @zricethezav
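As an added example (not gitleaks code and not part of the issue), a Go sketch of the approach: render each placeholder template with a sample secret, run one rule over the results, and list the true positives the rule misses and the false positives it wrongly matches. The rule is a simplified keyword-plus-assignment regex written for this example, not the gitleaks adobe rule, and the templates are a constructed subset of the skeleton above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Placeholder used by the skeleton list; every template carries it.
const placeholder = "{secret}"

// Constructed subset of the true-positive skeleton, one line per format.
var truePositives = []string{
	`adobe_key = "{secret}"`,                // INI, quoted
	`adobe_key={secret}`,                    // INI, unquoted
	"; adobe_key={secret}",                  // INI, commented-out value
	"{\n    \"adobe_key\": \"{secret}\"\n}", // JSON string value
	`"{\"adobe_key\": \"{secret}\"}"`,       // JSON, escaped once
	"adobe_key: |\n  {secret}",              // YAML literal block
	"var adobeKey string = `{secret}`",      // Go raw string
	"ADOBE_KEY ?= {secret}",                 // Makefile conditional assignment
}

// Constructed lines that carry a 32-hex token which is not a secret.
var falsePositives = []string{
	"commit 0123456789abcdef0123456789abcdef",           // git commit id
	`etag: "0123456789abcdef0123456789abcdef"`,           // content hash
	"adobe_asset_md5 = 0123456789abcdef0123456789abcdef", // checksum near the keyword
}

// Simplified keyword + assignment + 32-hex rule written for this example only.
var adobeRule = regexp.MustCompile(
	`(?i)adobe[\w\s.-]{0,20}\s*(?:=|:=|\?=|:)\s*["'` + "`" + `]?([a-f0-9]{32})`)

// Coverage renders each template with secret and reports the true positives the
// rule misses and the false-positive lines it matches anyway.
func Coverage(rule *regexp.Regexp, secret string, tps, fps []string) (missed, spurious []string) {
	for _, t := range tps {
		if !rule.MatchString(strings.ReplaceAll(t, placeholder, secret)) {
			missed = append(missed, t)
		}
	}
	for _, f := range fps {
		if rule.MatchString(f) {
			spurious = append(spurious, f)
		}
	}
	return missed, spurious
}

func main() {
	secret := "5f4dcc3b5aa765d61d8327deb882cf99" // constructed 32-hex sample
	missed, spurious := Coverage(adobeRule, secret, truePositives, falsePositives)
	fmt.Printf("missed true positives: %q\nspurious matches: %q\n", missed, spurious)
}
```

With this rule the JSON, escaped-JSON and YAML literal templates are missed and the checksum line is matched, which is exactly the kind of blind spot a shared corpus would surface per rule.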
