
What kind of secret that ripsecrets can find out #31

Closed
Sherlock-Holo opened this issue Apr 25, 2022 · 4 comments

Comments

@Sherlock-Holo

I wrote a simple piece of code like

package main

func main() {
        clientSecretKey := "alkfjlaf^*flkajlfkay7782085ljafg"
        println(clientSecretKey)
}

and hoped ripsecrets would tell me 'you hardcoded the secret in source files', but there was no output

@Sherlock-Holo (Author)

the alkfjlaf^*flkajlfkay7782085ljafg is just me pressing the keyboard randomly to generate some string :)

@sirwart (Owner) commented Apr 26, 2022

I investigated and a regression was recently introduced that didn't detect secrets assigned with the := operator, but I just pushed a fix for that.

Even with that change, though, it still doesn't detect that as a secret, for 2 reasons:

  1. ^ and * are not considered characters that are normally part of secrets
  2. Even without them, the string you typed is not likely to occur randomly. The probability engine gave it only a 0.00000000007% chance of happening randomly, which is below our threshold for considering it a secret.

@sirwart sirwart closed this as completed Apr 26, 2022
@ethanmsl

To +1 Sherlock-Holo's original point though -- there's no easy way to tell what secrets ripsecrets does support.

e.g. I just tried dropping a yubikey string into a file and running ripsecrets and nothing came up.

As it is, the only way to understand what the program does and whether it's useful is to figure out how it works, where the files are, and then decipher the Rust + Regex. It's not ergonomic or safe to use if we don't know whether it can catch what we're trying to protect against.

Seems like a very cool tool, but strangely opaque, given its security focus.
Even a quick walkthrough in the README on how it works and where in the source file to look would be helpful. (It looks like there are a small number of predetermined patterns in find_secrets.rs in predefined_secrets_regexes() and then the rest comes down to a "randomness" estimate in p_random.rs which is using some sort of binomial calculation with a focus on bigrams. But I'm not even sure that's everything. Nor is it immediately obvious how the "randomness" calculator works.)

Again, awesome work -- but there are a lot of decisions and judgements and not much transparency.
Inviting the user into the inner workings would be appreciated.
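As an added illustration of the three decisions discussed in this thread (the `=` vs `:=` assignment handling, the "characters normally part of secrets" filter, and a randomness threshold), here is a small stand-alone Rust heuristic. It is example code written for this page, not ripsecrets' own find_secrets.rs or p_random.rs: the randomness test is plain Shannon entropy standing in for ripsecrets' bigram probability model, and the secret alphabet, the variable-name hints, the minimum length and the 3.5 bits/char threshold are assumptions chosen for illustration.

```rust
// Added example for this thread (not ripsecrets' own code): a minimal
// hardcoded-secret heuristic showing the decisions discussed above.
// Assumptions: the secret alphabet, NAME_HINTS, MIN_LEN and MIN_ENTROPY are
// illustrative choices; Shannon entropy stands in for a bigram model.

use std::collections::HashMap;

/// Characters assumed plausible inside a secret token (hex / base64 / url-safe).
fn is_secret_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '_' | '-' | '+' | '/' | '=')
}

/// Split `name := "lit"`, `name = "lit"` or `let name = "lit"` into (name, lit).
/// Returns None for lines that are not a string-literal assignment.
pub fn parse_assignment(line: &str) -> Option<(String, String)> {
    let line = line.trim();
    // `:=` is checked first so a Go short declaration is not misread as `=`
    // (the regression mentioned in the thread was exactly this case).
    let (lhs, rhs) = match line.find(":=") {
        Some(i) => (&line[..i], &line[i + 2..]),
        None => {
            let i = line.find('=')?;
            (&line[..i], &line[i + 1..])
        }
    };
    let name = lhs.trim().trim_start_matches("let ").trim().to_string();
    let rest = rhs.trim().strip_prefix('"')?;
    let end = rest.find('"')?;
    Some((name, rest[..end].to_string()))
}

/// Shannon entropy of the literal, in bits per character.
pub fn shannon_entropy(s: &str) -> f64 {
    let n = s.chars().count() as f64;
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    counts
        .values()
        .map(|&k| {
            let p = k as f64 / n;
            -p * p.log2()
        })
        .sum()
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    NotAssignment,
    NameNotSecretLike,
    DisallowedChar(char),
    TooShort(usize),
    LowEntropy(f64),
    Secret(f64),
}

const NAME_HINTS: [&str; 6] = ["secret", "token", "key", "password", "passwd", "credential"];
const MIN_LEN: usize = 16; // assumed minimum literal length
const MIN_ENTROPY: f64 = 3.5; // assumed threshold, bits per character

/// Classify one source line, reporting which check stopped it (if any).
pub fn classify(line: &str) -> Verdict {
    let (name, value) = match parse_assignment(line) {
        Some(parts) => parts,
        None => return Verdict::NotAssignment,
    };
    let lname = name.to_ascii_lowercase();
    if !NAME_HINTS.iter().any(|h| lname.contains(h)) {
        return Verdict::NameNotSecretLike;
    }
    // Reason 1 from the thread: a character outside the alphabet disqualifies it.
    if let Some(bad) = value.chars().find(|&c| !is_secret_char(c)) {
        return Verdict::DisallowedChar(bad);
    }
    let len = value.chars().count();
    if len < MIN_LEN {
        return Verdict::TooShort(len);
    }
    // Reason 2: the randomness score has to clear a threshold.
    let h = shannon_entropy(&value);
    if h < MIN_ENTROPY { Verdict::LowEntropy(h) } else { Verdict::Secret(h) }
}

/// Scan source text; returns (1-based line number, variable name, entropy) per hit.
pub fn scan(src: &str) -> Vec<(usize, String, f64)> {
    src.lines()
        .enumerate()
        .filter_map(|(i, line)| match classify(line) {
            Verdict::Secret(h) => parse_assignment(line).map(|(name, _)| (i + 1, name, h)),
            _ => None,
        })
        .collect()
}

fn main() {
    // Constructed sample: the thread's snippet plus a hex key and a placeholder.
    let src = r#"package main
func main() {
        clientSecretKey := "alkfjlaf^*flkajlfkay7782085ljafg"
        apiKey := "d3f1a9c0b7e24f5a8c6d1e0f9b2a3c4d"
        password := "changemechangeme"
}"#;
    for line in src.lines() {
        println!("{:?}  <- {}", classify(line), line.trim());
    }
    println!("hits: {:?}", scan(src));
}
```

Running it against the constructed sample shows the thread's string rejected at the alphabet check (`DisallowedChar('^')`), the hex literal reported as a secret, and the repetitive placeholder dropped for low entropy; swapping the `:=` for `=` gives the same verdicts, which is the regression the maintainer describes fixing.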

@sirwart (Owner) commented Aug 27, 2022

@ethanmsl I added a "How it works" section to the README to address your feedback: https://github.com/sirwart/ripsecrets#how-it-works. I hope it helps!
