#404 Add comma separator in password detection pattern

thoughtworks · Feb 3, 2023 · 7abe34d · 7abe34d
1 parent 7dbcd0b
commit 7abe34d
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/.talismanrc b/.talismanrc
@@ -21,7 +21,7 @@ fileignoreconfig:
 - filename: detector/pattern/match_pattern_test.go
   checksum: c95b8106ced5ad34ec1d00773a05f8789715034a734197c93cdaa4ed5036c177
 - filename: detector/pattern/pattern_detector.go
-  checksum: 98c4edddc95b4b974ed9b3e4f48079f2503b5c85309fadf37878a3d28de31e72
+  checksum: 78cddc944d4092ae2e88535d04f05281784848a990fb55a9d38339f29080a239
 - filename: detector/pattern/pattern_detector_test.go
   checksum: 4d70b790f28f2d23d506f808d489aa43f1efd2514549ae6a83a535e1223382e3
 - filename: detector/pattern_detector_test.go

diff --git a/detector/pattern/pattern_detector.go b/detector/pattern/pattern_detector.go
@@ -18,7 +18,7 @@ type PatternDetector struct {
 
 var (
 	detectorPatterns = []*severity.PatternSeverity{
-		{Pattern: regexp.MustCompile(`(?i)((.*)(password|passphrase|secret|key|pwd|pword|pass)(.*) *[:=>][^,;\n]{8,})`), Severity: severity.SeverityConfiguration["PasswordPhrasePattern"]},
+		{Pattern: regexp.MustCompile(`(?i)((.*)(password|passphrase|secret|key|pwd|pword|pass)(.*) *[:=>,][^,;\n]{8,})`), Severity: severity.SeverityConfiguration["PasswordPhrasePattern"]},
 		{Pattern: regexp.MustCompile(`(?i)((:)(password|passphrase|secret|key|pwd|pword|pass)(.*) *[ ][^,;\n]{8,})`), Severity: severity.SeverityConfiguration["PasswordPhrasePattern"]},
 		{Pattern: regexp.MustCompile(`(?i)(['"_]?pw['"]? *[:=][^,;\n]{8,})`), Severity: severity.SeverityConfiguration["PasswordPhrasePattern"]},
 		{Pattern: regexp.MustCompile(`(?i)(<ConsumerKey>\S*</ConsumerKey>)`), Severity: severity.SeverityConfiguration["ConsumerKeyPattern"]},

diff --git a/detector/pattern/pattern_detector_test.go b/detector/pattern/pattern_detector_test.go
@@ -29,6 +29,9 @@ func TestShouldDetectPasswordPatterns(t *testing.T) {
 		shouldPassDetectionOfSecretPattern(filename, []byte(values[i]+"=UnsafeString"), t)
 		shouldPassDetectionOfSecretPattern(filename, []byte("."+values[i]+"=randomStringGoesHere}"), t)
 		shouldPassDetectionOfSecretPattern(filename, []byte(":"+values[i]+" randomStringGoesHere"), t)
+		shouldPassDetectionOfSecretPattern(filename, []byte(values[i]+" ,\"randomStringGoesHere\""), t)
+		shouldPassDetectionOfSecretPattern(filename, []byte("'" + values[i]+"' ,\"randomStringGoesHere\""), t)
+		shouldPassDetectionOfSecretPattern(filename, []byte("\"" + values[i]+"\" ,\"randomStringGoesHere\""), t)
 		shouldPassDetectionOfSecretPattern(filename,
 			[]byte("\"SERVER_"+strings.ToUpper(values[i])+"\" : UnsafeString"),
 			t)
@@ -55,7 +58,7 @@ func TestShouldDetectPasswordPatterns(t *testing.T) {
 
 	shouldFailDetectionOfSecretPattern(filename, []byte("\"pAsSWoRD\" :1234567"), t)
 	shouldFailDetectionOfSecretPattern(filename, []byte(`setPassword("12345678")`), t)
-	shouldFailDetectionOfSecretPattern(filename, []byte(`setenv(password, "12345678")`), t)
+	shouldFailDetectionOfSecretPattern(filename, []byte(`setenv(password,123456)`), t)
 	shouldFailDetectionOfSecretPattern(filename, []byte(`random=12345678)`), t)
 }