PyCQA / bandit

Bandit is a tool designed to find common security issues in Python code.
https://bandit.readthedocs.io
Apache License 2.0

Test for hardcoded credentials, CWE798 #1167

Closed knyazer closed 3 months ago

knyazer commented 3 months ago

Tests all the strings for exposed secrets.

The thing was additionally tested on noise, to ensure that in 100MB of generated noise there are no false positives.

The test file, examples/exposed_secrets.py shows 4 leaked keys that are correctly detected, and 4 keys that should be ignored (e.g. human-constructed example keys).

Also leads to a pretty significant performance degradation of around 15% due to the use of the every-string-scanning decorator. This is mostly because the decorator is slow, and seemingly unrelated to the implementation itself.

Closes #443
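To make the approach described in the PR concrete, here is an added, stand-alone example of scanning Python string literals for secrets with two gates against human-constructed example keys (an entropy threshold and a placeholder-marker list), plus a deterministic noise run to check for false positives. This is illustrative code written for this page; it is not the PR's gitleaks-derived rule set and not Bandit's plugin code. The two token patterns, the 3.0 bits/char threshold, the marker list and all sample key values are assumptions constructed for the demo.

```python
"""Added example: secret detection over Python string literals.

Not the PR's code and not Bandit's plugin API; the patterns, threshold,
placeholder markers and sample values below are constructed for the demo.
"""
import ast
import math
import random
import re
import string
from dataclasses import dataclass

# Two publicly documented token shapes (assumed sufficient for the demo).
# Look-arounds stop a match from starting or ending inside a longer token.
PATTERNS = {
    "aws-access-key-id": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])"),
    "github-pat": re.compile(r"(?<![A-Za-z0-9])ghp_[A-Za-z0-9]{36}(?![A-Za-z0-9])"),
}
MIN_ENTROPY = 3.0  # bits per character; assumed cut-off for "looks generated"
PLACEHOLDER_MARKERS = ("EXAMPLE", "XXXX", "CHANGEME", "YOUR_")  # assumed list


@dataclass(frozen=True)
class Finding:
    rule: str
    value: str
    lineno: int


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def looks_like_placeholder(match: str) -> bool:
    """Two gates against human-constructed keys: an obvious marker, or low entropy.

    Entropy alone is not enough: the AWS documentation key
    'AKIAIOSFODNN7EXAMPLE' still scores ~3.7 bits/char, so the marker
    check is what rejects it.
    """
    upper = match.upper()
    if any(marker in upper for marker in PLACEHOLDER_MARKERS):
        return True
    return shannon_entropy(match) < MIN_ENTROPY


def scan_string(value: str, lineno: int = 0) -> list[Finding]:
    """Run every pattern over one string; drop matches that look constructed."""
    findings = []
    for rule, pattern in PATTERNS.items():
        for m in pattern.finditer(value):
            if not looks_like_placeholder(m.group(0)):
                findings.append(Finding(rule, m.group(0), lineno))
    return findings


def scan_source(src: str) -> list[Finding]:
    """Visit every str constant in a module, as a per-literal plugin check would."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            findings.extend(scan_string(node.value, node.lineno))
    findings.sort(key=lambda f: f.lineno)
    return findings


def noise_false_positives(n_chars: int = 200_000, seed: int = 0) -> int:
    """Count hits on deterministic printable-ASCII noise; expected to be zero."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits + string.punctuation + " "
    noise = "".join(rng.choices(alphabet, k=n_chars))
    return len(scan_string(noise))


# Constructed sample module: two keys that should be reported, two ignored.
SAMPLE_SOURCE = '''\
AWS_KEY = "AKIAQ7ZT3N9PXWV2HBL4"        # constructed, high entropy, no marker
GH_TOKEN = "ghp_x9Qm2KpL7vB4nR8tW3yZ6cF1hJ5sD0gAeUoI"
DOC_KEY = "AKIAIOSFODNN7EXAMPLE"         # AWS documentation placeholder
TEMPLATE = "AKIAAAAAAAAAAAAAAAAA"        # repeated characters, low entropy
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.lineno}: {f.rule} -> {f.value}")
    print("noise false positives:", noise_false_positives())
```

Running the module reports the two constructed keys on lines 1 and 2 and nothing for the documentation key or the all-A template. In a real Bandit plugin the same `scan_string` logic would be invoked once per string literal from the plugin's check function, which is where the per-literal overhead the author mentions comes from; compiling the patterns once at import time keeps that cost to the regex scan itself.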

knyazer commented 3 months ago

Thanks, @ericwb!

I didn't really spend a ton of time on writing the secret-detecting part overall, I just took the one from gitleaks, and modified it heavily (and mostly automatically) to be easier. But still sad that a few hours of my work were useless :(

Another problem is that when I was looking through the existing plugins, I was not able to find any that do regex search over the complete files. So, if there is one, could you direct me towards it? And if there is none, I'm happy to just implement such functionality, probably also using it in the 'weak_cryptographic_key' one, to avoid the string visitor.

knyazer commented 3 months ago

To sum up, I will work on the integration, and I'm going to close this PR (and open a new one) as soon as I get the integration PR ready.

Thanks for the insanely fast feedback :)

sigmavirus24 commented 3 months ago

@knyazer, then in stealing an implementation from somewhere else, where you did not own the copyright, you were opening this project up to a severe issue by contributing that code.

knyazer commented 3 months ago

@sigmavirus24, nope, I checked that the license is MIT, and even included the original license in the file that I "borrowed". And the modification is so heavy that I don't think you can find more than two adjacent lines that would be unchanged. And all the "meaningful" content is modified quite a bit.

No worries, I am aware how copyrights work, but it's reasonable to assume that the average developer doesn't ;)

But please, if you are accusing people of something, ensure that the accusation is not wrongful. I don't really mind, but having a friendly atmosphere is always nice.