Open tsigouris007 opened 1 week ago
So I found a workaround here.
In file detect_secrets/core/scan.py, method _process_line_based_plugins, I escaped the square brackets as shown:
line = line.rstrip().replace("[", "\\[").replace("]", "\\]")
I will open a PR if this works for you. It didn't seem to break anything else, but I haven't tested it thoroughly.
Any improvements are more than welcome. That was something that worked after testing.
Current behavior
A user is able to bypass the tool engine by using [] characters. This is also a security issue.
Steps to reproduce
To reproduce you can use the following config.rb file as is (the secrets are dummy / generated values):
Or raw without the line numbers:
Run:
Output:
All access_key_id's and secret_key's should be caught. The tool missed lines 3, 4. By using the [] characters all secrets seem to be missed. Tried on multiple plugins. Security bypass.
Environment:
Other information
I suspected file detect_secrets/plugins/base.py, method build_assignment_regex, variables opt_open_square_bracket and opt_close_square_bracket, and tried to solve locally with no success. I have a feeling that the Generator is problematic. Still analyzing the code and haven't pinpointed the exact location of the problem.
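The report above describes a keyword-based secret scanner that misses assignments when the key is written inside square brackets. The following added example is not the project's code and does not reproduce detect-secrets' actual regexes; it is a deliberately small, hypothetical keyword matcher that illustrates the same class of gap and the kind of regression check a maintainer would want: a naive assignment regex that only sees `key = "value"`, a bracket-aware variant that also accepts index-style assignments such as `config[:key] = "value"`, and a scan over constructed sample lines (dummy values, not real credentials) asserting that every expected line is flagged. The keyword list, sample lines and the regexes are all assumptions of this example.

```python
import re

# Constructed sample config lines (dummy / generated values, not real secrets).
# Lines 1-4 carry a secret; line 5 is a benign setting.
SAMPLE_LINES = [
    'access_key_id = "AKIAEXAMPLE0000000001"',
    "secret_key = 'dummysecret0123456789'",
    'config[:access_key_id] = "AKIAEXAMPLE0000000002"',
    "config['secret_key'] = 'dummysecret9876543210'",
    "timeout = 30",
]

# Hypothetical keyword denylist for this example.
KEYWORDS = ("access_key_id", "secret_key")

# Which sample lines a correct scanner must flag (1-based line numbers).
EXPECTED_SECRET_LINES = (1, 2, 3, 4)

# A quoted value in either quote style; group 1 captures the value itself.
VALUE = r'["\']([^"\']+)["\']'


def build_naive_regex(keyword):
    """Matches only `keyword = "value"`.

    A key written as an index, e.g. config[:keyword] or config['keyword'],
    is followed by `]` or a quote instead of `=`, so this pattern never fires.
    """
    return re.compile(re.escape(keyword) + r"\s*=\s*" + VALUE)


def build_bracket_aware_regex(keyword):
    """Also accepts the key as a bracket index with an optional symbol
    colon or quotes around it: [keyword], [:keyword], ['keyword'], ["keyword"].
    """
    return re.compile(
        r"\[?[:\"']?" + re.escape(keyword) + r"[\"']?\]?\s*=\s*" + VALUE
    )


def scan(lines, regex_builder):
    """Return {line_number: (keyword, value)} for every line the regexes flag."""
    found = {}
    for lineno, line in enumerate(lines, start=1):
        for keyword in KEYWORDS:
            match = regex_builder(keyword).search(line)
            if match:
                found[lineno] = (keyword, match.group(1))
                break
    return found


def missed_lines(lines, regex_builder, expected=EXPECTED_SECRET_LINES):
    """Regression check: expected secret lines the scanner failed to flag."""
    return sorted(set(expected) - set(scan(lines, regex_builder)))


if __name__ == "__main__":
    print("naive regex missed lines:", missed_lines(SAMPLE_LINES, build_naive_regex))
    print("bracket-aware regex missed lines:",
          missed_lines(SAMPLE_LINES, build_bracket_aware_regex))
```

Running the script shows the naive matcher missing lines 3 and 4 (the bracket-indexed assignments) while the bracket-aware matcher flags all four, which is the shape of test worth adding to a scanner's suite so that an input syntax the regex does not anticipate is caught before release rather than reported as a bypass.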