specify a delimiter - Githubissues

nickdeis / eslint-plugin-no-secrets

An eslint plugin to find strings that might be secrets/credentials

MIT License

127 stars 4 forks source link

specify a delimiter #3

Closed oprogramador closed 4 years ago

oprogramador commented 4 years ago

Currently, if a given string contains many words delimited with a space, each word has a separate entropy calculated.

I want to be able to specify other delimiters as well e.g. _, -, @.

oprogramador commented 4 years ago

Moreover, I'd like to be able to split words if a string is written with CamelCase but not if the entire string is with uppercase.

'FooBarBaz' => ['foo', 'bar', 'baz']
'FOO' => ['foo']
'FOo' => ['f', 'oo']
'FoO' => ['fo', 'o']

oprogramador commented 4 years ago

It could also support some options like:

minimum number of delimiters

if it's set to 3:
'FOO_BAR_BAZ' => ['foo', 'bar', 'baz]
'FOO_BAR' => 'foo_bar'

minimum number of words in a CamelCase string:

if it's set to 3:
'FooBarBaz' => ['foo', 'bar', 'baz]
'FooBar' => ['foobar']

minimum word length in a CamelCase string:

if it's set to 3:
'FooBarBaz' => ['foo', 'bar', 'baz]
'FoBar' => ['fobar']
'FoBarBaz' => ['fobar', 'baz']

maximum number for a given delimiter:

we set '@' to be a delimiter with max one time:
'john@gmail.com' => ['john', 'gmail.com']
'foo@bar@baz' => ['foo@bar@baz']

nickdeis commented 4 years ago

Hey Piotr, Thanks for the detailed feature request and taking the time out of your day to make this project better. I think I can make the delimiter configurable since I'm just using String#split. Let me work on a design this week and I'll update this thread. Cheers, Nick

oprogramador commented 4 years ago

@nickdeis

When are you going to implement these improvements? If you don't have enough time, I can open a PR.

nickdeis commented 4 years ago

Hey @oprogramador, that would be great! I'm moving this weekend so I'm kind of short on time.

oprogramador commented 4 years ago

@nickdeis

I wrote this plugin https://github.com/oprogramador/eslint-plugin-no-credentials

Anyway thanks for your plugin, it helped me to write mine.

nickdeis commented 4 years ago

Hey @oprogramador, I've added two options to help out with false positives

additionalDelimiters: In addition to splitting the string by whitespace, tokens will be further split by these delimiters
ignoreCase: Ignores character case when calculating entropy. This could lead to some false negatives

I'm testing this over some real world scenarios. I think I might remove ignoreCase since it's causing too many false negatives. Splitting by camel case has also some false negatives. I wanted to know your thoughts on this since your feedback has been very helpful. Cheers, Nick

oprogramador commented 4 years ago

false negative - you mean a secret which isn't detected?

nickdeis commented 4 years ago

@oprogramador Yes. Particularly JWT. I found that I had to tune the regular expression so that it would have a certain number of lowercase afterwards. It was still helpful.

nickdeis commented 4 years ago

After using this, I think this feature works on all of your use cases. Closing this for now.