Support url-safe base64 secrets
This commit updates the base64 plugin to support url-safe
base64 secrets by just adding - and _ to the charset.
Victor Zhou committed Oct 7, 2019
1 parent b21c5f8 commit e10b9a3
Showing 3 changed files with 24 additions and 4 deletions.
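--- a/detect_secrets/plugins/high_entropy_strings.py
+++ b/detect_secrets/plugins/high_entropy_strings.py
@@ -339,8 +339,15 @@ class Base64HighEntropyString(HighEntropyStringsPlugin):
 secret_type = 'Base64 High Entropy String'
 
 def __init__(self, base64_limit, exclude_lines_regex=None, automaton=None, **kwargs):
+charset = (
+string.ascii_letters
++ string.digits
++ '+/' # regular base64
++ '\\-_' # url-safe base64
++ '=' # padding
+)
 super(Base64HighEntropyString, self).__init__(
-charset=string.ascii_letters + string.digits + '+/=',
+charset=charset,
 limit=base64_limit,
 exclude_lines_regex=exclude_lines_regex,
 automaton=automaton,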
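Review bot: The `'\\-_'` literal in the new `charset` adds a backslash character to the charset along with `-` and `_`, which mixes regex escaping into what the rest of the expression treats as a plain list of characters. The base class constructor is outside this hunk, so this is inferred: if it interpolates `charset` into a regex character class, the escape is what keeps `/-_` from being read as a range, but any code that iterates over `charset` or tests membership will also see `\` as a base64 character. I would keep the data plain, `+ '-_'  # url-safe base64`, and escape where the pattern is built with `re.escape(charset)`; if the escape has to stay here, add a comment such as `# backslash escapes '-' for the regex character class built from this charset`. The `__init__` body continues past the end of the hunk.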
2 changes: 1 addition & 1 deletion test_data/config.yaml
@@ -1,5 +1,5 @@
credentials:
some_value_here: not_a_secret
some_value_here: not_secret
other_value_here: 1234567890a
CanonicalUserGetSkippedByExcludeLines: 1234567890ab
nested:
17 changes: 15 additions & 2 deletions tests/plugins/high_entropy_strings_test.py
@@ -139,10 +139,10 @@ def test_entropy_upper_limit(self):
Base64HighEntropyString(15)


class TestBase64HighEntropyStrings(HighEntropyStringsTest):
class TestRegularBase64HighEntropyStrings(HighEntropyStringsTest):

def setup(self):
super(TestBase64HighEntropyStrings, self).setup(
super(TestRegularBase64HighEntropyStrings, self).setup(
# Testing default limit, as suggested by truffleHog.
logic=Base64HighEntropyString(
base64_limit=4.5,
@@ -237,6 +237,19 @@ def test_env_file(self):
)


class TestUrlSafeBase64HighEntropyStrings(HighEntropyStringsTest):
def setup(self):
super(TestUrlSafeBase64HighEntropyStrings, self).setup(
# Testing default limit, as suggested by truffleHog.
logic=Base64HighEntropyString(
base64_limit=4.5,
exclude_lines_regex='CanonicalUser',
),
non_secret_string='Zrm-ySTAq7D2sHk=', # too short for high entropy
secret_string='I6FwzQZFL9l-44nviI1F04OTmorMaVQf9GS4Oe07qxL_vNkW6CRas4Lo42vqJMT0M6riJfma_f-pTAuoX2U=', # noqa: E501
)


class HexHighEntropyStringsWithStandardEntropy(HexHighEntropyString):
"""Copies the HexHighEntropyString class, but keeps the standard
Shannon entropy calculation.
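Review bot: `TestUrlSafeBase64HighEntropyStrings` pins only a short negative (`non_secret_string='Zrm-ySTAq7D2sHk='`), so nothing checks what the wider charset does to long, low-entropy strings. With `-` and `_` accepted, quoted snake_case or kebab-case identifiers and hyphenated UUIDs can presumably now match as a single candidate string, and for a secret scanner the false-positive rate decides whether people keep the plugin enabled. I would add a negative case with a long identifier-like value (constructed example: `'this_is_a_long-but_readable-config_key_name'`) asserted as not flagged at `base64_limit=4.5`, and a short docstring on the class saying it covers the `-`/`_` alphabet. How `HighEntropyStringsTest.setup` consumes these arguments is not visible here, so the exact form of the extra case depends on that base class.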
