
[BUG] v1 UUID format secrets not being detected #61

Open
gary1998 opened this issue Mar 17, 2022 · 1 comment

Comments


gary1998 commented Mar 17, 2022

Describe the bug
It is not able to detect the JFrog Artifactory role ID and role secret ID, which are actually v1 UUIDs.

To Reproduce
Steps to reproduce the behavior:

  1. Have a file with content similar to this:

```js
/*******************************************************************************
* IBM Confidential
* OCO Source Materials
* (C) Copyright IBM Corp  2018 All Rights Reserved.
* The source code for this program is not published or otherwise divested of
* its trade secrets, * irrespective of what has been deposited with
* the U.S. Copyright Office.
******************************************************************************/

// Keep these properties populated.
process.env.vault_url = "https://some.url.com";
process.env.vault_path = "blah blah";

// Keep these properties empty and commented out unless you need to run tests locally.
// Contact your team lead or DevOps team member for the values.
process.env.vault_role_id = "<v1-uuid>";
process.env.vault_secret_id = "<v1-uuid>";

// For debug purposes.
// process.env.VAULT_DEBUG = "true";
```

  2. Run `detect-secrets scan --use-all-plugins --update .secrets.baseline` over it.
  3. Run `detect-secrets audit .secrets.baseline` over it, and you'll see it says:

```
Nothing to audit.
```

And voila, you've successfully leaked the secrets 😅.

bigpick (Member) commented Dec 7, 2023

This still occurs on the latest version (0.13.1+ibm.62.dss) FWIW.

Problem is that the v1 UUIDs match the UUID filter:

```python
import re

_UUID_REGEX = re.compile(
    r'[a-f0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}',
    re.IGNORECASE,
)


def is_potential_uuid(secret, *args):
    """
    Determines if a potential secret contains any UUIDs.
    :type secret: str
    :rtype: bool
    Returns True if the string has a UUID, false otherwise.
    """
    # Using a regex to find strings that look like false-positives
    # will find us more false-positives than if we just tried to validate
    # the input string as a UUID (for example, if the string has a prefix
    # or suffix).
    return bool(_UUID_REGEX.search(secret))
```

So it gets flagged as a false positive and let through. The Yelp source has the ability to disable filters via `--disable-filter <...>`, but that doesn't seem to be an option with the IBM fork.
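The suppression described in this thread, reproduced as an added example that is not part of the issue or of detect-secrets' own code. The UUID regex is the one quoted above; the credential-keyword pattern, `find_credential_assignments` and `scan` are hypothetical stand-ins for the scanner's keyword heuristic and filter pipeline, and the sample file is constructed, using two fixed public UUIDs (RFC 4122's `NAMESPACE_DNS`, which is version 1, and an arbitrary version-4 value) in place of real credentials:

```python
import re
import uuid

# Same pattern as the UUID false-positive filter quoted in the thread.
_UUID_REGEX = re.compile(
    r'[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}',
    re.IGNORECASE,
)

# Hypothetical keyword heuristic for this example only (not detect-secrets'
# own pattern): a quoted value assigned to a variable whose name suggests a
# credential.
_CREDENTIAL_ASSIGNMENT = re.compile(
    r'(?P<name>\w*(?:secret|role_id|token|password|api_key)\w*)'
    r'\s*=\s*["\'](?P<value>[^"\']+)["\']',
    re.IGNORECASE,
)


def is_potential_uuid(secret):
    """The filter as posted: True for any string containing a UUID-shaped run."""
    return bool(_UUID_REGEX.search(secret))


def uuid_version(secret):
    """RFC 4122 version nibble of the UUID-shaped run in `secret`, or None.

    Shows that the filter is version-blind: a time-based v1 UUID (the kind
    the issue reports) and a random v4 UUID are suppressed alike.
    """
    match = _UUID_REGEX.search(secret)
    return uuid.UUID(match.group(0)).version if match else None


def find_credential_assignments(text):
    """All (line_no, name, value) triples whose variable name looks credential-like.

    Angle-bracketed values such as "<v1-uuid>" are template placeholders
    and are skipped.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = _CREDENTIAL_ASSIGNMENT.search(line)
        if match and not match.group('value').startswith('<'):
            hits.append((line_no, match.group('name'), match.group('value')))
    return hits


def scan(text, uuid_filter_enabled=True):
    """Keyword heuristic followed by the UUID false-positive filter.

    With the filter enabled this reproduces the issue: every UUID-shaped
    credential is dropped and nothing is left to audit. Disabling it, which
    is what the Yelp upstream's --disable-filter allows, keeps them.
    """
    return [
        hit for hit in find_credential_assignments(text)
        if not (uuid_filter_enabled and is_potential_uuid(hit[2]))
    ]


# Constructed sample mirroring the file in the issue. The two UUIDs are fixed,
# public values, not credentials: RFC 4122's NAMESPACE_DNS (version 1) and an
# arbitrary version-4 UUID.
SAMPLE = """\
process.env.vault_url = "https://some.url.com";
process.env.vault_role_id = "6ba7b810-9dad-11d1-80b4-00c04fd430c8";
process.env.vault_secret_id = "123e4567-e89b-42d3-a456-426614174000";
// process.env.VAULT_DEBUG = "true";
"""

if __name__ == '__main__':
    print('filter enabled :', scan(SAMPLE))  # [] -> "Nothing to audit."
    print('filter disabled:', scan(SAMPLE, uuid_filter_enabled=False))
    for _, name, value in scan(SAMPLE, uuid_filter_enabled=False):
        print(f'  {name}: uuid version {uuid_version(value)}')
```

The point the example makes is that the filter keys only on shape, so the version nibble that distinguishes a time-based v1 UUID from a random v4 never enters the decision; a scanner that wants to keep UUID-shaped values assigned to credential-named variables has to scope or disable the filter rather than rely on the regex.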
