alloy icon indicating copy to clipboard operation
alloy copied to clipboard

Published 20 hours ago verified publisher icon grafana

Update component secret-filter gitleaks.toml

Open andrejshapal opened this issue 6 months ago • 3 comments

PR Description

Hi, The file was gitleaks.toml not updated for last 6 months and there was lot of fixes for different false positives and other improvements. Updating from v8.19.0 (approximately, because file was taken from some commit) to v8.26.0 We faced falsepositive where ip address in traefik logs was masked by generic-api-key: (?i)(?:key|api|token|secret|client|passwd|password|auth|access)(?:[0-9a-z-\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|||:|<=|=>|:|?=)(?:'|"|\s|=|\x60){0,5}([0-9a-z-.=]{10,150})(?:['|"|\n|\r|\s|\x60|;]|$)

I think it the file should be kept up to date and we should rely on gitleaks changes.

Which issue(s) this PR fixes

Notes to the Reviewer

PR Checklist

  • [ ] CHANGELOG.md updated
  • [ ] Documentation added
  • [ ] Tests updated
  • [ ] Config converters updated

andrejshapal avatar May 22 '25 08:05 andrejshapal

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar May 22 '25 08:05 CLAassistant

Hey there are a test failing due to changes in the global allow list, specifically this regex '''^(?i:a+|b+|c+|d+|e+|f+|g+|h+|i+|j+|k+|l+|m+|n+|o+|p+|q+|r+|s+|t+|u+|v+|w+|x+|y+|z+|\*+|\.+)$''',.

We have a test that generates a generic api key that looks like this token:AAAAAAAAAAAAAAA. So we need to find a pattern that would need to be caught. I pretty sure just adding a numeric character would make it to pass all allow filters and be detected as a token

Then you need to do the changes here

Sure thing, will do soon.

andrejshapal avatar May 22 '25 17:05 andrejshapal

@kalleep Need some approval.

andrejshapal avatar May 23 '25 09:05 andrejshapal

Hey everything looks good except that our fuzzing is failing. I fetched the seed and tried it locally but that passes.

But I was able to generate new seeds locally by checking out this pr and run go test -v -fuzz="FuzzProcessEntry\$" -run="FuzzProcessEntry\$" --fuzztime="5m" -parallel=16 . I am pretty sure we are hitting https://github.com/golang/go/issues/56238. Internally there is a hardcoded timeout for each test of 10s. With this new files we have more regexps so I am pretty sure this is happening.

I will look into rewriting this test a bit because we are calling proccessEntry for 8 different components within a single run, and now with more regexes after the update this can clearly take longer when testing different configurations within a single test run

kalleep avatar May 26 '25 09:05 kalleep

@kalleep Thank you for your help. I am not familiar with buzz at this point. Locally it was passing as you said. Regarding secret-filter parsing time, this is not just buzz issue and I would like to discuss this: https://github.com/grafana/alloy/issues/3694 I found the secret-filter handful, but I am wondering how to make it safe for alloy. Regex operations are super greedy.

andrejshapal avatar May 26 '25 11:05 andrejshapal

@kelnage Will you merge it later as for me "Merging is blocked"?

andrejshapal avatar Jun 09 '25 15:06 andrejshapal

While this says it can merge automatically, it looks like the changelog may be merged incorrectly. Can you merge main/rebase to ensure the changelog entry goes into the unreleased section?

dehaansa avatar Jun 10 '25 13:06 dehaansa

@dehaansa done

andrejshapal avatar Jun 10 '25 13:06 andrejshapal