SEDATED
Regex Improvement: False Positive while using a series of asterisks
Here are some false positive examples:
- `ssl.truststore.password=*********`
- `password=*********`
- `password:*********`
- `pass=********`
- `secret=*********`
- `secret:*********`
For now, of course, we've just recommended utilizing an all-text fake password, but it'd be nice if these weren't flagged.
Somehow these could be baked into the regexes, but we haven't done work for that yet. If they were able to be included and no longer blocked, it'd be important that the `*` is still recognized as a special character.
It seems like this would be another good candidate for some type of regex acceptlist as mentioned here in order to not introduce more complexity into the regexes as well as handle false positives in the future.
/assign
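Added example, not part of the issue thread and not SEDATED's own code: a sketch of the acceptlist idea as a second pass over individual matches, so that asterisk-only placeholders are dropped while a `*` inside a real-looking value still counts. `DETECT_RE`, `ACCEPT_RE` and the function names are hypothetical, and the sample input is constructed from the examples above.

```shell
#!/usr/bin/env bash
# Hypothetical patterns for illustration; these are NOT SEDATED's regexes.
# Detection: password/secret-style key, '=' or ':', then 6+ non-space chars.
DETECT_RE='(pass(word)?|secret)[[:space:]]*[=:][[:space:]]*[^[:space:]]{6,}'
# Acceptlist: same key and separator, but the whole value is only asterisks.
ACCEPT_RE='^(pass(word)?|secret)[[:space:]]*[=:][[:space:]]*\*+$'

# Reads text on stdin and prints each match that survives the acceptlist.
# Filtering per match (grep -o) rather than per line means a masked value
# cannot hide a real secret that sits on the same line.
flagged_matches() {
  grep -Eio -- "$DETECT_RE" | grep -Eiv -- "$ACCEPT_RE" || true
}

# Constructed sample: the six masked examples from the issue, two values
# where '*' is one character of a real-looking secret, and one mixed line.
sample_input() {
  cat <<'EOF'
ssl.truststore.password=*********
password=*********
password:*********
pass=********
secret=*********
secret:*********
password=Sup3r*Secret*
secret:***abc123***
password=realvalue secret=******
EOF
}

# Number of matches still flagged after the acceptlist pass.
count_flagged() {
  sample_input | flagged_matches | wc -l | tr -d ' '
}

# Run directly to see what remains flagged for the constructed sample.
if [ "${BASH_SOURCE[0]:-$0}" = "$0" ]; then
  sample_input | flagged_matches
fi
```

Keeping the acceptlist as a separate pattern leaves the detection regex unchanged, so new false-positive shapes can be added without touching it.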