
Despite #247 NOPASSWD is still detected

Open nymous opened this issue 5 years ago • 5 comments

Changelog for 0.13.0 indicates that after #247 the directive NOPASSWD should be excluded from results. However it seems that this is not the case.

Steps to reproduce:

  • Create a file (e.g. sudoers) with the following content:
%wheel ALL=(ALL) NOPASSWD: ALL

(directive is copied from the /etc/sudoers file from an Archlinux install)

  • Install detect-secrets 0.13.0
  • Run detect-secrets scan --exclude-files '.venv' --all-files

Expected results:

{
  "exclude": {
    "files": ".venv",
    "lines": null
  },
  "generated_at": "2019-11-07T13:00:15Z",
  "plugins_used": [
    {
      "name": "AWSKeyDetector"
    },
    {
      "name": "ArtifactoryDetector"
    },
    {
      "base64_limit": 4.5,
      "name": "Base64HighEntropyString"
    },
    {
      "name": "BasicAuthDetector"
    },
    {
      "hex_limit": 3,
      "name": "HexHighEntropyString"
    },
    {
      "name": "JwtTokenDetector"
    },
    {
      "keyword_exclude": null,
      "name": "KeywordDetector"
    },
    {
      "name": "MailchimpDetector"
    },
    {
      "name": "PrivateKeyDetector"
    },
    {
      "name": "SlackDetector"
    },
    {
      "name": "SoftlayerDetector"
    },
    {
      "name": "StripeDetector"
    }
  ],
  "results": {},
  "version": "0.13.0",
  "word_list": {
    "file": null,
    "hash": null
  }
}

Actual results:

{
  "exclude": {
    "files": ".venv",
    "lines": null
  },
  "generated_at": "2019-11-07T13:00:15Z",
  "plugins_used": [
    {
      "name": "AWSKeyDetector"
    },
    {
      "name": "ArtifactoryDetector"
    },
    {
      "base64_limit": 4.5,
      "name": "Base64HighEntropyString"
    },
    {
      "name": "BasicAuthDetector"
    },
    {
      "hex_limit": 3,
      "name": "HexHighEntropyString"
    },
    {
      "name": "JwtTokenDetector"
    },
    {
      "keyword_exclude": null,
      "name": "KeywordDetector"
    },
    {
      "name": "MailchimpDetector"
    },
    {
      "name": "PrivateKeyDetector"
    },
    {
      "name": "SlackDetector"
    },
    {
      "name": "SoftlayerDetector"
    },
    {
      "name": "StripeDetector"
    }
  ],
  "results": {
    "sudoers": [
      {
        "hashed_secret": "d87c448044defb778f33158d8ccf94a20531d600",
        "is_verified": false,
        "line_number": 1,
        "type": "Secret Keyword"
      }
    ]
  },
  "version": "0.13.0",
  "word_list": {
    "file": null,
    "hash": null
  }
}

Note: the --exclude-files '.venv' directive was added because detect-secrets was installed in a virtualenv.

nymous avatar Nov 07 '19 13:11 nymous

It looks like the bug is that the FALSE_POSITIVE list is referencing values, not keys (source: https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/keyword.py#L355).

In this case, the key that is flagged is the existence of PASSWD in NOPASSWD (source), and then the secret value extracted is ALL.

Since ALL (rightfully) isn't in the false positive list, it gets flagged.

The fix here would be to filter out false positives in both the keys and the values. However, that could be a trickier fix than expected.

domanchi avatar Nov 11 '19 12:11 domanchi
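A simplified model of the key/value distinction described in the comment above, added here as an example and not detect-secrets' own KeywordDetector code: a keyword regex, the value-only false-positive check that reproduces the report (NOPASSWD matches "passwd", ALL is extracted as the value), and a key-aware variant that also filters known directive keys. The keyword list, the FALSE_POSITIVE_KEYS set and the sample lines other than the sudoers directive are assumptions.

```python
import re

# Hypothetical keyword detector illustrating the thread's point; it is a
# simplified model, not detect-secrets' own KeywordDetector.

# Constructed sample lines: the sudoers directive from the report plus two
# ordinary config lines showing the key filter does not hide real hits.
SAMPLE_LINES = [
    "%wheel ALL=(ALL) NOPASSWD: ALL",  # from the issue report
    "db_password = hunter2",           # constructed: must still be flagged
    "password = null",                 # constructed: value-side false positive
]

# A sensitive-looking word, a delimiter, then the value. The word is matched
# as a substring of the key, so "NOPASSWD" satisfies "passwd".
KEYWORD_RE = re.compile(
    r"(?P<key>\w*(?:password|passwd|secret|token)\w*)\s*[:=]\s*(?P<value>\S+)",
    re.IGNORECASE,
)

# Value-side false positives: the only list the check in the thread consults.
FALSE_POSITIVE_VALUES = {"null", "none", "true", "false", "''", '""'}

# Key-side false positives (assumed): tokens that contain a keyword but are
# known directives rather than credential assignments.
FALSE_POSITIVE_KEYS = {"nopasswd"}


def naive_scan(line):
    """Value-only filtering: reproduces the report, flagging ALL as a secret."""
    m = KEYWORD_RE.search(line)
    if not m or m.group("value").lower() in FALSE_POSITIVE_VALUES:
        return None
    return m.group("value")


def key_aware_scan(line):
    """Filter on both sides: a known directive key suppresses the match."""
    m = KEYWORD_RE.search(line)
    if not m or m.group("key").lower() in FALSE_POSITIVE_KEYS:
        return None
    if m.group("value").lower() in FALSE_POSITIVE_VALUES:
        return None
    return m.group("value")


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line!r}: naive={naive_scan(line)!r} key_aware={key_aware_scan(line)!r}")
```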

Also, is there a way to turn off this one detection plugin? detect-secrets --help gives no clue, nor does the README. Shall I dive into the code?

ira-bv avatar Dec 04 '19 12:12 ira-bv

Try detect-secrets scan --help

KevinHock avatar Dec 04 '19 20:12 KevinHock

Hallelujah! Too well hidden for my taste, but I'll take it.

ira-bv avatar Dec 05 '19 07:12 ira-bv

I feel the same way @ira-bv, we haven't done anything hacky around argparse to change the default behavior.

KevinHock avatar Jan 11 '20 19:01 KevinHock