
It doesn't work

Open dodalovicgran opened this issue 2 years ago • 9 comments

➜ temp cat src/source.java
password=123
username=333
pwd=344
passwort=3333333
benutzername=32
➜ temp ripsecrets
➜ temp

dodalovicgran avatar Jun 08 '23 13:06 dodalovicgran

I can successfully reproduce OP's behavior with the following script:

#!/usr/bin/env bash

# Ensure the directory is empty.
TEST_DIR=/tmp/ripsecrets-68
rm -rf "$TEST_DIR"
mkdir "$TEST_DIR"

# Create the content
cat << EOF > "$TEST_DIR"/source.java
password=123
username=333
pwd=344
passwort=3333333
benutzername=32
EOF

# Run ripsecrets.
cd "$TEST_DIR"
ripsecrets

lafrenierejm avatar Jul 07 '23 18:07 lafrenierejm

With a sufficiently long and random string, I'm able to get ripsecrets to detect a value.

Contents of test.sh:

#!/usr/bin/env bash

# Ensure the directory is empty.
TEST_DIR=/tmp/ripsecrets-68
rm -rf "$TEST_DIR"
mkdir "$TEST_DIR"

# Create the content
cat << EOF > "$TEST_DIR"/source.java
password=vslJRBRIHkmZjbs2PgadKAkQb4WiS24Tcrgyp0T/e2wfK1YYsjnEzA8Uqc5dplEFUiCA39VMhAVp
username=333
EOF

# Run ripsecrets.
cd "$TEST_DIR"
ripsecrets

Output of running the script:

$ ./test.sh
./source.java:1:password=vslJRBRIHkmZjbs2PgadKAkQb4WiS24Tcrgyp0T/e2wfK1YYsjnEzA8Uqc5dplEFUiCA39VMhAVp

lafrenierejm avatar Jul 07 '23 18:07 lafrenierejm

@dodalovicgran Just to clarify, can you specify which of the original values you would like ripsecrets to detect?

lafrenierejm avatar Jul 07 '23 18:07 lafrenierejm

password=123
username=333
pwd=344
passwort=3333333
benutzername=32

dodalovicgran avatar Jul 08 '23 21:07 dodalovicgran

Although some of those lines contain the keywords that trigger the random data inspector (which could stand for some expansion to include pwd and some localization of password, e.g. passwort, wachtwoord, pasvorto, etc.),

https://github.com/sirwart/ripsecrets/blob/713e03e31627289bff9c3ae384eb9a2895bd6c58/src/matcher/mod.rs#L9

…the lines definitely don't match known patterns.

https://github.com/sirwart/ripsecrets/blob/713e03e31627289bff9c3ae384eb9a2895bd6c58/src/lib.rs#L22

and they aren't long enough to trigger the random data inspector:

https://github.com/sirwart/ripsecrets/blob/713e03e31627289bff9c3ae384eb9a2895bd6c58/src/matcher/p_random.rs#L11-L13

N.b., that length is 15,80 in the RANDOM_STRING_REGEX above.

colindean avatar Sep 12 '23 03:09 colindean
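To make the two gates described above concrete (a credential keyword in front of the value, and a value that is both inside the 15..80 length window and random-looking), here is an added illustration that is not ripsecrets' own code. The keyword list and the entropy threshold are assumptions chosen for the demo; only the length window comes from the thread.

```python
import math
import re

# Constructed sample lines mirroring the ones posted in this issue.
SAMPLE_LINES = [
    "password=123",
    "username=333",
    "pwd=344",
    "passwort=3333333",
    "benutzername=32",
    "password=vslJRBRIHkmZjbs2PgadKAkQb4WiS24Tcrgyp0T/e2wfK1YYsjnEzA8Uqc5dplEFUiCA39VMhAVp",
]

# Assumed keyword list (not ripsecrets' own): names that mark a value as credential-like.
KEYWORD_RE = re.compile(
    r"(?i)\b(?:password|passwd|pwd|secret|token|api_?key)\b\s*[=:]\s*['\"]?(?P<value>[^'\"\s]+)"
)
# Length window taken from the discussion: the random-data check only considers 15..80 chars.
MIN_LEN, MAX_LEN = 15, 80
# Assumed threshold in bits per character; the real tool applies its own heuristic.
MIN_ENTROPY = 3.0


def shannon_entropy(s: str) -> float:
    """Estimate bits of entropy per character from the character frequencies of s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_random_looking(value: str) -> bool:
    """Gate 1: length window. Gate 2: the value must look random, here via entropy."""
    if not (MIN_LEN <= len(value) <= MAX_LEN):
        return False
    return shannon_entropy(value) >= MIN_ENTROPY


def scan_lines(lines):
    """Return 0-based indices of lines whose credential-keyword value passes both gates."""
    hits = []
    for i, line in enumerate(lines):
        m = KEYWORD_RE.search(line)
        if m and is_random_looking(m.group("value")):
            hits.append(i)
    return hits


if __name__ == "__main__":
    for i in scan_lines(SAMPLE_LINES):
        print(f"source.java:{i + 1}:{SAMPLE_LINES[i]}")
```

Short or repetitive values such as `123` and `3333333` fail the length gate before entropy is even considered, which is why only the long value is reported.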

Password generated from pwgen isn't reported as a secret. Example: quah0dou7gueraiyoo4Eeg6i ohm7Fushobeaho0iemahke8ta8chaowouphughoVanaigho0ohthoh0eedufiMohzeibeeRakoot6

dramer-817 avatar Oct 26 '23 07:10 dramer-817

I don't have time to implement it right now, but perhaps a test that could run pwgen --secure ${rand(range(15,80))} 1000 and see how often the random detector heuristic correctly detects what pwgen represents as random, and document that.

colindean avatar Oct 29 '23 20:10 colindean

@dramer-817 what does the secret look like in the file? If it's just a random string (i.e. doesn't have a well-known secret prefix) it needs to have something that makes it look like a secret. For example:

password = 'ohm7Fushobeaho0iemahke8ta8chaowouphughoVanaigho0ohthoh0eedufiMohzeibeeRakoot6'

sirwart avatar Oct 29 '23 22:10 sirwart

@sirwart yes, tried that and not detected. @colindean pwgen with no --secure option: not detected; with --secure: correctly detected.

dramer-817 avatar Nov 03 '23 05:11 dramer-817