↪️ Merge pull request #162 from baboateng/goLangSupport

handle golang string assignments
Yelp · Apr 12, 2019 · f2b06c3 · f2b06c3
2 parents 6f87adb + 4596d0a
commit f2b06c3
Show file tree

Hide file tree

Showing 3 changed files with 81 additions and 7 deletions.
diff --git a/detect_secrets/plugins/common/filetype.py b/detect_secrets/plugins/common/filetype.py
@@ -3,12 +3,13 @@
 
 class FileType(Enum):
     CLS = 0
-    JAVA = 1
-    JAVASCRIPT = 2
-    PHP = 3
-    PYTHON = 4
-    YAML = 5
-    OTHER = 6
+    GO = 1
+    JAVA = 2
+    JAVASCRIPT = 3
+    PHP = 4
+    PYTHON = 5
+    YAML = 6
+    OTHER = 7
 
 
 def determine_file_type(filename):
@@ -19,6 +20,8 @@ def determine_file_type(filename):
     """
     if filename.endswith('.cls'):
         return FileType.CLS
+    elif filename.endswith('.go'):
+        return FileType.GO
     elif filename.endswith('.java'):
         return FileType.JAVA
     elif filename.endswith('.js'):

diff --git a/detect_secrets/plugins/keyword.py b/detect_secrets/plugins/keyword.py
@@ -178,6 +178,16 @@
         secret=SECRET,
     ),
 )
+FOLLOWED_BY_COLON_EQUAL_SIGNS_REGEX = re.compile(
+    # e.g. my_password := "bar" or my_password := bar
+    r'({blacklist})({closing})?{whitespace}:=?{whitespace}({quote}?)({secret})(\3)'.format(
+        blacklist=BLACKLIST_REGEX,
+        closing=CLOSING,
+        quote=QUOTE,
+        whitespace=OPTIONAL_WHITESPACE,
+        secret=SECRET,
+    ),
+)
 BLACKLIST_REGEX_TO_GROUP = {
     FOLLOWED_BY_COLON_REGEX: 4,
     FOLLOWED_BY_EQUAL_SIGNS_REGEX: 4,
@@ -188,6 +198,11 @@
     FOLLOWED_BY_EQUAL_SIGNS_QUOTES_REQUIRED_REGEX: 4,
     FOLLOWED_BY_QUOTES_AND_SEMICOLON_REGEX: 3,
 }
+GOLANG_BLACKLIST_REGEX_TO_GROUP = {
+    FOLLOWED_BY_EQUAL_SIGNS_REGEX: 4,
+    FOLLOWED_BY_QUOTES_AND_SEMICOLON_REGEX: 3,
+    FOLLOWED_BY_COLON_EQUAL_SIGNS_REGEX: 4,
+}
 QUOTES_REQUIRED_FILETYPES = {
     FileType.CLS,
     FileType.JAVA,
@@ -240,6 +255,8 @@ def secret_generator(self, string, filetype):
 
         if filetype in QUOTES_REQUIRED_FILETYPES:
             blacklist_regex_to_group = QUOTES_REQUIRED_BLACKLIST_REGEX_TO_GROUP
+        elif filetype == FileType.GO:
+            blacklist_regex_to_group = GOLANG_BLACKLIST_REGEX_TO_GROUP
         else:
             blacklist_regex_to_group = BLACKLIST_REGEX_TO_GROUP
 

diff --git a/tests/plugins/keyword_test.py b/tests/plugins/keyword_test.py
@@ -93,6 +93,37 @@
         ],
     },
 }
+FOLLOWED_BY_COLON_EQUAL_SIGNS_RE = {
+    "negatives": {
+        "quotes_required": [
+            'theapikey := ""',  # Nothing in the quotes
+            'theapikey := "somefakekey"',  # 'fake' in the secret
+        ],
+        "quotes_not_required": [
+            'theapikeyforfoo := hopenobodyfindsthisone',  # Characters between apikey and :=
+        ],
+    },
+    "positives": {
+        "quotes_required": [
+            'apikey := "{{h}o)p${e]nob(ody[finds>-_$#thisone}}"',
+            'apikey :="{{h}o)p${e]nob(ody[finds>-_$#thisone}}"',
+            'apikey  :=   "{{h}o)p${e]nob(ody[finds>-_$#thisone}}"',
+            "apikey := '{{h}o)p${e]nob(ody[finds>-_$#thisone}}'",
+            "apikey :='{{h}o)p${e]nob(ody[finds>-_$#thisone}}'",
+            'apikey:= "{{h}o)p${e]nob(ody[finds>-_$#thisone}}"',
+            'apikey:="{{h}o)p${e]nob(ody[finds>-_$#thisone}}"',
+            "apikey:= '{{h}o)p${e]nob(ody[finds>-_$#thisone}}'",
+            "apikey:='{{h}o)p${e]nob(ody[finds>-_$#thisone}}'",
+            "apikey:=  '{{h}o)p${e]nob(ody[finds>-_$#thisone}}'",
+        ],
+        "quotes_not_required": [
+            "apikey := {{h}o)p${e]nob(ody[finds>-_$#thisone}}",
+            "apikey :={{h}o)p${e]nob(ody[finds>-_$#thisone}}",
+            "apikey:= {{h}o)p${e]nob(ody[finds>-_$#thisone}}",
+            "apikey:={{h}o)p${e]nob(ody[finds>-_$#thisone}}",
+        ],
+    },
+}
 
 STANDARD_NEGATIVES = []
 STANDARD_POSITIVES = []
@@ -102,7 +133,9 @@
     + FOLLOWED_BY_COLON_RE.get("negatives").get("quotes_not_required")
     + FOLLOWED_BY_EQUAL_SIGNS_RE.get("negatives").get("quotes_required")
     + FOLLOWED_BY_EQUAL_SIGNS_RE.get("negatives").get("quotes_not_required")
-    + FOLLOWED_BY_QUOTES_AND_SEMICOLON_RE.get("negatives").get("quotes_required"),
+    + FOLLOWED_BY_QUOTES_AND_SEMICOLON_RE.get("negatives").get("quotes_required")
+    + FOLLOWED_BY_COLON_EQUAL_SIGNS_RE.get("negatives").get("quotes_required")
+    + FOLLOWED_BY_COLON_EQUAL_SIGNS_RE.get("negatives").get("quotes_not_required"),
 )
 STANDARD_POSITIVES.extend(
     FOLLOWED_BY_COLON_RE.get("positives").get("quotes_required")
@@ -168,6 +201,27 @@ def test_analyze_quotes_required_positives(self, file_content, file_extension):
                 == PotentialSecret.hash_secret('{{h}o)p${e]nob(ody[finds>-_$#thisone}}')
             )
 
+    @pytest.mark.parametrize(
+        'file_content',
+        FOLLOWED_BY_EQUAL_SIGNS_RE.get("positives").get("quotes_required")
+        + FOLLOWED_BY_EQUAL_SIGNS_RE.get("positives").get("quotes_not_required")
+        + FOLLOWED_BY_QUOTES_AND_SEMICOLON_RE.get("positives").get("quotes_required")
+        + FOLLOWED_BY_COLON_EQUAL_SIGNS_RE.get("positives").get("quotes_required")
+        + FOLLOWED_BY_COLON_EQUAL_SIGNS_RE.get("positives").get("quotes_not_required"),
+    )
+    def test_analyze_go_positives(self, file_content):
+        logic = KeywordDetector()
+
+        f = mock_file_object(file_content)
+        output = logic.analyze(f, 'mock_filename.go')
+        assert len(output) == 1
+        for potential_secret in output:
+            assert 'mock_filename.go' == potential_secret.filename
+            assert (
+                potential_secret.secret_hash ==
+                PotentialSecret.hash_secret('{{h}o)p${e]nob(ody[finds>-_$#thisone}}')
+            )
+
     @pytest.mark.parametrize(
         'file_content',
         STANDARD_NEGATIVES,