Investigate when valid high-entropy secrets do not have quotes (outside of yaml/ini files) #203

Open
KevinHock opened this issue Jun 25, 2019 · 2 comments
Labels
false negatives help wanted Indicates that we would like someone that’s not a maintainer to work on the issue. triaged The issue has been reviewed but has not been solved yet.

Comments

@KevinHock (Collaborator)

There is the very rare valid secret in the form of

foo bar HIGH-ENTROPY

or just

HIGH-ENTROPY

etc.

where there are no quotes. We currently require quotes for high-entropy secrets, which is a sensible thing IMO, since it is one of the noisier plugin classes already.

I am not saying it is worth the increase in false positives to catch these in general, simply that we should (a) add some documentation around it, and/or (b) investigate a more sophisticated approach than if we were to just remove the quote requirement altogether, if feasible, i.e. handle the special cases where we might come across it. 🤔

I'd love to hear whether anyone else has encountered a valid secret of this form, and what the secret was, so that we could discuss possible solutions.

@KevinHock (Collaborator, Author)

KevinHock commented Jul 10, 2019

In the interest of transparency, I've only found 1 secret like this and it was in a file that did not have an extension and was autogenerated.

I believe we do find high-entropy secrets without quotes in valid Yaml or ini files, as shown in test_data/, this issue is specifically for non-ini and non-yaml files.
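The quote requirement and the two special cases raised in the comments above (a bare token sitting alone on a line of an extensionless generated file, and an unquoted `key: value` in yaml/ini files), as an added stand-alone example that is not detect-secrets' own code. The character alphabet, the 20-character minimum length, the 4.5 bits/character threshold, the three scan modes, the `find_secrets`/`hits` helpers and the sample lines are all assumptions constructed for this example; detect-secrets tunes its own regexes and thresholds.

```python
"""Toy high-entropy string scanner (added example, not detect-secrets' code).

It demonstrates the trade-off discussed in the issue: requiring quotes keeps
the noisy high-entropy plugin quiet, but misses a secret that sits on a line by
itself or after other words. Three modes show the choices available.
"""
import math
import re
from collections import Counter

# Assumed constants for this example only.
ENTROPY_THRESHOLD = 4.5   # bits per character; a hex string can never exceed 4.0
MIN_LENGTH = 20
ALPHABET = r'[A-Za-z0-9+/=_-]'

TOKEN = re.compile(rf'{ALPHABET}{{{MIN_LENGTH},}}')
QUOTED = re.compile(rf'(["\'])({ALPHABET}{{{MIN_LENGTH},}})\1')
# `key: value` or `key = value` with nothing else on the line.
KEY_VALUE = re.compile(rf'^\s*[\w.-]+\s*[:=]\s*({ALPHABET}{{{MIN_LENGTH},}})\s*$')
STRUCTURED_EXT = ('.yaml', '.yml', '.ini', '.cfg')


def shannon_entropy(text):
    """Bits per character of the empirical character distribution of ``text``."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(line, filename, mode="quoted"):
    """Return the high-entropy tokens on ``line`` that this scanner would flag.

    mode:
      "quoted"    - only quoted strings, plus the value of a key/value line in
                    yaml/ini-style files (the behaviour described in the thread)
      "bare-line" - "quoted", plus a line consisting of one bare token
      "unquoted"  - every token anywhere: the quote requirement dropped altogether
    """
    candidates = [m.group(2) for m in QUOTED.finditer(line)]
    if filename.lower().endswith(STRUCTURED_EXT):
        kv = KEY_VALUE.match(line)
        if kv:
            candidates.append(kv.group(1))
    if mode in ("bare-line", "unquoted"):
        stripped = line.strip()
        if TOKEN.fullmatch(stripped):
            candidates.append(stripped)
    if mode == "unquoted":
        candidates.extend(TOKEN.findall(line))
    flagged = []
    for tok in candidates:
        if tok not in flagged and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            flagged.append(tok)
    return flagged


# Constructed secret: 32 distinct characters, so exactly 5.0 bits/char.
SECRET = "q8Zk2Lm9Xv4Pw7Rt1Ny6Bc3Hd5Jf0GsA"

# Constructed (filename, line) pairs; none come from a real repository.
SAMPLES = [
    ("settings.py", f'PASSWORD = "{SECRET}"'),          # quoted: found in every mode
    ("config.yaml", f"api_key: {SECRET}"),              # unquoted yaml value
    ("BUILD_TOKEN", SECRET),                            # bare token, extensionless file
    ("notes.txt", f"foo bar {SECRET}"),                 # token after other words
    ("notes.txt", 'pad = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"'),   # quoted but low entropy
    ("notes.txt", 'ref = "3f9c2a1b7e3f9c2a1b7e3f9c2a1b7e3f9c2a1b7e"'),  # 40 hex chars
]


def hits(mode):
    """Indices of SAMPLES that ``find_secrets`` flags in the given mode."""
    return [i for i, (fname, line) in enumerate(SAMPLES) if find_secrets(line, fname, mode)]


if __name__ == "__main__":
    for mode in ("quoted", "bare-line", "unquoted"):
        print(f"{mode:10s} flags samples {hits(mode)}")
    for _, line in SAMPLES:
        for tok in TOKEN.findall(line):
            print(f"{shannon_entropy(tok):.2f} bits/char  {tok}")
```

Running the block prints which samples each mode flags: `quoted` catches only the quoted Python value and the yaml value, `bare-line` adds the token-only generated file, and only `unquoted` catches `foo bar HIGH-ENTROPY`, which is also the mode that would start flagging every long identifier in prose. The low-entropy padding and the hex string are never flagged regardless of mode, because a 16-symbol alphabet cannot exceed 4 bits/char, which is why a scanner needs a separate, lower threshold if it wants to catch hex-encoded secrets.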

@KevinHock KevinHock changed the title Investigate when valid high-entropy secrets do not have quotes Investigate when valid high-entropy secrets do not have quotes (outside of yaml/ini files) Jul 10, 2019
killuazhu pushed a commit to IBM/detect-secrets that referenced this issue Sep 17, 2020
Supports git-defenders/detect-secrets-discuss#190

DB2 Verification (Yelp#196)

Supports git-defenders/detect-secrets-discuss#190

Use DB2 detector (Yelp#199)

Supports git-defenders/detect-secrets-discuss#190

Refactor DB2 verification for calling externally (Yelp#203)

Supports fixing bug [here](https://github.ibm.com/git-defenders/detect-secrets-stream/blob/master/detect_secrets_stream/validation/db2.py#L25)

Catch DB2 hostname, port, database from connection url (Yelp#209)

Supports git-defenders/detect-secrets-discuss#212

Timeout DB2 detector if it takes too long (Yelp#214)
@lorenzodb1 lorenzodb1 added pending The issue still needs to be reviewed by one of the maintainers. and removed accuracy labels Jun 13, 2022
@lorenzodb1 lorenzodb1 added help wanted Indicates that we would like someone that’s not a maintainer to work on the issue. selected The issue has been selected to be worked on. and removed pending The issue still needs to be reviewed by one of the maintainers. labels May 9, 2024
@lorenzodb1 (Member)

This could be addressed by #697.

@lorenzodb1 lorenzodb1 added triaged The issue has been reviewed but has not been solved yet. and removed selected The issue has been selected to be worked on. labels May 16, 2024