Make is_likely_id_string More Strict (#526)
* Make is_likely_id_string more strict to avoid filtering true positives

* Clarify test comment

* Fix regex capturing groups

* Add plural ids to is_likely_id_string regex

* Add regex detail comments
jpdakran authored Apr 13, 2022
1 parent 9ea24b1 commit e07c7d1
Showing 2 changed files with 19 additions and 1 deletion.
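--- a/detect_secrets/filters/heuristic.py
+++ b/detect_secrets/filters/heuristic.py
@@ -68,7 +68,14 @@ def is_likely_id_string(secret: str, line: str) -> bool:
 
 @lru_cache(maxsize=1)
 def _get_id_detector_regex() -> Pattern:
-return re.compile(r'id[^a-z0-9]', re.IGNORECASE)
+"""
+Regex Details:
+^(id|myid|userid) -> Common id identifiers with no prefix
+_id -> id identifier with prefixes allowed
+s? -> Optional plural id identifier
+[^a-z0-9] -> Non-letter/numeric character
+"""
+return re.compile(r'(^(id|myid|userid)|_id)s?[^a-z0-9]', re.IGNORECASE)
 
 
 def is_non_text_file(filename: str) -> bool: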
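Review bot: The trailing class `[^a-z0-9]` in the new pattern still accepts an underscore, so the `_id` branch matches key names that merely contain `_id_`, such as a constructed `oauth_id_token = ...` or `ssh_id_rsa: ...`, and a value on such a line would presumably be treated as an ID and filtered out of the results. For a secret scanner that is a false negative on exactly the kind of key that tends to hold a credential. Excluding the underscore keeps every case in this commit's added tests behaving the same: `return re.compile(r'(^(id|myid|userid)|_id)s?[^a-z0-9_]', re.IGNORECASE)`. The matching docstring line would then read `[^a-z0-9_] -> Delimiter after the identifier (not a letter, digit or underscore)`. How much of the line is searched is decided in is_likely_id_string, whose body is outside this hunk.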
11 changes: 11 additions & 0 deletions tests/filters/heuristic_filter_test.py
Expand Up @@ -63,6 +63,14 @@ class TestIsLikelyIdString:
('RANDOM_STRING', 'myid: RANDOM_STRING'),
('RANDOM_STRING', 'myid=RANDOM_STRING'),
('RANDOM_STRING', 'myid = RANDOM_STRING'),
('RANDOM_STRING', 'userid: RANDOM_STRING'),
('RANDOM_STRING', 'userid=RANDOM_STRING'),
('RANDOM_STRING', 'userid = RANDOM_STRING'),
('RANDOM_STRING', 'data test_id: RANDOM_STRING'),
('RANDOM_STRING', 'data test_id=RANDOM_STRING'),
('RANDOM_STRING', 'data test_id = RANDOM_STRING'),
('RANDOM_STRING', 'ids = RANDOM_STRING, RANDOM_STRING'),
('RANDOM_STRING', 'my_ids: RANDOM_STRING, RANDOM_STRING'),
],
)
def test_success(self, secret, line):
Expand All @@ -79,6 +87,9 @@ def test_success(self, secret, line):
# fail silently if the secret isn't even on the line
('SOME_RANDOM_STRING', 'id: SOME_OTHER_RANDOM_STRING'),
# fail although the word david ends in id
('RANDOM_STRING', 'postgres://david:RANDOM_STRING'),
],
)
def test_failure(self, secret, line):
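Review bot: Every added success case puts `id`, `myid` or `userid` at column 0, so nothing in either parametrized list pins what the new `^` anchor does to an indented or quoted key. Unless the caller strips the line first, a constructed line such as `'    id: RANDOM_STRING'` or `'"id": "RANDOM_STRING"'` matched the old pattern and does not match the new one, so those values stop being filtered as IDs. That errs toward reporting, which is the safer side for a scanner, but it is a behaviour change worth recording: add one such case to whichever list reflects the intent, for example `('RANDOM_STRING', '    id: RANDOM_STRING'),` under a comment like `# bare id is only recognised at the start of the line`. Both parametrize decorators start outside the visible hunks.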
