import yaml
from detect_secrets.plugins.core.constants import WHITELIST_REGEX
class YamlFileParser(object):
    """
    Parse a YAML file and expose every mapping string value together with the
    line it was found on.

    Plain regexes are a poor fit for YAML because string values need not be
    quoted: a quoting-based pattern misses unquoted values, while dropping the
    quoting requirement makes every long token look like a high-entropy
    secret. Instead we hook PyYAML's composer and annotate the tree while it
    is being built, under two assumptions:

        1. secrets are string values,
        2. secrets never appear as mapping keys.

    Each string value found in a mapping is rewritten into a small mapping of
    meta-tags so that the line number survives into the loaded data:

        >>> {
                'key': {
                    '__value__': value,
                    '__line__': <line_number>,
                }
            }

    Only mapping nodes are post-processed: strings that live directly inside a
    sequence are not wrapped, so callers must not assume every string in the
    output carries a line number.

    Security note: the loader is deliberately ``yaml.SafeLoader``. The content
    handed to this class is arbitrary repository text, so it must never be
    swapped for ``yaml.Loader``/``yaml.UnsafeLoader`` (or a plain
    ``yaml.load`` without a safe loader), which can instantiate arbitrary
    Python objects during loading.

    Technique adapted from https://stackoverflow.com/a/13319530.
    """

    def __init__(self, file):
        """
        :param file: open file object. Its whole content is read eagerly so it
            can be both parsed and re-scanned for whitelist comments.
        """
        self.content = file.read()

        # SafeLoader only -- see the class docstring.
        self.loader = yaml.SafeLoader(self.content)

        # Patch this loader *instance*, not the SafeLoader class, so the hook
        # does not leak into other PyYAML users in the same process.
        self.loader.compose_node = self._compose_node_shim

    def json(self):
        """
        Load the document, with mapping string values replaced by their
        meta-tag dictionaries (see the class docstring).

        PyYAML raises ``yaml.composer.ComposerError`` if the content holds more
        than one document.
        """
        return self.loader.get_single_data()

    def _compose_node_shim(self, parent, index):
        """
        Replacement for ``Composer.compose_node`` that records the line each
        node was composed on and post-processes mapping nodes.

        The line is taken from the reader *before* delegating to the real
        composer, i.e. it is the reader position when composition of this node
        starts, not the node's ``start_mark``.
        """
        current_line = self.loader.line

        node = yaml.composer.Composer.compose_node(self.loader, parent, index)

        # Reader lines are zero-based; reported line numbers are one-based.
        node.__line__ = current_line + 1

        if not node.tag.endswith(':map'):
            # TODO: ':seq' nodes are left as-is, so strings inside lists keep
            # their raw form and carry no line number.
            return node

        return self._tag_dict_values(node)

    def _tag_dict_values(self, map_node):
        """
        Return a copy of ``map_node`` in which every ``:str`` value has been
        replaced by a ``{'__value__': ..., '__line__': ...}`` mapping node.

        :type map_node: yaml.nodes.MappingNode
        :param map_node: ``map_node.value`` is a list of
            ``(key_node, value_node)`` tuples.
        :rtype: yaml.nodes.MappingNode
        """
        rewritten_pairs = [
            (
                key_node,
                self._wrap_string_node(map_node.tag, value_node)
                if value_node.tag.endswith(':str')
                else value_node,
            )
            for key_node, value_node in map_node.value
        ]

        return yaml.nodes.MappingNode(
            tag=map_node.tag,
            value=rewritten_pairs,
            start_mark=map_node.start_mark,
            end_mark=map_node.end_mark,
            flow_style=map_node.flow_style,
        )

    def _wrap_string_node(self, map_tag, string_node):
        """
        Build the ``{'__value__': ..., '__line__': ...}`` mapping node for a
        single string scalar.

        :type map_tag: str
        :param map_tag: tag of the enclosing mapping, reused for the wrapper.
        :type string_node: yaml.nodes.ScalarNode
        :param string_node: scalar that was annotated with ``__line__`` by
            ``_compose_node_shim``.
        :rtype: yaml.nodes.MappingNode
        """
        make_pair = self._create_key_value_pair_for_mapping_node_value

        return yaml.nodes.MappingNode(
            tag=map_tag,
            value=[
                make_pair(
                    '__value__',
                    string_node.value,
                    'tag:yaml.org,2002:str',
                ),
                # Emitted as scalar text with an int tag so that PyYAML's
                # constructor turns it back into an integer on load.
                make_pair(
                    '__line__',
                    str(string_node.__line__),
                    'tag:yaml.org,2002:int',
                ),
            ],
        )

    @staticmethod
    def _create_key_value_pair_for_mapping_node_value(key, value, tag):
        """
        Build one ``(key_node, value_node)`` tuple for a ``MappingNode.value``
        list.

        :type key: str
        :param key: always emitted as a plain string scalar.
        :type value: str
        :param value: scalar text; PyYAML constructs it according to ``tag``.
        :type tag: str
        :param tag: full YAML tag for the value node, e.g.
            'tag:yaml.org,2002:int'.
        :rtype: tuple
        """
        key_node = yaml.nodes.ScalarNode(
            tag='tag:yaml.org,2002:str',
            value=key,
        )
        value_node = yaml.nodes.ScalarNode(
            tag=tag,
            value=value,
        )
        return (key_node, value_node)

    def get_ignored_lines(self):
        """
        Return the one-based line numbers of every line carrying a whitelist
        marker (``WHITELIST_REGEX``), which the scanner should ignore.

        The raw text is walked instead of the parsed tree because PyYAML drops
        comments while scanning (true at least up to version 3.13):
        https://github.com/yaml/pyyaml/blob/a2d481b8dbd2b352cb001f07091ccf669227290f/lib3/yaml/scanner.py#L749

        NOTE(review): lines are split on the newline character only, whereas
        PyYAML's reader also treats a lone carriage return as a line break, so
        the numbers here and ``__line__`` could drift apart on such files --
        confirm callers never feed those.

        :rtype: set
        """
        return {
            line_number
            for line_number, text in enumerate(self.content.split('\n'), 1)
            if WHITELIST_REGEX.search(text)
        }