Merge pull request #448 from pablosantiagolopez/feature/config-keyword-plugin

Keyword plugin: default regex modification

Author: domanchi

Diff for: detect_secrets/plugins/keyword.py

@@ -193,7 +193,7 @@
     ),
     flags=re.IGNORECASE,
 )
-DENYLIST_REGEX_TO_GROUP = {
+CONFIG_DENYLIST_REGEX_TO_GROUP = {
     FOLLOWED_BY_COLON_REGEX: 4,
     PRECEDED_BY_EQUAL_COMPARISON_SIGNS_QUOTES_REQUIRED_REGEX: 2,
     FOLLOWED_BY_EQUAL_SIGNS_REGEX: 5,
@@ -230,6 +230,11 @@
     FileType.PYTHON: QUOTES_REQUIRED_DENYLIST_REGEX_TO_GROUP,
     FileType.SWIFT: QUOTES_REQUIRED_DENYLIST_REGEX_TO_GROUP,
     FileType.TERRAFORM: QUOTES_REQUIRED_DENYLIST_REGEX_TO_GROUP,
+    FileType.YAML: CONFIG_DENYLIST_REGEX_TO_GROUP,
+    FileType.CONFIG: CONFIG_DENYLIST_REGEX_TO_GROUP,
+    FileType.INI: CONFIG_DENYLIST_REGEX_TO_GROUP,
+    FileType.PROPERTIES: CONFIG_DENYLIST_REGEX_TO_GROUP,
+    FileType.TOML: CONFIG_DENYLIST_REGEX_TO_GROUP,
 }
 
 
@@ -260,7 +265,6 @@ def analyze_string(
         if denylist_regex_to_group is None:
             attempts = [
                 QUOTES_REQUIRED_DENYLIST_REGEX_TO_GROUP,
-                DENYLIST_REGEX_TO_GROUP,
             ]
         else:
             attempts = [denylist_regex_to_group]
@@ -284,7 +288,7 @@ def analyze_line(
         **kwargs: Any,
     ) -> Set[PotentialSecret]:
         filetype = determine_file_type(filename)
-        denylist_regex_to_group = REGEX_BY_FILETYPE.get(filetype, DENYLIST_REGEX_TO_GROUP)
+        denylist_regex_to_group = REGEX_BY_FILETYPE.get(filetype, QUOTES_REQUIRED_DENYLIST_REGEX_TO_GROUP)  # noqa: E501
         return super().analyze_line(
             filename=filename,
             line=line,

Diff for: detect_secrets/util/filetype.py

@@ -17,7 +17,11 @@ class FileType(Enum):
     C_SHARP = 11
     C = 12
     C_PLUS_PLUS = 13
-    OTHER = 14
+    CONFIG = 14
+    INI = 15
+    PROPERTIES = 16
+    TOML = 17
+    OTHER = 18
 
 
 def determine_file_type(filename: str) -> FileType:
@@ -39,5 +43,12 @@ def determine_file_type(filename: str) -> FileType:
         '.yml': FileType.YAML,
         '.cs': FileType.C_SHARP,
         '.c': FileType.C,
-        '.cpp': FileType.C_PLUS_PLUS
+        '.cpp': FileType.C_PLUS_PLUS,
+        '.cnf': FileType.CONFIG,
+        '.conf': FileType.CONFIG,
+        '.cfg': FileType.CONFIG,
+        '.cf': FileType.CONFIG,
+        '.ini': FileType.INI,
+        '.properties': FileType.PROPERTIES,
+        '.toml': FileType.TOML
     }.get(file_extension, FileType.OTHER)

Diff for: tests/filters/heuristic_filter_test.py

@@ -90,7 +90,7 @@ def test_failure(self, secret, line):
     (
         ('secret = {hunter2}', False),
         ('secret = <hunter2>', False),
-        ('secret = hunter2', True),
+        ('secret = "hunter2"', True),
         ('secret= ${hunter2}', False),
     ),
 )

Diff for: tests/plugins/keyword_test.py

@@ -15,7 +15,7 @@
 
 LONG_LINE = '<img src="data:image/png;base64,{}\n"\n>'.format(base64.b64encode((str(randint(0, 9)) * 30500).encode()))  # noqa: E501
 
-GENERIC_TEST_CASES = [
+CONFIG_TEST_CASES = [
     ('password = "{}"'.format(WHITES_SECRET), WHITES_SECRET),
     ('password_super_secure = "{}"'.format(WHITES_SECRET), WHITES_SECRET),  # Suffix
     ('my_password_super_secure = "{}"'.format(WHITES_SECRET), WHITES_SECRET),  # Prefix/suffix
@@ -40,7 +40,7 @@
     ('password = {}'.format(SYMBOL_SECRET), None),  # At least 1 alphanumeric character is required
     ('api_key = ""', None),  # Nothing in the quotes
     ("secret: ''", None),   # Nothing in the quotes
-    ('secret = "abcdefghi"', None),     # Alphabet sequential string
+    ('password = "somefakekey"', None),  # 'fake' in the secret
     ('password: ${link}', None),        # Has a ${ followed by a }
     ('some_key = "real_secret"', None),  # We cannot make 'key' a Keyword, too noisy)
     ('private_key "hopenobodyfindsthisone\';', None),   # Double-quote does not match single-quote)
@@ -144,7 +144,6 @@
     ('password = {}'.format(COMMON_SECRET), None),  # Secret without quotes
     ('api_key = ""', None),              # Nothing in the quotes
     ("secret: ''", None),                # Nothing in the quotes
-    ('password = "somefakekey"', None),  # 'fake' in the secret
     ('password: ${link}', None),         # Has a ${ followed by a }
     ('some_key = "real_secret"', None),  # We cannot make 'key' a Keyword, too noisy)
     ('private_key "hopenobodyfindsthisone\';', None),  # Double-quote does not match single-quote)
@@ -163,7 +162,7 @@ def parse_test_cases(test_cases):
     'file_extension, line, expected_secret',
     (
         parse_test_cases([
-            (None, GENERIC_TEST_CASES),
+            ('conf', CONFIG_TEST_CASES),
             ('go', GOLANG_TEST_CASES),
             ('m', COMMON_C_TEST_CASES),
             ('c', COMMON_C_TEST_CASES),
@@ -175,6 +174,7 @@ def parse_test_cases(test_cases):
             ('js', QUOTES_REQUIRED_TEST_CASES),
             ('swift', QUOTES_REQUIRED_TEST_CASES),
             ('tf', QUOTES_REQUIRED_TEST_CASES),
+            (None, QUOTES_REQUIRED_TEST_CASES),
         ])
     ),
 )