Merge pull request #612 from nimrodkor/don't_filter_out_access_key_id_finding

lorenzodb1 · web-flow · commit a12a15ed3746 · 2022-09-22T13:48:22.000-07:00
Don't filter out AWS access key ID with the ID filter
diff --git a/detect_secrets/filters/heuristic.py b/detect_secrets/filters/heuristic.py
@@ -2,8 +2,12 @@
 import re
 import string
 from functools import lru_cache
+from typing import Optional
 from typing import Pattern
 
+from detect_secrets.plugins.base import BasePlugin
+from detect_secrets.plugins.base import RegexBasedDetector
+
 
 def is_sequential_string(secret: str) -> bool:
     sequences = (
@@ -57,13 +61,14 @@ def _get_uuid_regex() -> Pattern:
     )
 
 
-def is_likely_id_string(secret: str, line: str) -> bool:
+def is_likely_id_string(secret: str, line: str, plugin: Optional[BasePlugin] = None) -> bool:
     try:
         index = line.index(secret)
     except ValueError:
         return False
 
-    return bool(_get_id_detector_regex().search(line, pos=0, endpos=index))
+    return (not plugin or not isinstance(plugin, RegexBasedDetector)) \
+        and bool(_get_id_detector_regex().search(line, pos=0, endpos=index))
 
 
 @lru_cache(maxsize=1)
diff --git a/tests/filters/heuristic_filter_test.py b/tests/filters/heuristic_filter_test.py
@@ -4,6 +4,7 @@
 
 from detect_secrets import filters
 from detect_secrets.core.scan import scan_line
+from detect_secrets.plugins.aws import AWSKeyDetector
 from detect_secrets.settings import transient_settings
 
 
@@ -77,23 +78,26 @@ def test_success(self, secret, line):
         assert filters.heuristic.is_likely_id_string(secret, line)
 
     @pytest.mark.parametrize(
-        'secret, line',
+        'secret, line, plugin',
         [
             # the word hidden has the word id in it, but lets
             # not mark that as an id string
-            ('RANDOM_STRING', 'hidden_secret: RANDOM_STRING'),
-            ('RANDOM_STRING', 'hidden_secret=RANDOM_STRING'),
-            ('RANDOM_STRING', 'hidden_secret = RANDOM_STRING'),
+            ('RANDOM_STRING', 'hidden_secret: RANDOM_STRING', None),
+            ('RANDOM_STRING', 'hidden_secret=RANDOM_STRING', None),
+            ('RANDOM_STRING', 'hidden_secret = RANDOM_STRING', None),
 
             # fail silently if the secret isn't even on the line
-            ('SOME_RANDOM_STRING', 'id: SOME_OTHER_RANDOM_STRING'),
+            ('SOME_RANDOM_STRING', 'id: SOME_OTHER_RANDOM_STRING', None),
 
             # fail although the word david ends in id
-            ('RANDOM_STRING', 'postgres://david:RANDOM_STRING'),
+            ('RANDOM_STRING', 'postgres://david:RANDOM_STRING', None),
+
+            # fail since this is an aws access key id, a real secret
+            ('AKIA4NACSIJMDDNSEDTE', 'aws_access_key_id=AKIA4NACSIJMDDNSEDTE', AWSKeyDetector()),
         ],
     )
-    def test_failure(self, secret, line):
-        assert not filters.heuristic.is_likely_id_string(secret, line)
+    def test_failure(self, secret, line, plugin):
+        assert not filters.heuristic.is_likely_id_string(secret, line, plugin)
 
 
 @pytest.mark.parametrize(
