Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Despite #247 NOPASSWD is still detected #265

Open
nymous opened this issue Nov 7, 2019 · 5 comments
Open

Despite #247 NOPASSWD is still detected #265

nymous opened this issue Nov 7, 2019 · 5 comments
Assignees
@KevinHock
Labels
bug The issue describes a malfunctioning aspect of the project. false positives triaged The issue has been reviewed but has not been solved yet.

Comments

@nymous
Copy link
Contributor

nymous commented Nov 7, 2019

Changelog for 0.13.0 indicates that after #247 the directive NOPASSWD should be excluded from results. However it seems that this is not the case.

Steps to reproduce:

  • Create a file (eg. sudoers) with the following content:
%wheel ALL=(ALL) NOPASSWD: ALL

(directive is copied from the /etc/sudoers file from an Archlinux install)

  • Install detect-secrets 0.13.0
  • Run detect-secrets scan --exclude-files '.venv' --all-files

Expected results:

 
{
  "exclude": {
    "files": ".venv",
    "lines": null
  },
  "generated_at": "2019-11-07T13:00:15Z",
  "plugins_used": [
    {
      "name": "AWSKeyDetector"
    },
    {
      "name": "ArtifactoryDetector"
    },
    {
      "base64_limit": 4.5,
      "name": "Base64HighEntropyString"
    },
    {
      "name": "BasicAuthDetector"
    },
    {
      "hex_limit": 3,
      "name": "HexHighEntropyString"
    },
    {
      "name": "JwtTokenDetector"
    },
    {
      "keyword_exclude": null,
      "name": "KeywordDetector"
    },
    {
      "name": "MailchimpDetector"
    },
    {
      "name": "PrivateKeyDetector"
    },
    {
      "name": "SlackDetector"
    },
    {
      "name": "SoftlayerDetector"
    },
    {
      "name": "StripeDetector"
    }
  ],
  "results": {},
  "version": "0.13.0",
  "word_list": {
    "file": null,
    "hash": null
  }
}

Actual results:

 
{
  "exclude": {
    "files": ".venv",
    "lines": null
  },
  "generated_at": "2019-11-07T13:00:15Z",
  "plugins_used": [
    {
      "name": "AWSKeyDetector"
    },
    {
      "name": "ArtifactoryDetector"
    },
    {
      "base64_limit": 4.5,
      "name": "Base64HighEntropyString"
    },
    {
      "name": "BasicAuthDetector"
    },
    {
      "hex_limit": 3,
      "name": "HexHighEntropyString"
    },
    {
      "name": "JwtTokenDetector"
    },
    {
      "keyword_exclude": null,
      "name": "KeywordDetector"
    },
    {
      "name": "MailchimpDetector"
    },
    {
      "name": "PrivateKeyDetector"
    },
    {
      "name": "SlackDetector"
    },
    {
      "name": "SoftlayerDetector"
    },
    {
      "name": "StripeDetector"
    }
  ],
  "results": {
    "sudoers": [
      {
        "hashed_secret": "d87c448044defb778f33158d8ccf94a20531d600",
        "is_verified": false,
        "line_number": 1,
        "type": "Secret Keyword"
      }
    ]
  },
  "version": "0.13.0",
  "word_list": {
    "file": null,
    "hash": null
  }
}

Note: the --exclude-files '.venv' directive was added because detect-secrets was installed in a virtualenv
@domanchi
Copy link
Contributor

It looks like the bug is that the FALSE_POSITIVE list are referencing values, not keys (source: https://github.com/Yelp/detect-secrets/blob/master/detect_secrets/plugins/keyword.py#L355).

In this case, the key that is flagged is the existence of PASSWD in NOPASSWD (source), and then the secret value extracted is ALL.

Since ALL (rightfully) isn't in the false positive list, it gets flagged.

The fix here would be to filter out false positives in both the keys and the values. However, that could be a trickier fix than expected.

@ira-bv
Copy link

ira-bv commented Dec 4, 2019

also, is there a way to turn off this one detection plugin? detect-secrets --help gives no clue nor does the README. shall I dive into he code?

@KevinHock
Copy link
Collaborator

Try detect-secrets scan --help

@ira-bv
Copy link

ira-bv commented Dec 5, 2019

Halleluyah! too well hidden for my taste, but I'll take it.

@KevinHock
Copy link
Collaborator

I feel the same way @ira-bv, we haven't done anything hacky around argparse to change the default behavior.

@KevinHock KevinHock self-assigned this Apr 6, 2020
killuazhu pushed a commit to IBM/detect-secrets that referenced this issue May 28, 2020
@justineyster
Revert "Login with resource group (Yelp#264)" (Yelp#265)
61e7289 
This reverts commit 4c0fd84.
killuazhu pushed a commit to IBM/detect-secrets that referenced this issue Jul 9, 2020
@justineyster
Revert "Login with resource group (Yelp#264)" (Yelp#265)
df67b22 
This reverts commit 4c0fd84.
@lorenzodb1 lorenzodb1 added pending The issue still needs to be reviewed by one of the maintainers. and removed keyword detector labels Jun 13, 2022
@lorenzodb1 lorenzodb1 added bug The issue describes a malfunctioning aspect of the project. triaged The issue has been reviewed but has not been solved yet. and removed pending The issue still needs to be reviewed by one of the maintainers. labels May 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@KevinHock KevinHock

Labels
bug The issue describes a malfunctioning aspect of the project. false positives triaged The issue has been reviewed but has not been solved yet.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@KevinHock @nymous @domanchi @lorenzodb1 @ira-bv