From 1de28c26b0d6b5f08354352ab3039363255b43f9 Mon Sep 17 00:00:00 2001 From: Julian Fonticoba Mouriz Date: Tue, 9 Mar 2021 17:21:40 +0100 Subject: [PATCH 1/8] Add swagger filter --- detect_secrets/filters/heuristic.py | 7 +++++++ detect_secrets/settings.py | 1 + docs/filters.md | 1 + tests/filters/heuristic_filter_test.py | 10 ++++++++++ 4 files changed, 19 insertions(+) diff --git a/detect_secrets/filters/heuristic.py b/detect_secrets/filters/heuristic.py index e8d194306..5093d7c2f 100644 --- a/detect_secrets/filters/heuristic.py +++ b/detect_secrets/filters/heuristic.py @@ -191,3 +191,10 @@ def is_lock_file(filename: str) -> bool: 'Podfile.lock', 'yarn.lock', } + +def is_swagger_file(filename: str) -> bool: + """ + Filters swagger files + """ + regex = re.compile(r'.*swagger.*') + return bool(regex.search(filename)) \ No newline at end of file diff --git a/detect_secrets/settings.py b/detect_secrets/settings.py index 63cb367eb..54f841228 100644 --- a/detect_secrets/settings.py +++ b/detect_secrets/settings.py @@ -119,6 +119,7 @@ def clear(self) -> None: 'detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign', 'detect_secrets.filters.heuristic.is_indirect_reference', 'detect_secrets.filters.heuristic.is_lock_file', + 'detect_secrets.filters.heuristic.is_swagger_file', } } diff --git a/docs/filters.md b/docs/filters.md index 1b6e28d0a..0e08c8617 100644 --- a/docs/filters.md +++ b/docs/filters.md 
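Review bot: The pattern in `is_swagger_file` matches the substring `swagger` anywhere in the full path, so every file under a directory such as `swagger-gateway/` (constructed example) is dropped from the scan, not only generated Swagger assets. For a secret scanner that is a silent false negative, and API description files are themselves a place where example tokens and credentials end up. Consider matching only the file name or a whole path segment, and say in the docstring that a match excludes the entire file, e.g. `Excludes any file whose path contains "swagger"; nothing in it is scanned.` The match is also case-sensitive, so `Swagger.json` would still be scanned, which may or may not be intended. The same pattern is carried into `_get_swagger_regex` in PATCH 4/8.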
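Review bot: Registering `detect_secrets.filters.heuristic.is_swagger_file` in this set appears to turn the filter on for every scan; the enclosing `clear()` body lies mostly outside the hunk, so that is inferred from the neighbouring entries. Unlike `is_lock_file`, which the visible context suggests checks a fixed list of file names, this filter excludes by path substring, so enabling it by default widens what a scan skips without the user asking for it. Consider keeping it opt-in, or add a comment on the entry such as `# excludes every path containing "swagger"; disable if API specs must be scanned`.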
@@ -50,6 +50,7 @@ the `detect_secrets.filters` namespace. | `heuristic.is_indirect_reference` | Primarily for `KeywordDetector`, filters secrets like `secret = get_secret_key()`. | | `heuristic.is_likely_id_string` | Ignores secret values prefixed with `id`. | | `heuristic.is_lock_file` | Ignores common lock files. | +| `heuristic.is_swagger_file` | Ignores swagger files and paths, like swagger-ui.html or /swagger/. | | `heuristic.is_non_text_file` | Ignores non-text files (e.g. archives, images). | | `heuristic.is_potential_uuid` | Ignores uuid looking secret values. | | `heuristic.is_prefixed_with_dollar_sign` | Primarily for `KeywordDetector`, filters secrets like `secret = $variableName;`. | diff --git a/tests/filters/heuristic_filter_test.py b/tests/filters/heuristic_filter_test.py index d951606cc..2fc1b3ce7 100644 --- a/tests/filters/heuristic_filter_test.py +++ b/tests/filters/heuristic_filter_test.py @@ -138,3 +138,13 @@ def test_is_lock_file(): # assert non-regex assert not filters.heuristic.is_lock_file('Gemfilealock') + +def test_is_swagger_file(): + # Swagger filename test + assert filters.heuristic.is_swagger_file('/path/swagger-ui.html') + + # Swagger path test + assert filters.heuristic.is_swagger_file('/path/swagger/config.yml') + + # assert non-regex + assert not filters.heuristic.is_swagger_file('/path/non/swager/files') From db445b464da89de5d398f093bad97ec8a4826380 Mon Sep 17 00:00:00 2001 From: Pablo Santiago Date: Thu, 11 Mar 2021 14:02:37 +0100 Subject: [PATCH 2/8] Error corrections --- detect_secrets/filters/heuristic.py | 3 ++- docs/filters.md | 2 +- tests/filters/heuristic_filter_test.py | 20 ++++++++++++-------- 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/detect_secrets/filters/heuristic.py b/detect_secrets/filters/heuristic.py index 5093d7c2f..0a55a0e90 100644 --- a/detect_secrets/filters/heuristic.py +++ b/detect_secrets/filters/heuristic.py 
@@ -192,9 +192,10 @@ def is_lock_file(filename: str) -> bool: 'yarn.lock', } + def is_swagger_file(filename: str) -> bool: """ - Filters swagger files + Filters swagger files and paths, like swagger-ui.html or /swagger/. """ regex = re.compile(r'.*swagger.*') return bool(regex.search(filename)) \ No newline at end of file diff --git a/docs/filters.md b/docs/filters.md index 0e08c8617..fdf57b3e7 100644 --- a/docs/filters.md +++ b/docs/filters.md @@ -50,11 +50,11 @@ the `detect_secrets.filters` namespace. | `heuristic.is_indirect_reference` | Primarily for `KeywordDetector`, filters secrets like `secret = get_secret_key()`. | | `heuristic.is_likely_id_string` | Ignores secret values prefixed with `id`. | | `heuristic.is_lock_file` | Ignores common lock files. | -| `heuristic.is_swagger_file` | Ignores swagger files and paths, like swagger-ui.html or /swagger/. | | `heuristic.is_non_text_file` | Ignores non-text files (e.g. archives, images). | | `heuristic.is_potential_uuid` | Ignores uuid looking secret values. | | `heuristic.is_prefixed_with_dollar_sign` | Primarily for `KeywordDetector`, filters secrets like `secret = $variableName;`. | | `heuristic.is_sequential_string` | Ignores secrets like `abcdefg`. | +| `heuristic.is_swagger_file` | Ignores swagger files and paths, like swagger-ui.html or /swagger/. | | `heuristic.is_templated_secret` | Ignores secrets like `secret = `, `secret = {{key}}` and `secret = ${key}`. | | `regex.should_exclude_line` | Powers the [`--exclude-lines` functionality](../README.md#--exclude-lines). | | `regex.should_exclude_file` | Powers the [`--exclude-files` functionality](../README.md#--exclude-files). | diff --git a/tests/filters/heuristic_filter_test.py b/tests/filters/heuristic_filter_test.py index 2fc1b3ce7..561eff776 100644 --- a/tests/filters/heuristic_filter_test.py +++ b/tests/filters/heuristic_filter_test.py @@ -1,3 +1,5 @@ +import os + import pytest from detect_secrets import filters 
@@ -139,12 +141,14 @@ def test_is_lock_file(): # assert non-regex assert not filters.heuristic.is_lock_file('Gemfilealock') -def test_is_swagger_file(): - # Swagger filename test - assert filters.heuristic.is_swagger_file('/path/swagger-ui.html') - - # Swagger path test - assert filters.heuristic.is_swagger_file('/path/swagger/config.yml') - # assert non-regex - assert not filters.heuristic.is_swagger_file('/path/non/swager/files') +@pytest.mark.parametrize( + 'filename, result', + ( + ('{sep}path{sep}swagger-ui.html', True), + ('{sep}path{sep}swagger{sep}config.yml', True), + ('{sep}path{sep}non{sep}swager{sep}files', False), + ), +) +def test_is_swagger_file(filename, result): + assert filters.heuristic.is_swagger_file(filename.format(sep=os.path.sep)) is result From 881d8b04d91769e751b101ca0629657f6a6b55fe Mon Sep 17 00:00:00 2001 From: Pablo Santiago Date: Thu, 11 Mar 2021 14:11:10 +0100 Subject: [PATCH 3/8] Pre-commit fix --- detect_secrets/filters/heuristic.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detect_secrets/filters/heuristic.py b/detect_secrets/filters/heuristic.py index 0a55a0e90..efea41a14 100644 --- a/detect_secrets/filters/heuristic.py +++ b/detect_secrets/filters/heuristic.py @@ -198,4 +198,4 @@ def is_swagger_file(filename: str) -> bool: Filters swagger files and paths, like swagger-ui.html or /swagger/. """ regex = re.compile(r'.*swagger.*') - return bool(regex.search(filename)) \ No newline at end of file + return bool(regex.search(filename)) From d93426cf7ed38eddab311e19ea15edfac6a57f09 Mon Sep 17 00:00:00 2001 From: Pablo Santiago Date: Thu, 11 Mar 2021 16:27:24 +0100 Subject: [PATCH 4/8] Regex cached --- detect_secrets/filters/heuristic.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/detect_secrets/filters/heuristic.py b/detect_secrets/filters/heuristic.py index efea41a14..318325518 100644 --- a/detect_secrets/filters/heuristic.py +++ b/detect_secrets/filters/heuristic.py 
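Review bot: The three parametrized cases for `test_is_swagger_file` do not pin the two behaviours most likely to surprise a user of this filter: a match on a parent directory, and case sensitivity. With the current pattern a path like `{sep}swagger-gateway{sep}src{sep}settings.py` (constructed) is excluded and `{sep}path{sep}Swagger.json` is not. Adding `('{sep}swagger-gateway{sep}src{sep}settings.py', True),` and `('{sep}path{sep}Swagger.json', False),` would make that explicit and force a decision if the pattern is later narrowed.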
@@ -197,5 +197,9 @@ def is_swagger_file(filename: str) -> bool: """ Filters swagger files and paths, like swagger-ui.html or /swagger/. """ - regex = re.compile(r'.*swagger.*') - return bool(regex.search(filename)) + return bool(_get_swagger_regex().search(filename)) + + +@lru_cache(maxsize=1) +def _get_swagger_regex() -> Pattern: + return re.compile(r'.*swagger.*') From 8bd6a89e7ec3a8b4b072466c9ac4bcb31bac9beb Mon Sep 17 00:00:00 2001 From: Nick Josevski Date: Tue, 16 Mar 2021 21:07:45 +1100 Subject: [PATCH 5/8] fix typo in detect-secrets-hook --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0690cef16..d8d0d4249 100644 --- a/README.md +++ b/README.md @@ -71,7 +71,7 @@ For baselines older than version 0.9, just recreate it. **Scanning Staged Files Only:** ```bash -$ detect-secret-hook --baseline .secrets.baseline $(git diff --staged --name-only) +$ detect-secrets-hook --baseline .secrets.baseline $(git diff --staged --name-only) ``` **Scanning All Tracked Files:** From f128820a23e60acbb3cc68068538d0fa24f56a55 Mon Sep 17 00:00:00 2001 From: Aaron Loo Date: Wed, 17 Mar 2021 14:53:35 -0700 Subject: [PATCH 6/8] don't override the root logger --- detect_secrets/core/log.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detect_secrets/core/log.py b/detect_secrets/core/log.py index 7242a2291..ca8731321 100644 --- a/detect_secrets/core/log.py +++ b/detect_secrets/core/log.py @@ -64,4 +64,4 @@ def set_debug_level(self, debug_level: int) -> None: ) -log = get_logger() +log = get_logger('detect-secrets') From 890a74d8dfd679e4d8cdb070fe22c3332a7a11e7 Mon Sep 17 00:00:00 2001 
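Review bot: The leading and trailing `.*` in `_get_swagger_regex` have no effect because the caller uses `search()`; `return re.compile(r'swagger')` matches the same paths and reads as what it is, a plain substring test. The helper also has no docstring; a one-liner such as `"""Compiled once and cached; matches "swagger" anywhere in a path."""` would do. `lru_cache` and `Pattern` are not imported in this hunk, so they are presumably already in scope in the part of `heuristic.py` outside it.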
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Mar 2021 20:22:20 +0000 Subject: [PATCH 7/8] Bump urllib3 from 1.26.2 to 1.26.3 Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.2 to 1.26.3. - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](https://github.com/urllib3/urllib3/compare/1.26.2...1.26.3) Signed-off-by: dependabot[bot] --- requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 5853095ee..8365abbfd 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -37,6 +37,6 @@ tox-pip-extensions==1.6.0 typed-ast==1.4.1 typing-extensions==3.7.4.3 unidiff==0.6.0 -urllib3==1.26.2 +urllib3==1.26.3 virtualenv==20.2.1 zipp==3.4.0 From 54346ca7ed852eaedf0d8fe7099f2188e84cbe41 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 25 Mar 2021 21:43:09 +0000 Subject: [PATCH 8/8] Bump pyyaml from 5.3.1 to 5.4 Bumps [pyyaml](https://github.com/yaml/pyyaml) from 5.3.1 to 5.4. - [Release notes](https://github.com/yaml/pyyaml/releases) - [Changelog](https://github.com/yaml/pyyaml/blob/master/CHANGES) - [Commits](https://github.com/yaml/pyyaml/compare/5.3.1...5.4) Signed-off-by: dependabot[bot] --- requirements-dev.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements-dev.txt b/requirements-dev.txt index 5853095ee..05653108b 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -27,7 +27,7 @@ pycodestyle==2.3.1 pyflakes==1.6.0 pyparsing==2.4.7 pytest==6.1.2 -PyYAML==5.3.1 +PyYAML==5.4 requests==2.25.0 responses==0.12.1 six==1.15.0