Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

False Negative - YAML Parser Stops Reading After First String Value/Does Not Read Lists of Strings #791

Open
1 of 2 tasks
RobertRosca opened this issue Feb 16, 2024 · 0 comments
Labels
false negatives pending The issue still needs to be reviewed by one of the maintainers.

Comments

@RobertRosca
Copy link

RobertRosca commented Feb 16, 2024

  • I'm submitting a ...

    • bug report
    • feature request
  • What is the current behavior?

Secrets are not detected in (docker compose) yaml files when a top-level entry for a string is present.

  • If the current behavior is a bug, please provide the steps to reproduce and if possible a minimal demo of the problem

This will not detect any secrets:

version: "3.8"

services:
  foo:
    environment:
      - SECRET_KEY=k0l7eDvHl2PhniP0Z146aCOeiw86LGJh5hS2i4LJM

But changing the first line to version: 3.8 will:

version: 3.8

services:
  foo:
    environment:
      - SECRET_KEY=k0l7eDvHl2PhniP0Z146aCOeiw86LGJh5hS2i4LJM
ERROR: Potential secrets about to be committed to git repo!

Secret Type: Secret Keyword
Location:    ./foo.yaml:6

edit: actually, it's a bit more complex, when removing the version value secrets are detected:

services:
  foo:
    environment:
      - SECRET_KEY=k0l7eDvHl2PhniP0Z146aCOeiw86LGJh5hS2i4LJM

Unless you add in something else which is not a mapping to a string:

services:
  foo:
    build: .
    environment:
      - SECRET_KEY=k0l7eDvHl2PhniP0Z146aCOeiw86LGJh5hS2i4LJM

Changing environment from a list of strings to a mapping fixes the issue though:

services:
  foo:
    build: .
    environment:
      SECRET_KEY: k0l7eDvHl2PhniP0Z146aCOeiw86LGJh5hS2i4LJM

But then you're no longer able to use docker compose interpolation within the environment variables, which can be a problem if it's being done for some other variables, e.g the following only works when environment is a list of strings, if it's a mapping you can't do this anymore:

services:
  foo:
    environment:
      - SOMETHING_${FOO}=${BAR}
      - SECRET_KEY=k0l7eDvHl2PhniP0Z146aCOeiw86LGJh5hS2i4LJM
  • What is the expected behavior?

Secrets to be detected when a string entry is present before some nested structure.

  • What is the motivation / use case for changing the behavior?

  • Please tell us about your environment:

    • detect-secrets Version: 1.4.0
    • Python Version: 3.11.7
    • OS Version: Arch
    • File type (if applicable): yaml
  • Other information

Problem seems to be with the yaml parser, for the buggy case of version: "3.8" the lines variable in detect_secrets.scan:269 is:

['version: "3.8"']

So nothing was parsed after that value, which is why the secret isn't found. For the working case of version: 3.8 it is:

[
  'version: 3.8\n',
  '\n', 'services:\n',
  '  foo:\n',
  '    environment:\n',
  '      - SECRET_KEY=k0l7eDvHl2PhniP0Z146aCOeiw86LGJh5hS2i4LJM\n'
]
@RobertRosca RobertRosca changed the title False Negative - YAML Parser Stops Reading After First String Value False Negative - YAML Parser Stops Reading After First String Value/Does Not Read Lists of Strings Feb 16, 2024
RobertRosca added a commit to European-XFEL/zulip-write-only-proxy that referenced this issue Feb 20, 2024
@lorenzodb1 lorenzodb1 added false negatives pending The issue still needs to be reviewed by one of the maintainers. labels May 16, 2024
RobertRosca added a commit to European-XFEL/zulip-write-only-proxy that referenced this issue Sep 24, 2024
RobertRosca added a commit to European-XFEL/zulip-write-only-proxy that referenced this issue Sep 24, 2024
RobertRosca added a commit to European-XFEL/zulip-write-only-proxy that referenced this issue Sep 24, 2024
RobertRosca added a commit to European-XFEL/zulip-write-only-proxy that referenced this issue Sep 24, 2024
RobertRosca added a commit to European-XFEL/zulip-write-only-proxy that referenced this issue Sep 24, 2024
RobertRosca added a commit to European-XFEL/zulip-write-only-proxy that referenced this issue Sep 24, 2024
RobertRosca added a commit to European-XFEL/zulip-write-only-proxy that referenced this issue Sep 24, 2024
RobertRosca added a commit to European-XFEL/zulip-write-only-proxy that referenced this issue Sep 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
false negatives pending The issue still needs to be reviewed by one of the maintainers.
Projects
None yet
Development

No branches or pull requests

2 participants