From 543c6d76e6efe5d51d44a1996dbca2cfc5f5856f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sindri=20Gu=C3=B0mundsson?=
Date: Mon, 4 Sep 2023 15:32:23 +0000
Subject: [PATCH 1/2] Catch index error when checking dollar prefix

As shown by the test, we want to return False for the empty string when checking if it is prefixed with a dollar.
---
 detect_secrets/filters/heuristic.py | 8 +++-----
 tests/filters/heuristic_filter_test.py | 14 ++++++++++----
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/detect_secrets/filters/heuristic.py b/detect_secrets/filters/heuristic.py
index 0dbdb4949..775657f1f 100644
--- a/detect_secrets/filters/heuristic.py
+++ b/detect_secrets/filters/heuristic.py
@@ -2,11 +2,9 @@
 import re
 import string
 from functools import lru_cache
-from typing import Optional
-from typing import Pattern
+from typing import Optional, Pattern
 
-from detect_secrets.plugins.base import BasePlugin
-from detect_secrets.plugins.base import RegexBasedDetector
+from detect_secrets.plugins.base import BasePlugin, RegexBasedDetector
 
 
 def is_sequential_string(secret: str) -> bool:
@@ -164,7 +162,7 @@ def is_prefixed_with_dollar_sign(secret: str) -> bool:
     # false negatives than `is_templated_secret` (e.g. secrets that actually start with a $).
     # This is best used with files that actually use this as a means of referencing variables.
     # TODO: More intelligent filetype handling?
-    return secret[0] == '$'
+    return bool(secret) and secret[0] == '$'
 
 
 def is_indirect_reference(line: str) -> bool:
diff --git a/tests/filters/heuristic_filter_test.py b/tests/filters/heuristic_filter_test.py
index a2f5dbb2b..91a4e7ef9 100644
--- a/tests/filters/heuristic_filter_test.py
+++ b/tests/filters/heuristic_filter_test.py
@@ -1,7 +1,6 @@
 import os
 
 import pytest
-
 from detect_secrets import filters
 from detect_secrets.core.scan import scan_line
 from detect_secrets.plugins.aws import AWSKeyDetector
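Review bot: The changed return line of `is_prefixed_with_dollar_sign` hand-rolls an emptiness guard that `str.startswith` already provides; `return secret.startswith('$')` is the idiomatic prefix test and yields the same result for every `str`, including `''`, so the new parametrized test still passes. The function's `def` line is visible only in the hunk's `@@` context, so its signature and any docstring lie outside the hunk; the comment block directly above the return could state the boundary explicitly, e.g. `# An empty secret is treated as not prefixed.`, so the next reader does not have to infer it from the guard.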
@@ -121,9 +120,16 @@ def test_is_templated_secret(line, result):
     assert bool(list(scan_line(line))) is result
 
 
-def test_is_prefixed_with_dollar_sign():
-    assert filters.heuristic.is_prefixed_with_dollar_sign('$secret')
-    assert not filters.heuristic.is_prefixed_with_dollar_sign('secret')
+@pytest.mark.parametrize(
+    'secret, result',
+    (
+        ('$secret', True),
+        ('secret', False),
+        ('', False),
+    ),
+)
+def test_is_prefixed_with_dollar_sign(secret, result):
+    assert filters.heuristic.is_prefixed_with_dollar_sign(secret) == result
 
 
 @pytest.mark.parametrize(
From 9d790dbbb57318ecb59e955f97379cdaf87924b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sindri=20Gu=C3=B0mundsson?=
Date: Mon, 20 Nov 2023 09:57:05 +0000
Subject: [PATCH 2/2] Revert import order changes

---
 detect_secrets/filters/heuristic.py | 6 ++++--
 tests/filters/heuristic_filter_test.py | 1 +
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/detect_secrets/filters/heuristic.py b/detect_secrets/filters/heuristic.py
index 775657f1f..7fb078181 100644
--- a/detect_secrets/filters/heuristic.py
+++ b/detect_secrets/filters/heuristic.py
@@ -2,9 +2,11 @@
 import re
 import string
 from functools import lru_cache
-from typing import Optional, Pattern
+from typing import Optional
+from typing import Pattern
 
-from detect_secrets.plugins.base import BasePlugin, RegexBasedDetector
+from detect_secrets.plugins.base import BasePlugin
+from detect_secrets.plugins.base import RegexBasedDetector
 
 
 def is_sequential_string(secret: str) -> bool:
diff --git a/tests/filters/heuristic_filter_test.py b/tests/filters/heuristic_filter_test.py
index 91a4e7ef9..90e1eb0de 100644
--- a/tests/filters/heuristic_filter_test.py
+++ b/tests/filters/heuristic_filter_test.py
@@ -1,6 +1,7 @@
 import os
 
 import pytest
+
 from detect_secrets import filters
 from detect_secrets.core.scan import scan_line
 from detect_secrets.plugins.aws import AWSKeyDetector
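Review bot: The new parameter set for `test_is_prefixed_with_dollar_sign` pins the crash case (`''`) but not the other boundaries of a prefix check: a one-character `'$'` and a dollar sign that is present but not leading. Adding `('$', True),` and `('se$cret', False),` to the tuple would lock in the prefix semantics the filter's name promises rather than only the empty-string fix. The parametrize decorator that follows the new test is cut off at the hunk's end, so its contents could not be reviewed here.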