sirwart/ripsecrets

What kind of secret that ripsecrets can find out

Closed this issue · 4 comments

I wrote some simple code like

package main

func main() {
        clientSecretKey := "alkfjlaf^*flkajlfkay7782085ljafg"
        println(clientSecretKey)
}

and hoped ripsecrets would tell me 'you hardcoded the secret in source files', but there was no output.

The alkfjlaf^*flkajlfkay7782085ljafg is just me pressing the keyboard randomly to generate some string :)

I investigated and a regression was recently introduced that didn't detect secrets assigned with the := operator, but I just pushed a fix for that.

Even with that change, though, it still doesn't detect that as a secret, for 2 reasons:

  1. ^ and * are not considered characters that are normally part of secrets
  2. Even without them, the string you typed is not likely to occur randomly. The probability engine gave it only a 0.00000000007% chance of happening randomly, which is below our threshold for considering it a secret.

To +1 Sherlock-Holo's original point though -- there's no easy way to tell what secrets ripsecrets does support.

e.g. I just tried dropping a yubikey string into a file and running ripsecrets and nothing came up.

As it is, the only way to understand what the program does and whether it's useful is to figure out how it works, where the files are, and then decipher the Rust + Regex. It's not ergonomic or safe to use if we don't know whether it can catch what we're trying to protect against.

Seems like a very cool tool, but strangely opaque, given its security focus.
Even a quick walkthrough in the README on how it works and where in the source file to look would be helpful. (It looks like there are a small number of predetermined patterns in find_secrets.rs in predefined_secrets_regexes() and then the rest comes down to a "randomness" estimate in p_random.rs which is using some sort of binomial calculation with a focus on bigrams. But I'm not even sure that's everything. Nor is it immediately obvious how the "randomness" calculator works.)

Again, awesome work -- but there are a lot of decisions and judgements and not much transparency.
Inviting the user into the inner workings would be appreciated.
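To make the two filtering stages discussed in this thread concrete (the maintainer's two reasons above, and the "predefined patterns plus randomness estimate" structure described in the previous comment), here is an added toy scanner. It is example code written for this page, not ripsecrets' own code: ripsecrets' randomness estimate is a bigram-based binomial calculation in p_random.rs, whereas this example swaps in a plain Shannon-entropy-per-character score so it runs stand-alone. The accepted character set, the length and entropy thresholds, the `classify` / `find_secrets` names and the sample literals (the issue's string, a prose string, and a constructed high-entropy token that is not a real key) are all assumptions made for the example.

```rust
// Added example, not ripsecrets' code. A toy hardcoded-secret scanner with
// two stages mirroring the discussion: (1) a character-set check, and (2) a
// randomness estimate. ripsecrets uses a bigram/binomial estimate for (2);
// here Shannon entropy per character stands in for it (assumption).
use std::collections::HashMap;

/// Assumed secret alphabet: base64/hex/URL-safe style characters. This is why
/// the issue's string, which contains `^` and `*`, is rejected at stage 1.
fn is_secret_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '+' | '/' | '=')
}

/// Shannon entropy of `s` in bits per character (0.0 for an empty string).
pub fn shannon_entropy(s: &str) -> f64 {
    let n = s.chars().count() as f64;
    if n == 0.0 {
        return 0.0;
    }
    let mut counts: HashMap<char, usize> = HashMap::new();
    for c in s.chars() {
        *counts.entry(c).or_insert(0) += 1;
    }
    counts
        .values()
        .map(|&k| {
            let p = k as f64 / n;
            -p * p.log2()
        })
        .sum()
}

/// Example thresholds (assumptions, not ripsecrets' values).
pub const MIN_LEN: usize = 16;
pub const MIN_BITS_PER_CHAR: f64 = 4.0;

/// Classify one string literal. On rejection the Err carries the reason, so a
/// user can see which stage filtered a candidate out (the transparency this
/// thread asks for).
pub fn classify(token: &str) -> Result<(), String> {
    let len = token.chars().count();
    if len < MIN_LEN {
        return Err(format!("too short ({} chars, need {})", len, MIN_LEN));
    }
    if let Some(bad) = token.chars().find(|&c| !is_secret_char(c)) {
        return Err(format!("contains {:?}, not a typical secret character", bad));
    }
    let h = shannon_entropy(token);
    if h < MIN_BITS_PER_CHAR {
        return Err(format!("entropy {:.2} bits/char below {:.1}", h, MIN_BITS_PER_CHAR));
    }
    Ok(())
}

/// Pull out double-quoted string literals (no escape handling; sufficient for
/// the Go snippet in the issue) and return those classified as secrets.
pub fn find_secrets(source: &str) -> Vec<String> {
    let mut found = Vec::new();
    let mut rest = source;
    while let Some(start) = rest.find('"') {
        let after = &rest[start + 1..];
        let Some(end) = after.find('"') else { break };
        let lit = &after[..end];
        if classify(lit).is_ok() {
            found.push(lit.to_string());
        }
        rest = &after[end + 1..];
    }
    found
}

/// Constructed sample: the issue's Go snippet plus two extra literals.
/// "Q7mZ..." is a made-up 32-character token with 32 distinct characters,
/// not a real credential.
pub const SAMPLE_SOURCE: &str = r#"package main

func main() {
        clientSecretKey := "alkfjlaf^*flkajlfkay7782085ljafg"
        greeting := "hello world, this is not a secret"
        apiToken := "Q7mZp2XcL9vRt4WnB8kJdH3gYs6FaE1u"
        println(clientSecretKey, greeting, apiToken)
}
"#;

fn main() {
    for lit in [
        "alkfjlaf^*flkajlfkay7782085ljafg", // issue's string: fails stage 1
        "alkfjlafflkajlfkay7782085ljafg",   // same without ^ and *: fails stage 2
        "hello world, this is not a secret",
        "Q7mZp2XcL9vRt4WnB8kJdH3gYs6FaE1u",
    ] {
        println!("{:36} -> {:?}", lit, classify(lit));
    }
    println!("flagged in sample source: {:?}", find_secrets(SAMPLE_SOURCE));
}
```

Running it shows the issue's string rejected for containing `^`, the same string with `^*` removed rejected at about 3.30 bits/char (keyboard mashing reuses a few keys, so it is less random than it looks), and only the constructed 32-distinct-character token flagged. The reason strings are the point: a scanner that reports why a candidate was dropped is much easier to trust than one that stays silent.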

@ethanmsl I added a "How it works" section to the README to address your feedback: https://github.com/sirwart/ripsecrets#how-it-works. I hope it helps!