sirwart/ripsecrets

It doesn't work

Opened this issue · 9 comments

➜ temp cat src/source.java
password=123
username=333
pwd=344
passwort=3333333
benutzername=32
➜ temp ripsecrets
➜ temp

I can successfully reproduce OP's behavior with the following script:

#!/usr/bin/env bash

# Ensure the directory is empty.
TEST_DIR=/tmp/ripsecrets-68
rm -rf "$TEST_DIR"
mkdir "$TEST_DIR"

# Create the content
cat << EOF > "$TEST_DIR"/source.java
password=123
username=333
pwd=344
passwort=3333333
benutzername=32
EOF

# Run ripsecrets.
cd "$TEST_DIR"
ripsecrets

With a sufficiently long and random string, I'm able to get ripsecrets to detect a value.

Contents of test.sh:

#!/usr/bin/env bash

# Ensure the directory is empty.
TEST_DIR=/tmp/ripsecrets-68
rm -rf "$TEST_DIR"
mkdir "$TEST_DIR"

# Create the content
cat << EOF > "$TEST_DIR"/source.java
password=vslJRBRIHkmZjbs2PgadKAkQb4WiS24Tcrgyp0T/e2wfK1YYsjnEzA8Uqc5dplEFUiCA39VMhAVp
username=333
EOF

# Run ripsecrets.
cd "$TEST_DIR"
ripsecrets

Output of running the script:

$ ./test.sh
./source.java:1:password=vslJRBRIHkmZjbs2PgadKAkQb4WiS24Tcrgyp0T/e2wfK1YYsjnEzA8Uqc5dplEFUiCA39VMhAVp

@dodalovicgran Just to clarify, can you specify which of the original values you would like ripsecrets to detect?

password=123
username=333
pwd=344
passwort=3333333
benutzername=32

Although some of those lines contain the keywords that trigger the random data inspector (which could stand for some expansion to include pwd and some localization of password, e.g. passwort, wachtwoord, pasvorto, etc.)

pub const RANDOM_STRING_REGEX: &str = r#"(?:secret|token|key|password|Secret|SECRET|Token|TOKEN|Key|KEY|Password|PASSWORD)\w*['"]?]?\s*(?:=|:|:=)\s*['"` \t]?([A-Za-z0-9+/_\-.~=]{15,80})(?:['"` \t\n]|$)"#;

…the lines definitely don't match known patterns.

fn predefined_secret_regexes() -> Vec<&'static str> {

and they aren't long enough to trigger the random data inspector:

/// When we get a potential secret that doesn't match any known secret patterns, we need to make some determination of
/// whether it's a random string or not. To do that we assume it's random, and then calculate the probability that a few
/// metrics came about by chance:

N.b., that length is 15,80 in the RANDOM_STRING_REGEX above.

Password generated from pwgen isn't reported as a secret. Example:
quah0dou7gueraiyoo4Eeg6i
ohm7Fushobeaho0iemahke8ta8chaowouphughoVanaigho0ohthoh0eedufiMohzeibeeRakoot6

I don't have time to implement it right now, but perhaps a test that could run pwgen --secure ${rand(range(15,80))} 1000 and see how often the random detector heuristic correctly detects what pwgen represents as random, and document that.

@dramer-817 what does the secret look like in the file? If it's just a random string (i.e., doesn't have a well-known secret prefix) it needs to have something that makes it look like a secret. For example:

password = 'ohm7Fushobeaho0iemahke8ta8chaowouphughoVanaigho0ohthoh0eedufiMohzeibeeRakoot6'

@sirwart yes tried that and not detected
@colindean pwgen with no --secure option not detected, with --secure correctly detected
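To make the gating behaviour discussed in this thread concrete, here is an added Python sketch (not ripsecrets' own code) that applies RANDOM_STRING_REGEX, transcribed from the Rust source quoted above, to the sample lines from the issue. It shows which lines never reach the randomness heuristic at all (no trigger keyword, or a value outside the 15-80 character window) and which do; the randomness heuristic itself is not reproduced. The 81-character line is constructed, and the pwgen value is wrapped in the `password = '...'` form suggested above.

```python
import re

# Keyword alternation exactly as in ripsecrets' RANDOM_STRING_REGEX (note: no
# case-insensitive flag, so only these spellings trigger the inspector).
KEYWORDS = "secret|token|key|password|Secret|SECRET|Token|TOKEN|Key|KEY|Password|PASSWORD"

# The rest of the pattern, copied from the Rust raw string; Python's re accepts
# the same syntax. Group 1 captures the candidate value (15 to 80 chars).
RANDOM_STRING_REGEX = re.compile(
    r"(?:" + KEYWORDS + r""")\w*['"]?]?\s*(?:=|:|:=)\s*['"` \t]?([A-Za-z0-9+/_\-.~=]{15,80})(?:['"` \t\n]|$)"""
)
KEYWORD_ONLY = re.compile(KEYWORDS)


def candidate_value(line: str):
    """Return the captured value if the line passes the keyword + length gate,
    else None. Passing this gate only means the randomness heuristic gets to
    look at the value; it does not by itself mean ripsecrets reports it."""
    m = RANDOM_STRING_REGEX.search(line)
    return m.group(1) if m else None


def classify(lines):
    """Explain, per line, why it does or does not reach the heuristic."""
    result = {}
    for line in lines:
        value = candidate_value(line)
        if value is not None:
            result[line] = f"reaches randomness heuristic ({len(value)} chars)"
        elif not KEYWORD_ONLY.search(line):
            result[line] = "no trigger keyword"
        else:
            result[line] = "keyword present but value not 15-80 allowed chars"
    return result


# Sample lines: the five from the original report, the long value that was
# detected, the pwgen value wrapped as suggested, and one constructed
# over-length value to show the upper bound.
SAMPLE_LINES = [
    "password=123", "username=333", "pwd=344", "passwort=3333333", "benutzername=32",
    "password=vslJRBRIHkmZjbs2PgadKAkQb4WiS24Tcrgyp0T/e2wfK1YYsjnEzA8Uqc5dplEFUiCA39VMhAVp",
    "password = 'quah0dou7gueraiyoo4Eeg6i'",
    "password=" + "A" * 81,  # constructed: one char past the 80-char limit
]

if __name__ == "__main__":
    for line, verdict in classify(SAMPLE_LINES).items():
        print(f"{verdict:55} <- {line[:40]}")
```

Note that the 24-character pwgen value passes the regex gate, so its non-detection in the thread must come from the randomness heuristic, not from the keyword or length check.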