Add new pattern (#222)

bridgecrewio · Nov 4, 2024 · 1790240 · 1790240
1 parent b8e72be
commit 1790240
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/detect_secrets/plugins/keyword.py b/detect_secrets/plugins/keyword.py
@@ -223,6 +223,16 @@
     ),
     flags=re.IGNORECASE,
 )
+DATA_PUT_PASSWORD_REGEX = re.compile(
+    # Matches patterns like data.put("password", "bar") or data.put('password', 'bar')
+    r'data\.put\({whitespace}{quote}{denylist}{quote}{whitespace},{whitespace}{quote}({secret}){quote}{whitespace}\)'.format(
+        denylist=DENYLIST_REGEX_WITH_PREFIX,
+        quote=QUOTE,
+        whitespace=OPTIONAL_WHITESPACE,
+        secret=SECRET,
+    ),
+    re.IGNORECASE,
+)
 CONFIG_DENYLIST_REGEX_TO_GROUP = {
     FOLLOWED_BY_COLON_REGEX: 4,
     PRECEDED_BY_EQUAL_COMPARISON_SIGNS_QUOTES_REQUIRED_REGEX: 2,
@@ -248,6 +258,7 @@
     FOLLOWED_BY_EQUAL_SIGNS_QUOTES_REQUIRED_REGEX: 5,
     FOLLOWED_BY_QUOTES_AND_SEMICOLON_REGEX: 3,
     FOLLOWED_BY_ARROW_FUNCTION_SIGN_QUOTES_REQUIRED_REGEX: 4,
+    DATA_PUT_PASSWORD_REGEX: 2,
 }
 
 TERRAFORM_DENYLIST_REGEX_TO_GROUP = {

diff --git a/tests/plugins/keyword_test.py b/tests/plugins/keyword_test.py
@@ -162,6 +162,8 @@
     (LONG_LINE, None),  # Long line test
     ('password => ""', None),
     ('password => {}'.format(COMMON_SECRET), None),
+    ('data.put("password", "{}")'.format(COMMON_SECRET), COMMON_SECRET),
+    ('data.put("secret", "{}")'.format(COMMON_SECRET), COMMON_SECRET),
 ]
 
 QUOTES_REQUIRED_TEST_CASES = [