Do not require leading quotes for high-entropy strings in ini and yaml

bridgecrewio · Apr 24, 2024 · 96aeb9c · 96aeb9c
1 parent 2b96e50
commit 96aeb9c
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/detect_secrets/plugins/high_entropy_strings.py b/detect_secrets/plugins/high_entropy_strings.py
@@ -30,7 +30,7 @@ def __init__(self, charset: str, limit: float) -> None:
 
         # We require quoted strings to reduce noise.
         # NOTE: We need this to be a capturing group, so back-reference can work.
-        self.regex = re.compile(r'([\'"]?)([{}]+)(\1)'.format(re.escape(charset)))
+        self.regex = re.compile(r'([\'":=])\s*([{}]+)([\'"]?)'.format(re.escape(charset)))
 
     def analyze_string(self, string: str) -> Generator[str, None, None]:
         for result in self.regex.findall(string):

diff --git a/tests/plugins/high_entropy_strings_test.py b/tests/plugins/high_entropy_strings_test.py
@@ -34,7 +34,15 @@ class TestHighEntropyString:
             ("'{secret}'", True),
 
             # Non-quoted string
-            ('{secret}', True),
+            ('{secret}', False),
+
+            # Non-quoted string from ini file
+            ('some_key = {secret}', True),
+            ('some_key={secret}', True),
+            #
+            # Non-quoted string from Yaml
+            ('some_key: {secret}', True),
+            ('some_key:{secret}', True),
         ),
     )
     def test_basic(plugin, non_secret, secret, format, should_be_caught):