Do not require leading quotes for high-entropy strings (#208)

bridgecrewio · Apr 24, 2024 · a3c4644 · a3c4644
1 parent 2811de5
commit a3c4644
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 2 deletions.
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -33,7 +33,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
+        os: [ubuntu-latest, macos-12, windows-latest]
         python: ['3.8', '3.9', '3.10', '3.11', '3.12']
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3

diff --git a/detect_secrets/plugins/high_entropy_strings.py b/detect_secrets/plugins/high_entropy_strings.py
@@ -30,7 +30,7 @@ def __init__(self, charset: str, limit: float) -> None:
 
         # We require quoted strings to reduce noise.
         # NOTE: We need this to be a capturing group, so back-reference can work.
-        self.regex = re.compile(r'([\'"])([{}]+)(\1)'.format(re.escape(charset)))
+        self.regex = re.compile(r'([\'":=])\s*([{}]+)([\'"]?)'.format(re.escape(charset)))
 
     def analyze_string(self, string: str) -> Generator[str, None, None]:
         for result in self.regex.findall(string):

diff --git a/tests/plugins/high_entropy_strings_test.py b/tests/plugins/high_entropy_strings_test.py
@@ -35,6 +35,14 @@ class TestHighEntropyString:
 
             # Non-quoted string
             ('{secret}', False),
+
+            # Non-quoted string from ini file
+            ('some_key = {secret}', True),
+            ('some_key={secret}', True),
+            #
+            # Non-quoted string from Yaml
+            ('some_key: {secret}', True),
+            ('some_key:{secret}', True),
         ),
     )
     def test_basic(plugin, non_secret, secret, format, should_be_caught):