SNOW-1452613 Update secret detector (#961)
### Description
SNOW-1452613 Update secret detector

### Checklist
- [x] Code compiles correctly
- [x] Code is formatted according to [Coding
Conventions](../blob/master/CodingConventions.md)
- [x] Created tests which fail without the change (if possible)
- [x] All tests passing (`dotnet test`)
- [x] Extended the README / documentation, if necessary
- [x] Provide JIRA issue id (if possible) or GitHub issue id in PR name
sfc-gh-knozderko authored Jun 6, 2024
1 parent 815f708 commit a4349d7
Showing 3 changed files with 167 additions and 63 deletions.
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
@@ -1,5 +1,5 @@
repos:
- repo: [email protected]:snowflakedb/casec_precommit.git
rev: v1.20
rev: v1.35.4
hooks:
- id: secret-scanner
126 changes: 95 additions & 31 deletions Snowflake.Data.Tests/UnitTests/SecretDetectorTest.cs
@@ -1,16 +1,15 @@
/*
* Copyright (c) 2021 Snowflake Computing Inc. All rights reserved.
* Copyright (c) 2021-2024 Snowflake Computing Inc. All rights reserved.
*/

using Amazon.S3.Model.Internal.MarshallTransformations;
using NUnit.Framework;
using Snowflake.Data.Log;
using Snowflake.Data.Tests.Mock;
using System;
using System.Text;

namespace Snowflake.Data.Tests.UnitTests
{
using NUnit.Framework;
using Snowflake.Data.Log;
using Snowflake.Data.Tests.Mock;
using System;
using System.Collections.Generic;

[TestFixture]
class SecretDetectorTest
Expand Down Expand Up @@ -95,7 +94,7 @@ public void TestAWSKeys()
BasicMasking(@"""aws_key_id""='aaaaaaaa'", @"""aws_key_id""='****'");

//aws_key_id|aws_secret_key|access_key_id|secret_access_key)('|"")?(\s*[:|=]\s*)'([^']+)'
// Delimiters before start of value to mask
// Delimiters before start of value to mask
BasicMasking(@"aws_key_id:'aaaaaaaa'", @"aws_key_id:'****'");
BasicMasking(@"aws_key_id='aaaaaaaa'", @"aws_key_id='****'");
}
Expand Down Expand Up @@ -144,7 +143,7 @@ public void TestSASTokens()
BasicMasking(@"sig=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", @"sig=****");

// signature
BasicMasking(@"signature=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", @"signature=****");
BasicMasking(@"signature=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", @"signature=****");

// AWSAccessKeyId
BasicMasking(@"AWSAccessKeyId=ABCDEFGHIJKL01234", @"AWSAccessKeyId=****"); // pragma: allowlist secret
Expand All @@ -167,6 +166,32 @@ public void TestPrivateKey()
"-----BEGIN PRIVATE KEY-----\\\\nXXXX\\\\n-----END PRIVATE KEY-----"); // pragma: allowlist secret
}

[Test]
public void TestPrivateKeyProperty()
{
BasicMasking(@"something=anything;private_key=aaaaaa", @"something=anything;private_key=****");
BasicMasking("something=anything;private_key \r\n =aaaaaa", "something=anything;private_key \r\n =****");
BasicMasking(@"something=anything;private_key=aaaaaaaaaaaaaaaaaa", @"something=anything;private_key=****");
BasicMasking(@"something=anything;private_key=a", @"something=anything;private_key=****");
BasicMasking(@"something=anything;private_key=""a"";someOtherProperty=someValue", @"something=anything;private_key=****");
BasicMasking(@"something=anything;private_key='a';someOtherProperty=someValue", @"something=anything;private_key=****");
BasicMasking($"something=anything;private_key ={GetStringWithManyWeirdCharacters()}\r\nxxxxxx\r\nyyyyyy;someOtherProperty=someValue", @"something=anything;private_key =****");
}

private string GetStringWithManyWeirdCharacters()
{
var bytes = new byte[256];
for (var i = 0; i < 256; i++)
{
if (i < 20)
{
bytes[i] = 58;
}
bytes[i] = (byte) i;
}
return Encoding.Default.GetString(bytes);
}

[Test]
public void TestPrivateKeyData()
{
Expand All @@ -185,12 +210,12 @@ public void TestConnectionTokens()
// assertion content
BasicMasking(@"assertion content:aaaaaaaa", @"assertion content:****");

// Delimiters before start of value to mask
// Delimiters before start of value to mask
BasicMasking(@"token""aaaaaaaa", @"token""****"); // "
BasicMasking(@"token'aaaaaaaa", @"token'****"); // '
BasicMasking(@"token=aaaaaaaa", @"token=****"); // =
BasicMasking(@"token aaaaaaaa", @"token ****"); // {space}
BasicMasking(@"token ="" 'aaaaaaaa", @"token ="" '****"); // Mix
BasicMasking(@"token ="" 'aaaaaaaa", @"token =****"); // Mix

// Verify that all allowed characters are correctly supported
BasicMasking(@"Token:a=b/c_d-e+F:025", @"Token:****");
Expand All @@ -211,17 +236,57 @@ public void TestPassword()
// passcode
BasicMasking(@"passcode:aaaaaaaa", @"passcode:****");

// Delimiters before start of value to mask
// Delimiters before start of value to mask
BasicMasking(@"password""aaaaaaaa", @"password""****"); // "
BasicMasking(@"password'aaaaaaaa", @"password'****"); // '
BasicMasking(@"password=aaaaaaaa", @"password=****"); // =
BasicMasking(@"password aaaaaaaa", @"password ****"); // {space}
BasicMasking(@"password ="" 'aaaaaaaa", @"password ="" '****"); // Mix
BasicMasking(@"password ="" 'aaaaaaaa", @"password =****"); // Mix

// Verify that all allowed characters are correctly supported
BasicMasking(@"password:a!b""c#d$e%f&g'h(i)k*k+l,m;n<o=p>q?r@s[t]u^v_w`x{y|z}Az0123", @"password:****");
}

[Test]
public void TestPasswordProperty()
{
BasicMasking(@"somethingBefore=cccc;password=aa", @"somethingBefore=cccc;password=****");
BasicMasking(@"somethingBefore=cccc;password=aa;somethingNext=bbbb", @"somethingBefore=cccc;password=****");
BasicMasking(@"somethingBefore=cccc;password=""aa"";somethingNext=bbbb", @"somethingBefore=cccc;password=****");
BasicMasking(@"somethingBefore=cccc;password=;somethingNext=bbbb", @"somethingBefore=cccc;password=****");
BasicMasking(@"somethingBefore=cccc;password=", @"somethingBefore=cccc;password=****");
BasicMasking(@"somethingBefore=cccc;password =aa;somethingNext=bbbb", @"somethingBefore=cccc;password =****");
BasicMasking(@"somethingBefore=cccc;password="" 'aa", @"somethingBefore=cccc;password=****");

BasicMasking(@"somethingBefore=cccc;proxypassword=aa", @"somethingBefore=cccc;proxypassword=****");
BasicMasking(@"somethingBefore=cccc;proxypassword=aa;somethingNext=bbbb", @"somethingBefore=cccc;proxypassword=****");
BasicMasking(@"somethingBefore=cccc;proxypassword=""aa"";somethingNext=bbbb", @"somethingBefore=cccc;proxypassword=****");
BasicMasking(@"somethingBefore=cccc;proxypassword=;somethingNext=bbbb", @"somethingBefore=cccc;proxypassword=****");
BasicMasking(@"somethingBefore=cccc;proxypassword=", @"somethingBefore=cccc;proxypassword=****");
BasicMasking(@"somethingBefore=cccc;proxypassword =aa;somethingNext=bbbb", @"somethingBefore=cccc;proxypassword =****");
BasicMasking(@"somethingBefore=cccc;proxypassword="" 'aa", @"somethingBefore=cccc;proxypassword=****");

BasicMasking(@"somethingBefore=cccc;private_key_pwd=aa", @"somethingBefore=cccc;private_key_pwd=****");
BasicMasking(@"somethingBefore=cccc;private_key_pwd=aa;somethingNext=bbbb", @"somethingBefore=cccc;private_key_pwd=****");
BasicMasking(@"somethingBefore=cccc;private_key_pwd=""aa"";somethingNext=bbbb", @"somethingBefore=cccc;private_key_pwd=****");
BasicMasking(@"somethingBefore=cccc;private_key_pwd=;somethingNext=bbbb", @"somethingBefore=cccc;private_key_pwd=****");
BasicMasking(@"somethingBefore=cccc;private_key_pwd=", @"somethingBefore=cccc;private_key_pwd=****");
BasicMasking(@"somethingBefore=cccc;private_key_pwd =aa;somethingNext=bbbb", @"somethingBefore=cccc;private_key_pwd =****");
BasicMasking(@"somethingBefore=cccc;private_key_pwd="" 'aa", @"somethingBefore=cccc;private_key_pwd=****");
}

[Test]
[TestCase("2020-04-30 23:06:04,069 - MainThread auth.py:397 - write_temporary_credential() - DEBUG - no ID password was not given")]
[TestCase("2020-04-30 23:06:04,069 - MainThread auth.py:397 - write_temporary_credential() - DEBUG - no ID proxyPassword was not given")]
[TestCase("2020-04-30 23:06:04,069 - MainThread auth.py:397 - write_temporary_credential() - DEBUG - no ID private_key_pwd was not given")]
public void TestPasswordFalsePositive(string falsePositiveMessage)
{
mask = SecretDetector.MaskSecrets(falsePositiveMessage);
Assert.IsFalse(mask.isMasked);
Assert.AreEqual(falsePositiveMessage, mask.maskedText);
Assert.IsNull(mask.errStr);
}

[Test]
public void TestMaskToken()
{
Expand Down Expand Up @@ -268,7 +333,7 @@ public void TestMaskToken()
string snowFlakeAuthToken = "Authorization: Snowflake Token=\"ver:1-hint:92019676298218-ETMsDgAAAXswwgJhABRBRVMvQ0JDL1BLQ1M1UGFkZGluZwEAABAAEF1tbNM3myWX6A9sNSK6rpIAAACA6StojDJS4q1Vi3ID+dtFEucCEvGMOte0eapK+reb39O6hTHYxLfOgSGsbvbM5grJ4dYdNJjrzDf1r07tID4I2RJJRYjS4/DWBJn98Untd3xeNnXE1/45HgvwKVHlmZQLVwfWAxI7ifl2MVDwJlcXBufLZoVMYhUd4np121d7zFwAFGQzKyzUYQwI3M9Nqja9syHgaotG\"";
mask = SecretDetector.MaskSecrets(snowFlakeAuthToken);
Assert.IsTrue(mask.isMasked);
Assert.AreEqual(@"Authorization: Snowflake Token=""****""", mask.maskedText);
Assert.AreEqual(@"Authorization: Snowflake Token=****", mask.maskedText);
Assert.IsNull(mask.errStr);
}

Expand Down Expand Up @@ -311,7 +376,7 @@ public void TestPasswords()
string randomPasswordEqualSign = "password = " + randomPassword;
mask = SecretDetector.MaskSecrets(randomPasswordEqualSign);
Assert.IsTrue(mask.isMasked);
Assert.AreEqual(@"password = ****", mask.maskedText);
Assert.AreEqual(@"password =****", mask.maskedText);
Assert.IsNull(mask.errStr);

string randomPwdWithPrefix = "pwd:" + randomPassword;
Expand Down Expand Up @@ -350,9 +415,7 @@ public void TestTokenPassword()
mask = SecretDetector.MaskSecrets(testStringWithPrefix);
Assert.IsTrue(mask.isMasked);
Assert.AreEqual(
"token=****" +
" random giberish " +
"password:****",
"token=****",
mask.maskedText);
Assert.IsNull(mask.errStr);

Expand All @@ -378,11 +441,7 @@ public void TestTokenPassword()
mask = SecretDetector.MaskSecrets(testStringWithPrefix);
Assert.IsTrue(mask.isMasked);
Assert.AreEqual(
"token=****" +
" random giberish " +
"password:****" +
" random giberish " +
"idToken:****",
"token=****",
mask.maskedText);
Assert.IsNull(mask.errStr);

Expand All @@ -393,10 +452,7 @@ public void TestTokenPassword()
mask = SecretDetector.MaskSecrets(testStringWithPrefix);
Assert.IsTrue(mask.isMasked);
Assert.AreEqual(
"password=****" +
" random giberish " +
"pwd:****",
mask.maskedText);
"password=****", mask.maskedText);
Assert.IsNull(mask.errStr);

// multiple passwords
Expand All @@ -408,15 +464,23 @@ public void TestTokenPassword()
mask = SecretDetector.MaskSecrets(testStringWithPrefix);
Assert.IsTrue(mask.isMasked);
Assert.AreEqual(
"password=****" +
" random giberish " +
"password=****" +
" random giberish " +
"password=****",
mask.maskedText);
Assert.IsNull(mask.errStr);
}

[Test]
public void TestTokenProperty()
{
BasicMasking(@"somethingBefore=cccc;token=aa", @"somethingBefore=cccc;token=****");
BasicMasking(@"somethingBefore=cccc;token=aa;somethingNext=bbbb", @"somethingBefore=cccc;token=****");
BasicMasking(@"somethingBefore=cccc;token=""aa"";somethingNext=bbbb", @"somethingBefore=cccc;token=****");
BasicMasking(@"somethingBefore=cccc;token=;somethingNext=bbbb", @"somethingBefore=cccc;token=****");
BasicMasking(@"somethingBefore=cccc;token=", @"somethingBefore=cccc;token=****");
BasicMasking(@"somethingBefore=cccc;token =aa;somethingNext=bbbb", @"somethingBefore=cccc;token =****");
BasicMasking(@"somethingBefore=cccc;token="" 'aa", @"somethingBefore=cccc;token=****");
}

[Test]
public void TestCustomPattern()
{
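Review bot: The `bytes[i] = 58` store inside `if (i < 20)` in GetStringWithManyWeirdCharacters is dead, because `bytes[i] = (byte) i;` on the following line overwrites it unconditionally, so the fixture carries raw control bytes 0–19 (including `\r`, `\n` and `\t`) rather than the `:` substitute the branch appears intended to produce. If the substitution is wanted, `bytes[i] = i < 20 ? (byte) 58 : (byte) i;` expresses it; otherwise the branch should be deleted so nobody reads coverage into it. `Encoding.Default.GetString(bytes)` also makes the test platform-dependent — on .NET Core it is UTF-8, which maps every byte ≥ 0x80 to U+FFFD, while on .NET Framework it is the ANSI code page — so TestPrivateKeyProperty does not exercise the same input everywhere; filling a `char[256]` with `(char) i` in the loop and returning `new string(chars)` avoids the encoding round-trip entirely. Since the value also embeds `;`, `=` and `\r\n`, the expected `private_key =****` shows the mask consuming the trailing `;someOtherProperty=someValue`, which is presumably deliberate (the other *Property tests expect the same) and deserves a comment such as `// masking intentionally runs to end of input once a secret property is matched` so the over-masking is not later "fixed".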