rails-guarddog 0.1.9 → 0.1.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: ae20382e818b53d7afdb3344fdd95711edd8c8890441ec4212231ccea489c41f
4
- data.tar.gz: a0ff9456c95b09c64983d80165ebbc6b59868dd4e6aef6b56aef3d1b21e7d467
3
+ metadata.gz: 13a4a099ed1043cb4c5169191304022c1e9f75e8ee28b977fd4a4968a1f458ac
4
+ data.tar.gz: b62273a1dcaa5d126f19545e8f4c51716decd8e1d7b50ab32aa84d047bf9388b
5
5
  SHA512:
6
- metadata.gz: cd08bde46e4cd0125ee004805cac926cc053fc66ddf655b58ddfa9d1bb5dd534ed02cf498c8695a44b51a4b96ad5321398b9a49dcad4771da544d2cc4b7c9760
7
- data.tar.gz: 78adf464a90b83119d33bcd54c652497da03125fa9356f3820df37d5405186601808522e03b5f7e789a0f8633a1fe6b530290cd0f0df55404b71d2452618d4c8
6
+ metadata.gz: 3c18887f0434640f5092cc2fe2f13ce706ca10d121f0ffb64a8601f86f673596ad7dd232b62c744e5610cdbd37368a8b2413f95bd8fd0c92a50bc545e703ef03
7
+ data.tar.gz: 485c37f61a02f85cc9a78710e03441ed7271badb21a3f05818d511e6f3cded152260c9463f05e1fbb427a076d322685122e6dfb76551337ed235c7ffb3246fc0
@@ -2,20 +2,33 @@ module Rails
2
2
  module Guarddog
3
3
  module Checkers
4
4
  class SecretsChecker < BaseChecker
5
+ # Paths whose files should never be checked for secrets.
6
+ # Locale/i18n YAML files contain human-readable strings, not credentials.
7
+ SKIP_PATH_FRAGMENTS = %w[config/locales].freeze
8
+
9
+ # Each pattern uses:
10
+ # \b / \w* — boundary/prefix so compound names like AUTH_TOKEN,
11
+ # access_token, devise_token are all caught.
12
+ # [^\s'"]{N,} — secret value must be space-free and at least N chars;
13
+ # this eliminates human-readable sentences (false positives)
14
+ # e.g. no_token: "You can't access this page..." won't match.
5
15
  PATTERNS = [
6
- /api[_-]?key\s*[=:]\s*['"][^'"]+['"]/i,
7
- /secret[_-]?key\s*[=:]\s*['"][^'"]+['"]/i,
8
- /password\s*[=:]\s*['"][^'"]+['"]/i,
9
- /token\s*[=:]\s*['"][^'"]+['"]/i
10
- ]
16
+ /\bapi[_-]?key\s*[=:]\s*['"][^\s'"]{6,}['"]/i,
17
+ /\bsecret[_-]?key\s*[=:]\s*['"][^\s'"]{6,}['"]/i,
18
+ /\bpassword\s*[=:]\s*['"][^\s'"]{4,}['"]/i,
19
+ # Matches: token, AUTH_TOKEN, access_token, devise_token, reset_token, etc.
20
+ /\b\w*token\w*\s*[=:]\s*['"][^\s'"]{6,}['"]/i
21
+ ].freeze
11
22
 
12
23
  def run
13
- %w[*.rb *.yml .env .env.local].each do |pattern|
14
- glob_files("**/{#{pattern}}").each do |file|
24
+ %w[*.rb *.yml .env .env.local].each do |file_pattern|
25
+ glob_files("**/{#{file_pattern}}").each do |file|
26
+ next if skip_file?(file)
27
+
15
28
  content = File.read(file) rescue next
16
29
  content.each_line.with_index do |line, idx|
17
- PATTERNS.each do |pattern|
18
- if line.match?(pattern) && !line.strip.start_with?('#')
30
+ PATTERNS.each do |pat|
31
+ if line.match?(pat) && !line.strip.start_with?('#')
19
32
  add_finding(
20
33
  severity: :critical,
21
34
  message: "Hardcoded secret detected",
@@ -30,6 +43,12 @@ module Rails
30
43
  end
31
44
  findings
32
45
  end
46
+
47
+ private
48
+
49
+ def skip_file?(file)
50
+ SKIP_PATH_FRAGMENTS.any? { |fragment| file.include?(fragment) }
51
+ end
33
52
  end
34
53
  end
35
54
  end
@@ -1,5 +1,5 @@
1
1
  module Rails
2
2
  module Guarddog
3
- VERSION = "0.1.9"
3
+ VERSION = "0.1.10"
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rails-guarddog
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.9
4
+ version: 0.1.10
5
5
  platform: ruby
6
6
  authors:
7
7
  - Security Team