rails-guarddog 0.1.9 → 0.1.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/rails/guarddog/checkers/secrets_checker.rb +28 -9
- data/lib/rails/guarddog/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 13a4a099ed1043cb4c5169191304022c1e9f75e8ee28b977fd4a4968a1f458ac
|
|
4
|
+
data.tar.gz: b62273a1dcaa5d126f19545e8f4c51716decd8e1d7b50ab32aa84d047bf9388b
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3c18887f0434640f5092cc2fe2f13ce706ca10d121f0ffb64a8601f86f673596ad7dd232b62c744e5610cdbd37368a8b2413f95bd8fd0c92a50bc545e703ef03
|
|
7
|
+
data.tar.gz: 485c37f61a02f85cc9a78710e03441ed7271badb21a3f05818d511e6f3cded152260c9463f05e1fbb427a076d322685122e6dfb76551337ed235c7ffb3246fc0
|
|
@@ -2,20 +2,33 @@ module Rails
|
|
|
2
2
|
module Guarddog
|
|
3
3
|
module Checkers
|
|
4
4
|
class SecretsChecker < BaseChecker
|
|
5
|
+
# Paths whose files should never be checked for secrets.
|
|
6
|
+
# Locale/i18n YAML files contain human-readable strings, not credentials.
|
|
7
|
+
SKIP_PATH_FRAGMENTS = %w[config/locales].freeze
|
|
8
|
+
|
|
9
|
+
# Each pattern uses:
|
|
10
|
+
# \b / \w* — boundary/prefix so compound names like AUTH_TOKEN,
|
|
11
|
+
# access_token, devise_token are all caught.
|
|
12
|
+
# [^\s'"]{N,} — secret value must be space-free and at least N chars;
|
|
13
|
+
# this eliminates human-readable sentences (false positives)
|
|
14
|
+
# e.g. no_token: "You can't access this page..." won't match.
|
|
5
15
|
PATTERNS = [
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
16
|
+
/\bapi[_-]?key\s*[=:]\s*['"][^\s'"]{6,}['"]/i,
|
|
17
|
+
/\bsecret[_-]?key\s*[=:]\s*['"][^\s'"]{6,}['"]/i,
|
|
18
|
+
/\bpassword\s*[=:]\s*['"][^\s'"]{4,}['"]/i,
|
|
19
|
+
# Matches: token, AUTH_TOKEN, access_token, devise_token, reset_token, etc.
|
|
20
|
+
/\b\w*token\w*\s*[=:]\s*['"][^\s'"]{6,}['"]/i
|
|
21
|
+
].freeze
|
|
11
22
|
|
|
12
23
|
def run
|
|
13
|
-
%w[*.rb *.yml .env .env.local].each do |
|
|
14
|
-
glob_files("**/{#{
|
|
24
|
+
%w[*.rb *.yml .env .env.local].each do |file_pattern|
|
|
25
|
+
glob_files("**/{#{file_pattern}}").each do |file|
|
|
26
|
+
next if skip_file?(file)
|
|
27
|
+
|
|
15
28
|
content = File.read(file) rescue next
|
|
16
29
|
content.each_line.with_index do |line, idx|
|
|
17
|
-
PATTERNS.each do |
|
|
18
|
-
if line.match?(
|
|
30
|
+
PATTERNS.each do |pat|
|
|
31
|
+
if line.match?(pat) && !line.strip.start_with?('#')
|
|
19
32
|
add_finding(
|
|
20
33
|
severity: :critical,
|
|
21
34
|
message: "Hardcoded secret detected",
|
|
@@ -30,6 +43,12 @@ module Rails
|
|
|
30
43
|
end
|
|
31
44
|
findings
|
|
32
45
|
end
|
|
46
|
+
|
|
47
|
+
private
|
|
48
|
+
|
|
49
|
+
def skip_file?(file)
|
|
50
|
+
SKIP_PATH_FRAGMENTS.any? { |fragment| file.include?(fragment) }
|
|
51
|
+
end
|
|
33
52
|
end
|
|
34
53
|
end
|
|
35
54
|
end
|