@netlify/build 33.3.0 → 33.4.0

package/lib/plugins_core/secrets_scanning/utils.js

@@ -84,6 +84,26 @@ export function getSecretKeysToScanFor(env, secretKeys) {
     const filteredSecretKeys = filterOmittedKeys(env, secretKeys);
     return filteredSecretKeys.filter((key) => !isValueTrivial(env[key]));
 }
+const getShannonEntropy = (str) => {
+    const len = str.length;
+    if (len === 0)
+        return 0;
+    const freqMap = {};
+    for (const char of str) {
+        freqMap[char] = (freqMap[char] || 0) + 1;
+    }
+    let entropy = 0;
+    for (const char in freqMap) {
+        const p = freqMap[char] / len;
+        entropy -= p * Math.log2(p);
+    }
+    return entropy;
+};
+const HIGH_ENTROPY_THRESHOLD = 4.5;
+const doesEntropyMeetThresholdForSecret = (str) => {
+    const entropy = getShannonEntropy(str);
+    return entropy >= HIGH_ENTROPY_THRESHOLD;
+};
 // Most prefixes are 4-5 chars, so requiring 12 chars after ensures a reasonable secret length
 const MIN_CHARS_AFTER_PREFIX = 12;
 // Escape special regex characters (like $, *, +, etc) in prefixes so they're treated as literal characters
@@ -129,6 +149,10 @@ export function findLikelySecrets({ text, omitValuesFromEnhancedScan = [], }) {
         if (!token || !prefix || allOmittedValues.includes(token)) {
             continue;
         }
+        // Despite the prefix, the string does not look random enough to be convinced it's a secret
+        if (!doesEntropyMeetThresholdForSecret(token)) {
+            continue;
+        }
         matches.push({
             prefix,
             index: match.index,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@netlify/build",
-  "version": "33.3.0",
+  "version": "33.4.0",
   "description": "Netlify build module",
   "type": "module",
   "exports": "./lib/index.js",
@@ -158,5 +158,5 @@
   "engines": {
     "node": ">=18.14.0"
   },
-  "gitHead": "df148594017a78f0f419591da402311ed08e4d64"
+  "gitHead": "5289c05c1991824b24e3a8c38c8457bdc5534046"
 }