nickdeis / eslint-plugin-no-secrets Goto Github PK

View Code? Open in Web Editor NEW

123.0 2.0 4.0 174 KB

An eslint plugin to find strings that might be secrets/credentials

License: MIT License

JavaScript 100.00%

eslint-plugin eslint eslint-rules security security-tools

eslint-plugin-no-secrets's Introduction

eslint-plugin-no-secrets

An eslint rule that searches for potential secrets/keys in code and JSON files.

1. Usage
- 1.1. Flat config
- 1.2. eslintrc
- 1.3. Include JSON files
  - 1.3.1. Include JSON files with in "flat configs"
1. Config
1. When it's really not a secret
1. Options
1. Acknowledgements

1. Usage

npm i -D eslint-plugin-no-secrets

1.1. Flat config

eslint.config.js

import noSecrets from "eslint-plugin-no-secrets";

export default [
  {
    files: ["**/*.js"],
    plugins: {
      "no-secrets": noSecrets,
    },
    rules: {
      "no-secrets/no-secrets": "error",
    },
  },
];

1.2. eslintrc

.eslintrc

{
  "plugins": ["no-secrets"],
  "rules": {
    "no-secrets/no-secrets": "error"
  }
}

//Found a string with entropy 4.3 : "ZWVTjPQSdhwRgl204Hc51YCsritMIzn8B=/p9UyeX7xu6KkAGqfm3FJ+oObLDNEva"
const A_SECRET =
  "ZWVTjPQSdhwRgl204Hc51YCsritMIzn8B=/p9UyeX7xu6KkAGqfm3FJ+oObLDNEva";
//Found a string that matches "AWS API Key" : "AKIAIUWUUQQN3GNUA88V"
const AWS_TOKEN = "AKIAIUWUUQQN3GNUA88V";

1.3. Include JSON files

To include JSON files, install eslint-plugin-jsonc

npm install --save-dev eslint-plugin-jsonc

Then in your .eslint configuration file, extend the jsonc base config

{
  "extends": ["plugin:jsonc/base"]
}

1.3.1. Include JSON files with in "flat configs"

eslint.config.js

import noSecrets from "eslint-plugin-no-secrets";
import jsoncExtend from "eslint-plugin-jsonc";

export default [
  ...jsoncExtend.configs["flat/recommended-with-jsonc"],
  {
    languageOptions: { ecmaVersion: 6 },
    plugins: {
      "no-secrets": noSecret,
    },
    rules: {
      "no-secrets/no-secrets": "error",
    },
  },
];

2. Config

Decrease the tolerance for entropy

{
  "plugins": ["no-secrets"],
  "rules": {
    "no-secrets/no-secrets": ["error", { "tolerance": 3.2 }]
  }
}

Add additional patterns to check for certain token formats.
Standard patterns can be found here

{
  "plugins": ["no-secrets"],
  "rules": {
    "no-secrets/no-secrets": [
      "error",
      {
        "additionalRegexes": {
          "Basic Auth": "Authorization: Basic [A-Za-z0-9+/=]*"
        }
      }
    ]
  }
}

3. When it's really not a secret

3.1. Either disable it with a comment

// Set of potential base64 characters
// eslint-disable-next-line no-secrets/no-secrets
const BASE64_CHARS =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

This will tell future maintainers of the codebase that this suspicious string isn't an oversight

3.2. use the `ignoreContent` to ignore certain content

{
  "plugins": ["no-secrets"],
  "rules": {
    "no-secrets/no-secrets": ["error", { "ignoreContent": "^ABCD" }]
  }
}

3.3. Use `ignoreIdentifiers` to ignore certain variable/property names

{
  "plugins": ["no-secrets"],
  "rules": {
    "no-secrets/no-secrets": [
      "error",
      { "ignoreIdentifiers": ["BASE64_CHARS"] }
    ]
  }
}

3.4. Use `additionalDelimiters` to further split up tokens

Tokens will always be split up by whitespace within a string. However, sometimes words that are delimited by something else (e.g. dashes, periods, camelcase words). You can use additionalDelimiters to handle these cases.

For example, if you want to split words up by the character . and by camelcase, you could use this configuration:

{
  "plugins": ["no-secrets"],
  "rules": {
    "no-secrets/no-secrets": [
      "error",
      { "additionalDelimiters": [".", "(?=[A-Z][a-z])"] }
    ]
  }
}

4. Options

Option	Description	Default	Type
tolerance	Minimum "randomness"/entropy allowed. Only strings above this threshold will be shown.	`4`	`number`
additionalRegexes	Object of additional patterns to check. Key is check name and value is corresponding pattern	`{}`	{[regexCheckName:string]:string \| RegExp}
ignoreContent	Will ignore the entire string if matched. Expects either a pattern or an array of patterns. This option takes precedent over `additionalRegexes` and the default regular expressions	`[]`	string \| RegExp \| (string\|RegExp)[]
ignoreModules	Ignores strings that are an argument in `import()` and `require()` or is the path in an `import` statement.	`true`	`boolean`
ignoreIdentifiers	Ignores the values of properties and variables that match a pattern or an array of patterns.	`[]`	string \| RegExp \| (string\|RegExp)[]
ignoreCase	Ignores character case when calculating entropy. This could lead to some false negatives	`false`	`boolean`
additionalDelimiters	In addition to splitting the string by whitespace, tokens will be further split by these delimiters	`[]`	(string\|RegExp)[]

5. Acknowledgements

Huge thanks to truffleHog for the inspiration, the regexes, and the measure of entropy.

eslint-plugin-no-secrets's People

Contributors

Stargazers

Watchers

Forkers

dr-aryone constgen saadbazaz tomato6966

eslint-plugin-no-secrets's Issues

Unexpected token v when used with eslint-plugin-json

I get the following error when I have this package and eslint-plugin-json installed.

/dev/eslint-config-adjunct/package.json
  1:1  error  Unexpected token v

Downgrading to version 0.5.4 fixes the issue

continuous integration

Could you add a continuous integration in order to check easily the tests status?
E.g. TravisCI is reliable and free for Open Source.

upgrading dependencies

Could you upgrade dependencies?

btw. I checked require("eslint/lib/testers/rule-tester") works for eslint@5 but doesn't for eslint@6

[feature request] Blacklist particular statements

Description

I would like to be able to exclude strings in some statements from consideration, no matter what entropy level they have:

optionally exclude strings by contents
optionally exclude particular variables (by regexes of their names)
optionally exclude strings in common expressions, like import, require, className, maybe various strings of CSS-in-JS frameworks

Motivation

For example, the rule is triggered for this string:

const webpackFriendlyConsole = require('./config/webpack/webpackFriendlyConsole')

The entropy of './config/webpack/webpackFriendlyConsole' is 4.1, however it is an obvious false positive.

Possible interface

The corresponding options could look for example like this:

  'no-secrets/no-secrets': [
    'warn',
    {
      tolerance: 5,
      additionalRegexes: {},
      ignoreContent: [
        /.*some high-entropy text that is not a secret: bla bla bla.*/,
      ],
      ignoreImports: true,
      ignoreCommonjsRequires: true,
      ignoreCssClassNames: true,
      ignoreVariableNames: [/^NOT_A_SECRET_.*$/, 'highEntropySample'],
    },
  ],

Additional considerations

Although some of the blacklisting can, of course, can be achieved by selectively disabling the rule for a line or file or even adding particular files to override with this rule disabled, it would be awesome to have some sort of centralized control and additional customization, as described above.

In any case, thanks for the great plugin! ;)

Minimum entropy threshold

Hey,
I don't want this plugin to detect strings with entropy less than 4.3 (because those are usually not secrets for my project). How can I get that done?

question: find secrets in comments?

Hi,

I tried your plugin and it works great, at least for secrets in source code.

Is there a way to make it find secrets in comments?

Sample:

// const passwords = "admin123"     <---- HERE I forget to remove this commented line
const password = ""

BTW, maybe related, we are using TypeScript.

Thanks

real entropy

IMO Shannon entropy isn't a good measurement because a given string repeated 100 times has the same entropy as repeated only once.
Of course, repeating the same sequence doesn't increase much the amount of information but in some level increases.

IMO:

abcd -> log_2 (4) which gives 2
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd (abcd repeated 100 times) -> log_2 (4 + log_2 (100)) = 3.41

https://www.shannonentropy.netmark.pl/calculate

Support "Flat Config" (ESLint 9)

ESLint is migrating to a new "flat config" format that will be the default in ESLint v9.

It doesn't look like eslint-plugin-no-secrets has support yet. It would be nice if was implemented.

Some additional resources:

Configuration Migration Guide
Plugin Migration Guide
Blog posts on the new config system: Part 1: Background, Part 2: Introduction to flat config

is there a Changelog?

Thank you for your work on this great plugin. I use it in https://github.com/dimitropoulos/eslint-config-intense

I'm updating dependencies on my config today and can't seem to find a changelog to see what changed between 0.3.4 and 0.6.8. Apologies if I just missed it somewhere.

does this library support ESLint 7?

once https://github.com/typescript-eslint/typescript-eslint/releases/tag/v3.0.0-alpha.23 merges, I'll be testing it myself, but I just thought I'd drop a friendly note that probably people will be inquiring here as to whether ESLint 7 is supported soon.

It may very well be already supported! There weren't a ton of breaking changes in ESLint 7 or anything. If so, it'd be nice to say that ESLint 7 is supported on the main README

specify a delimiter

Currently, if a given string contains many words delimited with a space, each word has a separate entropy calculated.

I want to be able to specify other delimiters as well e.g. _, -, @.