Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(secrets): Fix omitting of secrets that are json encoded #3964

Merged
merged 6 commits into from
Dec 1, 2022
Merged

fix(secrets): Fix omitting of secrets that are json encoded #3964

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
7fa5819
Fix omitting of secrets that are json encoded
nimrodkor Dec 1, 2022
7debe7c
Fix UTs
nimrodkor Dec 1, 2022
300aa01
Avoid changing current behavior
nimrodkor Dec 1, 2022
1301c7c
Fix threshold 2
nimrodkor Dec 1, 2022
dadab35
Remove threshold
nimrodkor Dec 1, 2022
5fbc4d9
Fix for sure with threshold
nimrodkor Dec 1, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions checkov/common/util/secrets.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

import copy
import itertools
import json
import logging
import re

Expand Down Expand Up @@ -120,12 +121,15 @@ def omit_multiple_secret_values_from_line(secrets: set[str], line_text: str) ->

def omit_secret_value_from_line(secret: str, line_text: str) -> str:
secret_length = len(secret)
secret_len_to_expose = secret_length // 4
secret_len_to_expose = secret_length // 4 if secret_length < 100 else secret_length // 10

try:
secret_index = line_text.index(secret)
except ValueError:
return line_text
try:
secret_index = line_text.index(json.dumps(secret))
except ValueError:
return line_text

censored_line = f'{line_text[:secret_index + secret_len_to_expose]}' \
f'{"*" * (secret_length - secret_len_to_expose)}' \
Expand Down
50 changes: 47 additions & 3 deletions tests/common/utils/test_secrets_utils.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
from checkov.common.util.secrets import omit_secret_value_from_checks, omit_secret_value_from_definitions
from checkov.common.models.enums import CheckResult
from checkov.terraform.checks.resource.azure.SecretExpirationDate import SecretExpirationDate
from checkov.common.util.secrets import omit_secret_value_from_checks, omit_secret_value_from_definitions
from checkov.terraform.checks.provider.aws.credentials import AWSCredentials
from checkov.terraform.checks.resource.azure.SecretExpirationDate import SecretExpirationDate


def test_omit_secret_value_from_checks_by_attribute(tfplan_resource_lines_with_secrets,
Expand All @@ -18,7 +18,7 @@ def test_omit_secret_value_from_checks_by_attribute(tfplan_resource_lines_with_s


def test_omit_secret_value_from_checks_by_secret(aws_provider_lines_with_secrets, aws_provider_config_with_secrets,
aws_provider_lines_without_secrets):
aws_provider_lines_without_secrets):
check = AWSCredentials()
check_result = {'result': CheckResult.FAILED}

Expand All @@ -33,3 +33,47 @@ def test_omit_secret_value_from_definitions_by_attribute(tfplan_definitions_with
censored_definitions = omit_secret_value_from_definitions(tfplan_definitions_with_secrets,
resource_attributes_to_omit)
assert censored_definitions == tfplan_definitions_without_secrets


def test_omit_secret_value_from_checks_by_secret_2():
entity_lines_with_secrets = [
(93, ' "values": {\n'),
(94, ' "content_type": null,\n'),
(95, ' "expiration_date": null,\n'),
(96, ' "key_vault_id": "/subscriptions/my-subscription/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-vault",\n'),
(97, ' "name": "my-key-vault",\n'),
(98, ' "not_before_date": null,\n'),
(99, ' "tags": null,\n'),
(100, ' "timeouts": null,\n'),
(101, ' "value": "-----BEGIN RSA PRIVATE KEY-----\\nMOCKKEYmer0YcjoLJVs4VvyLaigj7ygbpplVefQFHXseE7Lx0S2YBA6cg5SHoe4huMCsLwqyHJane2aseEq6oreSUG4Fzk3XpZSJ8fhNTdH2XHjCiK2LmAMHLV34adw2DEVKESa3PTf86EPIXu77qOH5HMl9tCXl9e1xf3wluaecOjdamK9HcNv8l0R58tTIuHpK+HiT69EHUjn7Igv904vPoTSl3f0Ut+xYTWOBBQJRG9YI7fHLJTL5ki1Hbb6Kl/6rsFur3P32kHQqFtDb9l7AQ/J68ws6MNfi+n5EylyRMgWkDRaryDPfRp9Aoe82Fo0pZDarEmphE58+FTKw5eC6qh3\\n-----END RSA PRIVATE KEY-----\\n"\n')
]
entity_config_with_secrets = {
'content_type': [None],
'expiration_date': [None],
'key_vault_id': ['/subscriptions/my-subscription/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-vault'],
'name': ['my-key-vault'], 'not_before_date': [None], 'tags': [None], 'timeouts': [None],
'value': ['-----BEGIN RSA PRIVATE KEY-----\nMOCKKEYmer0YcjoLJVs4VvyLaigj7ygbpplVefQFHXseE7Lx0S2YBA6cg5SHoe4huMCsLwqyHJane2aseEq6oreSUG4Fzk3XpZSJ8fhNTdH2XHjCiK2LmAMHLV34adw2DEVKESa3PTf86EPIXu77qOH5HMl9tCXl9e1xf3wluaecOjdamK9HcNv8l0R58tTIuHpK+HiT69EHUjn7Igv904vPoTSl3f0Ut+xYTWOBBQJRG9YI7fHLJTL5ki1Hbb6Kl/6rsFur3P32kHQqFtDb9l7AQ/J68ws6MNfi+n5EylyRMgWkDRaryDPfRp9Aoe82Fo0pZDarEmphE58+FTKw5eC6qh3\n-----END RSA PRIVATE KEY-----\n'],
'__startline__': [93], '__endline__': [102], 'start_line': [92], 'end_line': [101],
'references_': ['tls_private_key.ssh.private_key_pem', 'tls_private_key.ssh'],
'__address__': 'azurerm_key_vault_secret.akv_009_pass_01', '__change_actions__': ['create']}
check = SecretExpirationDate()
check.entity_type = 'azurerm_key_vault_secret'
check_result = {'result': CheckResult.FAILED}

entity_lines_without_secrets = [
(93, ' "values": {\n'),
(94, ' "content_type": null,\n'),
(95, ' "expiration_date": null,\n'),
(96, ' "key_vault_id": "/subscriptions/my-subscription/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-vault",\n'),
(97, ' "name": "my-key-vault",\n'),
(98, ' "not_before_date": null,\n'),
(99, ' "tags": null,\n'),
(100, ' "timeouts": null,\n'),
(101, ' "value": "-----BEGIN RSA PRIVATE KEY-----\\nMOCKKEY*********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************--\\n"\n')
]
resource_attributes_to_omit = {'azurerm_key_vault_secret': 'value'}

result = omit_secret_value_from_checks(check, check_result, entity_lines_with_secrets, entity_config_with_secrets,
resource_attributes_to_omit)

assert result == entity_lines_without_secrets