feat(redact): close crypto-suffix identifier + webhook-URL gaps#79
Open
swarit-stepsecurity wants to merge 1 commit into
Conversation
Two narrow extensions to the redactor, motivated by a stress-test audit:

1. Identifiers that *contain* a credential word but don't end on it (passwordHash, apiKeyDigest, accessTokenHmac, ...) slipped past secret_assignment because the existing rule anchored on the credential word ending the identifier. New rule `secret_assignment_crypto_suffix` matches the same prefix shape with a tight allowed-suffix list (HASH/HASHED/DIGEST/HMAC/CIPHER/ENCRYPTED/SIGNATURE/SALT/SALTED). The suffix list is intentionally narrow so non-credential names like `passwordless`, `tokenize`, `secretary`, and `tokenization_enabled` stay non-redacted (covered by TestStringPreservesNonCredentialNeighbors).
2. Webhook URLs carry their auth in the path; the URL itself is credential-grade. Added three rules:
   - slack_webhook_url: hooks.slack.com/{services,workflows}/...
   - discord_webhook_url: discord.com/api/webhooks/<id>/<token>
   - teams_webhook_url: *.webhook.office.com / outlook.office.com

Tests cover both directions — the new shapes are redacted, and the adjacent-but-non-credential shapes stay intact.
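The two rule families the description above introduces, written out as an added Go example. This is not the project's code: the rule names mirror the PR text, but the credential-word list, the `=`/`:` assignment handling, and the Teams path shape are assumptions (the PR names only the hosts and the allowed suffix list). The sample inputs are constructed; the webhook values are placeholders, not real hooks.

```go
package main

import (
	"fmt"
	"regexp"
)

// Credential words that may end the identifier prefix (assumed list; the
// project's own prefix shape is not shown in the PR).
const credentialWords = `(?:password|passwd|secret|api[_-]?key|access[_-]?token|token)`

// The tight allowed-suffix list from the PR. Any other continuation after a
// credential word (passwordless, tokenize, secretary, ...) does not match.
const cryptoSuffix = `(?:hash|hashed|digest|hmac|cipher|encrypted|signature|salt|salted)`

type rule struct {
	name string
	re   *regexp.Regexp
	repl string // expansion template for ReplaceAllString
}

var rules = []rule{
	{
		name: "secret_assignment_crypto_suffix",
		// identifier = prefix + credential word + optional separator + suffix,
		// then `=` or `:`, then an optionally quoted value. Only the value is
		// replaced so the surrounding structure stays readable.
		re: regexp.MustCompile(`(?i)\b(\w*` + credentialWords + `[_-]?` + cryptoSuffix +
			`)\b(\s*[:=]\s*)(["']?)([^\s"',;]+)(["']?)`),
		repl: `${1}${2}${3}[REDACTED:secret_assignment_crypto_suffix]${5}`,
	},
	{
		name: "slack_webhook_url",
		re:   regexp.MustCompile(`https://hooks\.slack\.com/(?:services|workflows)/[A-Za-z0-9_/-]+`),
		repl: `[REDACTED:slack_webhook_url]`,
	},
	{
		name: "discord_webhook_url",
		re:   regexp.MustCompile(`https://discord\.com/api/webhooks/\d+/[A-Za-z0-9_.-]+`),
		repl: `[REDACTED:discord_webhook_url]`,
	},
	{
		name: "teams_webhook_url",
		// Hosts from the PR; the path shape after the host is an assumption.
		re:   regexp.MustCompile(`https://(?:[A-Za-z0-9-]+\.webhook\.office\.com|outlook\.office\.com)/[^\s"'<>]+`),
		repl: `[REDACTED:teams_webhook_url]`,
	},
}

// Redact applies every rule to s and returns the redacted text. Whole webhook
// URLs are replaced; for crypto-suffix assignments only the value is replaced.
func Redact(s string) string {
	out := s
	for _, r := range rules {
		out = r.re.ReplaceAllString(out, r.repl)
	}
	return out
}

// RuleHits returns the names of the rules that fire on s, in rule order.
// Useful for asserting that neighbours such as `passwordless` produce no hit.
func RuleHits(s string) []string {
	var hits []string
	for _, r := range rules {
		if r.re.MatchString(s) {
			hits = append(hits, r.name)
		}
	}
	return hits
}

func main() {
	// Constructed sample lines: three that must be redacted, three that must not.
	samples := []string{
		`passwordHash = "5f4dcc3b"`,
		`apiKeyDigest: 'abc123'`,
		`SLACK_URL=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX`,
		`passwordless_login: true`,
		`tokenization_enabled = 1`,
		`secretary = "Jane"`,
	}
	for _, s := range samples {
		fmt.Printf("%-90s -> %s\n", s, Redact(s))
	}
}
```

The `\b` after the suffix group is what keeps the rule narrow: `passwordHashed` matches because `hashed` is in the list, but `password_hash_v2` does not, which is the trade-off a tight suffix list makes on purpose.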
What does this PR do?
Type of change
Testing
./stepsecurity-dev-machine-guard --verbose
./stepsecurity-dev-machine-guard --json | python3 -m json.tool
make lint
make test
Related Issues