nickdeis / eslint-plugin-no-secrets Goto Github PK

Hi,

I tried your plugin and it works great, at least for secrets in source code.

Is there a way to make it find secrets in comments?

Sample:

// const passwords = "admin123"     <---- HERE I forget to remove this commented line
const password = ""

BTW, maybe related, we are using TypeScript.

Thanks

Description

I would like to be able to exclude strings in some statements from consideration, no matter what entropy level they have:

• optionally exclude strings by contents
• optionally exclude particular variables (by regexes of their names)
• optionally exclude strings in common expressions, like import, require, className, maybe various strings of CSS-in-JS frameworks

Motivation

For example, the rule is triggered for this string:

const webpackFriendlyConsole = require('./config/webpack/webpackFriendlyConsole')

The entropy of './config/webpack/webpackFriendlyConsole' is 4.1, however it is an obvious false positive.

Possible interface

The corresponding options could look for example like this:

  'no-secrets/no-secrets': [
    'warn',
    {
      tolerance: 5,
      additionalRegexes: {},
      ignoreContent: [
        /.*some high-entropy text that is not a secret: bla bla bla.*/,
      ],
      ignoreImports: true,
      ignoreCommonjsRequires: true,
      ignoreCssClassNames: true,
      ignoreVariableNames: [/^NOT_A_SECRET_.*$/, 'highEntropySample'],
    },
  ],

Additional considerations

Although some of the blacklisting can, of course, can be achieved by selectively disabling the rule for a line or file or even adding particular files to override with this rule disabled, it would be awesome to have some sort of centralized control and additional customization, as described above.

In any case, thanks for the great plugin! ;)

Could you add a continuous integration in order to check easily the tests status?
E.g. TravisCI is reliable and free for Open Source.

once https://github.com/typescript-eslint/typescript-eslint/releases/tag/v3.0.0-alpha.23 merges, I'll be testing it myself, but I just thought I'd drop a friendly note that probably people will be inquiring here as to whether ESLint 7 is supported soon.

It may very well be already supported! There weren't a ton of breaking changes in ESLint 7 or anything. If so, it'd be nice to say that ESLint 7 is supported on the main README

Hey,
I don't want this plugin to detect strings with entropy less than 4.3 (because those are usually not secrets for my project). How can I get that done?

Could you upgrade dependencies?

btw. I checked require("eslint/lib/testers/rule-tester") works for eslint@5 but doesn't for eslint@6

IMO Shannon entropy isn't a good measurement because a given string repeated 100 times has the same entropy as repeated only once.
Of course, repeating the same sequence doesn't increase much the amount of information but in some level increases.

IMO:

• abcd -> log_2 (4) which gives 2
• abcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd (abcd repeated 100 times) -> log_2 (4 + log_2 (100)) = 3.41

https://www.shannonentropy.netmark.pl/calculate

I get the following error when I have this package and eslint-plugin-json installed.

/dev/eslint-config-adjunct/package.json
  1:1  error  Unexpected token v

Downgrading to version 0.5.4 fixes the issue

Thank you for your work on this great plugin. I use it in https://github.com/dimitropoulos/eslint-config-intense

I'm updating dependencies on my config today and can't seem to find a changelog to see what changed between 0.3.4 and 0.6.8. Apologies if I just missed it somewhere.

Currently, if a given string contains many words delimited with a space, each word has a separate entropy calculated.

I want to be able to specify other delimiters as well e.g. _, -, @.