Secret Detection double quoted environment variables false positives
Summary
When running the gitleaks scanner of the secret detection tool, strings like postgres://"${POSTGRES_USER}":"${POSTGRES_PASSWORD}"@Something are flagged as critical by the Password in URL rule. On the other hand postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@Something is fine, but it is good practice to have the double quotes here. See
- SC2086: Double quote to prevent globbing and word splitting. (variable)
- SC2046: Quote this to prevent word splitting. (subshell)
Steps to reproduce
Run the secret detection job while using double quoted environment variables in a URL. Examples:
- https://gitlab-ci-token:"${CI_JOB_TOKEN}"@"${CI_SERVER_HOST}"
- postgres://$POSTGRES_USER:$POSTGRES_PASSWORD@$CI_ENVIRONMENT_SLUG-postgres:1111/$POSTGRES_DB
See https://regex101.com/r/RYfYAK/1
What is the current bug behavior?
These double quoted environment variables are flagged as critical by the Password in URL rule of the gitleaks scanner.
Without double quotes they are not flagged.
What is the expected correct behavior?
These double quoted environment variables should not be flagged, because of SC2086 and SC2046. Without double quotes they should not be flagged either.
Possible fixes
Update the regex here: https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/master/gitleaks.toml#L232-237
Include the option to have quotation marks in front of the $.
This should do the trick:
```diff
- regex = '''[a-zA-Z]{3,10}:\/\/[^$][^:@\/\n]{3,20}:[^$][^:@\n\/]{3,40}@.{1,100}'''
+ regex = '''[a-zA-Z]{3,10}:\/\/(?!\"\$|\$)[^:@\/\n]{3,20}:(?!\"\$|\$)[^:@\n\/]{3,40}@.{1,100}'''
```
See https://regex101.com/r/o8lec4/1
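An added check (not part of this issue or of the gitleaks project) that runs the current rule and the proposed rule through Go's regexp, which is what gitleaks uses: gitleaks compiles rules with Go's RE2-based engine, which rejects lookahead, so the `(?!...)` form tested on regex101 needs a lookahead-free equivalent there. `re2Rule` is my own lookahead-free rewrite (an assumption, not a reviewed pattern), and the `admin:hunter2` sample is constructed to show a genuine hard-coded credential is still caught.

```go
package main

import (
	"fmt"
	"regexp"
)

// Current "Password in URL" regex, as quoted in the issue from gitleaks.toml.
// The [^$] guard stops a bare $VAR, but a leading double quote gets past it.
const currentRule = `[a-zA-Z]{3,10}:\/\/[^$][^:@\/\n]{3,20}:[^$][^:@\n\/]{3,40}@.{1,100}`

// Lookahead version proposed in the issue; Go's RE2 syntax has no (?!...).
const proposedRule = `[a-zA-Z]{3,10}:\/\/(?!\"\$|\$)[^:@\/\n]{3,20}:(?!\"\$|\$)[^:@\n\/]{3,40}@.{1,100}`

// Lookahead-free alternative (assumption, not from the issue): user and password
// each start with an allowed character other than $, or with a quote not followed by $.
const re2Rule = `[a-zA-Z]{3,10}:\/\/(?:[^$"\n:@\/]|"[^$\n:@\/])[^:@\/\n]{2,19}:(?:[^$"\n:@\/]|"[^$\n:@\/])[^:@\n\/]{2,39}@.{1,100}`

// Compiles reports whether Go's regexp accepts the pattern at all.
func Compiles(pattern string) bool {
	_, err := regexp.Compile(pattern)
	return err == nil
}

// Flags reports whether pattern would flag line; an uncompilable pattern flags nothing.
func Flags(pattern, line string) bool {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false
	}
	return re.MatchString(line)
}

// Constructed samples: the three from the issue plus one real hard-coded credential.
var samples = []string{
	`postgres://"${POSTGRES_USER}":"${POSTGRES_PASSWORD}"@Something`,
	`postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@Something`,
	`https://gitlab-ci-token:"${CI_JOB_TOKEN}"@"${CI_SERVER_HOST}"`,
	`postgres://admin:hunter2@db.example.internal:5432/app`,
}

func main() {
	fmt.Printf("proposed lookahead rule compiles in Go: %v\n", Compiles(proposedRule))
	for _, s := range samples {
		fmt.Printf("current=%-5v re2=%-5v %s\n", Flags(currentRule, s), Flags(re2Rule, s), s)
	}
}
```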
Related issues
This issue is regarding the same regex: #404632
This may also be highly relevant: #351947