lib/contrast/agent/assess/rule/provider/hardcoded_password.rb in contrast-agent-6.1.0 vs lib/contrast/agent/assess/rule/provider/hardcoded_password.rb in contrast-agent-6.1.1
- old
+ new
@@ -13,16 +13,13 @@
# 3) the value is a String
# 4) the value is not solely alphanumeric and '.' or '_' * note that
# mixing the characters counts as a violation of this rule
class HardcodedPassword
include Contrast::Agent::Assess::Rule::Provider::HardcodedValueRule
-
NAME = 'hardcoded-password'
- def rule_id
- NAME
- end
-
+ REDACTED_MARKER = ' = "**REDACTED**"'
+ PROPERTY_NAME_PATTERN = /^[a-z]+[._][._a-z]*[a-z]+$/.cs__freeze
# These are names, determined by the security team (Matt & Ar), that
# indicate a field is likely to be a password or secret token of some
# sort.
PASSWORD_FIELD_NAMES = %w[PASSWORD PASSKEY PASSPHRASE SECRET].cs__freeze
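Review bot: PROPERTY_NAME_PATTERN on the moved line is anchored with `^`/`$`, which in Ruby match at line boundaries rather than string boundaries, so probably_property_name? (its only visible caller, in the last hunk, via `value.match?`) would treat a multi-line literal as a placeholder whenever any one of its lines looks like `foo.bar`, and such a value would presumably then not be reported as a hardcoded password. Unless multi-line values are filtered out before this check, the whole-string anchors are what the "conforming to the patterns below" comment actually describes: `PROPERTY_NAME_PATTERN = /\A[a-z]+[._][._a-z]*[a-z]+\z/.cs__freeze`. REDACTED_MARKER is also the one constant in this hunk not passed through `.cs__freeze`; if the file has no `frozen_string_literal` magic comment it stays mutable, so `REDACTED_MARKER = ' = "**REDACTED**"'.cs__freeze` would match its siblings. The HardcodedPassword class body continues beyond this hunk.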
@@ -32,10 +29,14 @@
NON_PASSWORD_PARTIAL_NAMES = %w[
DATE FORGOT FORM ENCODE PATTERN PREFIX PROP SUFFIX URL BASE FILE
URI
].cs__freeze
+ def rule_id
+ NAME
+ end
+
# If the constant looks like a password and it doesn't look like a
# password descriptor, it passes for this rule
def name_passes? constant_string
PASSWORD_FIELD_NAMES.any? { |name| constant_string.index(name) } &&
NON_PASSWORD_PARTIAL_NAMES.none? { |name| constant_string.index(name) }
@@ -60,15 +61,13 @@
# placeholders will be any non-empty String conforming to the patterns
# below. We do combine the patterns with [\._] as in Ruby these two
# characters are probably more likely to appear together in a
# default placeholder than in a password. Note this is opposite of
# the behavior in Java
- PROPERTY_NAME_PATTERN = /^[a-z]+[._][._a-z]*[a-z]+$/.cs__freeze
def probably_property_name? value
value.match?(PROPERTY_NAME_PATTERN)
end
- REDACTED_MARKER = ' = "**REDACTED**"'
def redacted_marker
REDACTED_MARKER
end
end
end