Extend allowlist & handle extend when validating #1524
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This comment was marked as outdated.
This comment was marked as outdated.
d825dd8 to
3e99a86
Compare
3e99a86 to
87bec7b
Compare
zricethezav
reviewed
Sep 25, 2024
| c.OrderedRules = append(c.OrderedRules, ruleID) | ||
| } else { | ||
| // Rule exists, merge our changes into the base. |
There was a problem hiding this comment.
Do you think there are any other fields we should append or overwrite?
There was a problem hiding this comment.
I would suggest adding RegexTarget as well:
diff --git a/config/config.go b/config/config.go
index caea22f..34e5f98 100644
--- a/config/config.go
+++ b/config/config.go
@@ -252,6 +252,7 @@ func (c *Config) extend(extensionConfig Config) {
baseRule.Allowlist.Commits = append(baseRule.Allowlist.Commits, currentRule.Allowlist.Commits...)
baseRule.Allowlist.Paths = append(baseRule.Allowlist.Paths, currentRule.Allowlist.Paths...)
baseRule.Allowlist.Regexes = append(baseRule.Allowlist.Regexes, currentRule.Allowlist.Regexes...)
+ baseRule.Allowlist.RegexTarget = currentRule.Allowlist.RegexTarget
baseRule.Allowlist.StopWords = append(baseRule.Allowlist.StopWords, currentRule.Allowlist.StopWords...)
delete(c.Rules, ruleID)I have a case where I must use line and the change above would enable extend for us.
There was a problem hiding this comment.
I just made #1536 to cover that case
There was a problem hiding this comment.
I'm surprised this didn't get caught earlier; I believe this makes it impossible to use most of the rule attributes documented in the README:
# An array of tables that contain information that define instructions
# on how to detect secrets
[[rules]]
# Unique identifier for this rule
id = "awesome-rule-1"
# Short human readable description of the rule.
description = "awesome rule 1"
# Golang regular expression used to detect secrets. Note Golang's regex engine
# does not support lookaheads.
regex = '''one-go-style-regex-for-this-rule'''
# Golang regular expression used to match paths. This can be used as a standalone rule or it can be used
# in conjunction with a valid `regex` entry.
path = '''a-file-path-regex'''
# Array of strings used for metadata and reporting purposes.
tags = ["tag","another tag"]
# Int used to extract secret from regex match and used as the group that will have
# its entropy checked if `entropy` is set.
secretGroup = 3
# Float representing the minimum shannon entropy a regex group must have to be considered a secret.
entropy = 3.5https://github.com/gitleaks/gitleaks?tab=readme-ov-file#configuration
|
Hello, this broke the ability to override the entropy of rules. With [extend]
useDefault = true
[[rules]]
id = "finicity-client-secret"
entropy = 4 |
Hey @9999years, can you elaborate on what you expect to happen and which version you upgraded from? As far as I'm aware, that would have never worked. Prior this this PR,
https://github.com/gitleaks/gitleaks/blob/v8.19.2/config/config.go#L237 Edit: prior to v8.19.3, the example you provided makes "finicity-client-secret": {
RuleID: "finicity-client-secret",
- Description: "Identified a Finicity Client Secret, which could lead to compromised financial service integrations and data breaches.",
+ Description: "",
- Regex: s`(?i)(?:finicity)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]`...,
- Regex: nil.
+ Entropy: 4,
- Keywords: []string{"finicity"},
+ Keywords: []string{},
}, |
|
@rgmz Just a minimal example. Our actual configuration looks like this: [[rules]]
description = "Finicity Client Secret"
id = "finicity-client-secret"
regex = '''(?i)(?:finicity)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:{1,3}=|\|\|:|<=|=>|:|\?=)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{20})(?:['|\"|\n|\r|\s|\x60|;]|$)'''
secretGroup = 1
entropy = 4
keywords = ["finicity"] |
9999years
added a commit
to 9999years/gitleaks
that referenced
this pull request
Oct 9, 2024
PR gitleaks#1524 broke the ability to specify a `[[rules]]` with the same ID as a built-in rule in order to extend the default configuration. This PR restores this ability, but merges the provided configuration with the default rule instead of overwriting the default rule wholesale.
zricethezav
pushed a commit
that referenced
this pull request
Oct 10, 2024
* Reimplement the ability to override built-in rules PR #1524 broke the ability to specify a `[[rules]]` with the same ID as a built-in rule in order to extend the default configuration. This PR restores this ability, but merges the provided configuration with the default rule instead of overwriting the default rule wholesale. * Add tests * Append keywords and tags
alayne222
pushed a commit
to alayne222/gitleaks
that referenced
this pull request
May 28, 2025
alayne222
pushed a commit
to alayne222/gitleaks
that referenced
this pull request
May 28, 2025
* Reimplement the ability to override built-in rules PR gitleaks#1524 broke the ability to specify a `[[rules]]` with the same ID as a built-in rule in order to extend the default configuration. This PR restores this ability, but merges the provided configuration with the default rule instead of overwriting the default rule wholesale. * Add tests * Append keywords and tags
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
This fixes #1523.
Checklist: