Comments (4)

Sherlock-Holo avatar Sherlock-Holo commented on July 22, 2024

The alkfjlaf^*flkajlfkay7782085ljafg is just me pressing the keyboard randomly to generate some string :)

from ripsecrets.

sirwart avatar sirwart commented on July 22, 2024

I investigated and a regression was recently introduced that didn't detect secrets assigned with the := operator, but I just pushed a fix for that.

Even with that change, though, it still doesn't detect that as a secret, for 2 reasons:

  1. ^ and * are not considered characters that are normally part of secrets
  2. Even without them, the string you typed is not likely to occur randomly. The probability engine gave it only a 0.00000000007% chance of happening randomly, which is below our threshold for considering it a secret.

ethanmsl avatar ethanmsl commented on July 22, 2024

To +1 Sherlock-Holo's original point though -- there's no easy way to tell what secrets ripsecrets does support.

e.g. I just tried dropping a yubikey string into a file and running ripsecrets and nothing came up.

As it is, the only way to understand what the program does and whether it's useful is to figure out how it works, where the files are, and then decipher the Rust + Regex. It's not ergonomic or safe to use if we don't know whether it can catch what we're trying to protect against.

Seems like a very cool tool, but strangely opaque, given its security focus.
Even a quick walkthrough in the README on how it works and where in the source file to look would be helpful. (It looks like there are a small number of predetermined patterns in find_secrets.rs in predefined_secrets_regexes() and then the rest comes down to a "randomness" estimate in p_random.rs which is using some sort of binomial calculation with a focus on bigrams. But I'm not even sure that's everything. Nor is it immediately obvious how the "randomness" calculator works.)

Again, awesome work -- but there are a lot of decisions and judgements and not much transparency.
Inviting the user to the inner workings would be appreciated.
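As an added illustration of the two-stage logic sirwart describes above (a character filter, then a randomness estimate compared against a threshold) and the bigram/binomial scoring ethanmsl points at, here is a toy Python model written for this thread. It is not ripsecrets' own code: the candidate character class, the bigram table, the alphabet size and the threshold are all constructed assumptions, so its verdicts on any particular string will differ from the real tool's.

```python
import math
import re

# All values below are constructed for illustration; they are not the
# tables or thresholds used by ripsecrets.
CANDIDATE = re.compile(r"[A-Za-z0-9_\-]{12,}")   # '^' and '*' are not allowed
ALPHABET_SIZE = 36                               # case-folded letters + digits
SECRET_THRESHOLD = 0.05                          # flag if P(random) >= this

# A small constructed table of bigrams that are frequent in English words
# and source-code identifiers.
COMMON_BIGRAMS = {
    "th", "he", "in", "er", "an", "re", "on", "at", "en", "nd", "ti", "es",
    "or", "te", "of", "ed", "is", "it", "al", "ar", "st", "to", "nt", "ng",
    "se", "ha", "as", "ou", "io", "le", "ve", "co", "me", "de", "hi", "ri",
    "ro", "ic", "ne", "ea", "ra", "ce", "li", "ch", "ll", "be", "ma", "si",
    "om", "ur",
}
# Under the "uniformly random string" hypothesis each bigram is common with
# this probability.
P_COMMON = len(COMMON_BIGRAMS) / ALPHABET_SIZE ** 2


def candidate_tokens(line: str) -> list[str]:
    """Step 1: only runs of secret-like characters are examined at all."""
    return CANDIDATE.findall(line)


def common_bigram_count(token: str) -> tuple[int, int]:
    """Number of common bigrams in the token and the total number of bigrams."""
    pairs = [token[i:i + 2].lower() for i in range(len(token) - 1)]
    return sum(p in COMMON_BIGRAMS for p in pairs), len(pairs)


def p_random(token: str) -> float:
    """Step 2: one-sided binomial tail P(X >= k), the chance that a random
    string of this length contains at least as many common bigrams as the
    token does. Human-written words pile up common bigrams, so the tail is
    tiny for them and stays close to 1 for generated keys."""
    k, n = common_bigram_count(token)
    below = sum(math.comb(n, i) * P_COMMON ** i * (1 - P_COMMON) ** (n - i)
                for i in range(k))
    return 1.0 - below


def find_secrets(line: str) -> list[str]:
    """Tokens that pass both the character filter and the randomness threshold."""
    return [t for t in candidate_tokens(line) if p_random(t) >= SECRET_THRESHOLD]
```

Calling `find_secrets` on a line like `token := abc^*defghijklmnopqrstuv` shows the first stage at work: the `^*` splits the run, so only the tail is ever scored.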

sirwart avatar sirwart commented on July 22, 2024

@ethanmsl I added a "How it works" section to the README to address your feedback: https://github.com/sirwart/ripsecrets#how-it-works. I hope it helps!