
JWT Detector Plugin #239

Merged
merged 3 commits into from
Sep 17, 2019

Conversation

gdemarcsek (Contributor) commented Sep 10, 2019

New plugin checking for JWTs

Motivation

The current high-entropy base64 string checker would not find JWTs because they contain dots too. JWTs are more and more widespread - one very good example is Kubernetes API server tokens. The following very typical way of using detect-secrets, for example, would not detect a kubeconfig file committed in the codebase:

detect-secrets scan --use-all-plugins --no-keyword-scan

Of course, Kubernetes is not the only use case, and because JWTs have an easy-to-validate format, I thought it would be worth checking for them as well - I think it's reasonable to expect a low false-positive ratio from this plugin.

How does it work?

I have implemented a simple regex-based plugin that first filters for potential tokens just by looking at the character set and format (see https://tools.ietf.org/html/rfc7519 for details). Then it refines the search by validating the JWT format and encoding (base64url+json). I chose not to include a full JWT library just for this, as I do not need to support signature validation or expiry checking here - I only intend to check that the JWT is formally correct. It shouldn't be too smart anyway. It is generally not possible to know where that JWT is accepted just by looking at it, so verification by network call is not supported by this plugin.

Test cases are documented in the source code for easier review.

KevinHock self-requested a review September 16, 2019 20:30

KevinHock (Collaborator) left a comment

Looks great to me! 🎈 ⚡️

Just one regex change I think


    @staticmethod
    def is_formally_valid(token):
        parts = token.split('.')
KevinHock (Collaborator) commented on the lines above:

Noting for posterity the spec at https://tools.ietf.org/id/draft-jones-json-web-token-04.html#rfc.appendix.Appendix%20B aligns with this code

Specifically:

If the length mod 4 is 0, no padding is added;
if the length mod 4 is 2, two '=' padding characters are added;
if the length mod 4 is 3, one '=' padding character is added;
if the length mod 4 is 1, the input is malformed.

class JwtTokenDetector(RegexBasedDetector):
    secret_type = 'JSON Web Token'
    denylist = [
        re.compile(r'eyJ[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*'),
KevinHock (Collaborator) commented on the lines above, Sep 16, 2019:

Can you add a ? after the *? I believe this will make it non-greedy i.e. more efficient.

In other words

re.compile(r'eyJ[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*?'),

gdemarcsek (Contributor, Author) replied:

@KevinHock Absolutely, and thanks for pointing it out.
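To make the two-stage approach from the PR description (regex pre-filter, then base64url+JSON validation), the padding rule quoted from the JWT draft, and the effect of the quantifier discussed in review concrete, here is an added example in Python. It is not detect-secrets' own code: the two regexes are copied from the review snippets above, while `b64url_decode`, `is_formally_valid`, `decode_claims`, `scan_line`, `make_demo_jwt`, the demo signing key and the kubeconfig-style line are constructed for this example.

```python
"""Formal JWT detection as an added example (not detect-secrets' own code).

Stage one is a cheap regex pre-filter for JWT-shaped strings; stage two
checks that the first two dot-separated segments are base64url-encoded JSON
objects. No signature is verified and no network call is made, matching the
scope the PR description sets out.
"""
import base64
import hashlib
import hmac
import json
import re

# Candidate filter exactly as in the PR, and the variant with the trailing
# lazy quantifier suggested in review.
CANDIDATE_GREEDY = re.compile(r'eyJ[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*')
CANDIDATE_LAZY = re.compile(r'eyJ[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*?')

_B64URL_ALPHABET = re.compile(r'[A-Za-z0-9_-]*')


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment using the padding rule from the JWT draft:
    length mod 4 == 0 -> no padding, 2 -> '==', 3 -> '=', 1 -> malformed."""
    segment = segment.rstrip('=')
    if not _B64URL_ALPHABET.fullmatch(segment):
        raise ValueError('segment contains characters outside the base64url alphabet')
    remainder = len(segment) % 4
    if remainder == 1:
        raise ValueError('malformed base64url segment (length mod 4 == 1)')
    padding = {0: '', 2: '==', 3: '='}[remainder]
    return base64.urlsafe_b64decode(segment + padding)


def is_formally_valid(token: str) -> bool:
    """True if the token has three dot-separated segments and the header and
    payload each decode to a JSON object. The signature segment is not checked."""
    parts = token.split('.')
    if len(parts) != 3:
        return False
    for segment in parts[:2]:
        try:
            decoded = json.loads(b64url_decode(segment))
        except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
            return False
        if not isinstance(decoded, dict):
            return False
    return True


def decode_claims(token: str) -> dict:
    """Return the (unverified) payload claims of a formally valid token."""
    if not is_formally_valid(token):
        raise ValueError('not a formally valid JWT')
    return json.loads(b64url_decode(token.split('.')[1]))


def find_candidates(pattern, text: str) -> list:
    """Stage one: every non-overlapping match of the candidate regex."""
    return [m.group(0) for m in pattern.finditer(text)]


def scan_line(line: str) -> list:
    """Stage one and two combined, using the regex as merged in the PR."""
    return [c for c in find_candidates(CANDIDATE_GREEDY, line) if is_formally_valid(c)]


def make_demo_jwt(payload: dict, key: bytes = b'constructed-demo-key') -> str:
    """Build a constructed HS256 JWT for the demo. The key is a dummy value
    chosen for this example, not a real credential."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(',', ':')).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b'=').decode()
    signing_input = enc({'alg': 'HS256', 'typ': 'JWT'}) + '.' + enc(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + '.' + base64.urlsafe_b64encode(sig).rstrip(b'=').decode()


# Constructed sample: a service-account token as it would appear in a
# kubeconfig file committed to a repository.
DEMO_TOKEN = make_demo_jwt({'sub': 'system:serviceaccount:default:demo', 'iat': 1568160000})
KUBECONFIG_LINE = '    token: ' + DEMO_TOKEN

if __name__ == '__main__':
    print('greedy candidates:', find_candidates(CANDIDATE_GREEDY, KUBECONFIG_LINE))
    print('lazy candidates:  ', find_candidates(CANDIDATE_LAZY, KUBECONFIG_LINE))
    print('formally valid:   ', scan_line(KUBECONFIG_LINE))
    print('claims:           ', decode_claims(DEMO_TOKEN))
```

With the greedy pattern, `scan_line(KUBECONFIG_LINE)` returns the whole demo token. With the lazy `*?` at the very end of the pattern, the match stops right after the second dot, because a trailing lazy quantifier with nothing after it matches as few characters as possible, which is none: the candidate still has three dot-separated segments and passes `is_formally_valid`, but the signature segment is not part of the reported string. `b64url_decode` also rejects a segment whose length mod 4 is 1, as the quoted draft requires, and rejects characters outside the base64url alphabet rather than letting the standard library silently discard them.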

@KevinHock KevinHock merged commit 2648962 into Yelp:master Sep 17, 2019
killuazhu pushed a commit to IBM/detect-secrets that referenced this pull request May 28, 2020
* fix: auto fix ibm_db import issue

Supports https://github.ibm.com/git-defenders/detect-secrets-discuss/issues/306

* fix: support python 2

* fix: cov
killuazhu pushed a commit to IBM/detect-secrets that referenced this pull request Jul 9, 2020
* fix: auto fix ibm_db import issue

Supports https://github.ibm.com/git-defenders/detect-secrets-discuss/issues/306

* fix: support python 2

* fix: cov
killuazhu pushed a commit to IBM/detect-secrets that referenced this pull request Sep 17, 2020
Remove will_be_mocked

fix: auto fix ibm_db import issue (Yelp#239)

Supports https://github.ibm.com/git-defenders/detect-secrets-discuss/issues/306

* fix: support python 2

* fix: cov
2 participants