From 92b13be668bd20f8e9dac2f0cb8e5a2708b9b3b5 Mon Sep 17 00:00:00 2001
From: afdesk <work@afdesk.com>
Date: Tue, 23 Jul 2024 16:59:39 +0600
Subject: [PATCH] fix(secret): trim excessively long lines (#7192)

---
 pkg/fanal/secret/scanner.go             | 14 ++++++--
 pkg/fanal/secret/scanner_test.go        | 46 ++++++++++++++++++++-----
 pkg/fanal/secret/testdata/obfuscated.js |  1 +
 3 files changed, 51 insertions(+), 10 deletions(-)
 create mode 100644 pkg/fanal/secret/testdata/obfuscated.js

diff --git a/pkg/fanal/secret/scanner.go b/pkg/fanal/secret/scanner.go
index cc022bb82db4..c006a38b63a1 100644
--- a/pkg/fanal/secret/scanner.go
+++ b/pkg/fanal/secret/scanner.go
@@ -476,7 +476,10 @@ func toFinding(rule Rule, loc Location, content []byte) types.SecretFinding {
 	}
 }
 
-const secretHighlightRadius = 2 // number of lines above + below each secret to include in code output
+const (
+	secretHighlightRadius = 2   // number of lines above + below each secret to include in code output
+	maxLineLength         = 100 // all lines longer will be cut off
+)
 
 func findLocation(start, end int, content []byte) (int, int, types.Code, string) {
 	startLineNum := bytes.Count(content[:start], lineSep)
@@ -511,9 +514,16 @@ func findLocation(start, end int, content []byte) (int, int, types.Code, string)
 	rawLines := lines[codeStart:codeEnd]
 	var foundFirst bool
 	for i, rawLine := range rawLines {
-		strRawLine := string(rawLine)
 		realLine := codeStart + i
 		inCause := realLine >= startLineNum && realLine <= endLineNum
+
+		var strRawLine string
+		if len(rawLine) > maxLineLength {
+			strRawLine = lo.Ternary(inCause, matchLine, string(rawLine[:maxLineLength]))
+		} else {
+			strRawLine = string(rawLine)
+		}
+
 		code.Lines = append(code.Lines, types.Line{
 			Number:      codeStart + i + 1,
 			Content:     strRawLine,
diff --git a/pkg/fanal/secret/scanner_test.go b/pkg/fanal/secret/scanner_test.go
index 04f1f08fc1b2..e5b8f68f943d 100644
--- a/pkg/fanal/secret/scanner_test.go
+++ b/pkg/fanal/secret/scanner_test.go
@@ -353,8 +353,8 @@ func TestSecretScanner(t *testing.T) {
 			Lines: []types.Line{
 				{
 					Number:      1,
-					Content:     "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa GITHUB_PAT=**************************************** bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
-					Highlighted: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa GITHUB_PAT=**************************************** bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+					Content:     "aaaaaaaaaaaaaaaaaa GITHUB_PAT=**************************************** bbbbbbbbbbbbbbbbbbb",
+					Highlighted: "aaaaaaaaaaaaaaaaaa GITHUB_PAT=**************************************** bbbbbbbbbbbbbbbbbbb",
 					IsCause:     true,
 					FirstCause:  true,
 					LastCause:   true,
@@ -462,8 +462,8 @@ func TestSecretScanner(t *testing.T) {
 			Lines: []types.Line{
 				{
 					Number:      1,
-					Content:     "{\"key\": \"-----BEGIN RSA PRIVATE KEY-----**************************************************************************************************************************-----END RSA PRIVATE KEY-----\\n\"}",
-					Highlighted: "{\"key\": \"-----BEGIN RSA PRIVATE KEY-----**************************************************************************************************************************-----END RSA PRIVATE KEY-----\\n\"}",
+					Content:     "----BEGIN RSA PRIVATE KEY-----**************************************************************************************************************************-----END RSA PRIVATE",
+					Highlighted: "----BEGIN RSA PRIVATE KEY-----**************************************************************************************************************************-----END RSA PRIVATE",
 					IsCause:     true,
 					FirstCause:  true,
 					LastCause:   true,
@@ -483,8 +483,8 @@ func TestSecretScanner(t *testing.T) {
 			Lines: []types.Line{
 				{
 					Number:      1,
-					Content:     "-----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************-----END RSA PRIVATE KEY-----",
-					Highlighted: "-----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************-----END RSA PRIVATE KEY-----",
+					Content:     "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************-----END RSA PRIVATE",
+					Highlighted: "----BEGIN RSA PRIVATE KEY-----****************************************************************************************************************************************************************************************-----END RSA PRIVATE",
 					IsCause:     true,
 					FirstCause:  true,
 					LastCause:   true,
@@ -504,8 +504,8 @@ func TestSecretScanner(t *testing.T) {
 			Lines: []types.Line{
 				{
 					Number:      1,
-					Content:     "-----BEGIN RSA PRIVATE KEY-----**************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE KEY-----",
-					Highlighted: "-----BEGIN RSA PRIVATE KEY-----**************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE KEY-----",
+					Content:     "----BEGIN RSA PRIVATE KEY-----**************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE",
+					Highlighted: "----BEGIN RSA PRIVATE KEY-----**************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END RSA PRIVATE",
 					IsCause:     true,
 					FirstCause:  true,
 					LastCause:   true,
@@ -667,6 +667,27 @@ func TestSecretScanner(t *testing.T) {
 			},
 		},
 	}
+	wantFindingTokenInsideJs := types.SecretFinding{
+		RuleID:    "stripe-publishable-token",
+		Category:  "Stripe",
+		Title:     "Stripe Publishable Key",
+		Severity:  "LOW",
+		StartLine: 1,
+		EndLine:   1,
+		Match:     "){case a.ez.PRODUCTION:return\"********************************\";case a.ez.TEST:cas",
+		Code: types.Code{
+			Lines: []types.Line{
+				{
+					Number:      1,
+					Content:     "){case a.ez.PRODUCTION:return\"********************************\";case a.ez.TEST:cas",
+					Highlighted: "){case a.ez.PRODUCTION:return\"********************************\";case a.ez.TEST:cas",
+					IsCause:     true,
+					FirstCause:  true,
+					LastCause:   true,
+				},
+			},
+		},
+	}
 
 	tests := []struct {
 		name          string
@@ -982,6 +1003,15 @@ func TestSecretScanner(t *testing.T) {
 				Findings: []types.SecretFinding{wantMultiLine},
 			},
 		},
+		{
+			name:          "long obfuscated js code with secrets",
+			configPath:    filepath.Join("testdata", "skip-test.yaml"),
+			inputFilePath: filepath.Join("testdata", "obfuscated.js"),
+			want: types.Secret{
+				FilePath: filepath.Join("testdata", "obfuscated.js"),
+				Findings: []types.SecretFinding{wantFindingTokenInsideJs},
+			},
+		},
 	}
 
 	for _, tt := range tests {
diff --git a/pkg/fanal/secret/testdata/obfuscated.js b/pkg/fanal/secret/testdata/obfuscated.js
new file mode 100644
index 000000000000..f3e1c53be227
--- /dev/null
+++ b/pkg/fanal/secret/testdata/obfuscated.js
@@ -0,0 +1 @@
+"use strict";(self.webpackChunkmattermost_webapp=self.webpackChunkmattermost_webapp||[]).push([[8055],{59713:(e,t,n)=>{n.d(t,{$d:()=>b,DF:()=>G,Du:()=>B,GA:()=>F,Is:()=>M,JJ:()=>J,K6:()=>re,KB:()=>f,KO:()=>x,Md:()=>ae,NB:()=>ce,O$:()=>E,OT:()=>ee,QQ:()=>oe,SP:()=>K,Sm:()=>se,T8:()=>Y,UV:()=>pe,W3:()=>C,X$:()=>X,_9:()=>de,a6:()=>Q,d1:()=>ne,d5:()=>$,dA:()=>te,gY:()=>ie,go:()=>T,h5:()=>z,iB:,n(61418);var a=n(17554),s=n(98644),i=n(80139),r=n(23712);function o(e){return{type:r.MF.NEEDS_LOGGED_IN_LIMIT_REACHED_CHECK,data:e}}function l(e).func,onInputChange:s().func,onInputBlur:s().func,buttonFooter:s().element},M.defaultProps={className:""};const T=M},30736:(e,t,n)=>{n.d(t,{Z:()=>u});var a=n(23615),s=n.n(a),i=(n(48410),n(84390)),r=n.n(i),o=n(72060),l=n(80623),c=n(83398);const d=[{code:"AL",name:"Alabama"},{code:"AK",name:"Alaska"},{code:"AZ",name:"Arizona"},{code:"AR",name:"Arkansas"},{code:"CA",name:"California"},{code:"CO",name:"Colorado"},{code:"CT",name:"Connecticut"},{code:"DE",name:"Delaware"},{code:"DC",name:"District of Columbia"},{code:"FL",name:"Florida"},{code:"GA",name:"Georgia"},{code:"HI",name:"Hawaii"},{code:"ID",name:"Idaho"},{code:"IL",name:"Illinois"},{code:"IN",name:"Indiana"},{code:"IA",name:"Iowa"},{code:"KS",name:"Kansas"},{code:"KY",name:"Kentucky"},{code:"LA",name:"Louisiana"},{code:"ME",name:"Maine"},{code:"MD",name:"Maryland"},{code:"MA",name:"Massachusetts"},{code:"MI",name:"Michigan"},{code:"MN",name:"Minnesota"},{code:"MS",name:"Mississippi"},{code:"MO",name:"Missouri"},{code:"MT",name:"Montana"},{code:"NE",name:"Nebraska"},{code:"NV",name:"Nevada"},{code:"NH",name:"New Hampshire"},{code:"NJ",name:"New Jersey"},{code:"NM",name:"New Mexico"},{code:"NY",name:"New York"},{code:"NC",name:"North Carolina"},{code:"ND",name:"North Dakota"},{code:"OH",name:"Ohio"},{code:"OK",name:"Oklahoma"},{code:"OR",name:"Oregon"},{code:"PA",name:"Pennsylvania"},{code:"PR",name:"Puerto Rico"},{code:"RI",name:"Rhode Island"},{code:"SC",name:"South Carolina"},{code:"SD",name:"South Dakota"},{code:"TN",name:"Tennessee"},{code:"TX",name:"Texas"},{code:"UT",name:"Utah"},{code:"VT",name:"Vermont"},{code:"VA",name:"Virginia"},{code:"WA",name:"Washington"},{code:"WV",name:"West Virginia"},{code:"WI",name:"Wisconsin"},{code:"WY",name:"Wyoming"}],m=[{code:"AB",name:"Alberta"},{code:"BC",name:"British Columbia"},{code:"MB",name:"Manitoba"},{code:"NB",name:"New Brunswick"},{code:"NL",name:"Newfoundland and Labrador"},{code:"NT",name:"Northwest Territories"},{code:"NS",name:"Nova Scotia"},{code:"NU",name:"Nunavut"},{code:"ON",name:"Ontario"},{code:"PE",name:"Prince Edward Island"},{code:"QC",name:"Quebec"},{code:"SK",name:"Saskatchewan"},{code:"YT",name:"Yukon Territory"}];function u(e){const{formatMessage:t}=(0,o.useIntl)(),n=t=>{e.onChange(t.value)};let a=[];if("US"===e.country?a=d:"CA"===e.country&&(a=m),a.length>0){const s={};return e.testId&&(s.testId=e.testId),r().createElement(l.Z,Object.assign({},s,{onChange:n,value:e.state?{value:e.state,label:e.state}:void 0,options:a.map((e=>({value:e.code,label:e.name}))),legend:t({id:"admin.billing.subscription.stateprovince",defaultMessage:"State/Province"}),placeholder:t({id:"admin.billing.subscription.stateprovince",defaultMessage:"State/Province"}),name:"country_dropdown"}))}return r().createElement(c.Z,{name:"state",type:"text",value:e.state,onChange:t=>{e.onChange(t.target.value)},onBlur:e.onBlur,placeholder:t({id:"admin.billing.subscription.stateprovince",defaultMessage:"State/Province"}),required:!0})}u.propTypes={country:s().string.isRequired,state:s().string.isRequired,testId:s().string,onChange:s().func.isRequired,onBlur:s().func}},35154:(e,t,n)=>{n.d(t,{li:()=>r,tt:()=>l,wW:()=>o}),n(61418);var a=n(2507);function s(e){return e}function i(e){return async(e,t,n)=>({setupIntent:{id:"testid",status:"succeeded"}})}const r=e=>e?i:s,o="https://fonts.googleapis.com/css?family=Open+Sans:400,400i,600,600i&display=swap",l=e=>{switch(e.entities.general.config.ServiceEnvironment){case a.ez.PRODUCTION:return"pk_live_xXX1xXXXx1xXxXxxx11x1XXX";case a.ez.TEST:case a.ez.DEV:return""}return""}},21500:(e,t,n)=>{n.r(t),n.d(t,{default:()=>h});var a=n(23615),s=n.n(a),i=(n(61418),n(14078),n(48410),n(92189),n(66726)),r=n.n(i),o=n(84390),l=n.n(o),c=n(47407),d=n(83765),m=n(26337),u=n(41894);function p(e,t,n){return(t=function(e){var t=function(e,t){if("object"!=typeof e||null===e)return e;var n=e[Symbol.toPrimitive];if(void 0!==n){var a=n.call(e,"string");if("object"!=typeof a)return a;throw new TypeError("@@toPrimitive must return a primitive value.")}return String(e)}(e);return"symbol"==typeof t?t:String(t)}(t))in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}class h extends l().PureComponent{constructor(e){super(e),p(this,"parentNode",null),p(this,"pdfCanvasRef",{}),p(this,"downloadFile",(e=>{const t=this.props.fileInfo.link||(0,c.gN)(this.props.fileInfo.id);e.preventDefault(),window.location.href=t})),p(this,"isInViewport",(e=>{var t,n,a,s;const i=e.getBoundingClientRect(),r=null!==(t=null===(n=this.container.current)||void 0===n?void 0:n.scrollTop)&&void 0!==t?t:0,o=r+(null!==(a=null===(s=this.parentNode)||void 0===s?void 0:s.clientHeight)&&void 0!==a?a:0);return i.top>=r&&i.top<=o||i.bottom>=r&&i.bottom<=o||i.top<=r&&i.bottom>=o})),p(this,"renderPDFPage",(async e=>{const t=this.pdfCanvasRef["pdfCanvasRef-".concat(e)].current;if(!t)return;if(e>=3&&!this.isInViewport(t))return;if(this.pdfPagesRendered[e])return;const n=await this.loadPage(this.state.pdf,e),a=t.getContext("2d"),s=n.getViewport({scale:this.props.scale});t.height=s.height,t.width=s.width;const i={canvasContext:a,viewport:s};await n.render(i).promise,this.pdfPagesRendered[e]=!0})),p(this,"getPdfDocument",(async()=>{try{const e=await Promise.all([n.e(7803),n.e(9707)]).then(n.t.bind(n,47803,23)),t=await n.e(5456).then(n.t.bind(n,65456,23));e.GlobalWorkerOptions.workerSrc=t;const a=await e.getDocument({url:this.props.fileUrl,cMapUrl:(0,u.fO)()+"/static/cmaps/",cMapPacked:!0}).promise;this.onDocumentLoad(a)}catch(e){this.onDocumentLoadError(e)}})),p(this,"onDocumentLoad",(e=>{this.setState({pdf:e,numPages:e.numPages});for(let t=0;t<e.numPages;t++)this.pdfCanvasRef["pdfCanvasRef-".concat(t)]=l().createRef();this.setState({loading:!1,success:!0})})),p(this,"onDocumentLoadError",(e=>{console.log("Unable to load PDF preview: "+e),this.setState({loading:!1,success:!1})})),p(this,"loadPage",(async(e,t)=>{if(this.state.pdfPagesLoaded[t])return this.state.pdfPages[t];const n=await e.getPage(t+1),a=Object.assign({},this.state.pdfPages);a[t]=n;)
\ No newline at end of file