False Positive for 'Password in URL' regex #216
Comments
I would guess something like this:
FWIW I tried fiddling and came to something like this for a partial (though still imperfect) improvement.
Hi @mrubino-godaddy, thanks for reporting this! Is there any chance you would be able to take a stab at a PR for an improved regex for this purpose? The regexes are now all contained within the
The regex might need to be aligned to the standard definition of a URL, see RFC3986 §3.2
where it was previously defined that:
so from all of that, in theory,
Even better: don't use regexps to parse URLs (it is tricky). Use a library that will do it properly. From it, it will extract the components, including the
🐛 Bug Report
The regex for the 'Password in URL' produces false positives when attempting to externalize the password.
To Reproduce
Have a file with the given text (in this case a Dockerfile or GitHub Actions file). The password is externalized into a variable and then injected into the URL.
or
Expected Behavior
The tartufo scan should pass and allow for externalize/parameterized URL auth.
Environment
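As an added example (not tartufo's own code), this follows the suggestion in the comments to parse the URL with a library rather than a regex, and covers the externalized-password case from the report: urlsplit extracts the RFC 3986 userinfo password, and a finding is reported only when that password is not a variable placeholder. The placeholder syntaxes, the URL locator regex and the sample lines are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# Placeholder syntaxes used to inject an externalized secret into a URL
# (assumed for this example): ${VAR}, $VAR, {{expr}}, %VAR%.
PLACEHOLDER_RE = re.compile(
    r"^(\$\{[A-Za-z_][A-Za-z0-9_]*\}|\$[A-Za-z_][A-Za-z0-9_]*"
    r"|\{\{.*\}\}|%[A-Za-z_][A-Za-z0-9_]*%)$"
)

# Loose locator for URL-like tokens in free text; the structural
# parsing itself is delegated to urlsplit, not to this regex.
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s\"'<>]+")


def url_password(url):
    """Return the password from the userinfo component, or None.
    urlsplit follows RFC 3986 section 3.2: authority is
    [userinfo@]host[:port], and userinfo is split on the first ':'."""
    try:
        return urlsplit(url).password
    except ValueError:
        return None


def is_placeholder(value):
    """True when the password is a variable reference, not a literal."""
    return bool(PLACEHOLDER_RE.match(value))


def scan_text(text):
    """Return [(url, password)] for URLs carrying a literal password."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        password = url_password(url)
        if not password or is_placeholder(password):
            continue  # no password, empty password, or externalized
        findings.append((url, password))
    return findings


# Constructed sample lines: three externalized passwords, one literal,
# and one URL with no userinfo at all.
SAMPLE = """\
ENV DB_URL=postgres://app:${DB_PASSWORD}@db.example.internal:5432/app
RUN curl https://deploy:$TOKEN@artifacts.example.internal/pkg.tgz
url: https://svc:{{secrets.SVC_PASSWORD}}@svc.example.internal/api
url: https://svc:hunter2@svc.example.internal/api
url: https://nopass.example.internal/api
"""
```

Running scan_text(SAMPLE) reports only the hunter2 URL; the three placeholder forms pass, which is the behaviour the report asks for.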