To many false positives for private key scanning

benibenj · benibenj · commit 649ca03d4bd2 · 2025-05-16T15:10:11.000+02:00
diff --git a/src/package.ts b/src/package.ts
@@ -2123,6 +2123,10 @@ enum FileExclusionType {
 }
 
 export async function scanFilesForSecrets(files: IFile[], fileExclusion: FileExclusionType, options: IPackageOptions): Promise<void> {
+	if (options.allowPackageAllSecrets && options.allowPackageEnvFile) {
+		return; // No need to scan
+	}
+
 	const onDiskFiles: ILocalFile[] = files.filter(file => !isInMemoryFile(file)) as ILocalFile[];
 	const inMemoryFiles: IInMemoryFile[] = files.filter(file => isInMemoryFile(file)) as IInMemoryFile[];
 
diff --git a/src/secretLint.ts b/src/secretLint.ts
@@ -17,8 +17,18 @@ const lintConfig = {
 			id: "@secretlint/secretlint-rule-preset-recommend",
 			rules: [
 				{
-					"id": "@secretlint/secretlint-rule-basicauth",
-					"allowMessageIds": ["BasicAuth"]
+					id: "@secretlint/secretlint-rule-basicauth",
+					allowMessageIds: ["BasicAuth"]
+				},
+				{
+					id: "@secretlint/secretlint-rule-privatekey",
+					options: {
+						allows: [
+							// Allow all keys which do not start and end with the BEGIN/END PRIVATE KEY and has at least 50 characters in between
+							// https://github.com/microsoft/vscode-vsce/issues/1147
+							"/^(?![\\s\\S]*-----BEGIN .*PRIVATE KEY-----[A-Za-z0-9+/=\\r\\n]{50,}-----END .*PRIVATE KEY-----)[\\s\\S]*$/"
+						]
+					}
 				}
 			]
 		}, {
diff --git a/src/test/fixtures/secrets/LICENSE b/src/test/fixtures/secrets/LICENSE
diff --git a/src/test/fixtures/secrets/README.md b/src/test/fixtures/secrets/README.md
diff --git a/src/test/fixtures/secrets/noSecret1.ts b/src/test/fixtures/secrets/noSecret1.ts
diff --git a/src/test/fixtures/secrets/noSecret1Ignore b/src/test/fixtures/secrets/noSecret1Ignore
@@ -0,0 +1,2 @@
+**secret**
+!noSecret1.ts
diff --git a/src/test/fixtures/secrets/noSecret2.ts b/src/test/fixtures/secrets/noSecret2.ts
@@ -0,0 +1,14 @@
+// https://github.com/microsoft/vscode-vsce/issues/1147
+let privateB64 = '-----BEGIN PRIVATE KEY-----\n';
+privateB64 += 'ABC\n';
+privateB64 += '-----END PRIVATE KEY-----\n';
+
+const description = ` This is some description test
+
+      \`\`\`ini
+      key="-----BEGIN PRIVATE KEY-----\\nXXXX\\nXXXX\\n-----END PRIVATE KEY-----"
+      \`\`\`
+
+      some other text.
+    `;
+
diff --git a/src/test/fixtures/secrets/noSecret2Ignore b/src/test/fixtures/secrets/noSecret2Ignore
@@ -0,0 +1,2 @@
+**secret**
+!noSecret2.ts
diff --git a/src/test/fixtures/secrets/package.json b/src/test/fixtures/secrets/package.json
@@ -4,11 +4,5 @@
 	"version": "1.0.0",
 	"engines": {
 		"vscode": "*"
-	},
-	"files": [
-		"main.ts",
-		"package.json",
-		"LICENSE",
-		"README.md"
-	]
+	}
 }
diff --git a/src/test/fixtures/secrets/secret1.ts b/src/test/fixtures/secrets/secret1.ts
@@ -0,0 +1,10 @@
+export const k = `
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+1zaGEyLW5pc3RwMjU2A564CG5pc3RwMjU2AAAAQQR+598gRY+O8LM7Jk80+etTh+Hi4zUW
+Pj7jrQoOPbvvkLKhPMHPXaVsXScxbFe87++o9Qn0h9AKtp+Rvf4mHSqwAAAAoKDtkvGg7Z
+LxAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAA123bmlzdHAyNTYAAABBBH7n3yBFj47wszsm
+TzT561OH4eLjNRY+PuOtCg49u++QsqE8wc9dpWxdJzFsV7zv76j1CfSH0Aq2n5G9/iYdKr
+AAAAAgNbbtcAGWxT7sR5Rbth6D/4MPQd+LO5ljjbjHQlu9KdUAAAAGbm9uYW1lAQI=
+-----END OPENSSH PRIVATE KEY-----
+`
diff --git a/src/test/fixtures/secrets/secret1Ignore b/src/test/fixtures/secrets/secret1Ignore
@@ -0,0 +1,2 @@
+**secret**
+!secret1.ts
diff --git a/src/test/package.test.ts b/src/test/package.test.ts
@@ -395,18 +395,33 @@ describe('collect', function () {
 	});
 
 	it('should not package file which has a private key', async function () {
-		const cwd = fixture('secret');
-		await processExitExpected(() => pack({ cwd, packagePath: getVisxOutputPath() }), 'Expected package to throw: file which has a private key should not be packaged');
+		const cwd = fixture('secrets');
+		const ignoreFile = path.join(cwd, 'secret1Ignore');
+		await processExitExpected(() => pack({ cwd, packagePath: getVisxOutputPath(), ignoreFile }), 'Expected package to throw: file which has a private key should not be packaged');
 	});
 
 	it('allow packaging file which has a private key with --allow-package-secrets', async function () {
-		const cwd = fixture('secret');
-		await pack({ cwd, allowPackageSecrets: ['privatekey'], packagePath: getVisxOutputPath() });
+		const cwd = fixture('secrets');
+		const ignoreFile = path.join(cwd, 'secret1Ignore');
+		await pack({ cwd, allowPackageSecrets: ['privatekey'], packagePath: getVisxOutputPath(), ignoreFile });
 	});
 
 	it('allow packaging file which has a private key with --allow-package-all-secrets', async function () {
-		const cwd = fixture('secret');
-		await pack({ cwd, allowPackageAllSecrets: true, packagePath: getVisxOutputPath() });
+		const cwd = fixture('secrets');
+		const ignoreFile = path.join(cwd, 'secret1Ignore');
+		await pack({ cwd, allowPackageAllSecrets: true, packagePath: getVisxOutputPath(), ignoreFile });
+	});
+
+	it('private key false positive 1', async function () {
+		const cwd = fixture('secrets');
+		const ignoreFile = path.join(cwd, 'noSecret1Ignore');
+		await pack({ cwd, allowPackageAllSecrets: true, packagePath: getVisxOutputPath(), ignoreFile });
+	});
+
+	it('private key false positive 2', async function () {
+		const cwd = fixture('secrets');
+		const ignoreFile = path.join(cwd, 'noSecret2Ignore');
+		await pack({ cwd, allowPackageAllSecrets: true, packagePath: getVisxOutputPath(), ignoreFile });
 	});
 });
 

Original file line number	Diff line number	Diff line change
`@@ -2123,6 +2123,10 @@ enum FileExclusionType {`
`2123`	`2123`	`}`
`2124`	`2124`
`2125`	`2125`	`export async function scanFilesForSecrets(files: IFile[], fileExclusion: FileExclusionType, options: IPackageOptions): Promise<void> {`
	`2126`	`+ if (options.allowPackageAllSecrets && options.allowPackageEnvFile) {`
	`2127`	`+ return; // No need to scan`
	`2128`	`+ }`
	`2129`	`+`
`2126`	`2130`	`const onDiskFiles: ILocalFile[] = files.filter(file => !isInMemoryFile(file)) as ILocalFile[];`
`2127`	`2131`	`const inMemoryFiles: IInMemoryFile[] = files.filter(file => isInMemoryFile(file)) as IInMemoryFile[];`
`2128`	`2132`