Update sqlserver redaction, deduplication, and URI redaction (#1369)

* Update sqlserver redaction, deduplication, and URI redaction * don't use pointer
2024-09-20 14:42:03 +00:00 · 2023-06-09 11:06:54 -07:00 · 2023-06-09 11:06:54 -07:00 · ca1947291b
commit ca1947291b
parent c28c70b399
4 changed files with 16 additions and 6 deletions
--- a/pkg/detectors/detectors.go
+++ b/pkg/detectors/detectors.go
@ -2,6 +2,7 @@ package detectors

 import (
 	"context"
+	"net/url"
 	"os"
 	"path/filepath"
 	"runtime"
@ -153,3 +154,8 @@ func MustGetBenchmarkData() map[string][]byte {
 		"big":    big,
 	}
 }
+
+func RedactURL(u url.URL) string {
+	u.User = url.UserPassword(u.User.Username(), "********")
+	return strings.TrimSpace(strings.Replace(u.String(), "%2A", "*", -1))
+}
--- a/pkg/detectors/sqlserver/sqlserver.go
+++ b/pkg/detectors/sqlserver/sqlserver.go
@ -31,22 +31,24 @@ func (s Scanner) Keywords() []string {
 func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
 	matches := pattern.FindAllStringSubmatch(string(data), -1)
 	for _, match := range matches {
-		params, _, err := msdsn.Parse(match[1])
+		paramsUnsafe, _, err := msdsn.Parse(match[1])
 		if err != nil {
 			continue
 		}

-		if params.Password == "" {
+		if paramsUnsafe.Password == "" {
 			continue
 		}

 		detected := detectors.Result{
 			DetectorType: detectorspb.DetectorType_SQLServer,
-			Raw:          []byte(params.Password),
+			Raw:          []byte(paramsUnsafe.Password),
+			RawV2:        []byte(paramsUnsafe.URL().String()),
+			Redacted:     detectors.RedactURL(*paramsUnsafe.URL()),
 		}

 		if verify {
-			verified, err := ping(params)
+			verified, err := ping(paramsUnsafe)
 			if err != nil {
 			} else {
 				detected.Verified = verified
--- a/pkg/detectors/sqlserver/sqlserver_test.go
+++ b/pkg/detectors/sqlserver/sqlserver_test.go
@ -45,6 +45,7 @@ func TestSQLServer_FromChunk(t *testing.T) {
 			want: []detectors.Result{
 				{
 					DetectorType: detectorspb.DetectorType_SQLServer,
+					Redacted:     "sqlserver://sa:********@localhost?database=Demo&disableRetry=false",
 					Verified:     true,
 				},
 			},
@ -66,6 +67,7 @@ func TestSQLServer_FromChunk(t *testing.T) {
 			want: []detectors.Result{
 				{
 					DetectorType: detectorspb.DetectorType_SQLServer,
+					Redacted:     "sqlserver://sa:********@localhost?disableRetry=false",
 					Verified:     false,
 				},
 			},
@ -103,6 +105,7 @@ func TestSQLServer_FromChunk(t *testing.T) {
 			want: []detectors.Result{
 				{
 					DetectorType: detectorspb.DetectorType_SQLServer,
+					Redacted:     "sqlserver://username:********@server_name?database=testdb&disableRetry=false",
 					Verified:     true,
 				},
 			},
--- a/pkg/detectors/uri/uri.go
+++ b/pkg/detectors/uri/uri.go
@ -69,13 +69,12 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 		rawURLStr := rawURL.String()
 		// Removing the path causes possible deduplication issues if some paths have basic auth and some do not.
 		rawURL.Path = ""
-		redact := strings.TrimSpace(strings.Replace(rawURL.String(), password, "********", -1))

 		s := detectors.Result{
 			DetectorType: detectorspb.DetectorType_URI,
 			Raw:          []byte(rawURL.String()),
 			RawV2:        []byte(rawURLStr),
-			Redacted:     redact,
+			Redacted:     detectors.RedactURL(*rawURL),
 		}

 		if verify {