sanitize value for \n \r

Samsung · Jul 12, 2024 · 643dc1c · 643dc1c
1 parent 7063dce
commit 643dc1c
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 1 deletion.
diff --git a/credsweeper/common/constants.py b/credsweeper/common/constants.py
@@ -5,7 +5,7 @@
 
 class KeywordPattern:
     """Pattern set of keyword types"""
-    key_left = r"(?P<variable>(([`'\"]+[^:='\"`}<>\\/&?]*|[^:='\"`}<>\s()\\/&?]*)" \
+    key_left = r"(\\{1,80}[nrt])*(?P<variable>(([`'\"]+[^:='\"`}<>\\/&?]*|[^:='\"`}<>\s()\\/&?]*)" \
                r"(?P<keyword>"
     # there will be inserted a keyword
     key_right = r")" \

diff --git a/credsweeper/credentials/line_data.py b/credsweeper/credentials/line_data.py
@@ -32,6 +32,7 @@ class LineData:
     quotation_marks = ('"', "'", '`')
     comment_starts = ("//", "* ", "#", "/*", "<!––", "%{", "%", "...", "(*", "--", "--[[", "#=")
     bash_param_split = re.compile("\\s+(\\-|\\||\\>|\\w+?\\>|\\&)")
+    line_endings = re.compile(r"\\{1,80}[nr]")
     url_param_split = re.compile(r"(%|\\u(00){0,2})(26|3f)", flags=re.IGNORECASE)
     # some symbols e.g. double quotes cannot be in URL string https://www.ietf.org/rfc/rfc1738.txt
     # \ - was added for case of url in escaped string \u0026amp; - means escaped & in HTML
@@ -181,6 +182,12 @@ def clean_bash_parameters(self) -> None:
             #  and value can be split by bash special characters
             if len(value_spl) > 1:
                 self.value = value_spl[0]
+        if ' ' not in self.value and ("\\n" in self.value or "\\r" in self.value):
+            value_spl = self.line_endings.split(self.value)
+            # If variable name starts with `-` (usual case for args in CLI)
+            #  and value can be split by bash special characters
+            if len(value_spl) > 1:
+                self.value = value_spl[0]
 
     def sanitize_variable(self) -> None:
         """Remove trailing spaces, dashes and quotations around the variable. Correct position."""

diff --git a/tests/test_main.py b/tests/test_main.py
@@ -802,6 +802,8 @@ def test_param_n(self) -> None:
     def test_param_p(self) -> None:
         # internal parametrized tests for quick debug
         items = [  #
+            ("log.txt", b'json\\nAuthorization: Basic jfhlksadjiu9813ryiuhdfskadjlkjh34\\n\\u003c/code\\u003e\\u003c/pre\\u003e"',
+             "Authorization", "jfhlksadjiu9813ryiuhdfskadjlkjh34"),
             ("pwd.py", b'password = "ji3_8iKgaW_R~0/8"', "password", "ji3_8iKgaW_R~0/8"),
             ("pwd.py", b'password = "/_tcTz<D8sWXsW<E"', "password", "/_tcTz<D8sWXsW<E"),
             ("pwd.py", b'password = "I:FbCnXQc/9E02Il"', "password", "I:FbCnXQc/9E02Il"),