Description
Mago reports a false positive:
```
error[no-literal-password]: Literal passwords or sensitive data should not be stored in code.
   ┌─ types/tic/tic_perm_modify.event.php:23:5
   │
23 │     $has_token = 0;
   │     ^^^^^^^^^^   - Literal value used here.
   │     │
   │     Sensitive item found here.
   │
   = Storing passwords or sensitive information as literals in code is a security risk.
   = This can lead to accidental exposure of sensitive data in version control or logs.
   = Help: Use environment variables or secure configuration management instead.
```
The reason for that is the overly simple / aggressive password detection in crates/linter/src/rule/utils/security.rs quoted below.
btw: IIUC, you don't need the starts_with $/get related code.
```rust
/// Heuristic behind the `no-literal-password` rule: an identifier is treated
/// as sensitive purely on the basis of its suffix.
pub fn is_password(mut str: &str) -> bool {
    // cli flags, e.g `$foo === '--password'` -> ignore
    if str.starts_with("--") {
        return false;
    }
    // Drop a leading PHP variable sigil: `$password` -> `password`.
    if str.starts_with('$') {
        str = &str[1..];
    }
    // Drop a getter prefix: `getPassword` -> `Password`, `get_password` -> `password`.
    if str.starts_with("get") {
        str = &str[3..];
        if str.starts_with('_') {
            str = &str[1..];
        }
    }
    // Only the suffix is consulted, so any name ending in one of these words
    // matches, including `$has_token` from the report above.
    let lower = str.to_lowercase();
    if lower.ends_with("password")
        || lower.ends_with("token")
        || lower.ends_with("secret")
        || lower.ends_with("apikey")
        || lower.ends_with("api_key")
    {
        return true;
    }
    false
}
```
Playground Link
https://mago.carthage.software/playground#019d2448-15b5-82d5-ae6f-eaa4266bb001
Reproduction
No response
Environment
linux, though it doesn't matter.
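As an added example (this is not Mago's code and not the project's fix), the block below reproduces the suffix-only check quoted in the report and pairs it with a hypothetical tighter variant: a name is only reported when the literal assigned to it is a non-empty string and the name is not a boolean/count-style flag such as `has_token`. The `Literal` enum, `is_sensitive_literal`, `scan_assignments`, the flag-prefix list and the sample assignments are all assumptions of this example, not Mago APIs.

```rust
// Added example, not Mago's code. The name/literal pairs below are constructed
// sample input modelled on the `$has_token = 0;` line from the report.

/// Kinds of PHP literal an assignment might carry (simplified, hypothetical).
#[derive(Debug, Clone, Copy, PartialEq)]
enum Literal<'a> {
    Str(&'a str),
    Int(i64),
    Bool(bool),
    Null,
}

/// Same logic as the `is_password` quoted from security.rs, reproduced here
/// only so the two behaviours can be compared side by side.
fn is_password_original(mut s: &str) -> bool {
    if s.starts_with("--") {
        return false;
    }
    if s.starts_with('$') {
        s = &s[1..];
    }
    if s.starts_with("get") {
        s = &s[3..];
        if s.starts_with('_') {
            s = &s[1..];
        }
    }
    let lower = s.to_lowercase();
    lower.ends_with("password")
        || lower.ends_with("token")
        || lower.ends_with("secret")
        || lower.ends_with("apikey")
        || lower.ends_with("api_key")
}

/// Prefixes that mark a flag or counter *about* a secret rather than the
/// secret itself (assumed list, not from the project).
const FLAG_PREFIXES: &[&str] = &["has_", "is_", "use_", "needs_", "require_", "num_", "count_"];

/// Hypothetical tightened check: keep the suffix heuristic, but only report
/// when the literal could actually hold a credential (a non-empty string) and
/// the name is not a boolean/count-style flag.
fn is_sensitive_literal(name: &str, value: Literal<'_>) -> bool {
    // An integer, boolean, null or empty string cannot be a leaked secret.
    let value_is_secret_like = match value {
        Literal::Str(s) => !s.is_empty(),
        Literal::Int(_) | Literal::Bool(_) | Literal::Null => false,
    };
    if !value_is_secret_like || !is_password_original(name) {
        return false;
    }
    let lower = name.trim_start_matches('$').to_lowercase();
    !FLAG_PREFIXES.iter().any(|p| lower.starts_with(p))
}

/// Run the tightened check over a batch of assignments and return the names
/// that would be reported.
fn scan_assignments<'a>(assignments: &[(&'a str, Literal<'a>)]) -> Vec<&'a str> {
    assignments
        .iter()
        .filter(|(name, value)| is_sensitive_literal(name, *value))
        .map(|(name, _)| *name)
        .collect()
}

/// Constructed sample input: the report's false positive plus a few
/// assignments a rule like this should and should not report.
fn sample_assignments() -> Vec<(&'static str, Literal<'static>)> {
    vec![
        ("$has_token", Literal::Int(0)),            // the false positive from the report
        ("$api_key", Literal::Str("sk-live-1234")), // should be reported
        ("$db_password", Literal::Str("hunter2")),  // should be reported
        ("$password", Literal::Str("")),            // empty placeholder, not a secret
        ("$is_secret", Literal::Bool(true)),        // boolean flag about a secret
        ("$token", Literal::Null),                  // not yet assigned
    ]
}

fn main() {
    for (name, value) in sample_assignments() {
        println!(
            "{name:<14} {value:?}  suffix-only: {}  tightened: {}",
            is_password_original(name),
            is_sensitive_literal(name, value)
        );
    }
}
```

Under the suffix-only check every name in the sample that ends in `token`, `password` or `secret` is reported; the tightened variant reports only `$api_key` and `$db_password`. Treating an empty string as non-sensitive is a deliberate trade-off here: it silences `$password = "";` placeholders at the cost of not flagging a name that is only later filled in.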