Fix key-chain key ID false positive in password anonymization #247
Conversation
dhalperi left a comment
@dhalperi reviewed 2 files and all commit messages, and made 1 comment.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on manonfgoo).
netconan/default_pwd_regexes.py line 90 at r1 (raw file):
```python
# Require 7+ chars to avoid false positives on short values like key-chain
# key IDs (e.g. "key 10" in Juniper authentication-key-chains).
[(r"(?P<prefix>key( \d| hexadecimal)? )(\S{7,})", 3)],
```
I get the problem, but this feels too risky to me. Netconan doesn't try to have perfect output configs; privacy is more important than avoiding manual cleanups. (False positives are better than false negatives.)
If you make it 3+/4+, I'm game.
Reduced the minimum length threshold from 7+ to 3+ characters, per your feedback.

Something went wrong here. It's no longer either a merge or rebase on master. Can you take a look?
Require 3+ chars after 'key' to avoid anonymizing short key-chain key IDs (e.g. "key 10"). Also narrow the ikev1 pre-shared-key regex to not over-match plain 'key' lines.
38ac018 to f4bcc49
Please try again.
dhalperi left a comment
@dhalperi reviewed 20 files and all commit messages, and resolved 1 discussion.
Reviewable status: complete! All files reviewed, all discussions resolved.
The generic `key` regex matched Juniper key-chain key IDs (e.g. "key 10" in authentication-key-chains) and either anonymized them into huge invalid numbers or scrubbed the entire line. Two fixes:
The minimum-length pattern was evaluated for broader application across all password regexes but is not needed elsewhere: the other regexes have specific prefixes (password, secret, pre-shared-key, etc.) that already prevent false positives on short values.
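The threshold discussed in this thread, as an added example (my code, not netconan's): the `key` regex in its unbounded, 7+ and 3+ forms run over constructed config lines, showing which values each one would flag. The `(pattern, 3)` tuple is read here as "pattern plus index of the sensitive group" (my reading of the quoted entry), `KEY_REGEX_BEFORE` is my reconstruction of the pre-fix unbounded match rather than a line quoted from the repository, and `sensitive_values`/`anonymize` are helper names I chose.

```python
import re

# (pattern, index of the regex group holding the sensitive value): my reading of
# the (pattern, 3) tuple quoted from netconan/default_pwd_regexes.py in the review.
# KEY_REGEX_BEFORE is my reconstruction of the unbounded pre-fix match, not a line
# quoted from the repository; the 7+ and 3+ variants are the ones discussed above.
KEY_REGEX_BEFORE = (r"(?P<prefix>key( \d| hexadecimal)? )(\S+)", 3)
KEY_REGEX_7PLUS = (r"(?P<prefix>key( \d| hexadecimal)? )(\S{7,})", 3)
KEY_REGEX_3PLUS = (r"(?P<prefix>key( \d| hexadecimal)? )(\S{3,})", 3)

# Constructed sample config lines (not taken from the PR).
SAMPLE_LINES = [
    "key 10",                    # Juniper key-chain key ID: must stay untouched
    "key 0 s3cretValue",         # Cisco-style 'key 0 <secret>': must be redacted
    "key hexadecimal 0a1b2c3d",  # hex key material: must be redacted
    "key abc",                   # 3-char secret: 3+ catches it, 7+ would miss it
]


def sensitive_values(line, regex_entry):
    """Return the values the regex flags on this line (group `idx` of each match)."""
    pattern, idx = regex_entry
    return [m.group(idx) for m in re.finditer(pattern, line)]


def anonymize(line, regex_entry, replacement="<REDACTED>"):
    """Replace only the sensitive group, keeping the 'key ...' prefix readable."""
    pattern, idx = regex_entry

    def _sub(m):
        return m.string[m.start():m.start(idx)] + replacement + m.string[m.end(idx):m.end()]

    return re.sub(pattern, _sub, line)


def compare_thresholds(lines=SAMPLE_LINES):
    """Map each line to what the unbounded, 7+ and 3+ regexes would flag."""
    variants = {"before": KEY_REGEX_BEFORE, "7+": KEY_REGEX_7PLUS, "3+": KEY_REGEX_3PLUS}
    return {line: {name: sensitive_values(line, rx) for name, rx in variants.items()}
            for line in lines}


if __name__ == "__main__":
    for line, results in compare_thresholds().items():
        print(f"{line!r:30} {results}")
```

Running it shows the unbounded pattern flagging "10" on the Juniper line while both bounded variants leave it alone, and only the 3+ variant still catching a short real secret such as "abc".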
This change is