fix(dlp): skip projection passes when exact variant is safe-listed
When a supervisor-approved safe-token exactly matched an env secret (Pass 1), Passes 2 & 3 (alnum projection) still ran and re-blocked on the same value. Track whether any variant was found-and-approved and skip the projection passes for that secret in that case.
@@ -222,6 +222,7 @@ def scan_known_secrets(
|
|||||||
continue
|
continue
|
||||||
|
|
||||||
# Pass 1: exact match across encoded variants (original behaviour).
|
# Pass 1: exact match across encoded variants (original behaviour).
|
||||||
|
approved_exact = False
|
||||||
for variant in _encoded_variants(value):
|
for variant in _encoded_variants(value):
|
||||||
pos = text.find(variant)
|
pos = text.find(variant)
|
||||||
if pos >= 0:
|
if pos >= 0:
|
||||||
@@ -229,6 +230,7 @@ def scan_known_secrets(
|
|||||||
# (PRD 0062); a different encoding of the same secret is a
|
# (PRD 0062); a different encoding of the same secret is a
|
||||||
# fresh block.
|
# fresh block.
|
||||||
if safe_tokens is not None and variant in safe_tokens:
|
if safe_tokens is not None and variant in safe_tokens:
|
||||||
|
approved_exact = True
|
||||||
continue
|
continue
|
||||||
return ScanResult(
|
return ScanResult(
|
||||||
severity="block",
|
severity="block",
|
||||||
@@ -237,6 +239,10 @@ def scan_known_secrets(
|
|||||||
context=_snippet(text, pos, pos + len(variant)),
|
context=_snippet(text, pos, pos + len(variant)),
|
||||||
matched=variant,
|
matched=variant,
|
||||||
)
|
)
|
||||||
|
if approved_exact:
|
||||||
|
# Exact match was found and approved; projection passes would
|
||||||
|
# fire on the same value, so skip them for this secret.
|
||||||
|
continue
|
||||||
|
|
||||||
# Pass 2 & 3: fragmentation-resistant projection checks.
|
# Pass 2 & 3: fragmentation-resistant projection checks.
|
||||||
secret_alnum = _alnum_projection(value)
|
secret_alnum = _alnum_projection(value)
|
||||||
|
|||||||
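Review bot: The new `if approved_exact: continue` skips Passes 2 and 3 for the whole secret, so a fragmented or whitespace-split copy of the same value elsewhere in `text` is no longer blocked once one exact variant is safe-listed; the approval is per token but the skip is per secret, which is broader than the "a different encoding of the same secret is a fresh block" rule in the comment just above it. Rather than skipping the projection passes, I would mask the approved exact occurrences out of a working copy of `text` and run Passes 2 and 3 on that, which still removes the re-block this commit fixes. That requires the projection passes, which begin after the hunk, to read the masked copy instead of `text`; scan_known_secrets starts and ends outside the hunk. Since `text.find(variant)` only locates the first occurrence, the masking should replace every occurrence of an approved variant, not just the one at `pos`.
```python
approved_variants: list[str] = []
for variant in _encoded_variants(value):
    pos = text.find(variant)
    if pos >= 0:
        # … unchanged: PRD 0062 comment …
        if safe_tokens is not None and variant in safe_tokens:
            approved_variants.append(variant)
            continue
        # … unchanged: return ScanResult(severity="block", ...) …
# Mask the approved exact occurrences so the projection passes do not
# re-fire on them, while any fragmented copy elsewhere is still seen.
projection_text = text
for variant in approved_variants:
    projection_text = projection_text.replace(variant, " " * len(variant))

# Pass 2 & 3: fragmentation-resistant projection checks.
secret_alnum = _alnum_projection(value)
# … unchanged: passes 2 & 3, scanning projection_text instead of text …
```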