feat(plugin-npm): support any length of npm token e.g. gitlab token

Yelp · Mar 31, 2023 · 1cbac9a · 1cbac9a
1 parent 5c9830a
commit 1cbac9a
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/detect_secrets/plugins/npm.py b/detect_secrets/plugins/npm.py
@@ -13,5 +13,5 @@ class NpmDetector(RegexBasedDetector):
  denylist = [
  # npmrc authToken
  # ref. https://stackoverflow.com/questions/53099434/using-auth-tokens-in-npmrc
- re.compile(r'\/\/.+\/:_authToken=\s*((npm_.+)|([A-Fa-f0-9-]{36})).*'),
+ re.compile(r'\/\/.+\/:_authToken=\s*(?!\$\{[A-Z_]+\})((npm_.+)|\S+).*'),
  ]
diff --git a/tests/plugins/npm_test.py b/tests/plugins/npm_test.py
@@ -18,6 +18,8 @@ class TestNpmDetector:
  ('_authToken=743b294a-cd03-11ec-9d64-0242ac120002', False),
  ('foo', False),
  ('//registry.npmjs.org/:_authToken=${NPM_TOKEN}', False),
+ ('//gitlab.com/api/v4/projects/1347/packages/npm/:_authToken=glpat-a8r3xUFrtP-isd1DLK_r', True),
+ ('//gitlab.com/api/v4/projects/1347/packages/npm/:_authToken=${CI_JOB_TOKEN}', False),
  ],
  )
  def test_analyze(self, payload, should_flag):