feat: allow to scan secrets without buffering whole lines

Author: pieh

packages/build/src/plugins_core/secrets_scanning/index.ts

@@ -30,6 +30,7 @@ const coreStep: CoreStepFunction = async function ({
   netlifyConfig,
   explicitSecretKeys,
   enhancedSecretScan,
+  featureFlags,
   systemLog,
   deployId,
   api,
@@ -38,6 +39,7 @@ const coreStep: CoreStepFunction = async function ({
 
   const passedSecretKeys = (explicitSecretKeys || '').split(',')
   const envVars = netlifyConfig.build.environment as Record<string, unknown>
+  const useMinimalChunks = featureFlags?.secret_scanning_minimal_chunks
 
   systemLog?.({ passedSecretKeys, buildDir })
 
@@ -109,6 +111,7 @@ const coreStep: CoreStepFunction = async function ({
         filePaths,
         enhancedScanning: enhancedSecretScan && enhancedScanningEnabledInEnv,
         omitValuesFromEnhancedScan: getOmitValuesFromEnhancedScanForEnhancedScanFromEnv(envVars),
+        useMinimalChunks,
       })
 
       secretMatches = scanResults.matches.filter((match) => !match.enhancedMatch)

packages/build/src/plugins_core/secrets_scanning/utils.ts

@@ -19,6 +19,7 @@ interface ScanArgs {
   filePaths: string[]
   enhancedScanning?: boolean
   omitValuesFromEnhancedScan?: unknown[]
+  useMinimalChunks: boolean
 }
 
 interface MatchResult {
@@ -146,54 +147,49 @@ const likelySecretRegex = new RegExp(
 )
 
 /**
- * Checks a line of text for likely secrets based on known prefixes and patterns.
+ * Checks a chunk of text for likely secrets based on known prefixes and patterns.
  * The function works by:
- * 1. Splitting the line into tokens using quotes, whitespace, equals signs, colons, and commas as delimiters
+ * 1. Splitting the chunk into tokens using quotes, whitespace, equals signs, colons, and commas as delimiters
  * 2. For each token, checking if it matches our secret pattern:
  *    - Must start (^) with one of our known prefixes (e.g. aws_, github_pat_, etc)
  *    - Must be followed by at least MIN_CHARS_AFTER_PREFIX non-whitespace characters
  *    - Must extend to the end ($) of the token
  *
- * For example, given the line: secretKey='aws_123456789012345678'
+ * For example, given the chunk: secretKey='aws_123456789012345678'
  * 1. It's split into tokens: ['secretKey', 'aws_123456789012345678']
  * 2. Each token is checked against the regex pattern:
  *    - 'secretKey' doesn't match (doesn't start with a known prefix)
  *    - 'aws_123456789012345678' matches (starts with 'aws_' and has sufficient length)
  *
- * @param line The line of text to check
- * @param file The file path where this line was found
- * @param lineNumber The line number in the file
- * @param omitValuesFromEnhancedScan Optional array of values to exclude from matching
- * @returns Array of matches found in the line
  */
 export function findLikelySecrets({
-  line,
-  file,
-  lineNumber,
+  chunk,
   omitValuesFromEnhancedScan = [],
 }: {
-  line: string
-  file: string
-  lineNumber: number
+  /**
+   * The chunk of text to check
+   */
+  chunk: string
+  /**
+   * Optional array of values to exclude from matching
+   */
   omitValuesFromEnhancedScan?: unknown[]
-}): MatchResult[] {
-  if (!line) return []
+}): { index: number; prefix: string }[] {
+  if (!chunk) return []
 
-  const matches: MatchResult[] = []
+  const matches: ReturnType<typeof findLikelySecrets> = []
   let match: RegExpExecArray | null
   const allOmittedValues = [...omitValuesFromEnhancedScan, ...SAFE_LISTED_VALUES]
 
-  while ((match = likelySecretRegex.exec(line)) !== null) {
+  while ((match = likelySecretRegex.exec(chunk)) !== null) {
     const token = match.groups?.token
     const prefix = match.groups?.prefix
     if (!token || !prefix || allOmittedValues.includes(token)) {
       continue
     }
     matches.push({
-      file,
-      lineNumber,
-      key: prefix,
-      enhancedMatch: true,
+      prefix,
+      index: match.index,
     })
   }
 
@@ -279,6 +275,7 @@ export async function scanFilesForKeyValues({
   base,
   enhancedScanning,
   omitValuesFromEnhancedScan = [],
+  useMinimalChunks = false,
 }: ScanArgs): Promise<ScanResults> {
   const scanResults: ScanResults = {
     matches: [],
@@ -309,6 +306,8 @@ export async function scanFilesForKeyValues({
 
   let settledPromises: PromiseSettledResult<MatchResult[]>[] = []
 
+  const searchStream = useMinimalChunks ? searchStreamMinimalChunks : searchStreamReadline
+
   // process the scanning in batches to not run into memory issues by
   // processing all files at the same time.
   while (filePaths.length > 0) {
@@ -333,19 +332,24 @@ export async function scanFilesForKeyValues({
   return scanResults
 }
 
-const searchStream = ({
-  basePath,
-  file,
-  keyValues,
-  enhancedScanning,
-  omitValuesFromEnhancedScan = [],
-}: {
+type SearchStreamOptions = {
   basePath: string
   file: string
   keyValues: Record<string, string[]>
   enhancedScanning?: boolean
   omitValuesFromEnhancedScan?: unknown[]
-}): Promise<MatchResult[]> => {
+}
+
+/**
+ * Search stream implementation using node:readline
+ */
+const searchStreamReadline = ({
+  basePath,
+  file,
+  keyValues,
+  enhancedScanning,
+  omitValuesFromEnhancedScan = [],
+}: SearchStreamOptions): Promise<MatchResult[]> => {
   return new Promise((resolve, reject) => {
     const filePath = path.resolve(basePath, file)
 
@@ -382,7 +386,14 @@ const searchStream = ({
       lineNumber++
       if (typeof line === 'string') {
         if (enhancedScanning) {
-          matches.push(...findLikelySecrets({ line, file, lineNumber, omitValuesFromEnhancedScan }))
+          matches.push(
+            ...findLikelySecrets({ chunk: line, omitValuesFromEnhancedScan }).map(({ prefix }) => ({
+              key: prefix,
+              file,
+              lineNumber,
+              enhancedMatch: true,
+            })),
+          )
         }
         if (maxMultiLineCount > 1) {
           lines.push(line)
@@ -472,6 +483,160 @@ const searchStream = ({
   })
 }
 
+/**
+ * Search stream implementation using just read stream that allows to buffer less content
+ */
+const searchStreamMinimalChunks = ({
+  basePath,
+  file,
+  keyValues,
+  enhancedScanning,
+  omitValuesFromEnhancedScan = [],
+}: SearchStreamOptions): Promise<MatchResult[]> => {
+  return new Promise((resolve, reject) => {
+    const filePath = path.resolve(basePath, file)
+
+    const inStream = createReadStream(filePath)
+    const matches: MatchResult[] = []
+
+    const keyVals: string[] = ([] as string[]).concat(...Object.values(keyValues))
+
+    // determine longest value that we will search for - needed to determine minimal size of our buffer
+    const maxValLength = Math.max(
+      0,
+      // explicit secrets
+      ...keyVals.map((v) => v.length),
+      ...(enhancedScanning
+        ? [
+            // omitted likely secrets (after finding likely secret we check if it should be omitted, so we need to capture at least size of omitted values)
+            ...omitValuesFromEnhancedScan.map((v) => (typeof v === 'string' ? v.length : 0)),
+            // minimum length needed to find likely secret
+            ...LIKELY_SECRET_PREFIXES.map((v) => v.length + MIN_CHARS_AFTER_PREFIX),
+          ]
+        : []),
+    )
+
+    if (maxValLength === 0) {
+      // no non-empty values to scan for
+      return matches
+    }
+
+    const minValLength = Math.min(...keyVals.map((v) => v.length))
+
+    function getKeyForValue(val) {
+      let key = ''
+      for (const [secretKeyName, valuePermutations] of Object.entries(keyValues)) {
+        if (valuePermutations.includes(val)) {
+          key = secretKeyName
+        }
+      }
+      return key
+    }
+
+    let buffer = ''
+
+    function getCurrentBufferNewLineIndexes() {
+      const newLinesIndexesInCurrentBuffer = [] as number[]
+      let newLineIndex = -1
+      while ((newLineIndex = buffer.indexOf('\n', newLineIndex + 1)) !== -1) {
+        newLinesIndexesInCurrentBuffer.push(newLineIndex)
+      }
+
+      return newLinesIndexesInCurrentBuffer
+    }
+    let fileIndex = 0
+    let processedLines = 0
+    const foundIndexes = new Map<string, Set<number>>()
+    const foundLines = new Map<string, Set<number>>()
+    inStream.on('data', function (chunk) {
+      const newChunk = chunk.toString()
+
+      buffer += newChunk
+
+      let newLinesIndexesInCurrentBuffer = null as null | number[]
+
+      if (buffer.length > minValLength) {
+        for (const valVariant of keyVals) {
+          let valVariantIndex = -1
+          while ((valVariantIndex = buffer.indexOf(valVariant, valVariantIndex + 1)) !== -1) {
+            const pos = fileIndex + valVariantIndex
+            let foundIndexesForValVariant = foundIndexes.get(valVariant)
+            if (!foundIndexesForValVariant?.has(pos)) {
+              if (newLinesIndexesInCurrentBuffer === null) {
+                newLinesIndexesInCurrentBuffer = getCurrentBufferNewLineIndexes()
+              }
+
+              let lineNumber = processedLines + 1
+              for (const newLineIndex of newLinesIndexesInCurrentBuffer) {
+                if (valVariantIndex > newLineIndex) {
+                  lineNumber++
+                } else {
+                  break
+                }
+              }
+
+              let foundLinesForValVariant = foundLines.get(valVariant)
+              if (!foundLinesForValVariant?.has(lineNumber)) {
+                matches.push({
+                  file,
+                  lineNumber,
+                  key: getKeyForValue(valVariant),
+                  enhancedMatch: false,
+                })
+
+                if (!foundLinesForValVariant) {
+                  foundLinesForValVariant = new Set<number>()
+                  foundLines.set(valVariant, foundLinesForValVariant)
+                }
+                foundLinesForValVariant.add(lineNumber)
+              }
+
+              if (!foundIndexesForValVariant) {
+                foundIndexesForValVariant = new Set<number>()
+                foundIndexes.set(valVariant, foundIndexesForValVariant)
+              }
+              foundIndexesForValVariant.add(pos)
+            }
+          }
+        }
+      }
+
+      if (buffer.length > maxValLength) {
+        const lengthDiff = buffer.length - maxValLength
+        fileIndex += lengthDiff
+        if (newLinesIndexesInCurrentBuffer === null) {
+          newLinesIndexesInCurrentBuffer = getCurrentBufferNewLineIndexes()
+        }
+
+        // advanced processed lines
+        for (const newLineIndex of newLinesIndexesInCurrentBuffer) {
+          if (newLineIndex < lengthDiff) {
+            processedLines++
+          } else {
+            break
+          }
+        }
+
+        // Keep the last part of the buffer to handle split values across chunks
+        buffer = buffer.slice(-maxValLength)
+      }
+    })
+
+    inStream.on('error', function (error: any) {
+      if (error?.code === 'EISDIR') {
+        // file path is a directory - do nothing
+        resolve(matches)
+      } else {
+        reject(error)
+      }
+    })
+
+    inStream.on('close', function () {
+      resolve(matches)
+    })
+  })
+}
+
 /**
  * ScanResults are all of the finds for all keys and their disparate locations. Scanning is
  * async in streams so order can change a lot. Some matches are the result of an env var explictly being marked as secret,