Secrets detection should not skip *.pyc #7170

fproulx-boostsecurity · 2024-07-15T15:48:41Z

fproulx-boostsecurity
Jul 15, 2024

Description

As demonstrated in this incident report https://blog.pypi.org/posts/2024-07-08-incident-report-leaked-admin-personal-access-token/ . Secrets in Docker images could very well be part of *.pyc. At the moment, Trivy's secret detection appears to skip / ignore those files (

trivy/pkg/fanal/analyzer/secret/secret.go

Line 57 in 2a577a7

".pyc",

)

Target

Container Image

Scanner

Secret

knqyf263 · 2024-07-16T03:37:59Z

knqyf263
Jul 16, 2024
Maintainer

Thanks for sharing. It makes a lot of sense. The .pyc code is in byte code format as I understand it, but do the string literals, etc. remain intact? Do we need to decode them first?

We'll play with .pyc when we have time, but if anyone is already familiar with it, we'd appreciate it if you could let us know.

2 replies

fproulx-boostsecurity Jul 19, 2024
Author

@knqyf263

Below you'll see that the string literal remain intact in the binary. And the byte 0xda, followed by the length of the string (like 0x0c, 0x0d, 0x0e) for strings up to 255 characters, past that size it looks like they are prefixed with 0xc1`, followed by 4 bytes for the length (32 bits max string I guess)

$ cat secret.py
secret1 = "FLAG_secret1"   # 12 bytes long (0x0c)
secret2 = "FLAG_secret22"  # 13 bytes long (0x0d)
secret3 = "FLAG_secret333" # 14 bytes long (0x0e)
secret4 = "AAAAAAAAAA"*26  # 260 bytes long (???)
print(secret1 + secret2 + secret3 + secret4)

$ python -m compileall . # Force compiling
Listing '.'...
Compiling './secret.py'...

$ xxd -g1 -c10 __pycache__/secret.cpython-312.pyc
xxd -g1 -c10 __pycache__/secret.cpython-312.pyc
00000000: cb 0d 0d 0a 00 00 00 00 8c eb  ..........
0000000a: 9a 66 f5 00 00 00 e3 00 00 00  .f........
00000014: 00 00 00 00 00 00 00 00 00 04  ..........
0000001e: 00 00 00 00 00 00 00 f3 36 00  ........6.
00000028: 00 00 97 00 64 00 5a 00 64 01  ....d.Z.d.
00000032: 5a 01 64 02 5a 02 64 03 5a 03  Z.d.Z.d.Z.
0000003c: 02 00 65 04 65 00 65 01 7a 00  ..e.e.e.z.
00000046: 00 00 65 02 7a 00 00 00 65 03  ..e.z...e.
00000050: 7a 00 00 00 ab 01 00 00 00 00  z.........
0000005a: 00 00 01 00 79 04 29 05 da 0c  ....y.)...
00000064: 46 4c 41 47 5f 73 65 63 72 65  FLAG_secre
0000006e: 74 31 da 0d 46 4c 41 47 5f 73  t1..FLAG_s
00000078: 65 63 72 65 74 32 32 da 0e 46  ecret22..F
00000082: 4c 41 47 5f 73 65 63 72 65 74  LAG_secret
0000008c: 33 33 33 c1 04 01 00 00 41 41  333.....AA
00000096: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
000000a0: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
000000aa: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
000000b4: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
000000be: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
000000c8: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
000000d2: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
000000dc: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
000000e6: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
000000f0: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
000000fa: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
00000104: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
0000010e: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
00000118: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
00000122: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
0000012c: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
00000136: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
00000140: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
0000014a: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
00000154: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
0000015e: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
00000168: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
00000172: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
0000017c: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
00000186: 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAA
00000190: 41 41 41 41 41 41 41 41 4e 29  AAAAAAAAN)
0000019a: 05 da 07 73 65 63 72 65 74 31  ...secret1
000001a4: da 07 73 65 63 72 65 74 32 da  ..secret2.
000001ae: 07 73 65 63 72 65 74 33 da 07  .secret3..
000001b8: 73 65 63 72 65 74 34 da 05 70  secret4..p
000001c2: 72 69 6e 74 a9 00 f3 00 00 00  rint......
000001cc: 00 fa 0b 2e 2f 73 65 63 72 65  ..../secre
000001d6: 74 2e 70 79 fa 08 3c 6d 6f 64  t.py..<mod
000001e0: 75 6c 65 3e 72 0e 00 00 00 01  ule>r.....
000001ea: 00 00 00 73 30 00 00 00 f0 03  ...s0.....
000001f4: 01 01 01 d8 0a 18 80 07 d8 0a  ..........
000001fe: 19 80 07 d8 0a 1a 80 07 d8 0a  ..........
00000208: 19 80 07 d9 00 05 80 67 90 07  .......g..
00000212: d1 06 17 98 27 d1 06 21 a0 47  ....'..!.G
0000021c: d1 06 2b d5 00 2c 72 0c 00 00  ..+..,r...

knqyf263 Jul 22, 2024
Maintainer

Thanks for your input! It is really helpful. I've opened an issue for this enhancement.
#7204

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Secrets detection should not skip *.pyc #7170

{{title}}

Replies: 1 comment 2 replies

{{title}}

{{title}}

{{title}}

Select a reply

Secrets detection should not skip *.pyc #7170

fproulx-boostsecurity Jul 15, 2024

Description

Target

Scanner

Replies: 1 comment · 2 replies

knqyf263 Jul 16, 2024 Maintainer

fproulx-boostsecurity Jul 19, 2024 Author

knqyf263 Jul 22, 2024 Maintainer

fproulx-boostsecurity
Jul 15, 2024

Replies: 1 comment 2 replies

knqyf263
Jul 16, 2024
Maintainer

fproulx-boostsecurity Jul 19, 2024
Author

knqyf263 Jul 22, 2024
Maintainer