fix(review): detect cross-line split credentials in gate secret scan (#2454) #2898
RealDiligent wants to merge 1 commit into
…SONbored#2454)

The unconditional secret_leak hard blocker scanned added lines in isolation, so credentials split across adjacent added string literals evaded every per-line regex while REES enrichment already joined them (JSONbored#2454).

Add scanPrDiffForSecretKinds with bounded cross-line literal join, hunk/context boundaries, consecutive-run generic assignment detection, and in-hunk +++ content handling. Wire secretLeakFinding through the new walker.

Only skip the cross-line join when the current line matched a gate-blocking kind on its own — a soft heuristic alone (e.g. coldkey:) must not suppress joining literals that complete a split concrete credential (JSONbored#2877 review blocker).

Export GATE_BLOCKING_SECRET_KINDS as the single source of truth shared between the diff walker and secretLeakFinding filter.

Supersedes closed JSONbored#2877.

Co-authored-by: Cursor <cursoragent@cursor.com>
cc600c5 to 75625f8
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage diff (main vs. #2898):

| | main | #2898 | +/- |
|---|---|---|---|
| Coverage | 96.02% | 96.03% | |
| Files | 259 | 259 | |
| Lines | 28406 | 28469 | +63 |
| Branches | 10339 | 10354 | +15 |
| Hits | 27278 | 27341 | +63 |
| Misses | 491 | 491 | |
| Partials | 637 | 637 | |
Gittensory review result: reject/close recommended. Review updated: 2026-07-04 05:03:27 UTC
Suggested action: Reject/Close
Review summary: blockers (below); nits: 5 non-blocking
Gittensory is closing this pull request on the maintainer's behalf (AI reviewers agree on a likely critical defect: src/review/secrets-scan.ts:197 rescans `addedRun.join("\n")` after every added line, so a large generated all-added hunk triggers quadratic string building and regex scanning on the unconditional secret gate path; track only the previous/current generic-assignment window or scan the run once at boundaries instead; Possible leaked secret in the diff (generic_secret_assignment)). This is an automated maintenance action — to pursue this change, please open a new pull request with the issues resolved. Closed PRs are re-reviewed automatically, so an inaccurate close may be reopened, but that does not guarantee it can merge (e.g. if conflicts or failing CI remain).
Summary

The unconditional `secret_leak` hard blocker scanned added diff lines in isolation. A credential split across two adjacent added string literals (e.g. `const a = "AKIA…";` `+const b = "REST";`) evaded every per-line regex — exactly the #2454 evasion class REES enrichment already closes, but the gate path did not.

This PR adds `scanPrDiffForSecretKinds` and wires `secretLeakFinding` through it:

- `+++` content handling and `/dev/null` header regex escape

#2877 review blocker fix

Closed #2877 skipped the cross-line join whenever any scanner kind matched the line — including soft heuristics (`bittensor_key`, `seed_or_mnemonic`) that `secretLeakFinding` filters out. A split credential whose second line also contained `coldkey = "…"` would pass unblocked.

Fix: only skip the join when the line matched a gate-blocking kind on its own. Export `GATE_BLOCKING_SECRET_KINDS` as the single source of truth shared by the walker and the `secretLeakFinding` filter.

Test plan

- `npm run typecheck`
- `npx vitest run test/unit/secrets-scan.test.ts test/unit/safety-wiring.test.ts` (70/70)
- `coldkey =` on second line blocks via join (fix(review): detect cross-line split credentials in gate secret scan (#2454) #2877)

Related

- review-enrichment/src/analyzers/secret-scan.ts
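The join rule described above, as an added TypeScript example that is not the project's own secrets-scan.ts: each added literal is joined only with the immediately preceding added literal inside the same hunk, and the join is skipped only when the line matched a gate-blocking kind on its own, so a soft heuristic hit such as `coldkey =` cannot suppress it. Kind names, regexes, helper names and the sample diff are assumptions constructed for this example; keeping a one-literal window also avoids rescanning the whole run on every line.

```typescript
// Added example, not the project's scanner; kind names, regexes and helpers are assumptions.
export type SecretKind = "aws_access_key" | "bittensor_key";
// Stand-in for the PR's GATE_BLOCKING_SECRET_KINDS: only these kinds block the gate.
export const GATE_BLOCKING_KINDS: ReadonlySet<SecretKind> = new Set(["aws_access_key"]);
const KIND_PATTERNS: ReadonlyArray<[SecretKind, RegExp]> = [
  ["aws_access_key", /AKIA[0-9A-Z]{16}/], // concrete credential shape (assumed)
  ["bittensor_key", /\bcoldkey\s*[:=]/i], // soft heuristic, filtered out at the gate
];
const STRING_LITERAL = /["']([^"'\\]*)["']/;
export interface Finding { kind: SecretKind; line: number; joined: boolean }
export function kindsIn(text: string): SecretKind[] {
  return KIND_PATTERNS.filter(([, re]) => re.test(text)).map(([kind]) => kind);
}
export function scanDiffForSecretKinds(diff: string): Finding[] {
  const findings: Finding[] = [];
  let inHunk = false;
  let prevLiteral: string | null = null; // one-literal window: every line is scanned once
  diff.split("\n").forEach((raw, idx) => {
    const line = idx + 1;
    if (raw.startsWith("@@")) { inHunk = true; prevLiteral = null; return; }
    if (!inHunk || raw.startsWith("diff ")) { inHunk = false; return; } // file headers, "+++ b/..." included
    if (!raw.startsWith("+")) { prevLiteral = null; return; } // context/removed line ends the added run
    const content = raw.slice(1); // in-hunk "+++x" is added content "++x", not a header
    const own = kindsIn(content);
    own.forEach((kind) => findings.push({ kind, line, joined: false }));
    const lit = STRING_LITERAL.exec(content)?.[1] ?? null;
    // Skip the join only when this line matched a gate-blocking kind by itself; a soft hit must not
    // suppress completing a split concrete credential (the #2877 review blocker).
    if (prevLiteral !== null && lit !== null && !own.some((k) => GATE_BLOCKING_KINDS.has(k))) {
      kindsIn(prevLiteral + lit)
        .filter((kind) => !own.includes(kind))
        .forEach((kind) => findings.push({ kind, line, joined: true }));
    }
    prevLiteral = lit;
  });
  return findings;
}
// Gate filter: the hard blocker fires only on gate-blocking kinds.
export function gateBlockingFindings(findings: Finding[]): Finding[] {
  return findings.filter((f) => GATE_BLOCKING_KINDS.has(f.kind));
}
// Constructed sample: a placeholder AKIA-shaped value split across two added literals; the second line also trips the soft heuristic.
export const SAMPLE_DIFF = `diff --git a/src/config.ts b/src/config.ts
--- a/src/config.ts
+++ b/src/config.ts
@@ -1,2 +1,4 @@
 const region = "us-east-1";
+const a = "AKIAEXAMP";
+const coldkey = "LEKEY000000";
 export {};`;
```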