04f1593df3
The v7.0.0 entropy-scanner ran rules 11-13 (GLSL/CSS-in-JS/inline-markup
line-proximity suppressions) for every line regardless of file type. A
polyglot `.ts` file with an embedded fragment-shader template literal
could therefore mask a real high-entropy credential when the credential
literal happened to share a line with a GLSL keyword. Critical-review
B5 documented the false-negative class.
Refactor:
* New `classifyFileContext(absPath, lines)` returns
`'shader-dominant' | 'markup-dominant' | 'code-dominant' | 'mixed'`,
keyed off file extension with a content-density fallback for
code-extension files (≥50% of sampled non-blank lines matching
GLSL/inline-markup → downgrade to `mixed`).
* `isFalsePositive(str, line, absPath, context)` gates rules 11-13
on `context !== 'code-dominant'`. Rules 1-10 and 14-19 still run
unconditionally, so URL/path/test-fixture/ffmpeg/UA/SQL/error-
template suppression behaves identically.
* `scanFileContent` computes `fileContext` once per file and threads
it through every per-string suppression check.
Conservative defaults to keep the regression surface minimal:
* Files with `<5` sampled non-blank lines fall back to `mixed`
(preserves the existing rule-11/12/13 behaviour for the single-
line .js fixtures used by entropy-context.test.mjs).
* Unknown extensions fall back to `mixed`.
* Code-extension files densely populated with shader/markup
content fall back to `mixed`.
Net effect: a `.ts` file with an embedded GLSL block but mostly TS
code on the surrounding lines now surfaces credentials that the
v7.0.0 line-proximity heuristic suppressed. Pure shader/markup
files are unaffected (extension skip / mixed default).
New fixture: tests/fixtures/entropy/polyglot-ts-with-glsl.ts (with
runtime placeholder so it does not commit a high-entropy literal).
+3 tests in tests/scanners/entropy-context.test.mjs (26 → 29).
Existing entropy.test.mjs and entropy-context.test.mjs all remain
green. Full suite 1658 → 1661.
Refs: Batch B Wave 5 / Step 12 / v7.2.0
critical-review-2026-04-20.md §B5
32 lines
1.3 KiB
TypeScript
32 lines
1.3 KiB
TypeScript
// Polyglot TypeScript fixture for the entropy-scanner B5 regression.
|
|
//
|
|
// Pre-B5 behaviour: rule 11 (GLSL_KEYWORDS line-proximity) suppressed any
|
|
// high-entropy string that happened to share a line with shader keywords.
|
|
// In a `.ts` file with an embedded fragment-shader template literal, a real
|
|
// credential on the closing brace line would be silently dismissed.
|
|
//
|
|
// Post-B5 behaviour: classifyFileContext returns 'code-dominant' for `.ts`
|
|
// files (unless the file is overwhelmingly shader/markup), which disables
|
|
// rules 11-13. The credential below is therefore detected.
|
|
//
|
|
// The placeholder __ENTROPY_PAYLOAD_PLACEHOLDER__ is replaced at test time
|
|
// with a randomly generated high-entropy string. The static fixture stays
|
|
// out of the pre-edit-secrets hook because no real high-entropy literal is
|
|
// committed to disk.
|
|
|
|
const fragmentShader = `
|
|
precision highp float;
|
|
uniform vec3 u_resolution;
|
|
uniform float u_time;
|
|
varying vec2 v_uv;
|
|
void main() {
|
|
vec3 color = vec3(v_uv, sin(u_time));
|
|
gl_FragColor = vec4(color, 1.0);
|
|
}
|
|
`;
|
|
|
|
// The next line ends a uniform vec3 declaration AND carries the placeholder
|
|
// — exactly the kind of GLSL-adjacent line that rule 11 used to suppress.
|
|
const placeholder = "__ENTROPY_PAYLOAD_PLACEHOLDER__"; // uniform vec3 normal;
|
|
|
|
export { fragmentShader, placeholder };
|