From ec75572dd3691cb096a5738aa469b59bb43252a0 Mon Sep 17 00:00:00 2001
From: George Tsigourakos
Date: Tue, 16 Jul 2024 18:35:31 +0300
Subject: [PATCH 1/2] [Fix] Square brackets bypass Issue #857

---
 detect_secrets/filters/heuristic.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/detect_secrets/filters/heuristic.py b/detect_secrets/filters/heuristic.py
index 7fb078181..d7a3e5f12 100644
--- a/detect_secrets/filters/heuristic.py
+++ b/detect_secrets/filters/heuristic.py
@@ -197,7 +197,15 @@ def _get_indirect_reference_regex() -> Pattern:
     # [^\v]* -> Something except line breaks
     # [\]\)] -> End of indirect reference: ] or )
     # )
-    return re.compile(r'([^\v=!:]*)\s*(:=?|[!=]{1,3})\s*([\w.-]+[\[\(][^\v]*[\]\)])')
+    return re.compile(
+        r'([^\v=!:"<%>]*)\s*(:=?|[!=]{1,3}|\|\|)\s*('
+        r'[\w.-]+[\[\(][^\v]*[\]\)]' # Matches ENV[...] or similar references
+        r'|'
+        r'\'[^\']*\'' # Matches single-quoted strings
+        r'|'
+        r'"[^"]*"' # Matches double-quoted strings
+        r')'
+    )
 
 
 def is_lock_file(filename: str) -> bool:

From c4210a1a664310f439d6f8adda97a6c06913a515 Mon Sep 17 00:00:00 2001
From: George Tsigourakos
Date: Tue, 1 Oct 2024 11:06:01 +0300
Subject: [PATCH 2/2] [Test] Add test case for issue #857

---
 tests/filters/heuristic_filter_test.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tests/filters/heuristic_filter_test.py b/tests/filters/heuristic_filter_test.py
index 90e1eb0de..2b7d691ca 100644
--- a/tests/filters/heuristic_filter_test.py
+++ b/tests/filters/heuristic_filter_test.py
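Review bot: The single- and double-quoted alternatives added to the value group in this hunk make every ordinary quoted assignment match: for `password = "hunter2"` (constructed example) group 1 takes `password `, `=` is the operator and `"hunter2"` satisfies `"[^"]*"`, so if `is_indirect_reference` (defined outside the hunk) still just tests for a match, hard-coded quoted credentials are now suppressed as indirect references, which is the opposite of what this filter exists for. The quoted forms are only meaningful as the fallback operand of `||` after a real reference, so I would keep them out of the shared alternation and match that shape explicitly as a second top-level branch, leaving the three original capturing groups intact for any caller that reads them; this still satisfies every case in the accompanying test patch while leaving `key = 'literal'` unmatched. The regex comment block above the hunk (outside it) still documents only `:=?|[!=]{1,3}` and the bracketed form, so it needs a line for `\|\|` and for the fallback branch. Treating a quoted literal after `||` as a false positive is itself a deliberate trade-off, since that literal is a value present in the source, and is worth stating in that comment.
```python
    return re.compile(
        r'(?:'
        r'([^\v=!:"<%>]*)\s*(:=?|[!=]{1,3}|\|\|)\s*([\w.-]+[\[\(][^\v]*[\]\)])'
        r'|'
        # Only a bracketed reference may be followed by a quoted `||` fallback
        r'[\w.-]+[\[\(][^\v]*[\]\)][\w.]*\s*\|\|\s*(?:\'[^\']*\'|"[^"]*")'
        r')'
    )
```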
@@ -139,6 +139,15 @@ def test_is_prefixed_with_dollar_sign(secret, result):
         ('secret = get_secret_key()', True),
         ('secret = request.headers["apikey"]', True),
         ('secret = hunter2', False),
+        ("<%= ENV['CLIENT_ACCESS_KEY_ID'].presence || 'AKIA123456789ABCDEF1' %>", True), # Erb template with intermediate method
+        ("<%= ENV['CLIENT_ACCESS_KEY_ID'] || 'AKIA123456789ABCDEF1' %>", True), # Erb template without intermediate method
+        ("ENV['CLIENT_ACCESS_KEY_ID'].presence || 'AKIA123456789ABCDEF1'", True), # Ruby with intermediate method
+        ("ENV['CLIENT_ACCESS_KEY_ID'] || 'AKIA123456789ABCDEF1'", True), # Ruby without intermediate method
+        ('not_a_secret ||= something_else', False), # Ruby assignment
+        ('not_a_secret || something_else', False), # Ruby truthy validation
+        ('api_key = ENV["API_KEY"].get() || "default_key"', True), # Ruby with intermediate method with assignment
+        ('token = ENV["TOKEN"] || default_token', True), # Ruby without intermediate method with assignment
+        ('api_key ||= fetch_api_key()', True), # Ruby without intermediate method with assignment
     ),
 )
 def test_is_indirect_reference(line, result):
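Review bot: The new cases only pin lines that should be filtered, plus two unquoted `||` lines that should not; nothing asserts that a plain quoted assignment is still reported, which is exactly the shape the widened value group in the companion patch starts to match, so add a negative case such as `('password = "hunter2"', False),  # quoted literal, not a reference` (constructed value) next to the existing `('secret = hunter2', False)`, unless such a case already exists in this parametrize list outside the hunk. The `ENV['CLIENT_ACCESS_KEY_ID'] || 'AKIA…'` lines expecting True also document that the literal after `||` is intentionally not reported, and a short comment on one of them saying so would make that trade-off visible to the next reader. The comment on the last added line, `# Ruby without intermediate method with assignment`, duplicates the previous line's comment although the case is the `||=` form; `# Ruby conditional assignment` would describe it.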