8000 external repo file support by zricethezav · Pull Request #57 · gitleaks/gitleaks · GitHub
external repo file support #57

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Mar 10, 2018
Merged
18 changes: 9 additions & 9 deletions README.md
@@ -1,4 +1,10 @@
![Alt Text](https://github.com/zricethezav/gifs/blob/master/gitleaks1.png) [![Build Status](https://travis-ci.org/zricethezav/gitleaks.svg?branch=master)](https://travis-ci.org/zricethezav/gitleaks)
<p align="center">
<img alt="gitleaks" src="https://raw.githubusercontent.com/zricethezav/gifs/master/gitleaks4.png" height="140" />
<p align="center">
<a href="https://travis-ci.org/zricethezav/gitleaks"><img alt="Travis" src="https://img.shields.io/travis/zricethezav/gitleaks/master.svg?style=flat-square"></a>
</p>
</p>

## Audit git repos for secrets and keys

#### Installing
Expand Down Expand Up @@ -31,6 +37,7 @@ Options:
--report-path=<STR> Save report to path, gitleaks default behavior is to save report to pwd
--clone-path=<STR> Gitleaks will clone repos here, default pwd
--concurrency=<INT> Upper bound on concurrent diffs
--regex-file=<STR> Path to regex file for external regex matching
--since=<STR> Commit to stop at
--b64Entropy=<INT> Base64 entropy cutoff (default is 70)
--hexEntropy=<INT> Hex entropy cutoff (default is 40)
Expand Down Expand Up @@ -97,13 +104,6 @@ docker build -t gitleaks .
docker run --rm --name=gitleaks gitleaks https://github.com/zricethezav/gitleaks
```

### cypherphunky
##### Support
BTC: 1H2rSXDJZxWcTk2Ugr5P9r9m93m2NhL4xj

BCH: qp4mdaef04g5d0xpgecx78fmruk6vgl4pgqtetrl9h

ETH: 0xe48b4Fce6A1C1a9C780376032895b06b1709AddF

LTC: LRhDzMyGos5CtZMoSTEx5rdLksPUwSrtuz

s/o to @jlakowski for the gimp skillz
26 changes: 25 additions & 1 deletion checks.go
Expand Up @@ -22,7 +22,6 @@ func doChecks(diff string, commit Commit, repo *Repo) []Leak {
file = line[idx[1]:]
}
}

for leakType, re := range regexes {
match = re.FindString(line)
if len(match) == 0 ||
Expand All @@ -44,6 +43,31 @@ func doChecks(diff string, commit Commit, repo *Repo) []Leak {
}
leaks = append(leaks, leak)
}

// Check for external regex matches
if externalRegex != nil {
for _, re := range externalRegex {
match = re.FindString(line)
if len(match) == 0 ||
(opts.Strict && containsStopWords(line)) ||
(opts.Entropy && !checkShannonEntropy(line, opts)) {
continue
}

leak = Leak{
Line: line,
Commit: commit.Hash,
Offender: match,
Reason: "match: " + re.String(),
Msg: commit.Msg,
Time: commit.Time,
Author: commit.Author,
File: file,
RepoURL: repo.url,
}
leaks = append(leaks, leak)
}
}
}
return leaks

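Review bot: The `if externalRegex != nil` guard around the new loop in doChecks is redundant — ranging over a nil slice is a no-op — so the block can start directly with `for _, re := range externalRegex {`. The loop body is otherwise a near-verbatim copy of the built-in `regexes` loop above it, differing only in the `Reason` string; a small helper that builds the `Leak` literal from `(line, match, reason, commit, repo, file)` would keep the two paths from drifting apart when a field is added. Both loops consult `opts.Strict` and `opts.Entropy` from what appears to be package-level state rather than a parameter, so the external path is only testable through shared globals. doChecks begins before the first hunk.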
29 changes: 29 additions & 0 deletions checks_test.go
Expand Up @@ -2,6 +2,9 @@ package main

import (
"testing"
"os"
"bufio"
"fmt"
)

func TestCheckRegex(t *testing.T) {
Expand Down Expand Up @@ -29,6 +32,32 @@ func TestCheckRegex(t *testing.T) {
}
}

func TestExternalRegex(t *testing.T) {
opts, err := defaultOptions()
if err != nil {
t.Error()
}
file, err := os.Create("testregex.txt")
if err != nil {
t.Error()
}
defer file.Close()

w := bufio.NewWriter(file)
fmt.Fprintln(w, "AKIA[0-9A-Z]{16}")
w.Flush()

opts.RegexFile = "testregex.txt"
opts.loadExternalRegex()
leaks := doChecks("aws=\"AKIALALEMEL33243OLIAE",
Commit{}, &Repo{url:"someurl"})
if len(leaks) != 2 {
// leak from default regex, leak from external
t.Error()
}
os.Remove("testregex.txt")
}

func TestEntropy(t *testing.T) {
var enoughEntropy bool
opts := &Options{
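Review bot: `opts.loadExternalRegex()` on the line after `opts.RegexFile = "testregex.txt"` discards its error, so a failure to open or compile the fixture surfaces only as a confusing leak-count mismatch; check it with `if err := opts.loadExternalRegex(); err != nil { t.Fatal(err) }`. The earlier `t.Error()` calls after `defaultOptions()` and `os.Create` likewise carry no message and let the test continue with a nil `file`; `t.Fatalf("create fixture: %v", err)` stops at the real cause. Because loadExternalRegex appends to the package-level `externalRegex`, the `AKIA[0-9A-Z]{16}` pattern stays registered for every test that runs afterwards in this package, making results order-dependent; add `defer func() { externalRegex = nil }()` after loading. Writing the fixture into the working directory can clobber a real `testregex.txt`, and `os.Remove` runs before the deferred `file.Close()`; a temp file (`ioutil.TempFile`) closed before removal avoids both.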
3 changes: 2 additions & 1 deletion main.go
Expand Up @@ -18,6 +18,7 @@ const ExitLeaks = 2
// package globals
var (
regexes map[string]*regexp.Regexp
externalRegex []*regexp.Regexp
stopWords []string
base64Chars string
hexChars string
Expand All @@ -38,7 +39,7 @@ func init() {
regexes = map[string]*regexp.Regexp{
"PKCS8": regexp.MustCompile("-----BEGIN PRIVATE KEY-----"),
"RSA": regexp.MustCompile("-----BEGIN RSA PRIVATE KEY-----"),
"DSA": regexp.MustCompile("-----BEGIN DSA PRIVATE KEY-----"),
"DSA": regexp.MustCompile("-----BEGIN DSA PRIVATE KEY-----"),
"SSH": regexp.MustCompile("-----BEGIN OPENSSH PRIVATE KEY-----"),
"Facebook": regexp.MustCompile("(?i)facebook.*['\"][0-9a-f]{32}['\"]"),
"Twitter": regexp.MustCompile("(?i)twitter.*['\"][0-9a-zA-Z]{35,44}['\"]"),
30 changes: 28 additions & 2 deletions options.go
Expand Up @@ -7,6 +7,7 @@ import (
"regexp"
"strconv"
"strings"
"bufio"
)

const usage = `
Expand Down Expand Up @@ -52,6 +53,7 @@ type Options struct {
Tmp bool
Token string
Verbose bool
RegexFile string
}

// help prints the usage string and exits
Expand Down Expand Up @@ -174,6 +176,8 @@ func (opts *Options) parseOptions(args []string) error {
opts.HexEntropyCutoff = value
} else if match, value := opts.optInt(arg, "--concurrency="); match {
opts.Concurrency = value
} else if match, value := opts.optString(arg, "--regex-file="); match {
opts.RegexFile = value
} else if i == len(args)-1 {
if opts.LocalMode {
opts.RepoPath = filepath.Clean(args[i])
Expand All @@ -192,7 +196,14 @@ func (opts *Options) parseOptions(args []string) error {
}
}

// TODO cleanup this logic
if opts.RegexFile != "" {
err := opts.loadExternalRegex()
if err != nil {
return fmt.Errorf("unable to load regex from file %s: %v",
opts.RegexFile, err)
}
}

if !opts.RepoMode && !opts.UserMode && !opts.OrgMode && !opts.LocalMode {
if opts.URL != "" {
opts.RepoMode = true
Expand Down Expand Up @@ -223,6 +234,22 @@ func (opts *Options) parseOptions(args []string) error {
return err
}

// loadExternalRegex
func (opts *Options) loadExternalRegex() error {
file, err := os.Open(opts.RegexFile)
if err != nil {
return err
}
defer file.Close()

scanner := bufio.NewScanner(file)
for scanner.Scan() {
externalRegex = append(externalRegex, regexp.MustCompile(scanner.Text()))
}

return nil
}

// failF prints a failure message out to stderr, displays help
// and exits with a exit code 2
func (opts *Options) failF(format string, args ...interface{}) {
Expand Down Expand Up @@ -251,7 +278,6 @@ func (opts *Options) guards() error {
} else if opts.ClonePath != "" && opts.Tmp {
return fmt.Errorf("Cannot run Gitleaks with --clone-path set and temporary repo\n")
}

return nil
}

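Review bot: `regexp.MustCompile(scanner.Text())` in the new loadExternalRegex panics on the first malformed line of a user-supplied file, so the function's `return err` path and the `fmt.Errorf("unable to load regex from file %s: %v", …)` wrapper in parseOptions are never reached for the most likely failure, a bad pattern. Use `regexp.Compile`, return the error with its line number, and return `scanner.Err()` instead of `nil` so a read error or an over-long line (bufio.Scanner's default token limit) is not silently dropped. The method also appends to the package-level `externalRegex` on every call, so invoking it twice registers every pattern twice; the rewrite below documents that in the doc comment, which currently reads only `// loadExternalRegex`.

```go
// loadExternalRegex compiles one regular expression per line of opts.RegexFile
// and appends the results to the package-level externalRegex slice. Patterns
// from repeated calls accumulate; an invalid pattern or read error is returned
// rather than panicking.
func (opts *Options) loadExternalRegex() error {
	file, err := os.Open(opts.RegexFile)
	if err != nil {
		return err
	}
	defer file.Close()

	scanner := bufio.NewScanner(file)
	for lineNo := 1; scanner.Scan(); lineNo++ {
		re, err := regexp.Compile(scanner.Text())
		if err != nil {
			return fmt.Errorf("line %d: %v", lineNo, err)
		}
		externalRegex = append(externalRegex, re)
	}
	return scanner.Err()
}
```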
5 changes: 3 additions & 2 deletions owner_test.go
Expand Up @@ -15,11 +15,12 @@ func TestOwnerPath(t *testing.T) {
if pwd != p {
t.Error()
}
opts.ClonePath = "test"
opts.ClonePath = "gitleaksTestClonePath"
p, err = ownerPath("nameToIgnore")
if p != "test" {
if p != "gitleaksTestClonePath" {
t.Error()
}
os.Remove("gitleaksTestClonePath")
}

func TestNewOwner(t *testing.T) {