-
-
Save czardoz/b8bb58ad10f4063209bd to your computer and use it in GitHub Desktop.
#!/usr/bin/env bash | |
if git rev-parse --verify HEAD >/dev/null 2>&1 | |
then | |
against=HEAD | |
else | |
# Initial commit: diff against an empty tree object | |
EMPTY_TREE=$(git hash-object -t tree /dev/null) | |
against=$EMPTY_TREE | |
fi | |
# Redirect output to stderr. | |
exec 1>&2 | |
# Check changed files for an AWS keys | |
FILES=$(git diff --cached --name-only $against) | |
if [ -n "$FILES" ]; then | |
KEY_ID=$(grep -E --line-number '[^A-Z0-9][A-Z0-9]{20}[^A-Z0-9]' $FILES) | |
KEY=$(grep -E --line-number '[^A-Za-z0-9/+=][A-Za-z0-9/+=]{40}[^A-Za-z0-9/+=]' $FILES) | |
if [ -n "$KEY_ID" ] || [ -n "$KEY" ]; then | |
exec < /dev/tty # Capture input | |
echo "=========== Possible AWS Access Key IDs ===========" | |
echo "${KEY_ID}" | |
echo "" | |
echo "=========== Possible AWS Secret Access Keys ===========" | |
echo "${KEY}" | |
echo "" | |
while true; do | |
read -p "[AWS Key Check] Possible AWS keys found. Commit files anyway? (y/N) " yn | |
if [ "$yn" = "" ]; then | |
yn='N' | |
fi | |
case $yn in | |
[Yy] ) exit 0;; | |
[Nn] ) exit 1;; | |
* ) echo "Please answer y or n for yes or no.";; | |
esac | |
done | |
exec <&- # Release input | |
fi | |
fi | |
# Normal exit | |
exit 0 |
@smclauch, the KEY_ID
regex you have only matches 20 characters, right?
Yes - the problem with the orignal regex is that [^A-Z0-9] doesn't match EOL (at least not on Windows).
great! but it fails when you try to hide credentials for example AKIA4GQAF5DFSF2MM you add 112312312 at the end of the keyid add numbers and it fails.
This come up for me on google, but the KEY
regexp doesn't really work well for me -- even if you get it not false-negativing too much, just 40 chars in a row of [A-Za-z0-9/+=]
was matching on lots of false positives in my source, like URLs that happened to have components of the right length and such.
So.... I went and looked what git-secrets does. I didn't really want to use git-secrets, I just wanted a simple little script... so I kind of mashed the regexp git-secrets uses by default for AWS_SECRET_KEY_ID -- which looks for the variable name on the line too -- with this script, and did this:
(per 1311543 above, that's not a use-case I care about. This is for preventing devs from accidentally committing keys, not catching people "trying to hide" them).
I had some problems with this using Git under Windows - the problem turned out to be that the regex wasn't matching a key that ended with an end-of-line (which I imagine is fairly common). I got it working by changing the regexes as follows: