@kuritka
Last active February 1, 2022 16:22

commit-msg: a hook that stops commits whose message contains sensitive information

Sometimes people accidentally push information from inside the organization to a public GitHub repository: a hostname, an IP address, a proxy address and so on. It can sit in the commit message itself, and by the time a reviewer notices it the message is already in the public history, where removing it means rewriting and force-pushing.

For this reason I created a git hook (a short snippet that runs locally in your clone) that warns you before the commit is created if it finds such information in the message. It is a local safety net, not an enforcement point: hooks in .git/hooks are not versioned, `git commit --no-verify` skips them, and this one inspects only the message, not the staged file contents.

An example of a commit message that should be caught:

I'm setting proxy to proxy.cloud.aws.cto00.co.uk:3128
We need to connect into 10.0.0.128 (cloud.net.something.co.za) from my POD.

Here is what I expect the hook to show for it: [screenshot, 2022-02-01, not reproduced here]

All I need is to create a git hook in the clone of the project I want to protect and give it execute permission:

cat <<'EOF' > ./.git/hooks/commit-msg
#!/bin/bash
# commit-msg hook: git passes the path of the file holding the proposed message as $1

YELLOW="\033[1;93m"
CYAN="\033[0;96m"
WHITE="\033[0;97m"
NC="\033[0m"

INPUT_FILE_PATH=$1
# dotted-quad IPv4 address with every octet in 0-255
IPADDR=$(grep -oE "\b(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\b" "$INPUT_FILE_PATH")
# hostnames under the internal domain; the dots are escaped so "co.za" is matched literally
INTERNAL_HOST=$(grep -iwo "\b[.a-z0-9-]*\.co\.za\b" "$INPUT_FILE_PATH")
# host:port pairs on the usual proxy ports
PROXY_3128=$(grep -iwo "\b[.a-z0-9-]*:3128\b" "$INPUT_FILE_PATH")
PROXY_8080=$(grep -iwo "\b[.a-z0-9-]*:8080\b" "$INPUT_FILE_PATH")
if [[ -n $IPADDR || -n $INTERNAL_HOST || -n $PROXY_3128 || -n $PROXY_8080 ]]
then
    echo -e "$YELLOW Sensitive information found: $NC"
    echo -e "$CYAN - $IPADDR $INTERNAL_HOST $PROXY_3128 $PROXY_8080 $YELLOW"
    # stdin is not the terminal when git runs a hook, so read the answer from /dev/tty
    read -p " You're about to COMMIT, is that what you intended? [y|n]" -n 1 -r < /dev/tty
    echo -e "$NC"
    if [[ $REPLY =~ ^[Yy]$ ]]
    then
        exit 0 # commit will execute
    fi
    echo -e "$WHITE The message of the cancelled commit can be found in the $CYAN$1$WHITE file$NC"
    exit 1 # commit will not execute
fi
exit 0 # commit will execute
EOF

# don't forget execute permissions
chmod +x ./.git/hooks/commit-msg
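The detection logic of the hook above, factored into functions so it can be exercised against sample messages without actually committing, as an added example written for this page (bash, not code from the gist). It generalizes the hook slightly: the internal domain suffixes and proxy ports are lists, and the `#` comment lines that git adds to the message template (branch, status, and the diff shown by `git commit -v`) are dropped before scanning, because the commit-msg hook sees them and git only strips them afterwards. The domain list, the ports and the two sample messages are constructed for illustration.

```bash
#!/bin/bash
# Added example, not code from the original gist: the hook's checks as
# functions that can be run against sample messages. INTERNAL_DOMAINS and
# PROXY_PORTS are assumed values; set them to your own environment.

# Regex fragments; dots are escaped so "co.za" cannot match "cobza".
INTERNAL_DOMAINS="${INTERNAL_DOMAINS:-co\.za corp\.example}"
PROXY_PORTS="${PROXY_PORTS:-3128 8080}"
OCTET='([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])'
IPV4_RE="($OCTET\.){3}$OCTET"

# Print one "kind: value" line per finding in FILE, deduplicated.
# Comment lines are removed first: git passes the message file to the
# commit-msg hook before it strips the '#' template lines, so the status
# text or a 'git commit -v' diff would otherwise be scanned as well.
scan_commit_msg() {
    local file=$1 body dom port
    body=$(sed '/^#/d' "$file")
    {
        printf '%s\n' "$body" | grep -oEw "$IPV4_RE" | sed 's/^/ip: /'
        for dom in $INTERNAL_DOMAINS; do
            printf '%s\n' "$body" | grep -oEiw "[a-z0-9.-]+\.$dom" | sed 's/^/host: /'
        done
        for port in $PROXY_PORTS; do
            printf '%s\n' "$body" | grep -oEiw "[a-z0-9.-]+:$port" | sed 's/^/proxy: /'
        done
    } | sort -u
}

# Return 0 when FILE is clean, 1 (with a report on stderr) when it needs review.
check_commit_msg() {
    local findings
    findings=$(scan_commit_msg "$1")
    [ -z "$findings" ] && return 0
    printf 'Sensitive information found in %s:\n%s\n' "$1" "$findings" >&2
    return 1
}

# Constructed sample messages (hosts and addresses are illustrative, not real).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/leaky" <<'MSG'
Fix proxy config

I'm setting proxy to proxy.cloud.aws.cto00.co.uk:3128
We need to connect into 10.0.0.128 (cloud.net.something.co.za) from my POD.
# Please enter the commit message for your changes. Lines starting
# with '#' will be ignored; an address like 192.168.1.1 here is not flagged.
MSG

cat > "$tmpdir/clean" <<'MSG'
Bump dependency to 1.22.3; see RFC 1918 notes
MSG

check_commit_msg "$tmpdir/leaky" || echo "leaky message would be blocked"
check_commit_msg "$tmpdir/clean" && echo "clean message passes"
```

To turn this into the hook itself, keep the functions and replace the sample section with `check_commit_msg "$1" || exit 1`, optionally preceded by the same `/dev/tty` confirmation prompt as above.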

shared hooks

A hook can also be shared across all repositories on a machine by pointing core.hooksPath at a directory outside any repository. Here's how to do it.

Writing under /etc/ requires sudo; the hooks can just as well live somewhere else, such as ~/.git-hooks. Note that once core.hooksPath is set, git no longer looks in the repository's own .git/hooks, so any repository-local hooks stop running unless the shared hook calls them itself.

mkdir -p /etc/git/hooks
cat <<'EOF' > /etc/git/hooks/commit-msg
...
EOF
chmod +x /etc/git/hooks/commit-msg
git config --global core.hooksPath /etc/git/hooks