gitleak whitelist commit bug demo
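#!/usr/bin/env bash
# Demo: gitleaks "[whitelist] commits" does not suppress a leak in the root commit.
#
# Steps:
#   1. Build a throwaway repo with two leaking commits (SECRET, PASSWORD).
#   2. Run gitleaks with a rule matching both -> expect two leaks.
#   3. Whitelist the first (root) and last commit, run again -> expect zero leaks.
#
# pushd/popd are bash builtins, so the shebang is bash rather than /bin/sh.
# gitleaks.toml is written into the current directory and left there for inspection.
# Requires: git, gitleaks, mktemp. The script exits with the status of the second
# gitleaks run, so a non-zero exit means the whitelist did not take effect.
set -u
# Deliberately not using set -e: gitleaks exits non-zero when it finds leaks,
# and the first scan is *supposed* to find leaks.

for tool in git gitleaks mktemp; do
  command -v "$tool" >/dev/null 2>&1 || { printf 'missing required tool: %s\n' "$tool" >&2; exit 2; }
done

REPO_PATH=$(mktemp -d "/tmp/gittest.XXXXXX") || { printf 'mktemp failed\n' >&2; exit 1; }
# ${REPO_PATH:?} aborts rather than running rm -rf on an empty path.
cleanup() { rm -rf -- "${REPO_PATH:?}"; }
trap cleanup EXIT
printf '====== using REPO_PATH %s =====\n' "$REPO_PATH"

pushd "$REPO_PATH" || exit 1
git init .
git config --local hooks.gitleaks false  # Needed for my local test
echo "SECRET" > README
git add README
git commit -m "Initial commit"
echo "innocuous" >> README
git commit -am "Add something safe"
echo "PASSWORD" >> README
git commit -am "Add another leak"
popd || exit 1

# Quoted delimiter: the rule body contains no shell expansions and must be written literally.
cat >gitleaks.toml <<'END'
[[rules]]
description = "generic secret regex"
regex = '''(SECRET|PASSWORD)'''
tags = ["secret", "example"]
END

printf '====== git leaks should find two leaks =====\n'
gitleaks --repo-path="$REPO_PATH" --config=gitleaks.toml

# Root commit (no parents) and current tip of the throwaway repo.
first=$(git --git-dir="$REPO_PATH/.git" rev-list --max-parents=0 HEAD) || exit 1
last=$(git --git-dir="$REPO_PATH/.git" rev-list --max-count=1 HEAD) || exit 1

# Unquoted delimiter on purpose: $first / $last must expand into the TOML.
cat >>gitleaks.toml <<END
[whitelist]
commits = [
"$first",
"$last"
]
END

printf '====== git leaks should find zero leaks =====\n'
gitleaks --repo-path="$REPO_PATH" --config=gitleaks.toml --verbose --pretty
status=$?
# cleanup runs from the EXIT trap; propagate the second scan's result.
exit "$status"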
$ ./demo.sh | |
====== using REPO_PATH /tmp/gittest.CviCwN ===== | |
/tmp/gittest.CviCwN ~/tmp/gitleak_bug | |
Initialized empty Git repository in /private/tmp/gittest.CviCwN/.git/ | |
[master (root-commit) c60cc34] Initial commit | |
1 file changed, 1 insertion(+) | |
create mode 100644 README | |
[master 898280b] Add something safe | |
1 file changed, 1 insertion(+) | |
[master daa2527] Add another leak | |
1 file changed, 1 insertion(+) | |
~/tmp/gitleak_bug | |
====== git leaks should find two leaks ===== | |
WARN[2020-05-29T08:07:26-04:00] 2 leaks detected. 3 commits audited in 2 milliseconds 595 microseconds | |
====== git leaks should find zero leaks ===== | |
{ | |
"line": "SECRET", | |
"offender": "SECRET", | |
"commit": "c60cc343f4819d867ef2d6ec0b2b699b0f96e2d6", | |
"repo": "gittest.CviCwN", | |
"rule": "generic secret regex", | |
"commitMessage": "Initial commit\n", | |
"author": "Peter Burkholder", | |
"email": "[email protected]", | |
"file": "README", | |
"date": "2020-05-29T08:07:26-04:00", | |
"tags": "secret, example" | |
} | |
WARN[2020-05-29T08:07:26-04:00] 1 leaks detected. 2 commits audited in 4 milliseconds 436 microseconds |