From 3f070d9ec7d1de056d2bf49c8e773bf6bd3a0cad Mon Sep 17 00:00:00 2001
From: Jeremy Greer
Date: Wed, 12 Sep 2018 20:56:25 -0400
Subject: [PATCH] Ignore high-entropy words in whitelist
---
 index.js | 77 +++++++++++++++++++++++++++++++--------------------
 index.test.js | 11 ++++++++
 package.json | 6 ++--
 whitelist | 1 +
 4 files changed, 63 insertions(+), 32 deletions(-)
 create mode 100644 index.test.js
 create mode 100644 whitelist
diff --git a/index.js b/index.js
index bdefd60..4fc67e9 100644
--- a/index.js
+++ b/index.js
@@ -15,42 +15,59 @@ const simpleEntropy = (str) => { }, 0) } -const file = process.argv[2] -if (!file) { - console.error('You need to provide a file as an argument') - process.exit(1) -} +const whitelist = fs.readFileSync(path.resolve(__dirname, './whitelist'), 'utf8').split('\n') -const fullpath = path.isAbsolute(file) ? file : path.join(process.cwd(), file) -if (path.basename(fullpath).startsWith('.env')) { - console.log('Ignoring file', fullpath) - process.exit() +const isWordASecret = (word) => { + if (whitelist.includes(word)) { + return false + } + const entropy = simpleEntropy(word) + if (entropy > 4) { + return true + } } -try { - const source = fs.readFileSync(fullpath, 'utf8') - const lines = source.split('\n') - if (lines[0] && lines[0].includes('findsecrets-ignore-file')) { + +if (require.main !== module) { + module.exports = { + isWordASecret, + } +} else { + const file = process.argv[2] + if (!file) { + console.error('You need to provide a file as an argument') + process.exit(1) + } + + const fullpath = path.isAbsolute(file) ? 
file : path.join(process.cwd(), file) + if (path.basename(fullpath).startsWith('.env')) { + console.log('Ignoring file', fullpath) process.exit() } - const errors = lines.reduce((errors, line, lineNumber) => { - if (line.includes('findsecrets-ignore-line')) { - return errors + try { + const source = fs.readFileSync(fullpath, 'utf8') + const lines = source.split('\n') + if (lines[0] && lines[0].includes('findsecrets-ignore-file')) { + process.exit() } - const words = line.split(/\W+/) - words.forEach(word => { - const entropy = simpleEntropy(word) - if (entropy > 4) { - errors.push(` at line ${lineNumber + 1} ${word.substring(0, word.length / 2 + 1)}...`) + const errors = lines.reduce((errors, line, lineNumber) => { + if (line.includes('findsecrets-ignore-line')) { + return errors } - }, false) - return errors - }, []) - if (errors.length > 0) { - console.error('Found secrets in', fullpath) - errors.forEach(error => console.error(error)) + const words = line.split(/\W+/) + words.forEach(word => { + if (isWordASecret(word)) { + errors.push(` at line ${lineNumber + 1} ${word.substring(0, word.length / 2 + 1)}...`) + } + }, false) + return errors + }, []) + if (errors.length > 0) { + console.error('Found secrets in', fullpath) + errors.forEach(error => console.error(error)) + process.exit(1) + } + } catch (err) { + console.error('Error', err.stack || err.message || String(err)) process.exit(1) } -} catch (err) { - console.error('Error', err.stack || err.message || String(err)) - process.exit(1) }
diff --git a/index.test.js b/index.test.js
new file mode 100644
index 0000000..6a57782
--- /dev/null
+++ b/index.test.js
@@ -0,0 +1,11 @@
+const app = require('./')
+
+describe('isWordASecret', () => {
+ it('should flag these', () => {
+ expect(app.isWordASecret('ZVyyCKt7i2JMtlaJgnYExjRyBlI1KOHbxiDcseWQ9at5uHFvQl')).toBe(true)
+ })
+
+ it('should not flag these', () => {
+ expect(app.isWordASecret('dangerouslySetInnerHTML')).toBe(false)
+ })
+})
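Review bot: `isWordASecret` yields `undefined` rather than `false` for a word that is not whitelisted and has entropy of 4 or below, because control falls off the end after the `if (entropy > 4)` block; the `if (isWordASecret(word))` in the reducer tolerates that, but the function is now an exported API with a `.toBe(false)` test, and any caller comparing with `=== false` misses this case. Replace the trailing block with `return simpleEntropy(word) > 4`. The whitelist is also built with a bare `split('\n')`, so a trailing newline in the file becomes an empty entry (harmless, since `line.split(/\W+/)` produces empty tokens too) and, if the file is ever saved with CRLF endings, every entry keeps a `\r` and no word matches; `.split(/\r?\n/).map((w) => w.trim()).filter(Boolean)` wrapped in `new Set(...)` avoids both and makes the per-word lookup O(1). The hunk begins inside the tail of `simpleEntropy`, whose opening lines are outside it.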
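Review bot: The negative case only exercises the whitelist path, so the low-entropy branch of `isWordASecret` (which currently yields `undefined`, not `false`) has no coverage; add a plain word that is not in the whitelist, e.g. `expect(app.isWordASecret('hello')).toBe(false)`, which would fail until the function returns explicitly. Because `require('./')` loads `index.js`, the test also depends on the `require.main !== module` guard and on the `whitelist` file sitting next to it, which is worth a one-line comment at the top of the file so a future move of either breaks loudly rather than silently.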
diff --git a/package.json b/package.json
index 54383b5..8408f07 100644
--- a/package.json
+++ b/package.json
@@ -4,7 +4,7 @@
 "description": "Prevent pushing secrets to the repository",
 "main": "index.js",
 "scripts": {
- "test": "echo \"Error: no test specified\" && exit 1"
+ "test": "jest"
 },
 "bin": {
 "findsecrets": "./index.js"
@@ -13,5 +13,7 @@
 "author": "Alberto Gimeno ",
 "license": "MIT",
 "dependencies": {},
- "devDependencies": {}
+ "devDependencies": {
+ "jest": "^23.6.0"
+ }
 }
diff --git a/whitelist b/whitelist
new file mode 100644
index 0000000..966af59
--- /dev/null
+++ b/whitelist
@@ -0,0 +1 @@
+dangerouslySetInnerHTML
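Review bot: `"jest": "^23.6.0"` is a caret range and the diffstat shows no lockfile added alongside it, so the dependency tree that `npm test` installs is not reproducible across machines or over time; for a tool whose purpose is to gate what gets pushed, commit a `package-lock.json` (or pin the exact version) so the resolved tree is reviewable. If a lockfile already exists in the repository outside this diff, this is moot.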