use tag version
fix linting
TheFox0x7 committed Apr 16, 2025
commit bd6ae403a12656f811bbf3b66dafcbe2ed4ea69b
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -348,4 +348,4 @@ exclude github.com/goccy/go-json v0.4.11

exclude github.com/satori/go.uuid v1.2.0

replace github.com/zricethezav/gitleaks/v8 => github.com/TheFox0x7/gitleaks/v8 v8.0.0-20250416161107-ce27b3ebd696
replace github.com/zricethezav/gitleaks/v8 => github.com/TheFox0x7/gitleaks/v8 v8.24.4-patch-gitea
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -83,8 +83,8 @@ github.com/RoaringBitmap/roaring v1.9.4 h1:yhEIoH4YezLYT04s1nHehNO64EKFTop/wBhxv
github.com/RoaringBitmap/roaring v1.9.4/go.mod h1:6AXUsoIEzDTFFQCe1RbGA6uFONMhvejWj5rqITANK90=
github.com/SaveTheRbtz/zstd-seekable-format-go/pkg v0.7.3 h1:BP0HiyNT3AQEYi+if3wkRcIdQFHtsw6xX3Kx0glckgA=
github.com/SaveTheRbtz/zstd-seekable-format-go/pkg v0.7.3/go.mod h1:hMNtySovKkn2gdDuLqnqveP+mfhUSaBdoBcr2I7Zt0E=
github.com/TheFox0x7/gitleaks/v8 v8.0.0-20250416161107-ce27b3ebd696 h1:HLdcIxXpEGZ1IrqAiQ+ExvAiUBSVPn1xCcmAmR0zaeI=
github.com/TheFox0x7/gitleaks/v8 v8.0.0-20250416161107-ce27b3ebd696/go.mod h1:D3AhHRLVp0DigFQNxAgHcQks8EbF7wCZanT/UbGd0Jo=
github.com/TheFox0x7/gitleaks/v8 v8.24.4-patch-gitea h1:VMXSHOeB5t4e3Hqet9GSTx5oULskEp7dV2i0/cgEhd4=
github.com/TheFox0x7/gitleaks/v8 v8.24.4-patch-gitea/go.mod h1:D3AhHRLVp0DigFQNxAgHcQks8EbF7wCZanT/UbGd0Jo=
github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
github.com/alecthomas/chroma/v2 v2.2.0/go.mod h1:vf4zrexSH54oEjJ7EdB65tGNHmH3pGZmVkgTP5RHvAs=
24 changes: 9 additions & 15 deletions routers/private/hook_pre_receive.go
Expand Up @@ -25,6 +25,7 @@ import (
"code.gitea.io/gitea/modules/web"
gitea_context "code.gitea.io/gitea/services/context"
pull_service "code.gitea.io/gitea/services/pull"

"github.com/gitleaks/go-gitdiff/gitdiff"
"github.com/zricethezav/gitleaks/v8/cmd/scm"
gitleaks "github.com/zricethezav/gitleaks/v8/detect"
Expand Down Expand Up @@ -121,7 +122,7 @@ func HookPreReceive(ctx *gitea_context.PrivateContext) {
newCommitID := opts.NewCommitIDs[i]
refFullName := opts.RefFullNames[i]

preReceiveSecrets(ourCtx, oldCommitID, newCommitID, refFullName)
preReceiveSecrets(ourCtx, oldCommitID, newCommitID)
switch {
case refFullName.IsBranch():
preReceiveBranch(ourCtx, oldCommitID, newCommitID, refFullN 1014D ame)
Expand Down Expand Up @@ -542,7 +543,7 @@ func (ctx *preReceiveContext) loadPusherAndPermission() bool {
}

// checks commits for secrets
func preReceiveSecrets(ctx *preReceiveContext, oldCommitID, newCommitID string, refFullName git.RefName) {
func preReceiveSecrets(ctx *preReceiveContext, oldCommitID, newCommitID string) {
detector, err := gitleaks.NewDetectorDefaultConfig()
if err != nil {
ctx.Status(http.StatusTeapot)
Expand All @@ -551,22 +552,20 @@ func preReceiveSecrets(ctx *preReceiveContext, oldCommitID, newCommitID string,

repo := ctx.Repo.Repository
out, _, err := git.NewCommand("diff", "-U0").AddDynamicArguments(oldCommitID, newCommitID).RunStdBytes(ctx, &git.RunOpts{Dir: repo.RepoPath(), Env: ctx.env})
// r, w, err := os.Pipe()
if err != nil {
ctx.Status(http.StatusTeapot)
return
}
log.Info("done with diff")
giteaCmd, err := newPreRecieveDiff(bytes.NewReader(out))
log.Info("crerated cmd!")
giteaCmd, err := newPreReceiveDiff(bytes.NewReader(out))
if err != nil {
log.Info("look! a wild error! %v", err)
ctx.Status(http.StatusTeapot)
return
}
log.Info("running the detector!")
findings, err := detector.DetectGit(giteaCmd, gitleaks.NewRemoteInfo(scm.GitHubPlatform, repo.Website))
log.Info("done!")
if err != nil {
ctx.Status(http.StatusTeapot)
return
}
if len(findings) != 0 {
msg := strings.Builder{}
msg.WriteString("This repository has secret detection enabled! Following secrets were detected:\n\n")
Expand All @@ -578,26 +577,21 @@ func preReceiveSecrets(ctx *preReceiveContext, oldCommitID, newCommitID string,
}

ctx.JSON(http.StatusForbidden, private.Response{UserMsg: msg.String()})

}
return

}

type giteacmd struct {
diffCh <-chan *gitdiff.File
errCh <-chan error
}

func newPreRecieveDiff(r io.Reader) (*giteacmd, error) {
func newPreReceiveDiff(r io.Reader) (*giteacmd, error) {
diffCh, err := gitdiff.Parse(r)
if err != nil {
return nil, err
}
return &giteacmd{
diffCh: diffCh,
}, nil

}

// DiffFilesCh implements sources.Git.
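Review bot: Every failure path in preReceiveSecrets still answers with a bare `ctx.Status(http.StatusTeapot)`, and this commit removes the only log lines around them, so a detector, diff or parse error now rejects the push with no message to the pusher and nothing in the server log; the other hook helpers in this file report through `private.Response`, so these should become `log.Error("secret scan: %v", err)` followed by `ctx.JSON(http.StatusInternalServerError, private.Response{Err: err.Error()})`. Scanning `git diff -U0 oldCommitID newCommitID` also checks only the net change of the push, so a secret committed and removed again within the same push never reaches the detector although it remains in history — scanning each commit of the range would close that gap (and oldCommitID is presumably the all-zero ID on a new branch, where that diff command fails; worth confirming). Since HookPreReceive continues into the `switch` after the call, a 403 written here is presumably followed by a second write from preReceiveBranch unless the loop checks ctx.Written(); that check is outside the hunk. In newPreReceiveDiff the errCh field is never set, so the ErrCh method (outside the hunk) hands the detector a nil channel; if DetectGit receives from it after diffCh closes, that receive blocks forever — confirm against the detector, or give it a closed channel.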