
Dotgit bug (#488)

* fix allowlist bug

* Adding new repo for testing allowlisting

* adding additional constraints on the dotgit regex
Zachary Rice il y a 5 ans
Parent
commit
f036dce6ab

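--- a/config/allowlist.go
+++ b/config/allowlist.go
@@ -4,6 +4,10 @@ import (
 	"regexp"
 )
 
+// used for ignoring .git directories when the --no-git flag is set
+// related issue: https://github.com/zricethezav/gitleaks/issues/486
+const dotGit = `\.git/`
+
 // AllowList is struct containing items that if encountered will allowlist
 // a commit/line of code that would be considered a leak.
 type AllowList struct {
@@ -45,9 +49,9 @@ func (a *AllowList) RepoAllowed(repo string) bool {
 	return anyRegexMatch(repo, a.Repos)
 }
 
-// IgnoreDotGit appends a `.git$` rule to ignore all .git paths. This is used for --no-git scans
+// IgnoreDotGit appends a `\.git` rule to ignore all .git paths. This is used for --no-git scans
 func (a *AllowList) IgnoreDotGit() error {
-	re, err := regexp.Compile(".git")
+	re, err := regexp.Compile(dotGit)
 	if err != nil {
 		return err
 	}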
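Review bot: The new `dotGit` pattern `\.git/` is unanchored and hard-codes the forward slash, so the allowlist added by `IgnoreDotGit` also skips any path that merely contains `.git/` inside a longer name (a bare `repo.git/` checkout, for instance), and it presumably would not match `.git\` if the `--no-git` walk yields OS-native separators on Windows. Because an allowlist entry silently removes files from the secrets scan, an over-broad match is a false-negative risk rather than a cosmetic one. Anchoring to a separator on both sides, ``const dotGit = `(^|[\\/])\.git[\\/]` ``, keeps `.gitignore` and `gitfile.txt` flagged as the new test data expects while limiting the exclusion to the actual `.git` directory. The doc comment on `IgnoreDotGit` now reads `\.git` while the constant is `\.git/`; the two should agree. The body of `IgnoreDotGit` continues past the end of the hunk.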

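--- a/test_data/test_allow_list_docx_no_git.json
+++ b/test_data/test_allow_list_docx_no_git.json
@@ -1,4 +1,20 @@
 [
+ {
+  "line": "",
+  "lineNumber": 1,
+  "offender": "Filename or path offender: ../test_data/test_repos/test_repo_10/.gitignore",
+  "commit": "",
+  "repo": "",
+  "repoURL": "",
+  "leakURL": "",
+  "rule": "Block dangerous filetypes",
+  "commitMessage": "",
+  "author": "",
+  "email": "",
+  "file": "../test_data/test_repos/test_repo_10/.gitignore",
+  "date": "0001-01-01T00:00:00Z",
+  "tags": "key, extensions"
+ },
  {
   "line": "",
   "lineNumber": 1,
@@ -14,5 +30,21 @@
   "file": "../test_data/test_repos/test_repo_10/bad.zip",
   "date": "0001-01-01T00:00:00Z",
   "tags": "key, extensions"
+ },
+ {
+  "line": "",
+  "lineNumber": 1,
+  "offender": "Filename or path offender: ../test_data/test_repos/test_repo_10/gitfile.txt",
+  "commit": "",
+  "repo": "",
+  "repoURL": "",
+  "leakURL": "",
+  "rule": "Block dangerous filetypes",
+  "commitMessage": "",
+  "author": "",
+  "email": "",
+  "file": "../test_data/test_repos/test_repo_10/gitfile.txt",
+  "date": "0001-01-01T00:00:00Z",
+  "tags": "key, extensions"
  }
 ]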

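--- a/test_data/test_configs/allowlist_docx.toml
+++ b/test_data/test_configs/allowlist_docx.toml
@@ -1,6 +1,6 @@
 [[rules]]
 	description = "Block dangerous filetypes"
-	file = '''(.*?)(pdf|doc|docx|zip|xls|tfplan|tfstate|tfvars|vault_pass|vagrant|pyc|key|cache)$'''
+	file = '''(.*?)(gitfile.txt|gitignore|pdf|doc|docx|zip|xls|tfplan|tfstate|tfvars|vault_pass|vagrant|pyc|key|cache)$'''
 	tags = ["key", "extensions"]
 	[rules.allowlist]
 		paths = ['''.docx''']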

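--- a/test_data/test_repos/test_repo_10/.gitignore
+++ b/test_data/test_repos/test_repo_10/.gitignore
@@ -0,0 +1 @@
+a dot git ignore file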

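--- a/test_data/test_repos/test_repo_10/gitfile.txt
+++ b/test_data/test_repos/test_repo_10/gitfile.txt
@@ -0,0 +1 @@
+a git file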