
  1. package main
  2. import (
  3. _ "fmt"
  4. "github.com/nbutton23/zxcvbn-go"
  5. "os/exec"
  6. "strings"
  7. )
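// checkDiff runs `git diff commit1 commit2` and returns the diff lines that
// look like leaked secrets: lines matching one of the package-level regexes
// (checkRegex) whose assigned value also passes checkEntropy. Results for a
// commit pair are memoised in the package-level cache, so a repeated call for
// the same pair returns an empty slice. A git failure is treated as "no
// leaks"; the error is not surfaced to the caller (best effort, as before).
//
// commit1 and commit2 are git revisions, older one first. A revision that
// starts with "-" is refused before it reaches git, so it cannot be parsed
// as a command-line option; no valid revision begins with "-".
func checkDiff(commit1 string, commit2 string) []string {
	if strings.HasPrefix(commit1, "-") || strings.HasPrefix(commit2, "-") {
		return []string{}
	}
	// Keep the two revisions separable in the cache key: plain concatenation
	// maps ("ab","c") and ("a","bc") to the same entry. A revision can never
	// contain a NUL byte, so the separator is unambiguous.
	// NOTE(review): cache is declared elsewhere; if other code looks entries
	// up by the old concatenated key, that code must be adjusted too.
	key := commit1 + "\x00" + commit2
	if _, seen := cache[key]; seen {
		return []string{}
	}
	out, err := exec.Command("git", "diff", commit1, commit2).Output()
	if err != nil {
		// Not cached on failure, so a later call for the same pair can retry.
		return []string{}
	}
	cache[key] = true
	lines := checkRegex(string(out))
	if len(lines) == 0 {
		return []string{}
	}
	var leaks []string
	for _, line := range lines {
		if checkEntropy(line) {
			leaks = append(leaks, line)
		}
	}
	return leaks
}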
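// checkRegex splits diff into lines and returns every line that matches at
// least one of the package-level regexes. Empty lines and lines longer than
// 80 bytes are skipped: a leaked credential is unlikely to sit on a very long
// line, and skipping them keeps the regex pass cheap. A matching line is
// reported exactly once, however many regexes match it.
//
// [1] https://people.eecs.berkeley.edu/~rohanpadhye/files/key_leaks-msr15.pdf
func checkRegex(diff string) []string {
	var results []string
	for _, line := range strings.Split(diff, "\n") {
		// len is a byte count, not a rune count, matching the previous bound.
		if len(line) == 0 || len(line) > 80 {
			continue
		}
		for _, re := range regexes {
			// FindString is kept (rather than MatchString) so that a regex
			// which only matches the empty string still counts as no match.
			if m := re.FindString(line); m != "" {
				// One hit is enough; stop so the line is not appended once
				// per matching regex.
				results = append(results, line)
				break
			}
		}
	}
	return results
}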
// checkEntropy reports whether target looks like an assignment whose
// right-hand side carries enough entropy to be a secret. The line must match
// assignRegex; the text after that match, with surrounding spaces trimmed, is
// scored with zxcvbn. Values longer than 70 bytes are rejected outright, and
// the result is true only when the zxcvbn entropy exceeds 70.
//
// TODO remove stop words: setting(s), config(s), property(s), etc.
func checkEntropy(target string) bool {
	loc := assignRegex.FindStringIndex(target)
	if loc == nil {
		return false
	}
	// TODO check for stop words here
	value := strings.Trim(target[loc[1]:], " ")
	if len(value) > 70 {
		return false
	}
	// entropy := shannonEntropy(value)
	// tune this/make option
	return zxcvbn.PasswordStrength(value, nil).Entropy > 70
}