LBP
/
gitleaks
espejo de https://github.com/gitleaks/gitleaks.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810
							package main

import (
	"context"
	"crypto/md5"
	"encoding/json"
	"fmt"
	"io/ioutil"
	"net/http"
	"os"
	"os/user"
	"path"
	"regexp"
	"strings"
	"sync"

	"gopkg.in/src-d/go-git.v4/plumbing"

	"golang.org/x/oauth2"
	"gopkg.in/src-d/go-git.v4/plumbing/object"
	"gopkg.in/src-d/go-git.v4/plumbing/transport/ssh"
	"gopkg.in/src-d/go-git.v4/storage/memory"

	"github.com/BurntSushi/toml"
	"github.com/google/go-github/github"
	flags "github.com/jessevdk/go-flags"
	log "github.com/sirupsen/logrus"
	git "gopkg.in/src-d/go-git.v4"
)

// Leak represents a leaked secret or regex match. This will be output to stdout and/or the report
type Leak struct {
	Line     string `json:"line"`
	Commit   string `json:"commit"`
	Offender string `json:"offender"`
	Type     string `json:"reason"`
	Message  string `json:"commitMsg"`
	Author   string `json:"author"`
	File     string `json:"file"`
	Branch   string `json:"branch"`
}

// Repo contains the actual git repository and meta data about the repo
type Repo struct {
	path       string
	url        string
	name       string
	leaks      []Leak
	repository *git.Repository
}

// Owner contains a collection of repos. This could represent an org or user.
type Owner struct {
	path  string
	url   string
	repos []Repo
}

// Options for gitleaks
type Options struct {
	// remote target options
	Repo           string `short:"r" long:"repo" description:"Repo url to audit"`
	GithubUser     string `long:"github-user" description:"User url to audit"`
	GithubOrg      string `long:"github-org" description:"Organization url to audit"`
	IncludePrivate bool   `short:"p" long:"private" description:"Include private repos in audit"`

	/*
		TODO:
		GitLabUser string `long:"gitlab-user" description:"User url to audit"`
		GitLabOrg  string `long:"gitlab-org" description:"Organization url to audit"`
	*/

	Branch string `short:"b" long:"branch" description:"branch name to audit (defaults to HEAD)"`
	Commit string `short:"c" long:"commit" description:"sha of commit to stop at"`

	// local target option
	RepoPath  string `long:"repo-path" description:"Path to repo"`
	OwnerPath string `long:"owner-path" description:"Path to owner directory (repos discovered)"`

	// Process options
	MaxGoRoutines int    `long:"max-go" description:"Maximum number of concurrent go-routines gitleaks spawns"`
	InMem         bool   `short:"m" long:"in-memory" description:"Run gitleaks in memory"`
	AuditAllRefs  bool   `long:"all-refs" description:"run audit on all refs"`
	SingleSearch  string `long:"single-search" description:"single regular expression to search for"`
	ConfigPath    string `long:"config" description:"path to gitleaks config"`
	SSHKey        string `long:"ssh-key" description:"path to ssh key"`
	// TODO: IncludeMessages  string `long:"messages" description:"include commit messages in audit"`

	// Output options
	Log     string `short:"l" long:"log" description:"log level"`
	Verbose bool   `short:"v" long:"verbose" description:"Show verbose output from gitleaks audit"`
	Report  string `long:"report" description:"path to write report file"`
	Redact  bool   `long:"redact" description:"redact secrets from log messages and report"`
}

// Config struct for regexes matching and whitelisting
type Config struct {
	Regexes []struct {
		Description string
		Regex       string
	}
	Whitelist struct {
		Files    []string
		Regexes  []string
		Commits  []string
		Branches []string
	}
}

const defaultConfig = `
title = "gitleaks config"
# add regexes to the regex table
[[regexes]]
description = "AWS"
regex = '''AKIA[0-9A-Z]{16}'''
[[regexes]]
description = "RKCS8"
regex = '''-----BEGIN PRIVATE KEY-----'''
[[regexes]]
description = "RSA"
regex = '''-----BEGIN RSA PRIVATE KEY-----'''
[[regexes]]
description = "Github"
regex = '''(?i)github.*['\"][0-9a-zA-Z]{35,40}['\"]'''
[[regexes]]
description = "SSH"
regex = '''-----BEGIN OPENSSH PRIVATE KEY-----'''
[[regexes]]
description = "Facebook"
regex = '''(?i)facebook.*['\"][0-9a-f]{32}['\"]'''
[[regexes]]
description = "Twitter"
regex = '''(?i)twitter.*['\"][0-9a-zA-Z]{35,44}['\"]'''

[whitelist]

#regexes = [
#  "AKAIMYFAKEAWKKEY",
#]

#files = [
#  "(.*?)(jpg|gif|doc|pdf|bin)$"
#]

#commits = [
#  "BADHA5H1",
#  "BADHA5H2",
#]

#branches = [
#	"dev/STUPDIFKNFEATURE"
#]
`

var (
	opts              Options
	regexes           map[string]*regexp.Regexp
	singleSearchRegex *regexp.Regexp
	whiteListRegexes  []*regexp.Regexp
	whiteListFiles    []*regexp.Regexp
	whiteListCommits  map[string]bool
	whiteListBranches []string
	fileDiffRegex     *regexp.Regexp
	sshAuth           *ssh.PublicKeys
	dir               string
)

func init() {
	log.SetOutput(os.Stdout)
	regexes = make(map[string]*regexp.Regexp)
	whiteListCommits = make(map[string]bool)
}

func main() {
	var (
		leaks []Leak
		repos []Repo
	)
	_, err := flags.Parse(&opts)
	if err != nil {
		os.Exit(1)
	}
	setLogLevel()

	err = optsGuard()
	if err != nil {
		log.Fatal(err)
	}

	err = loadToml()
	if err != nil {
		log.Fatal(err)
	}

	if opts.IncludePrivate {
		// if including private repos use ssh as authentication
		sshAuth, err = getSSHAuth()
		if err != nil {
			log.Fatal(err)
		}
	}

	if !opts.InMem {
		// temporary directory where all the gitleaks plain clones will reside
		dir, err = ioutil.TempDir("", "gitleaks")
		defer os.RemoveAll(dir)
		if err != nil {
			log.Fatal(err)
		}
	}

	// start audits
	if opts.Repo != "" || opts.RepoPath != "" {
		r, err := getRepo()
		if err != nil {
			log.Fatal(err)
		}
		repos = append(repos, r)
	} else if ownerTarget() {
		repos, err = getOwnerRepos()
	}
	for _, r := range repos {
		l, err := auditRepo(r.repository)
		if err != nil {
			log.Fatal(err)
		}
		leaks = append(leaks, l...)
	}

	if opts.Report != "" {
		writeReport(leaks)
	}

	if len(leaks) != 0 {
		log.Debug("leaks detected")
		os.Exit(1)
	}
}

// writeReport writes a report to opts.Report in JSON.
// TODO support yaml
func writeReport(leaks []Leak) error {
	log.Info("writing report to %s", opts.Report)
	reportJSON, _ := json.MarshalIndent(leaks, "", "\t")
	err := ioutil.WriteFile(opts.Report, reportJSON, 0644)
	return err
}

// getRepo is responsible for cloning a repo in-memory or to disk, or opening a local repo and creating
// a repo object
func getRepo() (Repo, error) {
	var (
		err error
		r   *git.Repository
	)

	if opts.InMem {
		if opts.IncludePrivate {
			r, err = git.Clone(memory.NewStorage(), nil, &git.CloneOptions{
				URL:      opts.Repo,
				Progress: os.Stdout,
				Auth:     sshAuth,
			})
		} else {
			r, err = git.Clone(memory.NewStorage(), nil, &git.CloneOptions{
				URL:      opts.Repo,
				Progress: os.Stdout,
			})
		}
	} else if opts.RepoPath != "" {
		// use existing repo
		r, err = git.PlainOpen(opts.RepoPath)
	} else {
		cloneTarget := fmt.Sprintf("%s/%x", dir, md5.Sum([]byte(fmt.Sprintf("%s%s", opts.GithubUser, opts.Repo))))
		if opts.IncludePrivate {
			r, err = git.PlainClone(cloneTarget, false, &git.CloneOptions{
				URL:      opts.Repo,
				Progress: os.Stdout,
				Auth:     sshAuth,
			})
		} else {
			r, err = git.PlainClone(cloneTarget, false, &git.CloneOptions{
				URL:      opts.Repo,
				Progress: os.Stdout,
			})
		}
	}
	if err != nil {
		return Repo{}, err
	}
	return Repo{
		repository: r,
		path:       opts.RepoPath,
		url:        opts.Repo,
	}, nil
}

// auditRef audits a git reference
// TODO: need to add a layer of parallelism here and a cache for parent+child commits so we don't
// double dip
func auditRef(r *git.Repository, ref *plumbing.Reference, commitWg *sync.WaitGroup, commitChan chan []Leak) error {
	var (
		err error
		// prevTree        *object.Tree
		prevCommit      *object.Commit
		limitGoRoutines bool
		semaphore       chan bool
	)

	// goroutine limiting
	if opts.MaxGoRoutines != 0 {
		semaphore = make(chan bool, opts.MaxGoRoutines)
		limitGoRoutines = true
	}
	cIter, err := r.Log(&git.LogOptions{From: ref.Hash()})
	if err != nil {
		return err
	}
	err = cIter.ForEach(func(c *object.Commit) error {
		if c.Hash.String() == opts.Commit {
			cIter.Close()
		}
		if whiteListCommits[c.Hash.String()] {
			log.Infof("skipping commit: %s\n", c.Hash.String())
			return nil
		}
		if limitGoRoutines {
			semaphore <- true
		}
		if prevCommit == nil {
			prevCommit = c
		}

		commitWg.Add(1)
		go func(c *object.Commit, prevCommit *object.Commit) {
			var (
				leaks    []Leak
				filePath string
				skipFile bool
			)
			patch, _ := c.Patch(prevCommit)
			for _, f := range patch.FilePatches() {
				skipFile = false
				from, to := f.Files()
				filePath = "???"
				if from != nil {
					filePath = from.Path()
				} else if to != nil {
					filePath = to.Path()
				}
				for _, re := range whiteListFiles {
					if re.FindString(filePath) != "" {
						skipFile = true
						break
					}
				}
				if skipFile {
					continue
				}
				chunks := f.Chunks()
				for _, chunk := range chunks {
					if chunk.Type() == 1 || chunk.Type() == 2 {
						// only check if adding or removing
						leaks = append(leaks, checkDiff(chunk.Content(), c, filePath, string(ref.Name()))...)
					}
				}
			}

			if limitGoRoutines {
				<-semaphore
			}
			commitChan <- leaks
		}(c, prevCommit)

		prevCommit = c
		return nil
	})
	return nil
}

// auditRepo performs an audit on a repository checking for regex matching and ignoring
// files and regexes that are whitelisted
func auditRepo(r *git.Repository) ([]Leak, error) {
	var (
		err      error
		leaks    []Leak
		commitWg sync.WaitGroup
	)

	ref, err := r.Head()
	if err != nil {
		return leaks, err
	}

	// leak messaging
	commitChan := make(chan []Leak, 1)

	if opts.AuditAllRefs {
		skipBranch := false
		refs, err := r.Storer.IterReferences()
		if err != nil {
			return leaks, err
		}
		err = refs.ForEach(func(ref *plumbing.Reference) error {
			for _, b := range whiteListBranches {
				if strings.HasSuffix(string(ref.Name()), b) {
					skipBranch = true
				}
			}
			if skipBranch {
				skipBranch = false
				return nil
			}
			auditRef(r, ref, &commitWg, commitChan)
			return nil
		})
	} else {
		auditRef(r, ref, &commitWg, commitChan)
	}

	go func() {
		for commitLeaks := range commitChan {
			if commitLeaks != nil {
				for _, leak := range commitLeaks {
					leaks = append(leaks, leak)
				}

			}
			commitWg.Done()
		}
	}()

	commitWg.Wait()

	return leaks, err
}

// checkDiff accepts a string diff and commit object then performs a
// regex check
func checkDiff(diff string, commit *object.Commit, filePath string, branch string) []Leak {
	lines := strings.Split(diff, "\n")
	var (
		leaks    []Leak
		skipLine bool
	)

	for _, line := range lines {
		skipLine = false
		for leakType, re := range regexes {
			match := re.FindString(line)
			if match == "" {
				continue
			}

			// whitelists
			for _, wRe := range whiteListRegexes {
				whitelistMatch := wRe.FindString(line)
				if whitelistMatch != "" {
					skipLine = true
					break
				}
			}
			if skipLine {
				break
			}

			leak := Leak{
				Line:     line,
				Commit:   commit.Hash.String(),
				Offender: match,
				Type:     leakType,
				Message:  commit.Message,
				Author:   commit.Author.String(),
				File:     filePath,
				Branch:   branch,
			}
			if opts.Verbose {
				leak.log()
			}
			if opts.Redact {
				leak.Offender = "REDACTED"
			}
			leaks = append(leaks, leak)
		}
	}
	return leaks
}

// auditOwner audits all of the owner's(user or org) repos
func getOwnerRepos() ([]Repo, error) {
	var (
		err   error
		repos []Repo
	)
	ctx := context.Background()

	if opts.OwnerPath != "" {
		repos, err = discoverRepos(opts.OwnerPath)
	} else if opts.GithubOrg != "" {
		githubClient := github.NewClient(githubToken())
		githubOptions := github.RepositoryListByOrgOptions{
			ListOptions: github.ListOptions{PerPage: 10},
		}
		repos, err = getOrgGithubRepos(ctx, &githubOptions, githubClient)
	} else if opts.GithubUser != "" {
		githubClient := github.NewClient(githubToken())
		githubOptions := github.RepositoryListOptions{
			Affiliation: "owner",
			ListOptions: github.ListOptions{
				PerPage: 10,
			},
		}
		repos, err = getUserGithubRepos(ctx, &githubOptions, githubClient)
	}

	return repos, err
}

// getUserGithubRepos
func getUserGithubRepos(ctx context.Context, listOpts *github.RepositoryListOptions, client *github.Client) ([]Repo, error) {
	var (
		err   error
		repos []Repo
		r     *git.Repository
		rs    []*github.Repository
		resp  *github.Response
	)

	for {
		if opts.IncludePrivate {
			rs, resp, err = client.Repositories.List(ctx, "", listOpts)
		} else {
			rs, resp, err = client.Repositories.List(ctx, opts.GithubUser, listOpts)
		}

		for _, rDesc := range rs {
			log.Debugf("Cloning: %s from %s", *rDesc.Name, *rDesc.SSHURL)
			if opts.InMem {
				if opts.IncludePrivate {
					r, err = git.Clone(memory.NewStorage(), nil, &git.CloneOptions{
						URL:  *rDesc.SSHURL,
						Auth: sshAuth,
					})
				} else {
					r, err = git.Clone(memory.NewStorage(), nil, &git.CloneOptions{
						URL: *rDesc.CloneURL,
					})
				}
			} else {
				ownerDir, err := ioutil.TempDir(dir, opts.GithubUser)
				if err != nil {
					return repos, fmt.Errorf("unable to generater owner temp dir: %v", err)
				}
				if opts.IncludePrivate {
					r, err = git.PlainClone(fmt.Sprintf("%s/%s", ownerDir, *rDesc.Name), false, &git.CloneOptions{
						URL:  *rDesc.SSHURL,
						Auth: sshAuth,
					})
				} else {
					r, err = git.PlainClone(fmt.Sprintf("%s/%s", ownerDir, *rDesc.Name), false, &git.CloneOptions{
						URL: *rDesc.CloneURL,
					})

				}
			}
			if err != nil {
				return repos, fmt.Errorf("problem cloning %s -- %v", *rDesc.Name, err)
			}
			repos = append(repos, Repo{
				name:       *rDesc.Name,
				url:        *rDesc.SSHURL,
				repository: r,
			})
		}
		if resp.NextPage == 0 {
			break
		}
		listOpts.Page = resp.NextPage
	}
	return repos, err
}

// getOrgGithubRepos
func getOrgGithubRepos(ctx context.Context, listOpts *github.RepositoryListByOrgOptions, client *github.Client) ([]Repo, error) {
	var (
		err      error
		repos    []Repo
		r        *git.Repository
		ownerDir string
	)

	for {
		rs, resp, err := client.Repositories.ListByOrg(ctx, opts.GithubOrg, listOpts)
		for _, rDesc := range rs {
			log.Debugf("Cloning: %s from %s", *rDesc.Name, *rDesc.SSHURL)
			if opts.InMem {
				if opts.IncludePrivate {
					if sshAuth == nil {
						return nil, fmt.Errorf("no ssh auth available")
					}
					r, err = git.Clone(memory.NewStorage(), nil, &git.CloneOptions{
						URL:  *rDesc.SSHURL,
						Auth: sshAuth,
					})
				} else {
					r, err = git.Clone(memory.NewStorage(), nil, &git.CloneOptions{
						URL: *rDesc.CloneURL,
					})
				}
			} else {
				ownerDir, err = ioutil.TempDir(dir, opts.GithubUser)
				if err != nil {
					return repos, fmt.Errorf("unable to generater owner temp dir: %v", err)
				}
				if opts.IncludePrivate {
					if sshAuth == nil {
						return nil, fmt.Errorf("no ssh auth available")
					}
					r, err = git.PlainClone(fmt.Sprintf("%s/%s", ownerDir, *rDesc.Name), false, &git.CloneOptions{
						URL:  *rDesc.SSHURL,
						Auth: sshAuth,
					})
				} else {
					r, err = git.PlainClone(fmt.Sprintf("%s/%s", ownerDir, *rDesc.Name), false, &git.CloneOptions{
						URL: *rDesc.CloneURL,
					})

				}
			}
			if err != nil {
				return nil, err
			}
			repos = append(repos, Repo{
				url:        *rDesc.SSHURL,
				name:       *rDesc.Name,
				repository: r,
			})
		}
		if err != nil {
			return nil, err
		} else if resp.NextPage == 0 {
			break
		}
		listOpts.Page = resp.NextPage
	}

	return repos, err
}

func githubToken() *http.Client {
	githubToken := os.Getenv("GITHUB_TOKEN")
	if githubToken == "" {
		return nil
	}
	ts := oauth2.StaticTokenSource(
		&oauth2.Token{AccessToken: githubToken},
	)
	return oauth2.NewClient(context.Background(), ts)
}

// discoverRepos walks all the children of `path`. If a child directory
// contain a .git file then that repo will be added
func discoverRepos(ownerPath string) ([]Repo, error) {
	var (
		err   error
		repos []Repo
	)
	files, err := ioutil.ReadDir(ownerPath)
	if err != nil {
		return repos, err
	}
	for _, f := range files {
		if f.IsDir() {
			repoPath := path.Join(ownerPath, f.Name())
			r, err := git.PlainOpen(repoPath)
			if err != nil {
				continue
			}
			repos = append(repos, Repo{
				repository: r,
				name:       f.Name(),
				path:       repoPath,
			})
		}
	}
	return repos, err
}

// setLogLevel sets log level for gitleaks. Default is Warning
func setLogLevel() {
	switch opts.Log {
	case "info":
		log.SetLevel(log.InfoLevel)
	case "debug":
		log.SetLevel(log.DebugLevel)
	case "warn":
		log.SetLevel(log.WarnLevel)
	default:
		log.SetLevel(log.WarnLevel)
	}
}

// optsGuard prevents invalid options
func optsGuard() error {
	var err error
	if opts.GithubOrg != "" && opts.GithubUser != "" {
		return fmt.Errorf("github user and organization set")
	} else if opts.GithubOrg != "" && opts.OwnerPath != "" {
		return fmt.Errorf("github organization set and local owner path")
	} else if opts.GithubUser != "" && opts.OwnerPath != "" {
		return fmt.Errorf("github user set and local owner path")
	} else if opts.IncludePrivate && os.Getenv("GITHUB_TOKEN") == "" && (opts.GithubOrg != "" || opts.GithubUser != "") {
		return fmt.Errorf("user/organization private repos require env var GITHUB_TOKEN to be set")
	}

	if opts.SingleSearch != "" {
		singleSearchRegex, err = regexp.Compile(opts.SingleSearch)
		if err != nil {
			return fmt.Errorf("unable to compile regex: %s, %v", opts.SingleSearch, err)
		}
	}

	return nil
}

// loadToml loads of the toml config containing regexes.
// 1. look for config path
// 2. two, look for gitleaks config env var
func loadToml() error {
	var (
		config     Config
		configPath string
	)
	if opts.ConfigPath != "" {
		configPath = opts.ConfigPath
		_, err := os.Stat(configPath)
		if err != nil {
			return fmt.Errorf("no gitleaks config at %s", configPath)
		}
	} else {
		configPath = os.Getenv("GITLEAKS_CONFIG")
	}

	if configPath != "" {
		if _, err := toml.DecodeFile(configPath, &config); err != nil {
			return fmt.Errorf("problem loading config: %v", err)
		}
	} else {
		_, err := toml.Decode(defaultConfig, &config)
		if err != nil {
			return fmt.Errorf("problem loading default config: %v", err)
		}
	}

	// load up regexes
	if singleSearchRegex != nil {
		// single search takes precedence over default regex
		regexes["singleSearch"] = singleSearchRegex
	} else {
		for _, regex := range config.Regexes {
			regexes[regex.Description] = regexp.MustCompile(regex.Regex)
		}
	}
	whiteListBranches = config.Whitelist.Branches
	whiteListCommits = make(map[string]bool)
	for _, commit := range config.Whitelist.Commits {
		whiteListCommits[commit] = true
	}
	for _, regex := range config.Whitelist.Files {
		whiteListFiles = append(whiteListFiles, regexp.MustCompile(regex))
	}
	for _, regex := range config.Whitelist.Regexes {
		whiteListRegexes = append(whiteListRegexes, regexp.MustCompile(regex))
	}

	return nil
}

// ownerTarget checks if we are dealing with a remote owner
func ownerTarget() bool {
	if opts.GithubOrg != "" ||
		opts.GithubUser != "" ||
		opts.OwnerPath != "" {
		return true
	}
	return false
}

// getSSHAuth generates ssh auth
func getSSHAuth() (*ssh.PublicKeys, error) {
	var (
		sshKeyPath string
	)
	if opts.SSHKey != "" {
		sshKeyPath = opts.SSHKey
	} else {
		c, _ := user.Current()
		sshKeyPath = fmt.Sprintf("%s/.ssh/id_rsa", c.HomeDir)
	}
	sshAuth, err := ssh.NewPublicKeysFromFile("git", sshKeyPath, "")
	if err != nil {
		return nil, fmt.Errorf("unable to generate ssh key: %v", err)
	}
	return sshAuth, err
}

func (leak *Leak) log() {
	b, _ := json.MarshalIndent(leak, "", "   ")
	fmt.Println(string(b))
}