From ace459bec57bbcb88c4fe9d00c603467fb3f572b Mon Sep 17 00:00:00 2001
From: Alexander Demin
Date: Wed, 12 Feb 2020 21:54:05 +0000
Subject: [PATCH 1/3] Skip empty variables in detect_aws_credentials
---
 pre_commit_hooks/detect_aws_credentials.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pre_commit_hooks/detect_aws_credentials.py b/pre_commit_hooks/detect_aws_credentials.py
index fe18f4d..aae0734 100644
--- a/pre_commit_hooks/detect_aws_credentials.py
+++ b/pre_commit_hooks/detect_aws_credentials.py
@@ -84,7 +84,7 @@ def check_file_for_aws_keys(
 for key in keys:
 # naively match the entire file, low chance of incorrect
 # collision
- if key in text_body:
+ if key and key in text_body:
 bad_files.append(BadFile(filename, key[:4].ljust(28, '*')))
 return bad_files
From 75d4832e98e25d67530505a319f33ebc278def70 Mon Sep 17 00:00:00 2001
From: Alexander Demin
Date: Thu, 13 Feb 2020 12:01:38 +0000
Subject: [PATCH 2/3] Unit test for empty AWS variables
---
 pre_commit_hooks/detect_aws_credentials.py | 4 ++--
 tests/detect_aws_credentials_test.py | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/pre_commit_hooks/detect_aws_credentials.py b/pre_commit_hooks/detect_aws_credentials.py
index aae0734..9ef8fec 100644
--- a/pre_commit_hooks/detect_aws_credentials.py
+++ b/pre_commit_hooks/detect_aws_credentials.py
@@ -31,7 +31,7 @@ def get_aws_secrets_from_env() -> Set[str]:
 for env_var in (
 'AWS_SECRET_ACCESS_KEY', 'AWS_SECURITY_TOKEN', 'AWS_SESSION_TOKEN',
 ):
- if env_var in os.environ:
+ if env_var in os.environ and os.environ[env_var]:
 keys.add(os.environ[env_var])
 return keys
@@ -84,7 +84,7 @@ def check_file_for_aws_keys(
 for key in keys:
 # naively match the entire file, low chance of incorrect
 # collision
- if key and key in text_body:
+ if key in text_body:
 bad_files.append(BadFile(filename, key[:4].ljust(28, '*')))
 return bad_files
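Review bot: In the [PATCH 2/3] hunk of get_aws_secrets_from_env, the new truthiness test on `os.environ[env_var]` still admits a value made only of whitespace, so a variable set to a single space would be added to `keys` and the `key in text_body` match in check_file_for_aws_keys would then hit almost any file. The `os.environ.get(env_var)` form in the [PATCH 3/3] hunk has the same gap. Normalising once and testing the result closes it and also removes the second lookup: `value = os.environ.get(env_var, '').strip()` followed by `if value: keys.add(value)`. A hook that flags every file tends to get switched off or bypassed, which defeats the credential check it exists for. The function starts above the hunk, so how `keys` is initialised is not visible here.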
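Review bot: Dropping the `key and` guard in the [PATCH 2/3] hunk of check_file_for_aws_keys leaves the match site trusting every caller to pass only non-empty keys, while this series only shows get_aws_secrets_from_env filtering them. `keys` is iterated as given, so any other producer that yields an empty string (for instance a credentials-file reader, if the module has one; not visible in this diff) would again match every file, because an empty needle is contained in any body. Keeping `if key and key in text_body:` costs nothing and makes the check safe regardless of where the keys came from. The function's signature and the loop that reads `text_body` lie outside the hunk.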
diff --git a/tests/detect_aws_credentials_test.py b/tests/detect_aws_credentials_test.py
index 777fb48..46e5b36 100644
--- a/tests/detect_aws_credentials_test.py
+++ b/tests/detect_aws_credentials_test.py
@@ -47,6 +47,8 @@ def test_get_aws_credentials_file_from_env(env_vars, values):
 ({'AWS_SECRET_ACCESS_KEY': 'foo'}, {'foo'}),
 ({'AWS_SECURITY_TOKEN': 'foo'}, {'foo'}),
 ({'AWS_SESSION_TOKEN': 'foo'}, {'foo'}),
+ ({'AWS_SESSION_TOKEN': ''}, set()),
+ ({'AWS_SESSION_TOKEN': 'foo', 'AWS_SECURITY_TOKEN': ''}, {'foo'}),
 ({'AWS_DUMMY_KEY': 'foo', 'AWS_SECRET_ACCESS_KEY': 'bar'}, {'bar'}),
 (
 {'AWS_SECRET_ACCESS_KEY': 'foo', 'AWS_SECURITY_TOKEN': 'bar'},
From b3a28deca775e09a578f0200e6af998c0d8a126e Mon Sep 17 00:00:00 2001
From: Alexander Demin
Date: Thu, 13 Feb 2020 17:12:45 +0000
Subject: [PATCH 3/3] Review fixes
---
 pre_commit_hooks/detect_aws_credentials.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pre_commit_hooks/detect_aws_credentials.py b/pre_commit_hooks/detect_aws_credentials.py
index 9ef8fec..a744b6f 100644
--- a/pre_commit_hooks/detect_aws_credentials.py
+++ b/pre_commit_hooks/detect_aws_credentials.py
@@ -31,7 +31,7 @@ def get_aws_secrets_from_env() -> Set[str]:
 for env_var in (
 'AWS_SECRET_ACCESS_KEY', 'AWS_SECURITY_TOKEN', 'AWS_SESSION_TOKEN',
 ):
- if env_var in os.environ and os.environ[env_var]:
+ if os.environ.get(env_var):
 keys.add(os.environ[env_var])
 return keys
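Review bot: The two added cases in the tests hunk pin the empty-value behaviour only at the environment reader; nothing here exercises check_file_for_aws_keys with an empty entry among its keys, which is the site where the guard was removed in the same patch. A test that calls it with an empty key would pin whether the matcher or its callers own that check, and would catch the match-every-file case if it returns through another key source. A whitespace-only value, e.g. `({'AWS_SESSION_TOKEN': ' '}, set())`, is also worth pinning once the reader's handling of it is decided. The parametrize decorator and the test function these cases feed are outside the hunk.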