Merge pull request #43 from campaul/detect_private_key

Detect OpenSSH private keys
2026-03-30 10:16:54 +00:00 · 2015-03-08 12:38:35 -07:00 · 2015-03-08 12:38:35 -07:00 · 9ce45609a9
commit 9ce45609a9
parent 4cb861acec 68a7729327
5 changed files with 64 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -31,6 +31,7 @@ Add this to your `.pre-commit-config.yaml`
 - `check-xml` - Attempts to load all xml files to verify syntax.
 - `check-yaml` - Attempts to load all yaml files to verify syntax.
 - `debug-statements` - Check for pdb / ipdb / pudb statements in code.
+- `detect-private-key` - Checks for the existence of private keys
 - `double-quote-string-fixer` - This hook replaces double quoted strings with single quoted strings
 - `end-of-file-fixer` - Makes sure files end in a newline and only a newline.
 - `flake8` - Run flake8 on your python files
--- a/hooks.yaml
+++ b/hooks.yaml
@ -49,6 +49,12 @@
    entry: debug-statement-hook
    language: python
    files: \.py$
+-   id: detect-private-key
+    name: Detect Private Key
+    description: Detects the presence of private keys
+    entry: detect-private-key
+    language: python
+    files: ''
 -   id: double-quote-string-fixer
    name: Fix double quoted strings
    description: This hook replaces double quoted strings with single quoted strings
--- a/pre_commit_hooks/detect_private_key.py
+++ b/pre_commit_hooks/detect_private_key.py
@ -0,0 +1,33 @@
+from __future__ import print_function
+
+import io
+import sys
+
+import argparse
+
+
+def detect_private_key(argv=None):
+    parser = argparse.ArgumentParser()
+    parser.add_argument('filenames', nargs='*', help='Filenames to check')
+    args = parser.parse_args(argv)
+
+    private_key_files = []
+
+    for filename in args.filenames:
+        with io.open(filename, 'r') as f:
+            content = f.read()
+            if 'BEGIN RSA PRIVATE KEY' in content:
+                private_key_files.append(content)
+            if 'BEGIN DSA PRIVATE KEY' in content:
+                private_key_files.append(content)
+
+    if private_key_files:
+        for private_key_file in private_key_files:
+            print('Private key found: {0}'.format(private_key_file))
+        return 1
+    else:
+        return 0
+
+
+if __name__ == '__main__':
+    sys.exit(detect_private_key())
--- a/setup.py
+++ b/setup.py
@ -45,6 +45,7 @@ setup(
            'check-xml = pre_commit_hooks.check_xml:check_xml',
            'check-yaml = pre_commit_hooks.check_yaml:check_yaml',
            'debug-statement-hook = pre_commit_hooks.debug_statement_hook:debug_statement_hook',
+            'detect-private-key = pre_commit_hooks.detect_private_key:detect_private_key',
            'end-of-file-fixer = pre_commit_hooks.end_of_file_fixer:end_of_file_fixer',
            'name-tests-test = pre_commit_hooks.tests_should_end_in_test:validate_files',
            'double-quote-string-fixer = pre_commit_hooks.string_fixer:main',
--- a/tests/detect_private_key_test.py
+++ b/tests/detect_private_key_test.py
@ -0,0 +1,23 @@
+import os.path
+
+import pytest
+
+from pre_commit_hooks.detect_private_key import detect_private_key
+
+# Input, expected return value
+TESTS = (
+    (b'-----BEGIN RSA PRIVATE KEY-----', 1),
+    (b'-----BEGIN DSA PRIVATE KEY-----', 1),
+    (b'ssh-rsa DATA', 0),
+    (b'ssh-dsa DATA', 0),
+)
+
+
+@pytest.mark.parametrize(('input_s', 'expected_retval'), TESTS)
+def test_detect_private_key(input_s, expected_retval, tmpdir):
+    path = os.path.join(tmpdir.strpath, 'file.txt')
+
+    with open(path, 'wb') as file_obj:
+        file_obj.write(input_s)
+
+    assert detect_private_key([path]) == expected_retval