From 68a7729327ce204b8b0e72163521e12f7d1b01bc Mon Sep 17 00:00:00 2001
From: Cameron Paul
Date: Fri, 6 Mar 2015 12:45:32 -0800
Subject: [PATCH] Detect OpenSSH private keys

---
 README.md                              |  1 +
 hooks.yaml                             |  6 +++++
 pre_commit_hooks/detect_private_key.py | 33 ++++++++++++++++++++++++++
 setup.py                               |  1 +
 tests/detect_private_key_test.py       | 23 ++++++++++++++++++
 5 files changed, 64 insertions(+)
 create mode 100644 pre_commit_hooks/detect_private_key.py
 create mode 100644 tests/detect_private_key_test.py

diff --git a/README.md b/README.md
index d6486ba..e980a98 100644
--- a/README.md
+++ b/README.md
@@ -31,6 +31,7 @@ Add this to your `.pre-commit-config.yaml`
 - `check-xml` - Attempts to load all xml files to verify syntax.
 - `check-yaml` - Attempts to load all yaml files to verify syntax.
 - `debug-statements` - Check for pdb / ipdb / pudb statements in code.
+- `detect-private-key` - Checks for the existence of private keys
 - `double-quote-string-fixer` - This hook replaces double quoted strings with single quoted strings
 - `end-of-file-fixer` - Makes sure files end in a newline and only a newline.
 - `flake8` - Run flake8 on your python files
diff --git a/hooks.yaml b/hooks.yaml
index 9cb8309..0d84f03 100644
--- a/hooks.yaml
+++ b/hooks.yaml
@@ -49,6 +49,12 @@
     entry: debug-statement-hook
     language: python
     files: \.py$
+-   id: detect-private-key
+    name: Detect Private Key
+    description: Detects the presence of private keys
+    entry: detect-private-key
+    language: python
+    files: ''
 -   id: double-quote-string-fixer
     name: Fix double quoted strings
     description: This hook replaces double quoted strings with single quoted strings
diff --git a/pre_commit_hooks/detect_private_key.py b/pre_commit_hooks/detect_private_key.py
new file mode 100644
index 0000000..98dfeda
--- /dev/null
+++ b/pre_commit_hooks/detect_private_key.py
@@ -0,0 +1,33 @@
+from __future__ import print_function
+
+import io
+import sys
+
+import argparse
+
+
+def detect_private_key(argv=None):
+    parser = argparse.ArgumentParser()
+    parser.add_argument('filenames', nargs='*', help='Filenames to check')
+    args = parser.parse_args(argv)
+
+    private_key_files = []
+
+    for filename in args.filenames:
+        with io.open(filename, 'r') as f:
+            content = f.read()
+            if 'BEGIN RSA PRIVATE KEY' in content:
+                private_key_files.append(content)
+            if 'BEGIN DSA PRIVATE KEY' in content:
+                private_key_files.append(content)
+
+    if private_key_files:
+        for private_key_file in private_key_files:
+            print('Private key found: {0}'.format(private_key_file))
+        return 1
+    else:
+        return 0
+
+
+if __name__ == '__main__':
+    sys.exit(detect_private_key())
diff --git a/setup.py b/setup.py
index b86acd1..25b264d 100644
--- a/setup.py
+++ b/setup.py
@@ -44,6 +44,7 @@ setup(
             'check-xml = pre_commit_hooks.check_xml:check_xml',
             'check-yaml = pre_commit_hooks.check_yaml:check_yaml',
             'debug-statement-hook = pre_commit_hooks.debug_statement_hook:debug_statement_hook',
+            'detect-private-key = pre_commit_hooks.detect_private_key:detect_private_key',
             'end-of-file-fixer = pre_commit_hooks.end_of_file_fixer:end_of_file_fixer',
             'name-tests-test = pre_commit_hooks.tests_should_end_in_test:validate_files',
             'double-quote-string-fixer = pre_commit_hooks.string_fixer:main',
diff --git a/tests/detect_private_key_test.py b/tests/detect_private_key_test.py
new file mode 100644
index 0000000..6d2e627
--- /dev/null
+++ b/tests/detect_private_key_test.py
@@ -0,0 +1,23 @@
+import os.path
+
+import pytest
+
+from pre_commit_hooks.detect_private_key import detect_private_key
+
+# Input, expected return value
+TESTS = (
+    (b'-----BEGIN RSA PRIVATE KEY-----', 1),
+    (b'-----BEGIN DSA PRIVATE KEY-----', 1),
+    (b'ssh-rsa DATA', 0),
+    (b'ssh-dsa DATA', 0),
+)
+
+
+@pytest.mark.parametrize(('input_s', 'expected_retval'), TESTS)
+def test_detect_private_key(input_s, expected_retval, tmpdir):
+    path = os.path.join(tmpdir.strpath, 'file.txt')
+
+    with open(path, 'wb') as file_obj:
+        file_obj.write(input_s)
+
+    assert detect_private_key([path]) == expected_retval
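Review bot: Every case in `TESTS` is plain ASCII, so nothing exercises the input the hooks.yaml `files: ''` registration makes routine: a staged file that is not valid text. Adding a case such as `(b'\x00\xff\xfe BEGIN', 0)` (constructed sample) would pin that the hook returns a verdict on binary content rather than raising from the text-mode read in detect_private_key. It would also be worth a `capsys` assertion that the output names the file and does not contain the key body, since the current implementation prints the file content itself.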