
Commit a5b15fb

authored
Merge pull request #15 from PuddingBot/CVE-2022-21669
CVE-2022-21669 Remove the exposed bot token and integrate gitleaks as a pre-commit hook to prevent future secret leaks.
2 parents 6f8d8f5 + c15f849 commit a5b15fb


5 files changed

+75
-9
lines changed


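--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@
 __pycache__/
 *.py[cod]
 *$py.class
+*.exe
 
 # Installer logs
 pip-log.txt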

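--- /dev/null
+++ b/first-run.py
@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+# pylint: disable=C0116,W0613
+
+from os.path import exists
+
+HOOKS_FOLDER = ".git/hooks/"
+HOOK = "pre-commit"
+
+def prompt(question, default="yes"):
+    valid = {"yes": True, "y": True, "ye": True, "no": False, "n": False}
+    if default is None:
+        prompt = " [y/n] "
+    elif default == "yes":
+        prompt = " [Y/n] "
+    elif default == "no":
+        prompt = " [y/N] "
+    else:
+        raise ValueError("Invalid default answer: '%s'" % default)
+
+    while True:
+        print(question + prompt + "\r")
+        try:
+            choice = input().lower()
+            if default is not None and choice == "":
+                return valid[default]
+            elif choice in valid:
+                return valid[choice]
+            else:
+                print("Please respond with '[y]es' or '[n]o'")
+        except KeyboardInterrupt:
+            exit("Operation aborted. No files have been changed.")
+
+if exists(HOOKS_FOLDER+HOOK):
+    overwrite = prompt("pre-commit hook already exists. Overwrite?", None)
+    if overwrite == True:
+        try:
+            with open(HOOK, 'rb') as src, open(HOOKS_FOLDER+HOOK, 'wb') as dst: dst.write(src.read())
+            print(f"{HOOK} inside {HOOKS_FOLDER} was replaced successfully.")
+        except:
+            print(f"{HOOK} could not be written to {HOOKS_FOLDER}.")
+    else:
+        print("Operation aborted. No files have been changed.")
+else:
+    try:
+        with open(HOOK, 'rb') as src, open(HOOKS_FOLDER+HOOK, 'wb') as dst: dst.write(src.read())
+        print(f"{HOOK} hook was added successfully.")
+    except:
+        print(f"{HOOK} could not be written to {HOOKS_FOLDER}.")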
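Review bot: The copy on the two `with open(HOOK, 'rb') as src, open(HOOKS_FOLDER+HOOK, 'wb') as dst: dst.write(src.read())` lines writes only the bytes, so when `.git/hooks/pre-commit` did not exist before it is created with the default (non-executable) mode, git ignores hooks that are not executable, and the leak check never runs while the script still reports success. `shutil.copy(HOOK, HOOKS_FOLDER + HOOK)` copies the mode bits with the content (provided the tracked `pre-commit` carries the executable bit) and replaces both duplicated lines, with `import shutil` next to the existing import. The bare `except:` on the two failure paths hides the reason and also swallows KeyboardInterrupt and SystemExit; `except OSError as err:` with `err` included in the message tells the user what to fix. A module docstring stating that the script must be run from the repository root, since `HOOKS_FOLDER` is a relative path, would complete it.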

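--- /dev/null
+++ b/gitleaks.toml
@@ -0,0 +1,4 @@
+[[rules]]
+id = "telegram-bot-token"
+description = "telegram bot token"
+regex = '''[0-9]{8,10}:[a-zA-Z0-9_-]{35}'''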
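Review bot: A config passed with `-c` replaces gitleaks' built-in ruleset unless the file opts back in, so with only this rule the hook flags Telegram bot tokens and nothing else; other credential formats the default rules cover would pass the commit unnoticed. Adding `[extend]` followed by `useDefault = true` at the top of the file keeps the default rules and layers this one on top. A short comment above `regex` naming the format it matches (numeric bot id, colon, 35-character secret) would explain the `{8,10}` and `{35}` bounds to the next maintainer.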

Diff for: main.py

-9
@@ -49,7 +49,6 @@ def about_command(update: Update, context: CallbackContext) -> None:
4949
update.message.reply_animation(animation=about.ANIMATION,
5050
caption=about.TEXT)
5151

52-
5352
def help_command(update: Update, context: CallbackContext) -> None:
5453
"""Send a message when the command /help is issued."""
5554
update.message.reply_text('Help!')
@@ -175,13 +174,6 @@ def unmute_command(update: Update, context: CallbackContext) -> None:
175174
# Should wrap this into a common function call "not_admin(update)"
176175
update.message.reply_text(messages.PERM_LACK + statuses.IS_ADMIN)
177176

178-
# def get_commands_command(update: Update, context: CallbackContext) -> None:
179-
# # bot = utils.get_bot() // return a Bot object
180-
# bot = Bot("5016982005:AAG6YJFXVkvyVha7_3cghe8gj-PIGAL9aXE")
181-
# commands = bot.get_my_commands()
182-
# update.message.reply_text(commands)
183-
184-
185177
def ban_command(update: Update, context: CallbackContext) -> None:
186178
reply = update.message.reply_to_message.from_user
187179
# perms = {"can_send_messages": False}
@@ -193,7 +185,6 @@ def ban_command(update: Update, context: CallbackContext) -> None:
193185
else:
194186
update.message.reply_text(messages.PERM_LACK + statuses.IS_ADMIN)
195187

196-
197188
def unban_command(update: Update, context: CallbackContext) -> None:
198189
reply = update.message.reply_to_message.from_user
199190
# perms = {"can_send_messages": False}

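--- /dev/null
+++ b/pre-commit
@@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+# pylint: disable=C0116,W0613
+
+import sys
+import subprocess
+
+def eprint(*args, **kwargs):
+    print(*args, file=sys.stderr, **kwargs)
+
+try:
+    subprocess.run(["gitleaks", "protect", "-v", "--staged", "-c", "gitleaks.toml"],
+                   check=True,
+                   universal_newlines=True,
+                   stdout=subprocess.PIPE,
+                   stderr=subprocess.STDOUT)
+except subprocess.CalledProcessError as e:
+    eprint("gitleaks has detected sensitive information in your changes. Commit aborted.")
+    print(e.output)
+    sys.exit(1)
+except FileNotFoundError:
+    eprint("gitleaks is not installed or in the PATH. Commit aborted.")
+    sys.exit(1)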
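Review bot: `gitleaks protect --staged` inspects only the changes being committed, so this hook does not cover the token that earlier revisions of main.py still contain; deleting the line from the working tree does not remove it from history, so the token should be treated as exposed and revoked independently of the hook, and a one-off `gitleaks detect` over the repository history before publishing would confirm nothing else remains. A client-side hook is also skipped by `git commit --no-verify` and appears to be installed only where first-run.py was run, so the same scan in CI is the layer that actually enforces the policy. Minor: `print(e.output)` goes to stdout while the surrounding messages use `eprint`; `eprint(e.output)` keeps the report together on stderr. A module docstring such as `"""Pre-commit hook: refuse the commit when gitleaks finds a secret in the staged changes."""` would document the contract.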
