Pre-Commit Hook Fix #507

Merged
merged 1 commit into from
Feb 2, 2022

@jpdakran (Member) commented Jan 25, 2022

Problem

  • When running the pre-commit hook the only change to the .secrets.baseline file is the generated_at key. This causes the hook to fail although there is no other change. This is a side-effect of the underlying problem.
  • When running the pre-commit, we compare the .secrets.baseline file result and the current scanned results of the hook.
  • Secrets are stored in a collection with key being the hashed secret
  • A single secret can have multiple types - for example - we match a secret as Hex High Entropy String & Secret Keyword with a single hash
  • This results in a collection size of 1 since the key is the hash and both types have the same hash. It should have a size of 2.
  • Overall result is on different runs - the collections may have the first type or the second type - causing a difference between the baseline and current. This triggers an update to the baseline but there are no result changes but it does cause a change to the generated timestamp.

Solution

  • When creating and comparing this set - we need to set the key as the tuple of (secret_hash, type) to accommodate for this scenario.
  • This is valid since when creating a PotentialSecret object - the comparison keys are the following self.fields_to_compare = ['filename', 'secret_hash', 'type']
  • Since upon comparing we already know the filenames are the same - the key needs to be the latter two identifiers.
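
The key collision described in this pull request, as an added example that is not the project's own code: `Finding`, `index` and `baseline_changed` are hypothetical names, and the sample digest and filename are constructed. It shows that a collection keyed by hash alone keeps only one of the two types and reports a difference that depends on detection order, while a `(secret_hash, type)` key does not.

```python
import hashlib
from typing import Callable, Dict, Hashable, List, NamedTuple


class Finding(NamedTuple):
    # Hypothetical stand-in for a detected secret; the fields mirror the
    # comparison keys quoted above: filename, secret_hash, type.
    filename: str
    secret_hash: str
    type: str


def key_by_hash(f: Finding) -> Hashable:
    # Key before the fix: two types of the same secret collide.
    return f.secret_hash


def key_by_hash_and_type(f: Finding) -> Hashable:
    # Key after the fix: one entry per (hash, type) pair.
    return (f.secret_hash, f.type)


def index(findings: List[Finding],
          key: Callable[[Finding], Hashable]) -> Dict[Hashable, Finding]:
    """Build the per-file collection; a later finding with an equal key
    silently overwrites the earlier one."""
    return {key(f): f for f in findings}


def baseline_changed(baseline: List[Finding], scan: List[Finding],
                     key: Callable[[Finding], Hashable]) -> bool:
    """True when the indexed baseline and indexed scan differ, which is the
    condition that would cause the baseline file to be rewritten."""
    return index(baseline, key) != index(scan, key)


# Constructed sample: one value matched by two detectors, so both findings
# share a single hash (SHA-256 here is an assumption of this example).
DIGEST = hashlib.sha256(b"constructed-sample-value").hexdigest()
HEX_HIT = Finding("config.py", DIGEST, "Hex High Entropy String")
KEYWORD_HIT = Finding("config.py", DIGEST, "Secret Keyword")

BASELINE = [HEX_HIT, KEYWORD_HIT]   # order reported on the baseline run
RESCAN = [KEYWORD_HIT, HEX_HIT]     # same findings, reported in another order

if __name__ == "__main__":
    for key in (key_by_hash, key_by_hash_and_type):
        print(key.__name__, len(index(BASELINE, key)),
              baseline_changed(BASELINE, RESCAN, key))
```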

…hould be the tuple of hash and type. This is because a single secret/hash can have multiple types
@domanchi (Contributor) left a comment

Nice find!

@calvinli (Member) left a comment

great find :)

@jpdakran jpdakran merged commit 75a5844 into master Feb 2, 2022
@jpdakran jpdakran deleted the jdakran_fix_pre_commit_hook branch February 11, 2022 21:19