Merge 6bd7ceb into 348ce17

thoughtworks · Mar 5, 2019 · 125964c · 125964c
2 parents 348ce17 + 6bd7ceb
commit 125964c
Show file tree

Hide file tree

Showing 5 changed files with 84 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -50,7 +50,7 @@ Find the instructions below.
 ## [Recommended approach]
 ## Installation as a global hook template 
 
-We recommend installing Talisman as a git hook template, as that will cause
+We recommend installing Talisman as a **pre-commit git hook template**, as that will cause
 Talisman to be present, not only in your existing git repositories, but also in any new repository that you 'init' or
 'clone'.
 
@@ -226,6 +226,10 @@ In the above example, the file *danger.pem* has been flagged as a security breac
 * The filename matches one of the pre-configured patterns.
 * The file contains an awsSecretKey which is scanned and flagged by Talisman
 
+If you have installed Talisman as a pre-commit hook, it will scan only the _diff_ within each commit. This means that it would only report errors for parts of the file that were changed.
+
+In case you have installed Talisman as a pre-push hook, it will scan the complete file in which changes are made. As mentioned above, it is recommended that you use Talisman as a **pre-commit hook**.
+
 ## Validations
 The following detectors execute against the changesets to detect secrets/sensitive information:
 
@@ -321,7 +325,6 @@ In case you want to store the reports in some other location, it can be provided
 * `talisman --scan --rd=/Users/username/Desktop`
 
 <i>Talisman currently does not support ignoring of files for scanning.</i>
-
 # Uninstallation
 The uninstallation process depends on how you had installed Talisman.
 You could have chosen to install as a global hook template or at a single repository.

diff --git a/acceptance_test.go b/acceptance_test.go
@@ -56,6 +56,15 @@ func TestAddingSimpleFileShouldExitZero(t *testing.T) {
 	})
 }
 
+func TestShouldExitZeroIfFileNameIsIgnoredAndNoOtherSensitiveContentIsFound(t *testing.T) {
+	withNewTmpGitRepo(func(git *git_testing.GitTesting) {
+		git.SetupBaselineFiles("danger.pem")
+		git.AddAndcommit("*", "add private key")
+
+		assert.Equal(t, 1, runTalisman(git), "Expected run() to return 1 and fail as pem file was present in the repo")
+	})
+}
+
 func TestAddingSecretKeyShouldExitOne(t *testing.T) {
 	withNewTmpGitRepo(func(git *git_testing.GitTesting) {
 		git.SetupBaselineFiles("simple-file")
@@ -93,13 +102,13 @@ func TestAddingSecretKeyShouldExitOneIfPEMFileIsPresentInTheGitHistory(t *testin
 		_options := options{
 			debug:   false,
 			githook: PrePush,
-			scan:    true,
+			scan:    false,
 		}
 		git.SetupBaselineFiles("simple-file")
 		git.CreateFileWithContents("private.pem", "secret")
 		git.CreateFileWithContents(".talismanrc", talismanRCDataWithFileNameAndCorrectChecksum)
 		git.AddAndcommit("private.pem", "add private key")
-		assert.Equal(t, 1, runTalismanWithOptions(git, _options), "Expected run() to return 0 and pass as pem file was ignored")
+		assert.Equal(t, 0, runTalismanWithOptions(git, _options), "Expected run() to return 0 and pass as pem file was ignored")
 	})
 }
 
@@ -108,7 +117,7 @@ func TestScanningSimpleFileShouldExitZero(t *testing.T) {
 		_options := options{
 			debug:   false,
 			githook: PrePush,
-			scan:    true,
+			scan:    false,
 		}
 		git.SetupBaselineFiles("simple-file")
 		assert.Equal(t, 0, runTalismanWithOptions(git, _options), "Expected run() to return 0 and pass as pem file was ignored")
@@ -130,6 +139,37 @@ func TestChecksumCalculatorShouldExitOne(t *testing.T) {
 	})
 }
 
+func TestShouldExitOneWhenSecretIsCommitted(t *testing.T) {
+	withNewTmpGitRepo(func(git *git_testing.GitTesting) {
+		_options := options{
+			debug:   false,
+			githook: PreCommit,
+			scan:    false,
+		}
+		git.SetupBaselineFiles("simple-file")
+		git.CreateFileWithContents("sample.txt", "password=somepassword \n")
+		git.Add("*")
+		assert.Equal(t, 1, runTalismanWithOptions(git, _options), "Expected run() to return 1 as given patterns are found")
+	})
+}
+
+func TestShouldExitZeroWhenNonSecretIsCommittedButFileContainsSecretPreviously(t *testing.T) {
+	withNewTmpGitRepo(func(git *git_testing.GitTesting) {
+		_options := options{
+			debug:   false,
+			githook: PreCommit,
+			scan:    false,
+		}
+		git.SetupBaselineFiles("simple-file")
+		git.CreateFileWithContents("sample.txt", "password=somepassword \n")
+		git.AddAndcommit("*", "Initial Commit With Secret")
+
+		git.AppendFileContent("sample.txt", "some text \n")
+		git.Add("*")
+		assert.Equal(t, 0, runTalismanWithOptions(git, _options), "Expected run() to return 1 as given patterns are found")
+	})
+}
+
 // Need to work on this test case as talismanrc does  not yet support comments
 // func TestAddingSecretKeyShouldExitZeroIfPEMFilesAreIgnoredAndCommented(t *testing.T) {
 // 	withNewTmpGitRepo(func(git *git_testing.GitTesting) {

diff --git a/git_repo/git_repo.go b/git_repo/git_repo.go
@@ -38,6 +38,21 @@ func RepoLocatedAt(path string) GitRepo {
 	return GitRepo{absoluteRoot}
 }
 
+//Gets all the staged files and collects the diff section in each file
+func (repo GitRepo) GetDiffForStagedFiles() []Addition {
+	files := repo.stagedFiles()
+	result := make([]Addition, len(files))
+	for i, file := range files {
+		data := repo.fetchStagedDiff(file)
+		result[i] = NewAddition(file, data)
+	}
+
+	log.WithFields(log.Fields{
+		"additions": result,
+	}).Info("Generating staged additions.")
+	return result
+}
+
 func (repo GitRepo) StagedAdditions() []Addition {
 	files := repo.stagedFiles()
 	result := make([]Addition, len(files))
@@ -208,6 +223,20 @@ func (repo *GitRepo) fetchStagedChanges() string {
 	return string(repo.executeRepoCommand("git", "diff", "--cached", "--name-status", "--diff-filter=ACM"))
 }
 
+//Fetches the currently staged diff and filters the command output to get only the modified sections of the file
+func (repo *GitRepo) fetchStagedDiff(fileName string) []byte {
+	var result []byte
+	changes := strings.Split(string(repo.executeRepoCommand("git", "diff", "--staged", fileName)), "\n")
+	for _, c := range changes {
+		if !strings.HasPrefix(c, "+++") && !strings.HasPrefix(c, "---") && strings.HasPrefix(c, "+") {
+
+			result = append(result, strings.TrimPrefix(c, "+")...)
+			result = append(result, "\n"...)
+		}
+	}
+	return result
+}
+
 func (repo GitRepo) fetchRawOutgoingDiff(oldCommit string, newCommit string) string {
 	gitRange := oldCommit + ".." + newCommit
 	return string(repo.executeRepoCommand("git", "diff", gitRange, "--name-only", "--diff-filter=ACM"))

diff --git a/git_testing/git_testing.go b/git_testing/git_testing.go
@@ -107,14 +107,18 @@ func (git *GitTesting) FileContents(filePath string) []byte {
 }
 
 func (git *GitTesting) AddAndcommit(fileName string, message string) {
-	git.ExecCommand("git", "add", fileName)
-	git.ExecCommand("git", "commit", fileName, "-m", message)
+	git.Add(fileName)
+	git.Commit(fileName, message)
 }
 
 func (git *GitTesting) Add(fileName string) {
 	git.ExecCommand("git", "add", fileName)
 }
 
+func (git *GitTesting) Commit(fileName string, message string) {
+	git.ExecCommand("git", "commit", fileName, "-m", message)
+}
+
 func (git *GitTesting) GetBlobDetails(fileName string) string {
 	var output []byte
 	object_hash_and_filename := ""

diff --git a/pre_commit_hook.go b/pre_commit_hook.go
@@ -15,5 +15,5 @@ func NewPreCommitHook() *PreCommitHook {
 func (p *PreCommitHook) GetRepoAdditions() []git_repo.Addition {
 	wd, _ := os.Getwd()
 	repo := git_repo.RepoLocatedAt(wd)
-	return repo.StagedAdditions()
+	return repo.GetDiffForStagedFiles()
 }