Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: talisman allows push when user adds a commit to delete the added secret #16

Open
jacksingleton opened this issue May 27, 2016 · 5 comments
Open

bug: talisman allows push when user adds a commit to delete the added secret #16

jacksingleton opened this issue May 27, 2016 · 5 comments
Labels
bug hacktoberfest help wanted

Comments

@jacksingleton
Copy link
Collaborator

touch secret.pem
git commit -am "whoops"
git push
talisman: booo
rm secret.pem
git commit -am "all safe now"
git push
talisman: 馃憤
@giovaneliberato
Copy link

Shouldn't talisman be a pre-commit hook instead of a pre-push hook?

@Aiko-Klostermann Aiko-Klostermann mentioned this issue Sep 28, 2018
Closed
@AikoPath AikoPath mentioned this issue Sep 28, 2018
Closed
@harinee
Copy link
Collaborator

harinee commented Apr 25, 2019

It works with the latest Talisman. Tested. @jacksingleton Please test and close the ticket if it looks ok

@harinee
Copy link
Collaborator

harinee commented May 20, 2019

Closing this ticket, due to no further feedback. Please do let us know if you would like to re-open this.

@harinee harinee closed this as completed May 20, 2019
@harinee
Copy link
Collaborator

harinee commented Aug 2, 2019

Sorry, closed in error. This issue is actually still reproducible. Re-opening.

This is because on pre-push hook, talisman checks the complete file, and not the diff

@harinee harinee reopened this Aug 2, 2019
@harinee harinee added the bug label Aug 13, 2019
@teleivo
Copy link
Contributor

teleivo commented Apr 19, 2021

I just stumbled on this bug as well 馃槄 I think this behavior should be highlighted in https://github.com/thoughtworks/talisman#talisman-in-action to prevent anyone from getting bitten by this.

It is mentioned that a pre-commit hook is preferred but its not clear why.

In case you have installed Talisman as a pre-push hook, it will scan the complete file in which changes are made. As mentioned above, it is recommended that you use Talisman as a pre-commit hook.

Especially

...as a pre-push hook, it will scan the complete file in which changes are made.

What's happening is that the pre-push hook will get the filenames of files that were added, copied or modified via git diff ShaOfLatestCommitOnRemote..ShaOfNotLatestLocalCommit --name-only --diff-filter=ACM in the range of commits that are about to be pushed. It will then only get and scan the contents of the files as they are in the last commit. This explains the behavior described at #16 (comment)

Here is the path in the code:

  • talisman/pre_push_hook.go

    Line 75 in 201dd2c

    return repo.AdditionsWithinRange(oldCommit, newCommit)

  • talisman/gitrepo/gitrepo.go

    Lines 78 to 83 in 201dd2c

    files := repo.outgoingNonDeletedFiles(oldCommit, newCommit)
    result := make([]Addition, len(files))
    for i, file := range files {
    data, _ := repo.ReadRepoFile(file)
    result[i] = NewAddition(file, data)
    }

This is pretty confusing as there are at least 3 different scanning behaviors I can find. The --scan, pre-commit, pre-push (maybe--ignoreHistory is a 4th one).

Hope this helps the person picking this up :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug hacktoberfest help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jacksingleton @harinee @giovaneliberato @teleivo