Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Detect NoGit scan appends source folder in the Fingerprint #1287

Open
uandrei opened this issue Nov 10, 2023 · 3 comments · May be fixed by #1354
Open

Detect NoGit scan appends source folder in the Fingerprint #1287

uandrei opened this issue Nov 10, 2023 · 3 comments · May be fixed by #1354
Labels
bug Something isn't working

Comments

@uandrei
Copy link

uandrei commented Nov 10, 2023

Describe the bug
When running detect --no-git with the source parameter (-s), the path provided in the source parameter is added to the Fingerprint which means that the fingerprints in the .gitleaksignore file need to have the full path in there too. This issue mostly manifests when running gitleaks on a build server and the source parameter is needed to ensure that the correct folder is scanned.

To Reproduce

  1. Create a folder "c:\Temp\gitleaks"
  2. Create a simple "Program.cs":
var secret = "4ec64ed8e5c146338a658eb72942ce30"
  1. Create a .gitleaksignore
Program.cs:generic-api-key:1
  1. Run gitleaks detect --verbose --no-git - Expected Success - Actual Success - no secrets found (due tot he fingerprint in the .gitleaksignore file)
  2. Run gitleaks detect -s=c:\temp\gitleaks --verbose --no-git - Expected Success - Actual Failed - the Fingerprint is now shown as Fingerprint: c:\temp\gitleaks\Program.cs:generic-api-key:1

Screenshots
image

Basic Info (please complete the following information):

  • OS: Windows 10
  • Gitleaks Version: 8.18.0

Additional context
Add any other context about the problem here.

cc @zricethezav
@uandrei uandrei added the bug Something isn't working label Nov 10, 2023
@zricethezav
Copy link
Collaborator

zricethezav commented Nov 10, 2023
edited

@uandrei thanks for opening this. Looks like the fingerprint path should be checked in this block too

gitleaks/detect/detect.go

Lines 580 to 584 in e63b657

// check if filepath is allowed
if fragment.FilePath != "" && (d.Config.Allowlist.PathAllowed(fragment.FilePath) ||
fragment.FilePath == d.Config.Path || (d.baselinePath != "" && fragment.FilePath == d.baselinePath)) {
return findings
}

edit: ehm, actually that's a different issue. I reread the issue and understand now. Definitely need to look into this

@uandrei
Copy link
Author

uandrei commented Feb 12, 2024

@zricethezav if you're happy, I would like to contribute to the repository with a PR to try and fix this issue. I've been looking for a solution and I think I've found a fix that works well when scans are run both locally and on build servers with and without the source parameter set. Please let me know if you're happy for me to raise a PR.

@uandrei
Copy link
Author

uandrei commented Feb 13, 2024

@zricethezav I'll try to explain where I think the issue is and how that can be fixed. To me it seems that the root issue is down to how the path/filepath package reports files, based on the source parameter. When the source parameter is not set (or set to "."), the Walk function will report all the files having relative paths to the current working directory.

gitleaks/sources/directory.go

Lines 21 to 22 in 8d23afd

return filepath.Walk(source,
func(path string, fInfo os.FileInfo, err error) error {

This means that when the globalFingerprint is computed in the addFinding function, the finding.File will be different based on the source parameter.

gitleaks/detect/detect.go

Lines 369 to 370 in 8d23afd

func (d *Detector) addFinding(finding report.Finding) {
globalFingerprint := fmt.Sprintf("%s:%s:%d", finding.File, finding.RuleID, finding.StartLine)

My proposal is to update the DetectFiles function where the fragment structure is created to always use a relative path to reference the file that is being tested.

Replace this:

gitleaks/detect/directory.go

Lines 63 to 66 in 8d23afd

fragment := Fragment{
Raw: string(buf[:n]),
FilePath: p.Path,
}

With this, as I've done in my fork:

relativePath, err := filepath.Rel(d.basePath, p.Path)
if err != nil {
	log.Fatal().Err(err)
}

fragment := Fragment{
	Raw:      string(buf[:n]),
	FilePath: relativePath,
}

The benefits of this change:

  • finding Fingerprint generated is the same whether the source parameter is set or not
  • .gitleaksignore works OK when source parameter is set
  • finding FileName is relative to the working directory or source parameter which fixes the Gitleaks AzureDevOps incorrect linking the findings to files in the git repo

@uandrei uandrei linked a pull request Feb 22, 2024 that will close this issue
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
2 participants
@uandrei @zricethezav