N0MoreSecr3ts / wraith

Uncover forgotten secrets and bring them back to life, haunting security and operations teams.
MIT License

Fix/commit scans #139

Closed shreyas-sriram closed 2 years ago

shreyas-sriram commented 2 years ago

Addresses https://github.com/N0MoreSecr3ts/wraith/issues/134 and https://github.com/N0MoreSecr3ts/wraith/issues/138.

@mattyjones I am not aware of all the issues related to this, feel free to add them if I have missed any.

Logic for case PartContent in func (s PatternSignature) ExtractMatch(..) is updated to handle non-localPath scanType. The code snippet was correct, but the flow of execution was wrong. This has been fixed.

In io.go, the execution is meant to continue even if the file does not exist in the filesystem. What happens otherwise (before this) is, wraith doesn't see the file in the filesystem for git scans and ignores the file.

The reasoning for this is difficult to understand, hence I have added it in code as comments.

Sample Output

Running wraith against https://github.com/shreyas-sriram/git-with-secrets.

Before

--------Results--------

-------Findings------
Total Findings......: 1

--------Files--------
Total Files.........: 5
Files Scanned.......: 1
Files Ignored.......: 4
Files Dirty.........: 1

---------SCM---------
Repos Found.........: 0
Repos Cloned........: 2
Repos Scanned.......: 1
Commits Total.......: 5
Commits Scanned.....: 5
Commits Dirty.......: 1

-------General-------
Wraith Version......: 0.0.9
Signatures Version..: 0.0.1
Elapsed Time........: 21.168165ms

After

--------Results--------

-------Findings------
Total Findings......: 5

--------Files--------
Total Files.........: 5
Files Scanned.......: 5
Files Ignored.......: 0
Files Dirty.........: 5

---------SCM---------
Repos Found.........: 0
Repos Cloned........: 2
Repos Scanned.......: 1
Commits Total.......: 5
Commits Scanned.....: 5
Commits Dirty.......: 4

-------General-------
Wraith Version......: 0.0.9
Signatures Version..: 0.0.1
Elapsed Time........: 23.804434ms

shreyas-sriram commented 2 years ago

Another thing I noticed is that the first (oldest) commit is never scanned.

Output from --debug mentions that there are 0 changes in the first commit.

0 changes in b86a81ffe21f40e5186cd0f3da3e4d90fee40a73

This can also be seen in the PR's sample output (https://github.com/N0MoreSecr3ts/wraith/pull/139#issue-1353195555) under Commits Dirty.......: 4. The expected number of dirty commits is 5.

mattyjones commented 2 years ago

This is great, I will review it this coming week. The first commit is never scanned, possibly because it is root. It may not be able to go back as git might not be able, as it currently stands, to pull changes, as there are no changes to pull, being the absolute commit.

@shreyas-sriram
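
An added illustration of the root-commit behaviour suggested in the comment above, using the stock git CLI rather than wraith's code; it is not part of this PR. It shows that a per-commit diff of a parentless commit reports no changes unless the commit is compared against the empty tree. The repository, file names, fake secret values and helper function names are all constructed for the example.

```shell
#!/bin/sh
# Added illustration: how a per-commit diff treats the root commit.
# The repo, file names and fake secret values below are constructed.

# g: run git inside the demo repo with a fixed identity and no signing
g() {
    git -C "$REPO" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false "$@"
}

# make_repo: build a throwaway repo with two commits, each adding one file
make_repo() {
    REPO=$(mktemp -d) || return 1
    g init -q
    echo 'password=constructed-1' > "$REPO/first.env"
    g add first.env && g commit -q -m 'root commit'
    echo 'password=constructed-2' > "$REPO/second.env"
    g add second.env && g commit -q -m 'second commit'
}

# root_commit: the one commit that has no parent
root_commit() {
    g rev-list --max-parents=0 HEAD
}

# changed_files COMMIT [--root]: number of paths reported as changed
changed_files() {
    g diff-tree --no-commit-id --name-only -r $2 "$1" | wc -l | tr -d ' '
}

main_demo() {
    make_repo || return 1
    root=$(root_commit)
    head=$(g rev-parse HEAD)
    # A commit with a parent is diffed against that parent.
    echo "HEAD vs parent     : $(changed_files "$head") change(s)"
    # The root commit has no parent, so the same call reports nothing.
    echo "root vs parent     : $(changed_files "$root") change(s)"
    # Comparing against the empty tree surfaces the files it introduced.
    echo "root vs empty tree : $(changed_files "$root" --root) change(s)"
    rm -rf "$REPO"
}
main_demo
```

A scanner that walks history by diffing each commit against its parent needs an equivalent empty-tree comparison for the root commit, otherwise secrets introduced there only show up if a later commit touches the same file.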