godaddy / tartufo

Searches through git repositories for high entropy strings and secrets, digging deep into commit history
https://tartufo.readthedocs.io/
GNU General Public License v2.0

Exception in pre-commit mode for first commit in empty repository #349

Open pmevzek-godaddy opened 2 years ago

pmevzek-godaddy commented 2 years ago

🐛 Bug Report

With an empty repository, tartufo pre-commit raises an exception. tartufo scan-local-repo does not raise an exception.

To Reproduce

$ git init test2
Initialized empty Git repository in /private/tmp/test2/.git/
$ cd test2
$ echo OnVybD48OnVybD48c21kOnZvaWNlPiszMi4yMDAwMDAwMDwvc21kOnZvaWNlPjwvc21kOmlzc3VlckluZm8 > secret.txt
$ git add secret.txt
$ tartufo --entropy pre-commit
Traceback (most recent call last):
  File "/Users/mevzek/.local/bin/tartufo", line 8, in <module>
    sys.exit(main())
  File "/Users/mevzek/.local/pipx/venvs/tartufo/lib/python3.9/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
  File "/Users/mevzek/.local/pipx/venvs/tartufo/lib/python3.9/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
  File "/Users/mevzek/.local/pipx/venvs/tartufo/lib/python3.9/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/Users/mevzek/.local/pipx/venvs/tartufo/lib/python3.9/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Users/mevzek/.local/pipx/venvs/tartufo/lib/python3.9/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/Users/mevzek/.local/pipx/venvs/tartufo/lib/python3.9/site-packages/click/decorators.py", line 38, in new_func
    return f(get_current_context().obj, *args, **kwargs)
  File "/Users/mevzek/.local/pipx/venvs/tartufo/lib/python3.9/site-packages/click/decorators.py", line 26, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/Users/mevzek/.local/pipx/venvs/tartufo/lib/python3.9/site-packages/tartufo/commands/pre_commit.py", line 28, in main
    util.process_issues(str(repo_path), scanner, options)
  File "/Users/mevzek/.local/pipx/venvs/tartufo/lib/python3.9/site-packages/tartufo/util.py", line 253, in process_issues
    echo_result(options, scan, repo_path, output_dir)
  File "/Users/mevzek/.local/pipx/venvs/tartufo/lib/python3.9/site-packages/tartufo/util.py", line 104, in echo_result
    for issue in scanner.scan():
  File "/Users/mevzek/.local/pipx/venvs/tartufo/lib/python3.9/site-packages/tartufo/scanner.py", line 571, in scan
    for chunk in self.chunks:  # pylint: disable=too-many-nested-blocks
  File "/Users/mevzek/.local/pipx/venvs/tartufo/lib/python3.9/site-packages/tartufo/scanner.py", line 908, in chunks
    diff_index = self._repo.diff("HEAD")
  File "/Users/mevzek/.local/pipx/venvs/tartufo/lib/python3.9/site-packages/pygit2/repository.py", line 543, in diff
    a = self.__whatever_to_tree_or_blob(a)
  File "/Users/mevzek/.local/pipx/venvs/tartufo/lib/python3.9/site-packages/pygit2/repository.py", line 464, in __whatever_to_tree_or_blob
    obj = self.revparse_single(obj)
KeyError: 'HEAD'

The problem seems to be in pygit2 but tartufo should protect against that.

Doing the commit and then running tartufo scan-local-repo then works (no exception, secret detected):

$ git commit -m 'Added'
[main (root-commit) 050b554] Added
 1 file changed, 1 insertion(+)
 create mode 100644 secret.txt
$ tartufo --entropy scan-local-repo .
~~~~~~~~~~~~~~~~~~~~~
Reason: High Entropy
Filepath: secret.txt
Signature: ca29177c396aa5465f41495af1e486d666308b51b7dab52228730624466cbc25
Commit time: 2022-04-13 14:47:21
Commit message: Added

Commit hash: 050b55440dc9bcc0fa428d15e2ba6991e3ac79a1
Branch: main
diff --git a/secret.txt b/secret.txt
new file mode 100644
index 0000000..049ae76
--- /dev/null
+++ b/secret.txt
@@ -0,0 +1 @@
+OnVybD48c21kOnZvaWNlPiszMi4yMDAwMDAwMDwvc21kOnZvaWNlPjwvc21kOmlzc3VlckluZm8
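Review bot: the only line this hunk adds is a high-entropy, base64-looking token in a file named secret.txt, which is exactly what the scan output above reports; because the pre-commit hook crashed on the empty repository, this content reached the commit history unchecked, so the fix belongs in pre-commit (tolerating a repository with no commits) and the test value should remain a throwaway string.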

~~~~~~~~~~~~~~~~~~~~~

Expected Behavior

tartufo pre-commit should work even for the first commit in a repository

Code Example

Maybe related to #284

Environment

$ tartufo --version
tartufo, version 3.1.3
$ pipx list | grep -A100 tartufo
   package tartufo 3.1.3, installed using Python 3.9.10
    - tartufo
$ /Users/mevzek/.local/pipx/venvs/tartufo/bin/python3 -c 'import pygit2; print(pygit2.LIBGIT2_VER)'
(1, 4, 2)
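The traceback above fails inside pygit2 because `revparse_single("HEAD")` has nothing to resolve before the first commit. As an added example (not tartufo's own code; the names `staged_diff` and `added_lines` are mine, and `pygit2` is assumed installed only for the command-line entry point), this is how a pre-commit scanner can check `head_is_unborn` and diff the index against the empty tree instead, so the staged secret is still scanned:

```python
"""Staged-change diff for a pre-commit scan that tolerates an unborn HEAD."""
from __future__ import annotations

import sys


def staged_diff(repo):
    """Diff the index (the staged changes) against the tree HEAD points at.

    `repo` is a pygit2.Repository or any object exposing the same small
    interface (head_is_unborn, TreeBuilder, __getitem__, revparse_single,
    index.diff_to_tree). When the repository has no commits yet, HEAD is
    "unborn": revparse_single("HEAD") raises KeyError, which is the traceback
    in the report. In that case compare against the empty tree instead, so
    every staged file shows up as an addition and still gets scanned.
    """
    if repo.head_is_unborn:
        empty_tree = repo[repo.TreeBuilder().write()]  # tree with no entries
        return repo.index.diff_to_tree(empty_tree)
    return repo.index.diff_to_tree(repo.revparse_single("HEAD^{tree}"))


def added_lines(diff):
    """Yield (path, text) for every '+' line in a pygit2 Diff."""
    for patch in diff:
        path = patch.delta.new_file.path
        for hunk in patch.hunks:
            for line in hunk.lines:
                if line.origin == "+":
                    yield path, line.content.rstrip("\n")


if __name__ == "__main__":
    import pygit2  # only needed for the real-repository entry point

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    repo_path = pygit2.discover_repository(target)
    if repo_path is None:
        sys.exit(f"{target} is not inside a git repository")
    repo = pygit2.Repository(repo_path)
    for path, text in added_lines(staged_diff(repo)):
        print(f"{path}: {text}")
```

Run from the `test2` directory in the report after `git add secret.txt` and before the first commit; the staged line is printed instead of a KeyError.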

sushantmimani commented 2 years ago

Hi. This has been fixed in 3.1.4 as well. https://github.com/godaddy/tartufo/issues/350#issuecomment-1142786609