search

sirwart / ripsecrets

A command-line tool to prevent committing secret keys into your source code
MIT License
805 stars 24 forks source link

Inconsistent behavior on secretsignore #67

Open BrianKopp opened 1 year ago

BrianKopp commented 1 year ago

Hi there! First off, thanks for this awesome tool!

I'm seeing some unexpected / inconsistent behavior where secrets files are being sometimes being ignored, based on whether the [secrets] section is present in the .secretsignore file.

Setup:

> ripsecrets --version
ripsecrets 0.1.3
# this is the v0.1.5 git tag, but it has 0.1.3 as the Cargo.toml version

# create some secret file with TOTALLY FAKE AWS access key
> echo "aws_access_key_id = AKIATHAAGaZc4krwNWdc" > test.txt

# create a secrets ignore file
> echo "test.txt" > .secretsignore

> ripsecrets && echo "no secrets found"
no secrets found
> ripsecrets --strict-ignore && echo "no secrets found"
no secrets found
> ripsecrets --strict-ignore test.txt && echo "no secrets found"
test.txt:1:aws_access_key_id = AKIATHAAGaZc4krwNWdc

So when using normally, with no positional file/directory specified, it comes back exit code 0. But when the file is provided as a positional argument, it comes back with a failure.

But, if we add a [secrets] tag to the .secretsignore file, then the command comes back with exit code 0.

> echo "[secrets]" >> .secretsignore

> cat .secretsignore
test.txt
[secrets]

> ripsecrets --strict-ignore test.txt && echo "no secrets found"
no secrets found

I think this is because in src/find_secrets.rs, it conditionally ignores the explicitly provided files only if there's a ignore_matcher.is_some() (permalink), which looks like it's coming from ignore_info.rs behind this conditional.

Is this expected behavior? If not, I'm happy to contribute a fix!

Thanks again! Cheers!

sirwart commented 1 year ago

Here's the expected behavior:

> ripsecrets && echo "no secrets found"
no secrets found
> ripsecrets --strict-ignore && echo "no secrets found"
no secrets found
> ripsecrets --strict-ignore test.txt && echo "no secrets found"
no secrets found

Notably, running ripsecrets --strict-ignore test.txt && echo "no secrets found" should not fail, since --strict-ignore means that test.txt should get ignored even though it was passed in as a CLI argument. Any time the behavior of --strict-ignore changes depending on whether the [secrets] section is present is a bug.

This might have been fixed in this commit (https://github.com/sirwart/ripsecrets/commit/cce91ae1f38d18381e823eac61fd6bd749853519). Could you try building from source and see if the issue is still present? If so then I just need to build a new binary.

BrianKopp commented 1 year ago

Hi sirwart! Thanks for the reply! You're correct. The latest code on main does produce that expected behavior!