thoughtworks / talisman

Using a pre-commit hook, Talisman validates the outgoing changeset for things that look suspicious — such as tokens, passwords, and private keys.
https://thoughtworks.github.io/talisman/
MIT License

talisman output for files with brackets #382

Open revolunet opened 2 years ago

revolunet commented 2 years ago

When a file containing brackets gets flagged by talisman, the CLI output doesn't escape the brackets, so we can't copy/paste directly to .talismanrc. File names with brackets break the YAML.

svishwanath-tw commented 2 years ago

@revolunet : Sample output along with original filename will be highly appreciated.

revolunet commented 2 years ago

Hi,

Say I have a file named src/[something].ts that contains a secret.

talisman detects it correctly:

Talisman Report:
+-------------------------------------+--------------------------------------------+----------+
|                FILE                 |                   ERRORS                   | SEVERITY |
+-------------------------------------+--------------------------------------------+----------+
| src/[something].ts                  | Expected file to not to contain            | high     |
|                                     | base64 encoded texts such as:              |          |
|                                     | b3+E9r461JVqUgUYbnRHC/1XpN1jl0lvXp4ainmTw= |          |
+-------------------------------------+--------------------------------------------+----------+

If you are absolutely sure that you want to ignore the above files from talisman detectors, consider pasting the following format in .talismanrc file in the project root

fileignoreconfig:
- filename: src/[something].ts
  checksum: 01f54590c32718f14c24dfc10e5378090326b841e9037dd2f15a51e028b6ae8f

If I add this line manually, or use interactive mode, it's added to .talismanrc as is but has no effect.

The .talismanrc entry should be: - filename: src/\[something\].ts

So we should fix how the entry is displayed in the CLI output and also how it's written in .talismanrc.

svishwanath-tw commented 2 years ago

@revolunet : Thanks for this clarification. I wanted to know what kind of brackets were being talked about. I'm a non-native English speaker, and as far as I know: () -> round brackets, {} -> curly brackets, [] -> square brackets.

Having said that, talisman (and therefore .talismanrc) supports checksumming a pattern of filenames; golang regexes can be used to specify filenames at the time of checksumming. I believe [something] is being treated as a character class; the filename in your case will point to the following collection of files: {"s.ts", "o.ts", ..., "g.ts"}

Great find. This helps make talisman better and the feedback is much appreciated.
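The following is an added illustration of the behaviour described in the comment above and of the escaped entry proposed earlier in the thread; it is not Talisman's own code. It assumes that a `filename` entry in .talismanrc is applied as an unanchored Go regular expression (`regexp.MatchString`), which is how the comment describes the matching; the file list is constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// matchesPattern reports whether filename matches a .talismanrc filename entry
// when that entry is interpreted as a Go regular expression.
// Assumption (not verified against Talisman's source): unanchored matching.
func matchesPattern(pattern, filename string) (bool, error) {
	return regexp.MatchString(pattern, filename)
}

// escapeFilename turns a literal path into a pattern that matches only that
// path, escaping regex metacharacters such as [, ], ., + and ().
// This is the transformation the CLI output and .talismanrc writer would need
// to apply before printing the suggested entry.
func escapeFilename(filename string) string {
	return regexp.QuoteMeta(filename)
}

// matchedFiles returns the subset of candidates that the pattern matches,
// preserving the order of candidates. An invalid pattern is reported as an error.
func matchedFiles(pattern string, candidates []string) ([]string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, f := range candidates {
		if re.MatchString(f) {
			out = append(out, f)
		}
	}
	return out, nil
}

func main() {
	// Constructed sample repository listing (not taken from the issue).
	files := []string{"src/[something].ts", "src/s.ts", "src/g.ts", "src/x.ts", "src/index.ts"}

	raw := "src/[something].ts" // the entry as the CLI currently prints it
	escaped := escapeFilename(raw)

	got, _ := matchedFiles(raw, files)
	fmt.Printf("raw pattern     %q ignores: %v\n", raw, got)
	got, _ = matchedFiles(escaped, files)
	fmt.Printf("escaped pattern %q ignores: %v\n", escaped, got)
}
```

Run as written, the unescaped entry ignores `src/s.ts` and `src/g.ts` (single characters from the class followed by any character and `ts`) while never matching the file that actually holds the secret, which is why the pasted entry "has no effect". The escaped form matches only `src/[something].ts`.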

revolunet commented 2 years ago

Thanks for the clarification, no native English here either :) 🇫🇷

So yes, my case is when using square brackets: []