pre-commit-hooks/pre_commit_hooks/detect_private_key.py

from __future__ import annotations

import argparse
from collections.abc import Sequence

BLACKLIST = [
    b'BEGIN RSA PRIVATE KEY',
    b'BEGIN DSA PRIVATE KEY',
    b'BEGIN EC PRIVATE KEY',
    b'BEGIN OPENSSH PRIVATE KEY',
    b'BEGIN PRIVATE KEY',
    b'PuTTY-User-Key-File-2',
    b'BEGIN SSH2 ENCRYPTED PRIVATE KEY',
    b'BEGIN PGP PRIVATE KEY BLOCK',
    b'BEGIN ENCRYPTED PRIVATE KEY',
    b'BEGIN OpenVPN Static key V1',
]


def main(argv: Sequence[str] | None = None) -> int:
    parser = argparse.ArgumentParser()
    parser.add_argument('filenames', nargs='*', help='Filenames to check')
    args = parser.parse_args(argv)

    private_key_files = []

    for filename in args.filenames:
        with open(filename, 'rb') as f:
            content = f.read()
            if any(line in content for line in BLACKLIST):
                private_key_files.append(filename)

    if private_key_files:
        for private_key_file in private_key_files:
            print(f'Private key found: {private_key_file}')
        return 1
    else:
        return 0


if __name__ == '__main__':
    raise SystemExit(main())
drop python3.6 support python 3.6 reached end of life on 2021-12-23 Committed via https://github.com/asottile/all-repos 2022-01-16 08:24:05 +08:00			`from __future__ import annotations`

Implement Markdown trailing space line break preservation Markdown uses two or more trailing spaces on a line to indicate a forced line break `<br/>` - these will be preserved for files with a markdown extension (default = `.md` or `.markdown`). Add `--markdown-linebreak-ext=X,Y` to add extensions (`*` matches any), and `--no-markdown-linebreak-ext` to disable this feature. If you want to set specific extension `foo` only (and not md/markdown), use `--no-markdown-linebreak-ext --markdown-linebreak-ext=foo` Tries to prevent --markdown-linebreak-ext from eating filenames as if they were extensions by rejecting any with '.' or '/' (or even Windows-style '\' or ':') Update README.md to include information on these arguments as well as arguments added to other hooks Add extensive tests using pytest.mark.parametrize test that `txt` file is not considered as 'txt' extension test that `.txt` file is not considered as 'txt' extension The latter is the (correct) behavior of os.path.splitext(), and an example of why it is better to use the libraries than to mangle strings yourself. 2015-05-10 16:00:54 +08:00			`import argparse`
py39+ Committed via https://github.com/asottile/all-repos 2024-10-12 07:30:07 +08:00			`from collections.abc import Sequence`
Detect OpenSSH private keys 2015-03-07 04:45:32 +08:00
detect_private_key: print filenames, not the key 2015-08-02 07:59:21 +08:00			`BLACKLIST = [`
			`b'BEGIN RSA PRIVATE KEY',`
			`b'BEGIN DSA PRIVATE KEY',`
			`b'BEGIN EC PRIVATE KEY',`
Add trailing comma 2016-12-27 06:51:26 +08:00			`b'BEGIN OPENSSH PRIVATE KEY',`
Update detect_private_key.py 2018-01-14 09:16:50 +08:00			`b'BEGIN PRIVATE KEY',`
Detect putty & sshcom private keys 2018-05-19 07:31:16 +08:00			`b'PuTTY-User-Key-File-2',`
			`b'BEGIN SSH2 ENCRYPTED PRIVATE KEY',`
Add ban for pgp/gpg private key blocks 2018-10-23 03:11:59 +08:00			`b'BEGIN PGP PRIVATE KEY BLOCK',`
detect_private_key: add textual version of `PKCS #8` encrypted private keys As described by RFC7468 and RFC5958, keys that are encoded using the "ENCRYPTED PRIVATE KEY" label are described as private key information and therefore can contain secrets, even though encrypted. Signed-off-by: Luís Ferreira <contact@lsferreira.net> 2021-10-03 03:33:35 +08:00			`b'BEGIN ENCRYPTED PRIVATE KEY',`
detect_private_key: add OpenVPN shared-secret key block 'OpenVPN Static key V1' label is often used by OpenVPN for providing hardening security with additional HMAC signatures to the SSL/TLS handshake packets. They are shared secrets and should be kept private. Signed-off-by: Luís Ferreira <contact@lsferreira.net> 2021-10-03 03:42:15 +08:00			`b'BEGIN OpenVPN Static key V1',`
detect_private_key: print filenames, not the key 2015-08-02 07:59:21 +08:00			`]`

Detect OpenSSH private keys 2015-03-07 04:45:32 +08:00
drop python3.6 support python 3.6 reached end of life on 2021-12-23 Committed via https://github.com/asottile/all-repos 2022-01-16 08:24:05 +08:00			`def main(argv: Sequence[str] \| None = None) -> int:`
Detect OpenSSH private keys 2015-03-07 04:45:32 +08:00			`parser = argparse.ArgumentParser()`
			`parser.add_argument('filenames', nargs='*', help='Filenames to check')`
			`args = parser.parse_args(argv)`

			`private_key_files = []`

			`for filename in args.filenames:`
detect_private_key: print filenames, not the key 2015-08-02 07:59:21 +08:00			`with open(filename, 'rb') as f:`
			`content = f.read()`
			`if any(line in content for line in BLACKLIST):`
			`private_key_files.append(filename)`
Detect OpenSSH private keys 2015-03-07 04:45:32 +08:00
			`if private_key_files:`
			`for private_key_file in private_key_files:`
pre-commit-hooks: python3.6+ 2020-02-06 03:10:42 +08:00			`print(f'Private key found: {private_key_file}')`
Detect OpenSSH private keys 2015-03-07 04:45:32 +08:00			`return 1`
			`else:`
			`return 0`


			`if __name__ == '__main__':`
replace exit(main()) with raise SystemExit(main()) Committed via https://github.com/asottile/all-repos 2021-10-24 01:23:50 +08:00			`raise SystemExit(main())`