/usr/lib/python3/dist-packages/dodgy/checks.py is in dodgy 0.1.9-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 | import re
import codecs
STRING_VALS = (
(
'aws_secret_key',
'Amazon Web Services secret key',
(
re.compile(r'(\'|")[A-Za-z0-9\\\+]{40}(\'|")'),
re.compile(r'(\b|_)AWS(\b|_)', re.IGNORECASE)
),
all
),
)
LINE_VALS = (
(
'diff',
'Possible SCM diff in code',
(
re.compile(r'^<<<<<<< .*$'),
re.compile(r'^>>>>>>> .*$')
),
),
(
'ssh_rsa_private_key',
'Possible SSH private key',
re.compile(r'^-{5}(BEGIN|END)\s+RSA\s+PRIVATE\s+KEY-{5}$')
),
(
'ssh_rsa_public_key',
'Possible SSH public key',
re.compile('^ssh-rsa\s+AAAA[0-9A-Za-z+/]+[=]{0,3}\s*([^@]+@[^@]+)?$')
),
)
VAR_NAMES = (
(
'password',
'Possible hardcoded password',
re.compile(r'(\b|[A-Z0-9_]*_)PASSWORD(_[A-Z0-9_]*|\b)\s*=\s(\'|")[^\'"]+(\'|")')
),
(
'secret',
'Possible hardcoded secret key',
re.compile(r'(\b|[A-Z0-9_]*_)SECRET(_[A-Z0-9_]*|\b)\s*=\s(\'|")[^\'"]+(\'|")')
),
)
def check_line(line, check_list):
messages = []
for tup in check_list:
if len(tup) == 3:
key, msg, regexps = tup
cond = any
else:
key, msg, regexps, cond = tup
if not isinstance(regexps, (list, tuple)):
regexps = [regexps]
if cond([regexp.search(line) for regexp in regexps]):
messages.append((key, msg))
return messages
def check_file(filepath):
with codecs.open(filepath, 'r', 'utf-8') as to_check:
return check_file_contents(to_check.read())
def check_file_contents(file_contents):
messages = []
for line_number0, line in enumerate(file_contents.split('\n')):
for check_list in (STRING_VALS, LINE_VALS, VAR_NAMES):
messages += [(line_number0+1, key, msg) for key, msg in check_line(line, check_list)]
return messages
|