refactor: modified gileaks rules and general code cleanup

finos · Nov 27, 2024 · 9c14954 · 9c14954
1 parent 72da56e
commit 9c14954
Show file tree

Hide file tree

Showing 18 changed files with 3,370 additions and 452 deletions.
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -0,0 +1 @@
+**/gitleaks_report.json
diff --git a/gitleaks.toml b/gitleaks.toml
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -59,7 +59,7 @@
     "lodash": "^4.17.21",
     "lusca": "^1.7.0",
     "moment": "^2.29.4",
-    "mongodb": "^5.0.0",
+    "mongodb": "^5.9.2",
     "nodemailer": "^6.6.1",
     "parse-diff": "^0.11.1",
     "passport": "^0.7.0",

diff --git a/proxy.config.json b/proxy.config.json
@@ -9,8 +9,14 @@
   "authorisedList": [
     {
       "project": "finos",
-      "name": "git-proxy",
-      "url": "https://github.com/finos/git-proxy.git"
+      "name": "git-proxy-test",
+      "url": "[email protected]:finos/git-proxy-test.git"
+    },
+    {
+      "project": "project name",
+      "name": "repo name",
+      "url": "repo url",
+      "LocalRepoRoot": "specify you local repository path"
     }
   ],
   "sink": [
@@ -23,14 +29,14 @@
     },
     {
       "type": "mongo",
-      "connectionString": "mongodb://localhost:27017/gitproxy",
+      "connectionString": "mongodb+srv://username:[email protected]/?retryWrites=true&w=majority&appName=Cluster0",
       "options": {
         "useNewUrlParser": true,
         "useUnifiedTopology": true,
         "tlsAllowInvalidCertificates": false,
         "ssl": true
       },
-      "enabled": false
+      "enabled": true
     }
   ],
   "authentication": [
@@ -78,16 +84,17 @@
         "literals": [],
         "patterns": [],
         "providers": {},
-        "proxyFileTypes": [".csv", ".jpg", ".xlsx", ".log", ".json"]
+        "proxyFileTypes": [".csv", ".jpg", ".xlsx", ".log", ".json", ".jpg"]
       }
     },
     "checkForSecrets": {
-      "enabled": false
+      "enabled": true
     },
     "aiMlUsage": {
-          "enabled": true,
-          "blockPatterns": ["modelWeights", "largeDatasets", "aiLibraries", "configKeys", "aiFunctions"]
+      "enabled": true,
+      "blockPatterns": ["modelWeights", "largeDatasets", "aiLibraries", "configKeys", "aiFunctions"]
     }
+
   },
   "attestationConfig": {
     "questions": [

diff --git a/src/db/file/repo.js b/src/db/file/repo.js
@@ -75,6 +75,8 @@ exports.addUserCanPush = async (name, user) => {
 exports.addUserCanAuthorise = async (name, user) => {
   return new Promise(async (resolve, reject) => {
     const repo = await exports.getRepo(name);
+    console.log('details');
+    console.log(JSON.stringify(repo));
 
     if (repo.users.canAuthorise.includes(user)) {
       resolve(null);

diff --git a/src/proxy/actions/Step.js b/src/proxy/actions/Step.js
@@ -66,9 +66,9 @@ class Step {
    * @param {*} message
    */
   log(message) {
-    const m = `${this.stepName} - ${message}`;
-    this.logs.push(m);
-    console.info(m);
+    // const m = `${this.stepName} - ${message}`;
+    // this.logs.push(m);
+    // console.info(m);
   }
 }
 

diff --git a/src/proxy/chain.js b/src/proxy/chain.js
@@ -5,21 +5,20 @@ const pushActionChain = [
   proc.push.checkRepoInAuthorisedList,
   proc.push.checkCommitMessages,
   proc.push.checkAuthorEmails,
-  proc.push.checkUserPushPermission,
+  // proc.push.checkUserPushPermission,
   proc.push.checkIfWaitingAuth,
   proc.push.pullRemote,
   proc.push.writePack,
   proc.push.getDiff,
   proc.push.checkForAiMlUsage,
-  proc.push.checkExifJpeg,              
-  proc.push.checkSensitiveData,     
+  proc.push.checkExifJpeg,
+  proc.push.checkSensitiveData,
+  proc.push.checkForSecrets,
   proc.push.clearBareClone,
-  proc.push.checkCryptoImplementation,
   proc.push.scanDiff,
   proc.push.blockForAuth,
 ];
 
-
 const pullActionChain = [proc.push.checkRepoInAuthorisedList];
 
 let pluginsInserted = false;

diff --git a/src/proxy/processors/push-action/checkCommitMessages.js b/src/proxy/processors/push-action/checkCommitMessages.js
@@ -56,7 +56,9 @@ const exec = async (req, action) => {
   const step = new Step('checkCommitMessages');
 
   const uniqueCommitMessages = [...new Set(action.commitData.map((commit) => commit.message))];
-  console.log({ uniqueCommitMessages });
+  // console.log({ uniqueCommitMessages });
+  console.log('This is my commit data \n');
+  console.log(action);
 
   const illegalMessages = uniqueCommitMessages.filter((message) => !isMessageAllowed(message));
   console.log({ illegalMessages });

diff --git a/src/proxy/processors/push-action/checkCryptoImplementation.js b/src/proxy/processors/push-action/checkCryptoImplementation.js
@@ -37,6 +37,8 @@ const CRYPTO_PATTERNS = {
 };
 
 function analyzeCodeForCrypto(diffContent) {
+  // file access
+
   const issues = [];
   // Check for above mentioned cryto Patterns
   if(!diffContent) return issues;
@@ -87,14 +89,17 @@ function analyzeCodeForCrypto(diffContent) {
 }
 
 const exec = async (req, action) => {
+
   const step = new Step('checkCryptoImplementation');
 
   try {
     let hasIssues = false;
     const allIssues = [];
-
+    console.log("action:",action);
     for (const commit of action.commitData) {
       const diff = commit.diff || '';
+      console.log("diff",diff);
+
       const issues = analyzeCodeForCrypto(diff);
 
       if (issues.length > 0) {
@@ -135,6 +140,6 @@ const exec = async (req, action) => {
   }
 };
 
-// exec.displayName = 'checkCryptoImplementation.exec';
+exec.displayName = 'checkCryptoImplementation.exec';
 exports.exec = exec;
 exports.analyzeCodeForCrypto = analyzeCodeForCrypto;
diff --git a/src/proxy/processors/push-action/checkExifJpeg.js b/src/proxy/processors/push-action/checkExifJpeg.js
@@ -1,90 +1,103 @@
 const { ExifTool } = require('exiftool-vendored');
 const { Step } = require('../../actions');
+const path = require('path');
+
 const config = require('../../../config');
 
 const commitConfig = config.getCommitConfig();
+const authorizedlist = config.getAuthorisedList();
+
 const validExtensions = ['.jpeg', '.png', '.jpg', '.tiff'];
 // Make sure you have modified the proxy.config.json;
 // Function to check sensitive EXIF data
 const checkSensitiveExifData = (metadata) => {
-    let allSafe = true;
-
-
+  let allSafe = true;
 
-        if (metadata.GPSLatitude || metadata.GPSLongitude) {
-            console.log('GPS data detected; push is blocked due to sensitive EXIF metadata');
-            allSafe = false;
-        }
+  if (metadata.GPSLatitude || metadata.GPSLongitude) {
+    console.log('GPS data detected; push is blocked due to sensitive EXIF metadata');
+    allSafe = false;
+  }
 
-
-        if (metadata.Make || metadata.Model || metadata.Software) {
-            console.log('Camera information detected; push is blocked due to sensitive EXIF metadata');
-            allSafe = false;
-        }
-
+  if (metadata.Make || metadata.Model || metadata.Software) {
+    console.log('Camera information detected; push is blocked due to sensitive EXIF metadata');
+    allSafe = false;
+  }
 
-    return allSafe;
+  return allSafe;
 };
 
 // Function to retrieve EXIF data using ExifTool
-const getExifData = async (filePath) => {
-    const exifTool = new ExifTool();
-    try {
-        const metadata = await exifTool.read(filePath);
-        return metadata ? checkSensitiveExifData(metadata) : true;
-    } catch (error) {
-        console.log(`Error reading EXIF data from ${filePath}: ${error.message}`);
-        return false;
-    } finally {
-        await exifTool.end();
-    }
+const getExifData = async (relativePath, reporRoot) => {
+  const exifTool = new ExifTool();
+  const filePath = path.join(reporRoot, relativePath);
+  try {
+    const metadata = await exifTool.read(filePath);
+    return metadata ? checkSensitiveExifData(metadata) : true;
+  } catch (error) {
+    console.log(`Error reading EXIF data from ${filePath}: ${error.message}`);
+    return false;
+  } finally {
+    await exifTool.end();
+  }
 };
 
 // Helper function to parse file paths from git diff content
 const extractFilePathsFromDiff = (diffContent) => {
-    const filePaths = [];
-    const lines = diffContent.split('\n');
+  const filePaths = [];
+  const lines = diffContent.split('\n');
 
-    lines.forEach(line => {
-        const match = line.match(/^diff --git a\/(.+?) b\/(.+?)$/);
-        if (match) {
-            filePaths.push(match[1]); // Extract the file path from "a/" in the diff line
-        }
-    });
+  lines.forEach((line) => {
+    const match = line.match(/^diff --git a\/(.+?) b\/(.+?)$/);
+    if (match) {
+      filePaths.push(match[1]); // Extract the file path from "a/" in the diff line
+    }
+  });
 
-    return filePaths;
+  return filePaths;
 };
 
 // Main exec function
 const exec = async (req, action, log = console.log) => {
-
-    const diffStep = action.steps.find((s) => s.stepName === 'diff');
-    const step = new Step('checkExifJpeg');
-    const allowedFileType = commitConfig.diff.block.ProxyFileTypes;
-
-    if (diffStep && diffStep.content) {
-        const filePaths = extractFilePathsFromDiff(diffStep.content);
-        const filteredPaths = filePaths.filter(path => validExtensions.some(ext => path.endsWith(ext) && allowedFileType.includes(ext)));
-
-        if (filteredPaths.length > 0) {
-            const exifResults = await Promise.all(filteredPaths.map(filePath => getExifData(filePath)));
-            const isBlocked = exifResults.some(result => !result);
-
-            if (isBlocked) {
-                step.blocked = true;
-                step.error = true;
-                step.errorMessage = 'Your push has been blocked due to sensitive EXIF metadata detection in an image';
-                log(step.errorMessage);
-            }
-        } else {
-            log('No valid image files found in the diff content.');
-        }
+  const diffStep = action.steps.find((s) => s.stepName === 'diff');
+  const step = new Step('checkExifJpeg');
+  const allowedFileType = commitConfig.diff.block.proxyFileTypes;
+
+  if (diffStep && diffStep.content) {
+    const relativepaths = extractFilePathsFromDiff(diffStep.content);
+
+    const filteredPaths = relativepaths.filter((path) =>
+      validExtensions.some((ext) => path.endsWith(ext) && allowedFileType.includes(ext)),
+    );
+
+    if (filteredPaths.length > 0) {
+      const exifResults = await Promise.all(
+        filteredPaths.map((Path) => {
+          const repo = action.url;
+          const repoRoot = authorizedlist.find((item) => item.url === repo).LocalRepoRoot;
+          getExifData(Path, repoRoot);
+        }),
+      );
+
+      const isBlocked = exifResults.some((result) => {
+        if (result != undefined) return !result;
+      });
+
+      if (isBlocked) {
+        step.blocked = true;
+        step.error = true;
+        step.errorMessage =
+          'Your push has been blocked due to sensitive EXIF metadata detection in an image';
+        log(step.errorMessage);
+      }
     } else {
-        log('No diff content available.');
+      log('No files with valid extensions found in the diff content.');
     }
+  } else {
+    log('No diff content available.');
+  }
 
-    action.addStep(step);
-    return action;
+  action.addStep(step);
+  return action;
 };
 
 exec.displayName = 'CheckExif.exec';