refactor: Pre-commit hook uses dynamic git-crypt checks
This commit is contained in:
parent
73a031b677
commit
55834529a7
1 changed files with 26 additions and 28 deletions
@ -1,49 +1,47 @@
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
# =============================================================================
|
# =============================================================================
|
||||||
# .git/hooks/pre-commit
|
# .git/hooks/pre-commit
|
||||||
# Fail-safe security hook: Prevents plaintext leaks of sensitive data.
|
# Fail-safe security hook: prevents plaintext commits of encrypted files.
|
||||||
|
# Reads encryption requirements dynamically from .gitattributes via
|
||||||
|
# git check-attr — no hardcoded paths, inherits all future rules automatically.
|
||||||
# =============================================================================
|
# =============================================================================
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
|
|
||||||
# Directories that MUST be encrypted
|
|
||||||
PRIVATE_PATTERNS=("raw/private/" "wiki/private/")
|
|
||||||
FAILED=0
|
FAILED=0
|
||||||
|
|
||||||
# Check on git-crypt
|
# Verify git-crypt is initialized
|
||||||
if [[ ! -d ".git-crypt" ]]; then
|
if [[ ! -d ".git-crypt" ]]; then
|
||||||
echo -e "\n\033[0;31m[CRITICAL] git-crypt is not initialized in this repository.\033[0m"
|
printf "\n\033[0;31m[CRITICAL] git-crypt not initialized.\033[0m\n"
|
||||||
echo "Run 'git-crypt init' and 'make setup' before committing."
|
printf "Run 'git-crypt init' and 'make setup' before committing.\n"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Get staged files (excluding deletions)
|
# Get staged files (additions, copies, modifications — no deletions)
|
||||||
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || true)
|
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || true)
|
||||||
|
|
||||||
if [[ -z "$STAGED_FILES" ]]; then
|
[[ -z "$STAGED_FILES" ]] && exit 0
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
for pattern in "${PRIVATE_PATTERNS[@]}"; do
|
while IFS= read -r file; do
|
||||||
while IFS= read -r file; do
|
# Dynamically check if this file requires git-crypt encryption
|
||||||
if [[ "$file" == ${pattern}* ]]; then
|
filter=$(git check-attr filter -- "$file" 2>/dev/null | sed 's/.*: //')
|
||||||
# Check encryption status via git-crypt
|
[[ "$filter" != "git-crypt" ]] && continue
|
||||||
STATUS=$(git-crypt status "$file" 2>/dev/null || echo "error")
|
|
||||||
if echo "$STATUS" | grep -q "not encrypted"; then
|
# File is required to be encrypted — verify it actually is
|
||||||
echo -e "\n\033[0;31m[SECURITY ALERT] PLAINTEXT LEAK DETECTED\033[0m"
|
status=$(git-crypt status "$file" 2>/dev/null || printf "error")
|
||||||
echo "-----------------------------------------------------------"
|
if printf '%s\n' "$status" | grep -q "not encrypted"; then
|
||||||
echo "File: $file"
|
printf "\n\033[0;31m[SECURITY ALERT] PLAINTEXT LEAK DETECTED\033[0m\n"
|
||||||
echo "Status: This file is in a private/ folder but is NOT encrypted."
|
printf -- "-----------------------------------------------------------\n"
|
||||||
echo "Action: Fix your .gitattributes or run 'git-crypt init'."
|
printf "File: %s\n" "$file"
|
||||||
echo "-----------------------------------------------------------"
|
printf "Status: Marked for git-crypt in .gitattributes but NOT encrypted.\n"
|
||||||
|
printf "Action: Verify .gitattributes rules and re-run 'git-crypt init'.\n"
|
||||||
|
printf -- "-----------------------------------------------------------\n"
|
||||||
FAILED=1
|
FAILED=1
|
||||||
fi
|
fi
|
||||||
fi
|
done <<< "$STAGED_FILES"
|
||||||
done <<< "$STAGED_FILES"
|
|
||||||
done
|
|
||||||
|
|
||||||
if [[ "$FAILED" -ne 0 ]]; then
|
if [[ "$FAILED" -ne 0 ]]; then
|
||||||
echo -e "\033[0;31mCommit blocked for security reasons.\033[0m\n"
|
printf "\n\033[0;31mCommit blocked: security policy violation.\033[0m\n\n"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
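Review bot: The `grep -q "not encrypted"` test at the `if printf '%s\n' "$status" | grep -q` line is case-sensitive, and as far as I recall git-crypt prints the lowercase `not encrypted:` prefix only for paths that carry no git-crypt filter — exactly the paths this loop has already skipped with `continue` — while a filter-covered path whose staged blob is plaintext is reported as `encrypted: <path> *** WARNING: staged/committed version is NOT ENCRYPTED! ***`; if that is right the alert never fires in the one case the hook exists for, and `grep -qi "not encrypted"` covers both spellings (please confirm against the git-crypt version you ship). Separately, `status=$(git-crypt status "$file" 2>/dev/null || printf "error")` makes the hook fail open: a missing or broken git-crypt yields `error`, which matches nothing, and the commit goes through, whereas a hook that calls itself fail-safe should treat an unverifiable file as a violation, e.g. `status=$(git-crypt status "$file") || { printf 'Could not verify %s\n' "$file" >&2; FAILED=1; continue; }`. Dropping the `2>/dev/null` there also keeps the actual failure reason visible to the committer. Note too that `git diff --name-only` C-quotes paths containing unusual characters, so `git check-attr` may be asked about a name that does not exist; `git diff --cached -z --name-only` read with `IFS= read -r -d ''` avoids that.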
||||||