
Commit 0396fda

authored
fix(hooks): use strings for binary file scanning in pre-push (#58)
1 parent 7077fa7 commit 0396fda

1 file changed

Lines changed: 24 additions & 9 deletions

File tree

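--- a/.git-hooks/pre-push
+++ b/.git-hooks/pre-push
@@ -118,36 +118,51 @@ while read local_ref local_sha remote_ref remote_sha; do
 continue
 fi
 
+# Use strings for binary files, grep directly for text files.
+# This correctly extracts printable strings from WASM, .lockb, etc.
+is_binary=false
+if grep -qI '' "$file" 2>/dev/null; then
+is_binary=false
+else
+is_binary=true
+fi
+
+if [ "$is_binary" = true ]; then
+file_text=$(strings "$file" 2>/dev/null)
+else
+file_text=$(cat "$file" 2>/dev/null)
+fi
+
 # Check for hardcoded user paths.
-if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
+if echo "$file_text" | grep -qE '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)'; then
 printf "${RED}✗ BLOCKED: Hardcoded personal path found in: $file${NC}\n"
-grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
+echo "$file_text" | grep -nE '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' | head -3
 ERRORS=$((ERRORS + 1))
 fi
 
 # Check for Socket API keys.
-if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
+if echo "$file_text" | grep -E 'sktsec_[a-zA-Z0-9_-]+' | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
 printf "${RED}✗ BLOCKED: Real API key detected in: $file${NC}\n"
-grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
+echo "$file_text" | grep -n 'sktsec_' | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
 ERRORS=$((ERRORS + 1))
 fi
 
 # Check for AWS keys.
-if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
+if echo "$file_text" | grep -iqE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})'; then
 printf "${RED}✗ BLOCKED: Potential AWS credentials found in: $file${NC}\n"
-grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
+echo "$file_text" | grep -niE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' | head -3
 ERRORS=$((ERRORS + 1))
 fi
 
 # Check for GitHub tokens.
-if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
+if echo "$file_text" | grep -qE 'gh[ps]_[a-zA-Z0-9]{36}'; then
 printf "${RED}✗ BLOCKED: Potential GitHub token found in: $file${NC}\n"
-grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
+echo "$file_text" | grep -nE 'gh[ps]_[a-zA-Z0-9]{36}' | head -3
 ERRORS=$((ERRORS + 1))
 fi
 
 # Check for private keys.
-if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
+if echo "$file_text" | grep -qE -- '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----'; then
 printf "${RED}✗ BLOCKED: Private key found in: $file${NC}\n"
 ERRORS=$((ERRORS + 1))
 fi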
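Review bot: The binary branch at new line 131, `file_text=$(strings "$file" 2>/dev/null)`, fails open: on a host without binutils (common in minimal Linux images and CI containers) `strings` is not found, the `2>/dev/null` hides the error, `file_text` stays empty, and every binary file then passes all five secret checks while the hook still reports success. Guard the call with `command -v strings` and fall back to a `tr`-based printable-run filter, warning on stderr, so a missing tool never silently disables scanning; the rewritten branch is below. Separately, for binary files the `grep -n` output at new lines 139, 146, 153 and 160 reports line numbers of the `strings` output rather than file offsets, which is worth a comment such as `# For binary files these numbers index the strings(1) output, not the file.` The enclosing `while read` loop begins before this hunk and continues past it.

```shell
if [ "$is_binary" = true ]; then
  if command -v strings >/dev/null 2>&1; then
    file_text=$(strings "$file" 2>/dev/null)
  else
    # strings(1) is absent: keep scanning by extracting printable runs with tr
    # instead of leaving file_text empty, which would skip every check below.
    printf '%s\n' "warning: strings not found, using tr fallback to scan binary file: $file" >&2
    file_text=$(LC_ALL=C tr -c '[:print:]\n' '\n' < "$file" 2>/dev/null)
  fi
else
  file_text=$(cat "$file" 2>/dev/null)
fi
# … unchanged: hardcoded path, API key, AWS, GitHub token and private key checks …
```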
