Kapisi/precommit-hooks/find-passwords-in-files

#!/bin/bash

# Ignore Ansibilized templates.
saferegex='\{\{.+\}\}|secrets\['
# Ignore comments
saferegex="$saferegex"'|^[a-z,A-Z,0-9,_,-,/,.]+:\s*;|^[a-z,A-Z,0-9,_,-,/,.]+:\s*#|^[a-z,A-Z,0-9,_,-,/,.]+:\s*//|\s+[/]?[*][/]?\s+'
# AniNIX Constructs
saferegex="$saferegex"'|password.aninix.net|aur.list'
# Web constructs
saferegex="$saferegex"'|.css:|.html:|.md:|htdocs|htpasswd'
# Ignore template text to set policy
saferegex="$saferegex"'|_LENGTH|Set new|attempt|pwdchange'
# haveibeenpwned is referenced in comments
saferegex="$saferegex"'|haveibeenpwned'
# Unset variables.
saferegex="$saferegex"'|\s+=\s*$|\s+yes$|\s+no$'
# Ignore LDAP attributes
saferegex="$saferegex"'|pwpolicies|pwdLastSuccess|pwdAttribute|pwdMaxAge|pwdExpireWarning|pwdInHistory|pwdCheckQuality|pwdMaxFailure|pwdLockout|pwdLockoutDuration|pwdGraceAuthNLimit|pwdFailureCountInterval|pwdMustChange|pwdMinLength|pwdAllowUserChange|pwdSafeModify|pwdChangedTime|pwdPolicy|last changed their password on|/root/.ldappass'
# Ignore IRC Modules
saferegex="$saferegex"'|m_password_hash.so|/quote ns identify|SELECT|password_attribute|SET PASS|SASET PASS'
# Ignore SSH known hosts
saferegex="$saferegex""|ssh_known_hosts:|"

git ls-files roles/*/{files,templates} | xargs grep -irE 'secret|password|pw|passphrase|pass=' | grep -vE "$saferegex"
if [ $? -ne 1 ]; then
    echo
    echo If these are false positives, you need to add the signature to the whitelist in $0.
    echo Otherwise, convert any files above to templates and encode the passphrase into your vault.
    exit 1;
fi
IFS="
"
for i in `ansible-vault decrypt --output - ${ANSIBLE_VAULT_FILE} | sed 's/\s\?-\?\s\?[A-Za-z0-9_]\+://' | grep -vE '\||password|^\s\?$|#|https://' | sed "s/^ \+['\"]\?//" | sed "s/[\"']\s\?//" | sort | uniq`; do
    grep -rl "${i}" . 2>/dev/null
    if [ $? -ne 1 ]; then
        echo "A secret starting with $(echo "$i" | cut -c 1-7) was found in the files above."
        exit 1;
    fi
done
Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00			`#!/bin/bash`

			`# Ignore Ansibilized templates.`
Updating DarkNet VPN setup 2022-12-18 22:24:44 -06:00			`saferegex='\{\{.+\}\}\|secrets\['`
Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00			`# Ignore comments`
Removing large files; adding hook to watch for them 2022-12-18 22:14:25 -06:00			`saferegex="$saferegex"'\|^[a-z,A-Z,0-9,_,-,/,.]+:\s;\|^[a-z,A-Z,0-9,_,-,/,.]+:\s#\|^[a-z,A-Z,0-9,_,-,/,.]+:\s//\|\s+[/]?[][/]?\s+'`
Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00			`# AniNIX Constructs`
			`saferegex="$saferegex"'\|password.aninix.net\|aur.list'`
			`# Web constructs`
			`saferegex="$saferegex"'\|.css:\|.html:\|.md:\|htdocs\|htpasswd'`
			`# Ignore template text to set policy`
			`saferegex="$saferegex"'\|_LENGTH\|Set new\|attempt\|pwdchange'`
			`# haveibeenpwned is referenced in comments`
			`saferegex="$saferegex"'\|haveibeenpwned'`
			`# Unset variables.`
			`saferegex="$saferegex"'\|\s+=\s*$\|\s+yes$\|\s+no$'`
			`# Ignore LDAP attributes`
			`saferegex="$saferegex"'\|pwpolicies\|pwdLastSuccess\|pwdAttribute\|pwdMaxAge\|pwdExpireWarning\|pwdInHistory\|pwdCheckQuality\|pwdMaxFailure\|pwdLockout\|pwdLockoutDuration\|pwdGraceAuthNLimit\|pwdFailureCountInterval\|pwdMustChange\|pwdMinLength\|pwdAllowUserChange\|pwdSafeModify\|pwdChangedTime\|pwdPolicy\|last changed their password on\|/root/.ldappass'`
Removing large files; adding hook to watch for them 2022-12-18 22:14:25 -06:00			`# Ignore IRC Modules`
			`saferegex="$saferegex"'\|m_password_hash.so\|/quote ns identify\|SELECT\|password_attribute\|SET PASS\|SASET PASS'`
Updating some SSH config 2023-07-19 15:41:27 -05:00			`# Ignore SSH known hosts`
			`saferegex="$saferegex""\|ssh_known_hosts:\|"`
Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00
Updating some SSH config 2023-07-19 15:41:27 -05:00			`git ls-files roles/*/{files,templates} \| xargs grep -irE 'secret\|password\|pw\|passphrase\|pass=' \| grep -vE "$saferegex"`
Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00			`if [ $? -ne 1 ]; then`
			`echo`
			`echo If these are false positives, you need to add the signature to the whitelist in $0.`
			`echo Otherwise, convert any files above to templates and encode the passphrase into your vault.`
			`exit 1;`
			`fi`
Updates for latest inspircd & anope 2025-09-29 16:33:05 -05:00			`IFS="`
			`"`
			for i in `ansible-vault decrypt --output - ${ANSIBLE_VAULT_FILE} \| sed 's/\s\?-\?\s\?[A-Za-z0-9_]\+://' \| grep -vE '\\|\|password\|^\s\?$\|#\|https://' \| sed "s/^ \+['\"]\?//" \| sed "s/[\"']\s\?//" \| sort \| uniq`; do
			`grep -rl "${i}" . 2>/dev/null`
			`if [ $? -ne 1 ]; then`
			`echo "A secret starting with $(echo "$i" \| cut -c 1-7) was found in the files above."`
			`exit 1;`
			`fi`
			`done`