116 lines
4.3 KiB
Bash
Executable File
116 lines
4.3 KiB
Bash
Executable File
#!/bin/bash
|
|
# Pre-commit hook for Delphi Consulting Group Database System
|
|
# Prevents committing sensitive files and data
|
|
#
|
|
# To install: ln -s ../../scripts/git-pre-commit-hook .git/hooks/pre-commit
|
|
|
|
set -e
|
|
|
|
# Colors for output
|
|
RED='\033[0;31m'
|
|
YELLOW='\033[1;33m'
|
|
GREEN='\033[0;32m'
|
|
NC='\033[0m' # No Color
|
|
|
|
echo -e "${GREEN}🔍 Running security pre-commit checks...${NC}"
|
|
|
|
# Flag to track if any issues found
|
|
ISSUES_FOUND=0
|
|
|
|
# Function to report security issue
|
|
report_issue() {
|
|
echo -e "${RED}❌ SECURITY ISSUE: $1${NC}"
|
|
ISSUES_FOUND=1
|
|
}
|
|
|
|
# Function to report warning
|
|
report_warning() {
|
|
echo -e "${YELLOW}⚠️ WARNING: $1${NC}"
|
|
}
|
|
|
|
# Check for .env files
|
|
if git diff --cached --name-only | grep -E "\.env$|\.env\." > /dev/null; then
|
|
report_issue "Environment files (.env) contain secrets and should not be committed!"
|
|
echo " Files: $(git diff --cached --name-only | grep -E "\.env$|\.env\.")"
|
|
fi
|
|
|
|
# Check for database files
|
|
if git diff --cached --name-only | grep -E "\.(db|sqlite|sqlite3)$" > /dev/null; then
|
|
report_issue "Database files contain sensitive data and should not be committed!"
|
|
echo " Files: $(git diff --cached --name-only | grep -E "\.(db|sqlite|sqlite3)$")"
|
|
fi
|
|
|
|
# Check for backup files
|
|
if git diff --cached --name-only | grep -E "\.(backup|bak|dump)$|backups/" > /dev/null; then
|
|
report_issue "Backup files may contain sensitive data and should not be committed!"
|
|
echo " Files: $(git diff --cached --name-only | grep -E "\.(backup|bak|dump)$|backups/")"
|
|
fi
|
|
|
|
# Check for SSL certificates and keys
|
|
if git diff --cached --name-only | grep -E "\.(pem|key|crt|cert|p12|pfx)$" > /dev/null; then
|
|
report_issue "SSL certificates and private keys should not be committed!"
|
|
echo " Files: $(git diff --cached --name-only | grep -E "\.(pem|key|crt|cert|p12|pfx)$")"
|
|
fi
|
|
|
|
# Check for upload directories
|
|
if git diff --cached --name-only | grep -E "uploads/|user-uploads/" > /dev/null; then
|
|
report_issue "Upload directories may contain sensitive user documents!"
|
|
echo " Files: $(git diff --cached --name-only | grep -E "uploads/|user-uploads/")"
|
|
fi
|
|
|
|
# Check for local configuration files
|
|
if git diff --cached --name-only | grep -E "\-local\.|config\.local|settings\.local" > /dev/null; then
|
|
report_warning "Local configuration files detected - ensure they don't contain secrets"
|
|
echo " Files: $(git diff --cached --name-only | grep -E "\-local\.|config\.local|settings\.local")"
|
|
fi
|
|
|
|
# Check for common secret patterns in staged files
|
|
SECRET_PATTERNS=(
|
|
"password\s*=\s*['\"][^'\"]+['\"]"
|
|
"api_key\s*=\s*['\"][^'\"]+['\"]"
|
|
"secret_key\s*=\s*['\"][^'\"]+['\"]"
|
|
"token\s*=\s*['\"][^'\"]+['\"]"
|
|
"-----BEGIN (RSA )?PRIVATE KEY-----"
|
|
"-----BEGIN CERTIFICATE-----"
|
|
)
|
|
|
|
for pattern in "${SECRET_PATTERNS[@]}"; do
|
|
if git diff --cached | grep -qiE "$pattern"; then
|
|
report_warning "Potential secret detected in staged changes"
|
|
echo " Pattern: $pattern"
|
|
echo " Review your changes carefully!"
|
|
fi
|
|
done
|
|
|
|
# Check for large files (may be database dumps or uploads)
|
|
LARGE_FILES=$(git diff --cached --name-only | xargs -I {} stat -f%z {} 2>/dev/null | awk '$1 > 1048576 {count++} END {print count+0}')
|
|
if [ "$LARGE_FILES" -gt 0 ]; then
|
|
report_warning "$LARGE_FILES large files detected (>1MB) - ensure they're not sensitive data"
|
|
fi
|
|
|
|
# Check for Python cache files (should be in .gitignore but double-check)
|
|
if git diff --cached --name-only | grep -E "__pycache__|\.pyc$" > /dev/null; then
|
|
report_warning "Python cache files detected - these should be in .gitignore"
|
|
echo " Files: $(git diff --cached --name-only | grep -E "__pycache__|\.pyc$")"
|
|
fi
|
|
|
|
# If any security issues found, prevent commit
|
|
if [ $ISSUES_FOUND -eq 1 ]; then
|
|
echo -e "${RED}🚫 COMMIT BLOCKED: Security issues detected!${NC}"
|
|
echo ""
|
|
echo "To fix:"
|
|
echo "1. Remove sensitive files from staging: git reset HEAD <filename>"
|
|
echo "2. Add files to .gitignore if needed"
|
|
echo "3. Use environment variables for secrets"
|
|
echo "4. Run: python scripts/setup-security.py for proper configuration"
|
|
echo ""
|
|
echo "To bypass this check (NOT RECOMMENDED): git commit --no-verify"
|
|
exit 1
|
|
fi
|
|
|
|
# Show summary
|
|
echo -e "${GREEN}✅ Pre-commit security checks passed!${NC}"
|
|
echo "📝 Staged files: $(git diff --cached --name-only | wc -l)"
|
|
|
|
# Success - allow commit to proceed
|
|
exit 0 |