Hook currently fails to interpret filenames with spaces #470

psedge · 2021-07-16T09:27:00Z

I noticed that detect-secrets-hook -v --baseline .secrets.baseline $(git ls-files) interprets filenames containing spaces as separate arguments, preventing them from being scanned. It seems like with the current README.md command it is possible to evade secrets detection by naming files in this way.

To prevent that, it would be better to use the -z argument for git diff and git ls-files, splitting by NUL instead, and passing the arglist to detect-secrets-hook via xargs -0.

I'm not sure if the change needs to be made elsewhere as well, possibly in the .pre-commit hook?

Thanks!

KevinHock

TIL

git ls-files --help
....
-z
           \0 line termination on output and do not quote filenames. See OUTPUT below for more information.

and

man xargs
....
     -0      Change xargs to expect NUL (``\0'') characters as separators, instead of spaces and newlines.  This is expected to be
             used in concert with the -print0 function in find(1).

Thanks @psedge!

Change README.md for hook to support filenames with spaces

64d533a

KevinHock approved these changes Aug 1, 2021

View reviewed changes

KevinHock merged commit c0a37d2 into Yelp:master Aug 1, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Hook currently fails to interpret filenames with spaces #470

Hook currently fails to interpret filenames with spaces #470

psedge commented Jul 16, 2021

KevinHock left a comment

Hook currently fails to interpret filenames with spaces #470

Hook currently fails to interpret filenames with spaces #470

Conversation

psedge commented Jul 16, 2021

KevinHock left a comment

Choose a reason for hiding this comment