roboscott 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 5c681267a2332eebb783cce94b68ceb1757f5cc8
+  data.tar.gz: 8d3cb169844fa3afbcbfa5f0b4a606c141043d44
+SHA512:
+  metadata.gz: 08c304cccbd1c4d19eadf8870463811acd1891e1636b4ddf7c4c35b2346df0f35af9ac8fd87edfa86e6e83dd179679b9a47489c303647ccad4aabee69d687953
+  data.tar.gz: 205c6ff996af23354b5939ac5df33950b04afd12e8469f6e28655acc8f20198551ce3050181ae9edd3f6aa6e734a8027146ca24962e6fbc3d985094372455dcc

data/bin/roboscott

@@ -0,0 +1,55 @@
+#!/usr/bin/env ruby
+
+require 'getoptlong'
+require 'yaml'
+
+begin
+  require 'roboscott'
+rescue LoadError
+  $: << File.expand_path(File.join(File.dirname(__FILE__), '..', 'lib'))
+  require 'roboscott'
+end
+
+opts = GetoptLong.new(
+  [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+  [ '--unredacted', '-u', GetoptLong::NO_ARGUMENT ]
+)
+
+config = {}
+
+opts.each do |opt, arg|
+  case opt
+    when '--help'
+      puts <<-EOF
+roboscott [OPTION] ... <DIR|Files>
+
+-h, --help:
+   show help
+
+-u, --unredacted:
+   log all found suspicious passwords to the console
+
+DIR|Files: The directory or files to parse
+      EOF
+    when '--unredacted'
+      puts 'Running in unredacted mode'
+      config[:unredacted] = true
+  end
+end
+
+if ARGV.length < 1
+  puts "Missing dir argument. Running on current directory (try --help if this isn't intendted)"
+  dir = ['.']
+else
+  dir = ARGV
+end
+
+failed = 0
+
+# Okay, enough setting up, let's check some files
+ARGV.each do|file|
+  lint = RoboScott.new(file, config)
+  failed = failed + lint.do_lint
+end
+
+exit failed

data/lib/roboscott.rb

@@ -0,0 +1,144 @@
+#!/usr/bin/env ruby
+
+require 'yaml'
+
+module Logging
+  ESCAPES = { :green  => "\033[32m",
+              :yellow => "\033[33m",
+              :red    => "\033[31m",
+              :reset  => "\033[0m" }
+
+  def error(message)
+    emit(:message => message, :color => :red)
+  end
+
+  def emit(opts={})
+    color   = opts[:color]
+    message = opts[:message]
+    print ESCAPES[color]
+    print message
+    print ESCAPES[:reset]
+    print "\n"
+  end
+end
+
+class RoboScott
+  include Logging
+
+  def initialize(file, config={})
+    @file = file
+    @config = config
+  end
+
+  def do_lint
+    unless File.exists? @file
+      error "File #{@file} does not exist"
+      return 0
+    else
+      if File.directory? @file
+        return self.parse_directory @file
+      else
+        return self.parse_file @file
+      end
+    end
+  end
+
+  def parse_directory(directory)
+    Dir.glob("#{directory}/*").inject(0) do |mem, fdir|
+      if File.directory? fdir
+        mem + parse_directory(fdir)
+      else
+        mem + parse_file(fdir)
+      end
+    end
+  end
+
+  def parse_file(file)
+    if (not File.extname(file) =~ /.(yaml|yml)$/) && (not @config[:nocheckfileext])
+      # Instead of logging an error, just silently move on. Helps us scan a repo
+      return 1
+    end
+    begin
+      yaml = YAML.load_file(file)
+    rescue Exception => err
+      # Not a yaml file, move on, nothing to see here
+      return 1
+    else
+      traverse(file, yaml ) do |node|
+        #puts node
+      end
+      return 0
+    end
+  end
+
+  def has_keys?(yaml)
+    has_fails = false
+    yaml.each do |key, value|
+      puts "Key: #{key}"
+      if key_looks_important?(key) and value_looks_sensitive?(value)
+        has_fails = true
+        report_fail(key, value)
+      end
+    end
+    return has_fails
+  end
+
+  def key_looks_important?(key)
+    if key.class != String
+      return false
+    end
+
+    # TODO - move bad_words to a config value
+    bad_words = ['SECRET', 'TOKEN', 'PASSWORD', 'KEY']
+    bad_words.each do |baddy|
+      if key.upcase.include? baddy
+        return true
+      end
+    end
+    return false
+  end
+
+  def value_looks_sensitive?(val)
+    if val == nil or val == ''
+      return false
+    end
+
+    # TODO - move okay_vals to a config value
+    okay_vals = ['ENV', 'DUMMY']
+    okay_vals.each do |ok|
+      if val.upcase.include? ok
+        return false
+      end
+    end
+    rescue
+      return false
+    return true
+  end
+
+  def report_fail(file, key, value, redacted=true)
+    value = 'REDACTED' unless @config[:unredacted]
+
+    error "File #{file} - The value '#{value}' for key '#{key}' looks sensitive"
+  end
+
+  def traverse(filename, obj, &blk)
+    case obj
+    when Hash
+      obj.each {|key, val|
+      if val.class == Hash
+        traverse(filename, val, &blk)
+      else
+        # In this case the value should be a leaf node (not another hash)
+        if key_looks_important?(key) and value_looks_sensitive?(val)
+          has_fails = true
+          report_fail(filename, key, val)
+        end
+      end
+      }
+    when Array
+      obj.each {|v| traverse(filename, v, &blk) }
+    else
+      blk.call(obj)
+    end
+  end
+end

metadata

@@ -0,0 +1,46 @@
+--- !ruby/object:Gem::Specification
+name: roboscott
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Elliot Rushton
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-11-20 00:00:00.000000000 Z
+dependencies: []
+description: Check if YAML files contain secrets that should be in ENV
+email: elliot.rushton@gmail.com
+executables:
+- roboscott
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/roboscott
+- lib/roboscott.rb
+homepage: https://github.com/elliotrushton/roboscott
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: Simple secret linter
+test_files: []