tartufo pre-commit fails to work with git commit --amend #175

pmevzek-godaddy opened this issue Mar 12, 2021 · 0 comments
Labels
bug Something isn't working


pmevzek-godaddy commented Mar 12, 2021

🐛 Bug Report

When amending the current commit, which contains a secret, with a change that removes it (so the final, complete commit is secret-free), tartufo pre-commit will still complain, thus prohibiting the amended commit.

To Reproduce

```
$ git init test
$ cd test
$ git commit --allow-empty --allow-empty-message -m 'Start'
$ cat secret.txt
This is a secret: 8bf1dd6fb79a553017b909be2b29b06b21950646
$ git add secret.txt
$ git commit -m "Commiting a secret, I am a bad boy"
[master 845714f] Commiting a secret, I am a bad boy
 1 file changed, 1 insertion(+)
 create mode 100644 secret.txt
$ tartufo scan-local-repo --no-fetch .
~~~~~~~~~~~~~~~~~~~~~
Reason: High Entropy
Filepath: secret.txt
Signature: b42390dbe7384163dc49438b1a43596def9ac8437ececb723b2c7fb39106055c
Commit time: 2021-03-12 11:42:30
Commit message: Commiting a secret, I am a bad boy

Commit hash: 845714fe1c5ebee0fccbaef79171c30fc9461b39
Branch: master
@@ -0,0 +1 @@
+This is a secret: 8bf1dd6fb79a553017b909be2b29b06b21950646

~~~~~~~~~~~~~~~~~~~~~

# So at this stage everything is as expected, the repository has a secret...
# Now I want to amend the commit to remove the secret, hence replacing this commit having a secret with another commit that has no secret
# git commit --amend replaces the commit, so the old one with the secret won't be in the topology anymore

$ cat secret.txt
This is a secret: REDACTED
$ git add secret.txt
$ tartufo pre-commit
~~~~~~~~~~~~~~~~~~~~~
Reason: High Entropy
Filepath: secret.txt
Signature: b42390dbe7384163dc49438b1a43596def9ac8437ececb723b2c7fb39106055c
@@ -1 +1 @@
-This is a secret: 8bf1dd6fb79a553017b909be2b29b06b21950646
+This is a secret: REDACTED

~~~~~~~~~~~~~~~~~~~~~

# The result above is wrong: if I had a pre-commit hook, the following wouldn't be allowed, while it should be

$ git commit --amend
[master 5f84074] Commiting a secret, I am a bad boy
 Date: Fri Mar 12 11:42:30 2021 -0500
 1 file changed, 1 insertion(+)
 create mode 100644 secret.txt
$ tartufo scan-local-repo --no-fetch .
Time: 2021-03-12T11:44:15.354387
All clear. No secrets detected.

# That final result proves that the above commit should succeed and not be blocked by tartufo in pre-commit mode
```

Expected Behavior

git commit --amend is a completely standard git operation and easily allows changing the tip commit. Hence, if there is a pre-commit hook calling tartufo pre-commit, it is the final commit content (with what is amended) that should be tested by tartufo, not the "previous" commit content that is being amended.

I guess the problem can be circumvented by doing, instead of git commit --amend, something like git reset --hard HEAD^1, then git cherry-pick --no-commit of the bad commit, editing the file, and then doing a git commit.
So it is not blocking, but it complicates a rewrite operation.

Code Example

See reproducible example above.

Environment

Tested with tartufo 2.4.0, no specific configuration.
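An added example, not tartufo's own code, to illustrate the failure mode the transcript shows: the staged diff's removed line still carries the old secret (both findings report the same signature), so a hook that scans every diff line flags it, while one that scans only added lines passes the amendment. The token pattern, entropy threshold and diff texts below are assumptions constructed for this example from the issue's output.

```python
import math
import re

# Hex-looking tokens of at least 20 characters (the value in the issue is 40 hex chars).
HEX_TOKEN = re.compile(r"[0-9a-fA-F]{20,}")
HEX_ENTROPY_THRESHOLD = 3.0  # assumed threshold, chosen for this example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text: str, only_added_lines: bool) -> list:
    """Return (line, token, entropy) for every high-entropy hex token in diff_text.

    With only_added_lines=False every line, including removed ('-') lines, is scanned,
    which reproduces the finding on the amendment. With only_added_lines=True the
    removed line is skipped, so deleting a secret cannot itself trigger a finding.
    """
    findings = []
    for line in diff_text.splitlines():
        if line.startswith("@@"):          # hunk header, never content
            continue
        if only_added_lines and not line.startswith("+"):
            continue
        for token in HEX_TOKEN.findall(line):
            entropy = shannon_entropy(token)
            if entropy > HEX_ENTROPY_THRESHOLD:
                findings.append((line, token, round(entropy, 3)))
    return findings


# Constructed from the issue's transcript: the original commit and the staged amendment.
DIFF_ADDING_SECRET = "@@ -0,0 +1 @@\n+This is a secret: 8bf1dd6fb79a553017b909be2b29b06b21950646\n"
DIFF_REMOVING_SECRET = ("@@ -1 +1 @@\n-This is a secret: 8bf1dd6fb79a553017b909be2b29b06b21950646\n"
                        "+This is a secret: REDACTED\n")

if __name__ == "__main__":
    for name, diff in (("add", DIFF_ADDING_SECRET), ("amend", DIFF_REMOVING_SECRET)):
        print(name, "all lines:", scan_diff(diff, only_added_lines=False))
        print(name, "added lines only:", scan_diff(diff, only_added_lines=True))
```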

@pmevzek-godaddy pmevzek-godaddy added the bug Something isn't working label Mar 12, 2021