commit 21553c2ca913fefe2eaffea8778035e108a671c3
author Anthony Sottile <asottile@umich.edu> Tue Feb 18 10:24:17 2020 -0800
committer Anthony Sottile <asottile@umich.edu> Tue Feb 18 10:24:17 2020 -0800
tree a3abdbfb6ab1dc2e8c6e72da7ec2fd4736c561a3
parent c7d0d3c9cc59ab05329e69276afd84a1e87b0c0d

Allow arbitrarily encoded files to be checked with detect-aws-credentials

pre_commit_hooks/detect_aws_credentials.py

diff --git a/pre_commit_hooks/detect_aws_credentials.py b/pre_commit_hooks/detect_aws_credentials.py
index a744b6f..1663cfd 100644
--- a/pre_commit_hooks/detect_aws_credentials.py
+++ b/pre_commit_hooks/detect_aws_credentials.py
@@ -69,7 +69,7 @@
 
 def check_file_for_aws_keys(
         filenames: Sequence[str],
-        keys: Set[str],
+        keys: Set[bytes],
 ) -> List[BadFile]:
     """Check if files contain AWS secrets.
 
@@ -79,13 +79,14 @@
     bad_files = []
 
     for filename in filenames:
-        with open(filename, 'r') as content:
+        with open(filename, 'rb') as content:
             text_body = content.read()
             for key in keys:
                 # naively match the entire file, low chance of incorrect
                 # collision
                 if key in text_body:
-                    bad_files.append(BadFile(filename, key[:4].ljust(28, '*')))
+                    key_hidden = key.decode()[:4].ljust(28, '*')
+                    bad_files.append(BadFile(filename, key_hidden))
     return bad_files
 
 
@@ -137,7 +138,8 @@
         )
         return 2
 
-    bad_filenames = check_file_for_aws_keys(args.filenames, keys)
+    keys_b = {key.encode() for key in keys}
+    bad_filenames = check_file_for_aws_keys(args.filenames, keys_b)
     if bad_filenames:
         for bad_file in bad_filenames:
             print(f'AWS secret found in {bad_file.filename}: {bad_file.key}')

tests/detect_aws_credentials_test.py

diff --git a/tests/detect_aws_credentials_test.py b/tests/detect_aws_credentials_test.py
index 46e5b36..41b7b0a 100644
--- a/tests/detect_aws_credentials_test.py
+++ b/tests/detect_aws_credentials_test.py
@@ -117,6 +117,19 @@
     assert ret == expected_retval
 
 
+def test_allows_arbitrarily_encoded_files(tmpdir):
+    src_ini = tmpdir.join('src.ini')
+    src_ini.write(
+        '[default]\n'
+        'aws_access_key_id=AKIASDFASDF\n'
+        'aws_secret_Access_key=9018asdf23908190238123\n',
+    )
+    arbitrary_encoding = tmpdir.join('f')
+    arbitrary_encoding.write_binary(b'\x12\x9a\xe2\xf2')
+    ret = main((str(arbitrary_encoding), '--credentials-file', str(src_ini)))
+    assert ret == 0
+
+
 @patch('pre_commit_hooks.detect_aws_credentials.get_aws_secrets_from_file')
 @patch('pre_commit_hooks.detect_aws_credentials.get_aws_secrets_from_env')
 def test_non_existent_credentials(mock_secrets_env, mock_secrets_file, capsys):