Detect OpenSSH private keys
diff --git a/README.md b/README.md
index d6486ba..e980a98 100644
--- a/README.md
+++ b/README.md
@@ -31,6 +31,7 @@
- `check-xml` - Attempts to load all xml files to verify syntax.
- `check-yaml` - Attempts to load all yaml files to verify syntax.
- `debug-statements` - Check for pdb / ipdb / pudb statements in code.
+- `detect-private-key` - Checks for the existence of private keys
- `double-quote-string-fixer` - This hook replaces double quoted strings with single quoted strings
- `end-of-file-fixer` - Makes sure files end in a newline and only a newline.
- `flake8` - Run flake8 on your python files
diff --git a/hooks.yaml b/hooks.yaml
index 9cb8309..0d84f03 100644
--- a/hooks.yaml
+++ b/hooks.yaml
@@ -49,6 +49,12 @@
entry: debug-statement-hook
language: python
files: \.py$
+- id: detect-private-key
+ name: Detect Private Key
+ description: Detects the presence of private keys
+ entry: detect-private-key
+ language: python
+ files: ''
- id: double-quote-string-fixer
name: Fix double quoted strings
description: This hook replaces double quoted strings with single quoted strings
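Review bot: `files: ''` hands every staged path to the hook, including binary files (images, compiled artifacts, archives), so the `detect-private-key` entry point must tolerate non-text input or the hook will error on unrelated commits; as written in this change the Python entry opens files in text mode, which is worth double-checking before shipping. The description `Detects the presence of private keys` also does not say which formats are covered; since only two PEM headers are matched, I would make that explicit, e.g. `description: Detects the presence of private keys (PEM RSA/DSA headers)`, so users do not assume broader coverage than the hook provides.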
diff --git a/pre_commit_hooks/detect_private_key.py b/pre_commit_hooks/detect_private_key.py
new file mode 100644
index 0000000..98dfeda
--- /dev/null
+++ b/pre_commit_hooks/detect_private_key.py
@@ -0,0 +1,33 @@
+from __future__ import print_function
+
+import io
+import sys
+
+import argparse
+
+
+def detect_private_key(argv=None):
+ parser = argparse.ArgumentParser()
+ parser.add_argument('filenames', nargs='*', help='Filenames to check')
+ args = parser.parse_args(argv)
+
+ private_key_files = []
+
+ for filename in args.filenames:
+ with io.open(filename, 'r') as f:
+ content = f.read()
+ if 'BEGIN RSA PRIVATE KEY' in content:
+ private_key_files.append(content)
+ if 'BEGIN DSA PRIVATE KEY' in content:
+ private_key_files.append(content)
+
+ if private_key_files:
+ for private_key_file in private_key_files:
+ print('Private key found: {0}'.format(private_key_file))
+ return 1
+ else:
+ return 0
+
+
+if __name__ == '__main__':
+ sys.exit(detect_private_key())
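Review bot: Line 62 prints the entire file contents (`private_key_files.append(content)` then `print('Private key found: {0}'.format(private_key_file))`), so on a hit the hook echoes the private key itself to the terminal and, when run in CI, into build logs that are typically retained and widely readable — the detection should report the filename, never the key material. The match list is also narrower than the commit title suggests: only `BEGIN RSA PRIVATE KEY` and `BEGIN DSA PRIVATE KEY` are checked, so the OpenSSH native format (`BEGIN OPENSSH PRIVATE KEY`), EC keys (`BEGIN EC PRIVATE KEY`), PKCS#8 (`BEGIN PRIVATE KEY` / `BEGIN ENCRYPTED PRIVATE KEY`) and PuTTY `.ppk` files pass silently. Finally, `io.open(filename, 'r')` decodes with the platform default encoding; given `files: ''` in hooks.yaml the hook will see binary files, and on Python 3 a non-UTF-8 file raises `UnicodeDecodeError` — reading bytes and matching byte markers avoids both the decode error and the encoding dependence.
```python
BLACKLIST = (
    b'BEGIN RSA PRIVATE KEY',
    b'BEGIN DSA PRIVATE KEY',
    b'BEGIN EC PRIVATE KEY',
    b'BEGIN OPENSSH PRIVATE KEY',
    b'BEGIN PRIVATE KEY',
    b'BEGIN ENCRYPTED PRIVATE KEY',
    b'PuTTY-User-Key-File-2',
)


def detect_private_key(argv=None):
    # … unchanged: argparse setup …
    private_key_files = []

    for filename in args.filenames:
        # Read bytes: avoids decode errors on binary/non-UTF-8 files
        # and keeps the match independent of the locale encoding.
        with open(filename, 'rb') as f:
            content = f.read()
        if any(marker in content for marker in BLACKLIST):
            private_key_files.append(filename)

    if private_key_files:
        for private_key_file in private_key_files:
            # Report the path only; never echo the key material.
            print('Private key found: {0}'.format(private_key_file))
        return 1
    else:
        return 0
```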
diff --git a/setup.py b/setup.py
index b86acd1..25b264d 100644
--- a/setup.py
+++ b/setup.py
@@ -44,6 +44,7 @@
'check-xml = pre_commit_hooks.check_xml:check_xml',
'check-yaml = pre_commit_hooks.check_yaml:check_yaml',
'debug-statement-hook = pre_commit_hooks.debug_statement_hook:debug_statement_hook',
+ 'detect-private-key = pre_commit_hooks.detect_private_key:detect_private_key',
'end-of-file-fixer = pre_commit_hooks.end_of_file_fixer:end_of_file_fixer',
'name-tests-test = pre_commit_hooks.tests_should_end_in_test:validate_files',
'double-quote-string-fixer = pre_commit_hooks.string_fixer:main',
diff --git a/tests/detect_private_key_test.py b/tests/detect_private_key_test.py
new file mode 100644
index 0000000..6d2e627
--- /dev/null
+++ b/tests/detect_private_key_test.py
@@ -0,0 +1,23 @@
+import os.path
+
+import pytest
+
+from pre_commit_hooks.detect_private_key import detect_private_key
+
+# Input, expected return value
+TESTS = (
+ (b'-----BEGIN RSA PRIVATE KEY-----', 1),
+ (b'-----BEGIN DSA PRIVATE KEY-----', 1),
+ (b'ssh-rsa DATA', 0),
+ (b'ssh-dsa DATA', 0),
+)
+
+
+@pytest.mark.parametrize(('input_s', 'expected_retval'), TESTS)
+def test_detect_private_key(input_s, expected_retval, tmpdir):
+ path = os.path.join(tmpdir.strpath, 'file.txt')
+
+ with open(path, 'wb') as file_obj:
+ file_obj.write(input_s)
+
+ assert detect_private_key([path]) == expected_retval
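Review bot: The negative cases only cover ASCII public-key lines, so nothing exercises the path that matters for a hook registered with `files: ''` — a binary or non-UTF-8 file — and a decode failure in the implementation would go unnoticed here; I would add a case such as `(b'\xff\xfe\x00\x01 not a key', 0)` to the TESTS tuple. Separately, `ssh-dsa DATA` is not an OpenSSH public-key type string (the DSA type is `ssh-dss`), so that row should read `(b'ssh-dss DATA', 0)` to stay a realistic negative. Consider also asserting on the hook's output so a regression that prints file contents rather than the path is caught by the suite.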