add extension verification check

babenek · babenek · commit 68504ad95d18 · 2025-10-24T09:54:22.000+03:00
diff --git a/config.json b/config.json
@@ -0,0 +1,202 @@
+{
+    "exclude": {
+        "pattern": [],
+        "containers": [
+            ".aar",
+            ".apk",
+            ".bz2",
+            ".class",
+            ".gz",
+            ".jar",
+            ".lzma",
+            ".rpm",
+            ".tar",
+            ".war",
+            ".whl",
+            ".xz",
+            ".zip"
+        ],
+        "documents": [
+            ".doc",
+            ".docx",
+            ".odp",
+            ".ods",
+            ".odt",
+            ".pdf",
+            ".ppt",
+            ".pptx",
+            ".xls",
+            ".xlsx"
+        ],
+        "extension": [
+            ".7z",
+            ".a",
+            ".aac",
+            ".avi",
+            ".bin",
+            ".bmp",
+            ".css",
+            ".dmg",
+            ".ear",
+            ".eot",
+            ".elf",
+            ".exe",
+            ".gif",
+            ".gmo",
+            ".ico",
+            ".img",
+            ".info",
+            ".jpeg",
+            ".jpg",
+            ".lib",
+            ".map",
+            ".m4a",
+            ".mat",
+            ".mo",
+            ".mov",
+            ".mp3",
+            ".mp4",
+            ".mpg",
+            ".mkv",
+            ".npy",
+            ".npz",
+            ".obj",
+            ".oga",
+            ".ogg",
+            ".ogv",
+            ".ops",
+            ".pak",
+            ".png",
+            ".psd",
+            ".pyc",
+            ".pyd",
+            ".pyo",
+            ".rar",
+            ".rc",
+            ".rc2",
+            ".realm",
+            ".res",
+            ".s7z",
+            ".scss",
+            ".so",
+            ".sum",
+            ".svg",
+            ".swf",
+            ".tif",
+            ".tiff",
+            ".tlb",
+            ".ttf",
+            ".vcxproj",
+            ".vdproj",
+            ".wav",
+            ".webm",
+            ".webp",
+            ".wma",
+            ".woff",
+            ".woff2",
+            ".yuv"
+        ],
+        "path": [
+            "/.git/",
+            "/.idea/",
+            "/.svn/",
+            "/__pycache__/",
+            "/node_modules/",
+            "/target/",
+            "/.venv/",
+            "/venv/"
+        ],
+        "lines": [],
+        "values": []
+    },
+    "source_ext": [
+        ".aspx",
+        ".cs",
+        ".cshtml",
+        ".ejs",
+        ".erb",
+        ".go",
+        ".html",
+        ".ipynb",
+        ".jsp",
+        ".jsx",
+        ".php",
+        ".phtml",
+        ".rb",
+        ".sh",
+        ".swift",
+        ".ts",
+        ".twig",
+        ".vue",
+        ".xhtml",
+        ".java",
+        ".js",
+        ".py",
+        ".cpp",
+        ".c",
+        ".h",
+        ".hpp",
+        ".mm",
+        ".cu",
+        ".y",
+        ".vb",
+        ".m",
+        ".cu"
+    ],
+    "source_quote_ext": [
+        ".cs",
+        ".cc",
+        ".php",
+        ".tf",
+        ".kt",
+        ".go",
+        ".ipynb",
+        ".ts",
+        ".java",
+        ".js",
+        ".py",
+        ".cpp",
+        ".c",
+        ".h",
+        ".hpp"
+    ],
+    "find_by_ext_list": [
+        ".pem",
+        ".cer",
+        ".csr",
+        ".der",
+        ".pfx",
+        ".p12",
+        ".key",
+        ".jks"
+    ],
+    "bruteforce_list": [
+        "",
+        "changeit",
+        "changeme",
+        "tizen"
+    ],
+    "check_for_literals": true,
+    "max_password_value_length": 64,
+    "max_url_cred_value_length": 80,
+    "line_data_output": [
+        "line",
+        "line_num",
+        "path",
+        "info",
+        "variable",
+        "variable_start",
+        "variable_end",
+        "value",
+        "value_start",
+        "value_end",
+        "entropy"
+    ],
+    "candidate_output": [
+        "rule",
+        "severity",
+        "confidence",
+        "ml_probability",
+        "line_data_list"
+    ]
+}
diff --git a/review_data.py b/review_data.py
@@ -7,13 +7,13 @@
 MAGENTA - templates
 When value start-end defined - the text is marked
 """
-
+import functools
 import json
 import os
+import pathlib
 import subprocess
 import sys
 from argparse import ArgumentParser
-from functools import cache
 from typing import List, Optional, Tuple, Dict
 
 from colorama import Fore, Back, Style
@@ -25,7 +25,15 @@
 EXIT_FAILURE = 1
 
 
-@cache
+@functools.cache
+def get_excluding_extensions() -> set[str]:
+    # copy of CredSweeper/secret/config.json
+    with open("config.json") as f:
+        result = json.load(f)
+    return set(result["exclude"]["containers"] + result["exclude"]["documents"] + result["exclude"]["extension"])
+
+
+@functools.cache
 def read_cache(path) -> list[str]:
     with open(path, "r", encoding="utf8") as f:
         return f.read().replace("\r\n", '\n').replace('\r', '\n').split('\n')
@@ -115,15 +123,15 @@ def read_data(path, line_start, line_end, value_start, value_end, ground_truth,
                  f"/.*{path.split('/')[-1]},{line_start},{line_end},.*/d",
                  f"meta/{repo_id}.csv"])
 
-    print("\n\n")
+    print("\n\n", flush=True)
 
 
-def main(meta_dir: str,
-         data_dir: str,
-         check_only: bool,
-         data_filter: dict,
-         load_json: Optional[str] = None,
-         category: Optional[str] = None) -> int:
+def review(meta_dir: str,
+           data_dir: str,
+           check_only: bool,
+           data_filter: dict,
+           load_json: Optional[str] = None,
+           category: Optional[str] = None) -> int:
     errors = 0
     duplicates = 0
     if not os.path.exists(meta_dir):
@@ -146,6 +154,11 @@ def main(meta_dir: str,
         if category and category not in row.Category.split(':'):
             continue
 
+        if pathlib.Path(row.FilePath).suffix in get_excluding_extensions():
+            # the file extension will be excluded during default scan
+            print(f"File {row.FilePath} is excluded by default config with extension filter!", flush=True)
+            errors += 1
+
         displayed_rows += 1
         if not check_only:
             print(str(row), flush=True)
@@ -221,7 +234,7 @@ def main(meta_dir: str,
     return result
 
 
-if __name__ == "__main__":
+def main(argv) -> int:
     parser = ArgumentParser(prog="python review_data.py",
                             description="Console script for review markup with colorization")
 
@@ -233,7 +246,7 @@ def main(meta_dir: str,
     parser.add_argument("-X", help="Show X markup", action="store_true")
     parser.add_argument("--load", help="Load json report from CredSweeper", nargs='?')
     parser.add_argument("--category", help="Filter only with the category", nargs='?')
-    _args = parser.parse_args()
+    _args = parser.parse_args(argv[1:])
 
     _data_filter = {"Other": False}
     if not _args.T and not _args.F and not _args.X:
@@ -244,8 +257,11 @@ def main(meta_dir: str,
         _data_filter["T"] = _args.T
         _data_filter["F"] = _args.F
         _data_filter["X"] = _args.X
-    exit_code = main(_args.meta_dir, _args.data_dir, bool(_args.check_only), _data_filter, _args.load, _args.category)
-    sys.exit(exit_code)
+    return review(_args.meta_dir, _args.data_dir, bool(_args.check_only), _data_filter, _args.load, _args.category)
+
+
+if __name__ == """__main__""":
+    sys.exit(main(sys.argv))
 
 # review generation command
 # .venv/bin/python review_data.py meta data >review.$(now).$(git rev-parse HEAD).txt
