talisman
talisman copied to clipboard
bug: talisman allows push when user adds a commit to delete the added secret
touch secret.pem git commit -am "whoops" git push talisman: booo rm secret.pem git commit -am "all safe now" git push talisman: :+1:
Shouldn't talisman be a pre-commit hook instead of a pre-push hook?
It works with the latest Talisman. Tested. @jacksingleton Please test and close the ticket if it looks ok
Closing this ticket, due to no further feedback. Please do let us know if you would like to re-open this.
Sorry, closed in error. This issue is actually still reproducible. Re-opening.
This is because on pre-push hook, talisman checks the complete file, and not the diff
I just stumbled on this bug as well 😅 I think this behavior should be highlighted in https://github.com/thoughtworks/talisman#talisman-in-action to prevent anyone from getting bitten by this.
It is mentioned that a pre-commit hook is preferred but its not clear why.
In case you have installed Talisman as a pre-push hook, it will scan the complete file in which changes are made. As mentioned above, it is recommended that you use Talisman as a pre-commit hook.
Especially
...as a pre-push hook, it will scan the complete file in which changes are made.
What's happening is that the pre-push hook will get the filenames of files that were added, copied or modified via git diff ShaOfLatestCommitOnRemote..ShaOfNotLatestLocalCommit --name-only --diff-filter=ACM
in the range of commits that are about to be pushed. It will then only get and scan the contents of the files as they are in the last commit. This explains the behavior described at https://github.com/thoughtworks/talisman/issues/16#issue-157115065
Here is the path in the code:
- https://github.com/thoughtworks/talisman/blob/201dd2c9078ba46450d77485f8743eac1374cb4f/pre_push_hook.go#L75
- https://github.com/thoughtworks/talisman/blob/201dd2c9078ba46450d77485f8743eac1374cb4f/gitrepo/gitrepo.go#L78-L83
This is pretty confusing as there are at least 3 different scanning behaviors I can find. The --scan
, pre-commit, pre-push (maybe--ignoreHistory is a 4th one).
Hope this helps the person picking this up :)