diff options
| author | Craig Jennings <c@cjennings.net> | 2026-07-16 11:19:45 -0500 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-07-16 11:19:45 -0500 |
| commit | 794a8bd606006cc21351be098a30cbbfe55750e4 (patch) | |
| tree | ef3a113221cc49610a3e6f1e607af0f2f62fab91 /scripts/systemd/roam-sync.timer | |
| parent | cf3eadc5dfeff5145feb891a2e61d1ada9a94df0 (diff) | |
| download | rulesets-794a8bd606006cc21351be098a30cbbfe55750e4.tar.gz rulesets-794a8bd606006cc21351be098a30cbbfe55750e4.zip | |
fix(githooks): match fixed-case secret tokens case-sensitively
The secret scan ran every pattern through grep -iE, so AKIA[0-9A-Z]{16} matched any mixed-case 20-char run. Random base64 in an embedded image blob hits that about 6% of the time per 100KB, enough to block a real commit and force --no-verify. takuzu hit it on a PNG sprite. AWS keys are uppercase, sk- keys lowercase, and PEM headers fixed, so those three now match case-sensitively. Only the keyword=value patterns still need -i.
I measured both causes first. Across ~10MB of random base64 the old pattern produced 7 matches and would have false-positived 6 of 100 sprite-sized blobs. Case-sensitive matching produced none.
takuzu's report also proposed skipping any added line containing ";base64,". I left that out. It guards against an uppercase AKIA run surviving the case fix, which never occurred in the sample and runs about one in a million per blob. The cost is real: minified bundles put a whole file on one line, so a data URI and a live key can share it, and skipping the line hides the key. A test covers that.
The three variants share one scan block, so elisp, bash, and go all carry the change. Splitting one grep into two meant a line matching both passes got reported twice, which reads as two separate leaks. awk dedupes it.
Diffstat (limited to 'scripts/systemd/roam-sync.timer')
0 files changed, 0 insertions, 0 deletions
