author | terminaldweller <devi@terminaldweller.com> | 2023-03-20 19:53:48 +0000 |
---|---|---|
committer | terminaldweller <devi@terminaldweller.com> | 2023-03-20 19:53:48 +0000 |
commit | 56ac1ba44d5c4043590459c2beb11b73cf5be3f7 (patch) | |
tree | 31cd7e9d041598ed81ab781faacb89d3103ed31b | |
parent | updated the frontend example (diff) | |
download | lclip-56ac1ba44d5c4043590459c2beb11b73cf5be3f7.tar.gz lclip-56ac1ba44d5c4043590459c2beb11b73cf5be3f7.zip |
added an option for passing options to detect-secrets. lclipd now changes the db file permission to read/write for user only.
-rw-r--r-- | README.md | 12 | ||||
-rwxr-xr-x | lclipd.lua | 33 |
2 files changed, 32 insertions, 13 deletions
@@ -32,7 +32,7 @@ pip install detect-secrets ## Usage -lclipd is technically just the "back-end". One way to have a frontend is to use dmenu:</br> +lclipd is technically just the "backend". One way to have a frontend is to use dmenu:</br> ```sh #!/usr/bin/env sh @@ -40,22 +40,22 @@ SQL_DB="$(cat /tmp/lclipd/lclipd_db_name)" content=$(sqlite3 "${SQL_DB}" "select replace(content,char(10),' '),id from lclipd;" | dmenu -fn "DejaVuSansMono Nerd Font Mono-11.3;antialias=true;autohint=true" -D "|" -l 20 -p "lclipd:") sqlite3 "${SQL_DB}" "select content from lclipd where id = ${content}" | xsel -ib ``` +For the above to work you have to have added the dynamic patch to dmenu.</br> ## Options ``` -Usage: ./lclipd.lua [-h] [-s <hist_size>] +Usage: ./lclipd.lua [-h] [-s <hist_size>] [-d <detect_secrets_args>] Options: -h, --help Show this help message and exit. -s <hist_size>, --hist_size <hist_size> number of distinct entries for clipboard history + -d <detect_secrets_args>, + --detect_secrets_args <detect_secrets_args> + options that will be passed to detect secrets (default: ) ``` ## Supported OSes lcilpd uses luaposix so any POSIX-half-compliant OS will do.</br> - -## TODO -* The DB permissions are not being taken care of.</br> -* allow passing options to `detect-secrets`.</br> @@ -81,8 +81,9 @@ local sql_insert = [=[ insert into lclipd(content,dateAdded) values('%s', unixepoch()); ]=] +-- using a heredoc string without expansion bypasses the need for escaping local detect_secrets_cmd = [=[ -detect-secrets scan --string <<- STR | grep -v False +detect-secrets scan %s --string <<- STR | grep -v False %s STR ]=] @@ -107,6 +108,8 @@ end local parser = argparse() parser:option("-s --hist_size", "number of distinct entries for clipboard history", 200) +parser:option("-d --detect_secrets_args", + "options that will be passed to detect secrets", "") --- Log the given string to syslog with the given priority. -- @param log_str the string passed to the logging facility 
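Review bot: The added comment on `detect_secrets_cmd` says the heredoc is used without expansion, but the delimiter in `<<- STR` is unquoted, so the shell still performs parameter expansion and command substitution on the clipboard text that `string.format` places in the body (the call is in the `@@ -209,7 +224,8 @@` hunk). Quoting the delimiter makes the body literal: `detect-secrets scan %s --string <<- 'STR' | grep -v False`. Even then a clipboard line consisting only of `STR` ends the heredoc early and the remainder is read as shell input, so writing the content to the child's stdin over a pipe, rather than embedding it in the command text, would be the sturdier fix. The new first `%s` is also spliced into the command line unquoted, which the comment should state.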
@@ -127,6 +130,16 @@ local function check_uid_gid() posix_syslog.LOG_INFO) end +--- Change the permission to user read/write i.e. chmod 600 +-- @param path to the database file whose permissions will be set +local function set_db_permissions(db_path) + local ret = sys_stat.chmod(db_path, sys_stat.S_IRUSR | sys_stat.S_IWUSR) + if ret ~= 0 then + log_to_syslog(tostring(ret), posix_syslog.LOG_CRIT) + lclip_exit(1) + end +end + --- Creates the necessary dirs local function make_tmp_dirs() local f = sys_stat.stat(tmp_dir) @@ -190,7 +203,9 @@ end --- Runs secret detection tests -- returns true if the string is not a secret -local function detect_secrets(clipboard_content) +-- @param clipboard_content the content that will be checked against detect-secrets +-- @param detect_secrets_arg extra args that will be passed to detect-secrets scan +local function detect_secrets(clipboard_content, detect_secrets_args) if clipboard_content == nil or clipboard_content == "" then return false end local pipe_read, pipe_write = unistd.pipe() if pipe_read == nil then @@ -201,7 +216,7 @@ local function detect_secrets(clipboard_content) local pid, errmsg = unistd.fork() - if pid == nil then + if pid == nil then -- error unistd.closr(pipe_read) unistd.closr(pipe_write) log_to_syslog("could not fork", posix_syslog.LOG_CRIT) @@ -209,7 +224,8 @@ local function detect_secrets(clipboard_content) lclip_exit(1) elseif pid == 0 then -- child unistd.close(pipe_read) - local cmd = string.format(detect_secrets_cmd, clipboard_content) + local cmd = string.format(detect_secrets_cmd, detect_secrets_args, + clipboard_content) local _, secrets_baseline_handle = pcall(io.popen, cmd) local secrets_baseline = secrets_baseline_handle:read("*a") if secrets_baseline == "" then 
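Review bot: In `set_db_permissions` the failure branch logs `tostring(ret)`, which will be the string `nil` if `chmod` follows the usual luaposix convention of returning `nil, errmsg, errnum` on error, so the reason for the failure never reaches syslog. Capturing the second result keeps it: `local ret, errmsg = sys_stat.chmod(db_path, sys_stat.S_IRUSR | sys_stat.S_IWUSR)` and `log_to_syslog("chmod failed: " .. tostring(errmsg), posix_syslog.LOG_CRIT)`. The doc line `-- @param path to the database file ...` names the parameter `path` while the function takes `db_path`; `-- @param db_path path to the database file whose permissions will be set` would match.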
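Review bot: The new doc line `-- @param detect_secrets_arg ...` does not match the parameter name `detect_secrets_args`, and the same parameter is spelled `detect_secrets_artgs` in the doc comment for `loop` in the `@@ -299,7 +316,8 @@` hunk. Both should read `-- @param detect_secrets_args extra args that will be passed to detect-secrets scan`. The body of `detect_secrets` continues outside this hunk.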
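Review bot: The fork-failure branch that this hunk annotates calls `unistd.closr(pipe_read)` and `unistd.closr(pipe_write)`, while the child branch a few lines below uses `unistd.close`, so `closr` looks like a typo that would raise an error on a nil field before `could not fork` is logged. The two lines should read `unistd.close(pipe_read)` and `unistd.close(pipe_write)`. The surrounding function begins and ends outside the hunk.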
@@ -286,6 +302,7 @@ local function get_sqlite_handle() log_to_syslog("could not open the database", posix_syslog.LOG_CRIT) lclip_exit(1) end + set_db_permissions(tmp_db_name) local tmp_db_file = io.open(db_file_name, "w") local stdout = io.output() @@ -299,7 +316,8 @@ end --- The clipboard's main loop -- @param clip_hist_size number of entries limit for the clip history file -local function loop(clip_hist_size) +-- @param detect_secrets_artgs args to pass to detect-secrets scan +local function loop(clip_hist_size, detect_secrets_args) local sqlite_handle = get_sqlite_handle() -- create the table if it does not exist @@ -340,7 +358,7 @@ local function loop(clip_hist_size) if clip_content == nil then goto continue end local insert_string = string.format(sql_insert, clip_content) - if detect_secrets(clip_content) then + if detect_secrets(clip_content, detect_secrets_args) then sqlite_handle:exec(insert_string) end if return_code ~= sqlite3.OK then @@ -368,7 +386,8 @@ local function main() check_pid_file() write_pid_file() check_uid_gid() - local status, err = pcall(loop, args["hist_size"]) + local status, err = pcall(loop, args["hist_size"], + args["detect_secrets_args"]) if status ~= true then log_to_syslog(err, posix_syslog.LOG_CRIT) end end |
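Review bot: `set_db_permissions(tmp_db_name)` runs after the database has already been opened, so the file exists with whatever mode the process umask allowed until the `chmod` lands, and any side files SQLite may create next to it are not covered at all. Setting a restrictive umask before the open closes that window, e.g. `sys_stat.umask(sys_stat.S_IRWXG | sys_stat.S_IRWXO)` near the top of `get_sqlite_handle`, with the `chmod` kept as a fix-up for a database left over from an older run. The function starts above this hunk, so where the open happens is inferred from the `could not open the database` branch.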
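Review bot: `insert_string` is built with `string.format(sql_insert, clip_content)`, and the template wraps the value in `'%s'`, so clipboard text containing a single quote breaks the statement or changes what SQL runs; the `detect_secrets` gate touched here does not help because the string is formatted before the check. A prepared statement with a bound parameter avoids that: change the template to `values(?, unixepoch())` and bind `clip_content` through the handle's prepare/bind/step calls instead of `exec`. The `return_code` tested on the following line is not assigned from this `exec` in the visible lines, so a failed insert may go unnoticed. `loop` starts and ends outside the hunk.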