From 56ac1ba44d5c4043590459c2beb11b73cf5be3f7 Mon Sep 17 00:00:00 2001 From: terminaldweller Date: Mon, 20 Mar 2023 23:23:48 +0330 Subject: added an option for passing options to detect-secrets. lclipd now changes the db file permission to read/write for user only. --- README.md | 12 ++++++------ lclipd.lua | 33 ++++++++++++++++++++++++++------- 2 files changed, 32 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index fddc369..3d55847 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ pip install detect-secrets ## Usage -lclipd is technically just the "back-end". One way to have a frontend is to use dmenu:
+lclipd is technically just the "backend". One way to have a frontend is to use dmenu:
```sh #!/usr/bin/env sh @@ -40,22 +40,22 @@ SQL_DB="$(cat /tmp/lclipd/lclipd_db_name)" content=$(sqlite3 "${SQL_DB}" "select replace(content,char(10),' '),id from lclipd;" | dmenu -fn "DejaVuSansMono Nerd Font Mono-11.3;antialias=true;autohint=true" -D "|" -l 20 -p "lclipd:") sqlite3 "${SQL_DB}" "select content from lclipd where id = ${content}" | xsel -ib ``` +For the above to work you have to have added the dynamic patch to dmenu.
## Options ``` -Usage: ./lclipd.lua [-h] [-s ] +Usage: ./lclipd.lua [-h] [-s ] [-d ] Options: -h, --help Show this help message and exit. -s , --hist_size number of distinct entries for clipboard history + -d , + --detect_secrets_args + options that will be passed to detect secrets (default: ) ``` ## Supported OSes lcilpd uses luaposix so any POSIX-half-compliant OS will do.
- -## TODO -* The DB permissions are not being taken care of.
-* allow passing options to `detect-secrets`.
diff --git a/lclipd.lua b/lclipd.lua index e6ed165..9e1db7e 100755 --- a/lclipd.lua +++ b/lclipd.lua @@ -81,8 +81,9 @@ local sql_insert = [=[ insert into lclipd(content,dateAdded) values('%s', unixepoch()); ]=] +-- using a heredoc string without expansion bypasses the need for escaping local detect_secrets_cmd = [=[ -detect-secrets scan --string <<- STR | grep -v False +detect-secrets scan %s --string <<- STR | grep -v False %s STR ]=] @@ -107,6 +108,8 @@ end local parser = argparse() parser:option("-s --hist_size", "number of distinct entries for clipboard history", 200) +parser:option("-d --detect_secrets_args", + "options that will be passed to detect secrets", "") --- Log the given string to syslog with the given priority. -- @param log_str the string passed to the logging facility @@ -127,6 +130,16 @@ local function check_uid_gid() posix_syslog.LOG_INFO) end +--- Change the permission to user read/write i.e. chmod 600 +-- @param path to the database file whose permissions will be set +local function set_db_permissions(db_path) + local ret = sys_stat.chmod(db_path, sys_stat.S_IRUSR | sys_stat.S_IWUSR) + if ret ~= 0 then + log_to_syslog(tostring(ret), posix_syslog.LOG_CRIT) + lclip_exit(1) + end +end + --- Creates the necessary dirs local function make_tmp_dirs() local f = sys_stat.stat(tmp_dir) @@ -190,7 +203,9 @@ end --- Runs secret detection tests -- returns true if the string is not a secret -local function detect_secrets(clipboard_content) +-- @param clipboard_content the content that will be checked against detect-secrets +-- @param detect_secrets_arg extra args that will be passed to detect-secrets scan +local function detect_secrets(clipboard_content, detect_secrets_args) if clipboard_content == nil or clipboard_content == "" then return false end local pipe_read, pipe_write = unistd.pipe() if pipe_read == nil then 
@@ -201,7 +216,7 @@ local function detect_secrets(clipboard_content) local pid, errmsg = unistd.fork() - if pid == nil then + if pid == nil then -- error unistd.closr(pipe_read) unistd.closr(pipe_write) log_to_syslog("could not fork", posix_syslog.LOG_CRIT) @@ -209,7 +224,8 @@ local function detect_secrets(clipboard_content) lclip_exit(1) elseif pid == 0 then -- child unistd.close(pipe_read) - local cmd = string.format(detect_secrets_cmd, clipboard_content) + local cmd = string.format(detect_secrets_cmd, detect_secrets_args, + clipboard_content) local _, secrets_baseline_handle = pcall(io.popen, cmd) local secrets_baseline = secrets_baseline_handle:read("*a") if secrets_baseline == "" then @@ -286,6 +302,7 @@ local function get_sqlite_handle() log_to_syslog("could not open the database", posix_syslog.LOG_CRIT) lclip_exit(1) end + set_db_permissions(tmp_db_name) local tmp_db_file = io.open(db_file_name, "w") local stdout = io.output() @@ -299,7 +316,8 @@ end --- The clipboard's main loop -- @param clip_hist_size number of entries limit for the clip history file -local function loop(clip_hist_size) +-- @param detect_secrets_artgs args to pass to detect-secrets scan +local function loop(clip_hist_size, detect_secrets_args) local sqlite_handle = get_sqlite_handle() -- create the table if it does not exist @@ -340,7 +358,7 @@ local function loop(clip_hist_size) if clip_content == nil then goto continue end local insert_string = string.format(sql_insert, clip_content) - if detect_secrets(clip_content) then + if detect_secrets(clip_content, detect_secrets_args) then sqlite_handle:exec(insert_string) end if return_code ~= sqlite3.OK then @@ -368,7 +386,8 @@ local function main() check_pid_file() write_pid_file() check_uid_gid() - local status, err = pcall(loop, args["hist_size"]) + local status, err = pcall(loop, args["hist_size"], + args["detect_secrets_args"]) if status ~= true then log_to_syslog(err, posix_syslog.LOG_CRIT) end end -- cgit v1.2.3
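Review bot: The fork-failure branch this hunk annotates with `-- error` calls `unistd.closr(pipe_read)` and `unistd.closr(pipe_write)`; the child branch a few lines below uses `unistd.close`, and luaposix does not export a `closr` function as far as I can tell, so a fork failure would raise an attempt-to-call-nil error before the syslog message and `lclip_exit` are reached. Suggest `unistd.close(pipe_read)` and `unistd.close(pipe_write)` in that branch. The enclosing `detect_secrets` starts before this hunk.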
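Review bot: `set_db_permissions(tmp_db_name)` runs only after the database has already been created by the `sqlite3.open` call above it, so the file briefly exists under the temp dir with the umask-derived mode (commonly 0644) before being tightened, and SQLite may already have created its journal alongside it. The tighter fix is to narrow the process umask before opening, e.g. `sys_stat.umask(tonumber("077", 8))` (hedged: luaposix exposes `umask` in `posix.sys.stat` on recent releases, elsewhere on older ones), keeping the explicit chmod as a belt-and-braces step for databases created by earlier versions. `get_sqlite_handle` starts before this hunk.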
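Review bot: The new LDoc line for `loop` has a typo in the parameter name, `detect_secrets_artgs`, so it does not match `detect_secrets_args` in the signature; suggest `-- @param detect_secrets_args extra args passed through to detect-secrets scan`. The body of `loop` continues past the end of this hunk.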
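Review bot: The line this hunk changes gates `sqlite_handle:exec(insert_string)` on `detect_secrets`, but `insert_string` is still built with `string.format(sql_insert, clip_content)` around a `'%s'` placeholder (visible in the first hunk's context), so any clipboard entry containing a single quote breaks the INSERT and a crafted one can run additional statements against the history database; the secret-detection gate filters secrets, not quotes. Bind the clipboard text as a parameter instead, assuming the lsqlite3 `prepare`/`bind_values` API that the `sqlite3` module name suggests; the `return_code` checked right after comes from outside this hunk and is left as is. The enclosing `loop` starts before this hunk.
```lua
    -- … unchanged: clip_content nil check …
    if detect_secrets(clip_content, detect_secrets_args) then
        -- bind the clipboard text instead of splicing it into the SQL string
        local stmt = sqlite_handle:prepare(
            "insert into lclipd(content,dateAdded) values(?, unixepoch());")
        if stmt == nil then
            log_to_syslog(sqlite_handle:errmsg(), posix_syslog.LOG_CRIT)
        else
            stmt:bind_values(clip_content)
            if stmt:step() ~= sqlite3.DONE then
                log_to_syslog(sqlite_handle:errmsg(), posix_syslog.LOG_CRIT)
            end
            stmt:finalize()
        end
    end
    -- … unchanged: return_code check and loop continuation …
```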