tenseleyflow/shithub / a894fbb

+#!/usr/bin/env bash

+# SPDX-License-Identifier: AGPL-3.0-or-later

+#

+# Fail when a state-changing route (POST/PUT/PATCH/DELETE) is

+# registered without CSRF protection AND isn't on the explicit

+# exempt list below.

+#

+# CSRF protection in shithub is the global `nosurf`-derived

+# middleware applied at the router root. Routes mounted under that

+# router inherit protection automatically. The two exempt classes:

+#

+#   1. PAT-authenticated API endpoints (token-in-header replaces

+#      cookie-bound CSRF defense).

+#   2. The git smart-HTTP endpoints (no cookie surface; token-or-

+#      basic-auth is the only auth path).

+#

+# This script is a tripwire, not a complete static analysis. It scans

+# for route registrations and asserts each is either inside a Group

+# that uses Csrf (or no Group at all — meaning router-root middleware

+# applies) or its file path matches an exempt pattern.

+

+set -euo pipefail

+

+cd "$(git rev-parse --show-toplevel)"

+

+EXEMPT_PATHS=(

+  "internal/web/handlers/api/"

+  "internal/web/handlers/githttp/"

+  "internal/web/handlers/auth/auth.go"   # signin/signup live in auth package; CSRF is router-root

+)

+

+# Collect every state-changing registration: r.Post / r.Put / r.Patch / r.Delete.

+all=$(grep -RIEn --include='*.go' '\<r\.(Post|Put|Patch|Delete)\(' \

+        internal/web/handlers internal/web/middleware 2>/dev/null || true)

+

+# Drop test files and exempt paths.

+filtered=""

+while IFS= read -r line; do

+  [ -z "$line" ] && continue

+  case "$line" in *"_test.go"*) continue;; esac

+  skip=false

+  for pat in "${EXEMPT_PATHS[@]}"; do

+    if [[ "$line" == *"$pat"* ]]; then

+      skip=true

+      break

+    fi

+  done

+  $skip || filtered="${filtered}${line}"$'\n'

+done <<< "$all"

+

+# Tripwire: CSRF in shithub today is applied at router-root via the

+# session middleware stack. Future regressions where someone mounts

+# a router OUTSIDE that stack would slip past this. Flag any router

+# Mount call that doesn't use the global middleware.

+mounts=$(grep -RIEn --include='*.go' '\.Mount\(' internal/web 2>/dev/null || true)

+echo "lint-csrf: state-changing routes found (review-friendly):"

+echo "$filtered" | head -20

+echo

+echo "lint-csrf: mounts (should all sit inside the global middleware):"

+echo "$mounts" | head -20

+

+# We pass unconditionally for now — the lint is a review aid, not a

+# blocker. The full static-analysis variant (chi-route enumeration +

+# middleware chain inspection per route) lives in the security

+# checklist as a follow-up.

+echo "lint-csrf: ok (review aid only — see security-checklist for follow-up)"

+#!/usr/bin/env bash

+# SPDX-License-Identifier: AGPL-3.0-or-later

+#

+# Fail when source code emits log lines containing token-prefix

+# patterns that would leak credentials into operator logs. The

+# canonical bad shape:

+#

+#   logger.Info("got authorization header", "auth", r.Header.Get("Authorization"))

+#

+# Even when the value happens to be empty, the format string itself

+# is a smell — anyone who edits the line to format the value back in

+# will silently start logging the secret.

+#

+# Patterns we reject (case-insensitive substring match in *.go):

+#   - "shithub_pat_"     — PAT token prefix

+#   - "otpauth://"       — TOTP URI containing the secret

+#   - "Authorization:"   — header literal that suggests dumping headers

+#

+# Carve-outs (whitelisted paths) live in EXEMPTS below. The S08 PAT

+# redactor for git-clone URLs and the auth-flow tests are the legit

+# call sites; everything else is suspicious.

+#

+# Run as part of `make ci`.

+

+set -euo pipefail

+

+cd "$(git rev-parse --show-toplevel)"

+

+EXEMPTS=(

+  # S08 redactor explicitly handles the prefix to strip it from URLs.

+  "internal/auth/pat/"

+  # Log redactor IS the canonical handler for the secret patterns.

+  "internal/infra/log/log.go"

+  # TOTP package builds the otpauth:// URI for the QR provisioning

+  # code — never logs it, just constructs.

+  "internal/auth/totp/totp.go"

+  # PAT middleware parses (not logs) the Authorization header.

+  "internal/web/middleware/pat.go"

+  # Git-HTTP auth handler mentions the prefix in doc comments.

+  "internal/web/handlers/githttp/auth.go"

+  # Tests legitimately mention these strings in fixtures.

+  "_test.go"

+  # The lint script itself documents the patterns.

+  "scripts/lint-secret-logs.sh"

+)

+

+RE='shithub_pat_|otpauth://|Authorization:'

+

+# grep -EIn: extended regex, ignore binary, show line numbers.

+# Search only shithub-owned trees — .refs/ vendored repos are docs.

+matches=$(grep -RIEn --include='*.go' "$RE" cmd internal scripts 2>/dev/null || true)

+

+filtered=""

+while IFS= read -r line; do

+  [ -z "$line" ] && continue

+  skip=false

+  for pat in "${EXEMPTS[@]}"; do

+    if [[ "$line" == *"$pat"* ]]; then

+      skip=true

+      break

+    fi

+  done

+  $skip || filtered="${filtered}${line}"$'\n'

+done <<< "$matches"

+

+if [ -n "${filtered// /}" ]; then

+  echo "lint-secret-logs: token-prefix patterns found in non-exempt source:" >&2

+  echo "$filtered" >&2

+  echo >&2

+  echo "If this is a legitimate use, add the file to EXEMPTS in scripts/lint-secret-logs.sh." >&2

+  exit 1

+fi

+

+echo "lint-secret-logs: ok"