curo/Business-Management
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add test user seed, password validation, and pre-commit security hook

Browse Source 
- backend/scripts/seed.py: creates test@example.com on dev startup
- backend/scripts/start_dev.sh: runs migrations + seed + uvicorn --reload
- backend/app/schemas/user.py: password validator (length, case, digit, special char, forbidden words)
- scripts/security_check.py: Docker-based scanner for secrets, dangerous patterns, weak crypto, bandit
- .githooks/pre-commit: runs security_check.py in python:3.12-slim on every commit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
curo1305
2026-04-12 15:54:23 +02:00
parent 2351b489fe
commit 61cef2eacd
9 changed files with 323 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/security_check.py
+161
View File
@@ -0,0 +1,161 @@
#!/usr/bin/env python3
"""
Security pre-commit checker.
Runs inside a Docker container — do not execute directly on the host.
Checks:
1. Hardcoded secrets / credentials in staged files
2. Dangerous patterns (eval, exec, shell=True, pickle)
3. Weak cryptography (MD5, SHA1 for passwords, DES)
4. SQL injection risk (raw string formatting into queries)
5. Debug/development flags left in code
6. bandit static analysis on Python files
"""
import os
import re
import subprocess
import sys
from pathlib import Path
# ── Patterns ─────────────────────────────────────────────────────────────────
SECRET_PATTERNS = [
# Only match lowercase/camelCase variable names — excludes ALL_CAPS test constants
(r'(?i)(?<![A-Z_])(password|passwd|secret|api_key|apikey|token|auth)(?![A-Z_])\s*=\s*["\'][^"\']{4,}["\']',
"possible hardcoded credential"),
(r'(?i)secret_key\s*=\s*["\'][^"\']{4,}["\'](?!.*change)',
"hardcoded secret_key (use env var)"),
(r'-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----',
"private key embedded in source"),
(r'(?i)(aws_access_key_id|aws_secret_access_key)\s*=\s*["\'][A-Za-z0-9/+]{16,}["\']',
"possible AWS credential"),
]
DANGEROUS_PATTERNS = [
(r'\beval\s*\(', "use of eval()"),
(r'\bexec\s*\(', "use of exec()"),
(r'subprocess\.[a-z_]+\(.*shell\s*=\s*True', "subprocess with shell=True"),
(r'pickle\.loads?\(', "use of pickle (deserialization risk)"),
(r'yaml\.load\s*\([^)]*\)(?!\s*#.*safe)', "yaml.load without Loader=yaml.SafeLoader"),
]
WEAK_CRYPTO_PATTERNS = [
(r'\bMD5\b|\bhashlib\.md5\b', "MD5 is not suitable for password hashing"),
(r'\bSHA1\b|\bhashlib\.sha1\b', "SHA1 is not suitable for password hashing"),
(r'\bDES\b(?!C)', "DES is a weak cipher"),
(r'random\.random\(\)|random\.randint\(', "use secrets module for security-sensitive randomness"),
]
SQL_INJECTION_PATTERNS = [
(r'(execute|query)\s*\(\s*[f"\'].*%s.*["\']\.format|f".*SELECT.*{',
"potential SQL injection via string formatting"),
]
DEBUG_PATTERNS = [
(r'\bdebug\s*=\s*True\b', "debug=True left in code"),
(r'print\s*\(.*password', "possible password printed to stdout"),
]
ALL_PATTERNS = (
[("SECRET", p, m) for p, m in SECRET_PATTERNS]
+ [("DANGER", p, m) for p, m in DANGEROUS_PATTERNS]
+ [("CRYPTO", p, m) for p, m in WEAK_CRYPTO_PATTERNS]
+ [("SQLINJ", p, m) for p, m in SQL_INJECTION_PATTERNS]
+ [("DEBUG", p, m) for p, m in DEBUG_PATTERNS]
)
# Files/dirs to skip
SKIP_DIRS = {".git", "node_modules", "__pycache__", ".venv", "dist", "build", "changelog"}
SKIP_FILES = {"package-lock.json", "poetry.lock", "security_check.py"}
# Skip documentation and binary files — they may reference pattern keywords without risk
SKIP_EXTENSIONS = {
".md", ".txt", ".rst",
".png", ".jpg", ".jpeg", ".gif", ".ico",
".woff", ".woff2", ".ttf", ".eot",
}
# ── Helpers ───────────────────────────────────────────────────────────────────
def get_staged_files() -> list[Path]:
"""Read staged files from STAGED_FILES env var (set by the pre-commit hook)."""
raw = os.environ.get("STAGED_FILES", "")
files = []
for line in raw.splitlines():
line = line.strip()
if not line:
continue
p = Path(line)
if p.suffix in SKIP_EXTENSIONS:
continue
if any(part in SKIP_DIRS for part in p.parts):
continue
if p.name in SKIP_FILES:
continue
if p.exists():
files.append(p)
return files
def scan_file(path: Path) -> list[tuple[int, str, str]]:
findings = []
try:
content = path.read_text(errors="ignore")
except Exception:
return findings
for line_no, line in enumerate(content.splitlines(), start=1):
for category, pattern, message in ALL_PATTERNS:
if re.search(pattern, line):
# Skip lines that are clearly comments explaining the pattern
stripped = line.strip()
if stripped.startswith("#") or stripped.startswith("//"):
continue
findings.append((line_no, category, message))
return findings
def run_bandit(py_files: list[Path]) -> tuple[bool, str]:
if not py_files:
return True, ""
result = subprocess.run(
["python", "-m", "bandit", "-q", "-ll", "--", *[str(f) for f in py_files]],
capture_output=True, text=True
)
passed = result.returncode == 0
return passed, result.stdout + result.stderr
# ── Main ──────────────────────────────────────────────────────────────────────
def main() -> int:
staged = get_staged_files()
if not staged:
print("[security] no staged files to check")
return 0
print(f"[security] scanning {len(staged)} staged file(s)...")
violations = 0
for path in staged:
findings = scan_file(path)
for line_no, category, message in findings:
print(f" [{category}] {path}:{line_no}{message}")
violations += 1
py_files = [f for f in staged if f.suffix == ".py"]
bandit_ok, bandit_out = run_bandit(py_files)
if not bandit_ok:
print("\n[security] bandit found issues:")
print(bandit_out)
violations += 1
if violations:
print(f"\n[security] BLOCKED — {violations} issue(s) found. Fix them or use git commit --no-verify to override.")
return 1
print("[security] all checks passed.")
return 0
if __name__ == "__main__":
sys.exit(main())