Replaces `rglob` with `os.walk` using `topdown=True` in `scripts/ci_validate_repo.py`. This allows pruning large ignored directories (like `node_modules` or `.git`) *before* traversal, significantly reducing the number of files scanned.

Performance:
- Benchmarked ~2.4x faster in the current environment (0.045s -> 0.019s).
- Impact scales with the size of ignored directories.

Verification:
- Added `scripts/verify_secret_scanning.py` to ensure secret scanning logic correctly detects secrets in tracked files and ignores them in excluded directories.
#!/usr/bin/env python3
"""
Verification script for ci_validate_repo.py secret scanning.
"""
import sys
import shutil
import subprocess
from pathlib import Path
# Resolve paths from this file's own location so the checker works from any cwd.
REPO_ROOT = Path(__file__).resolve().parent.parent
# The validation script under test, launched as a subprocess by run_check().
CI_SCRIPT = REPO_ROOT.joinpath("scripts", "ci_validate_repo.py")
def run_check():
    """Run ci_validate_repo.py in a child interpreter.

    Returns:
        A ``(returncode, stdout, stderr)`` tuple. stdout and stderr are
        decoded text because the process is started with ``text=True``.
    """
    argv = [sys.executable, str(CI_SCRIPT)]
    # cwd is the repo root so the checker scans the same tree the tests write into.
    completed = subprocess.run(argv, cwd=REPO_ROOT, capture_output=True, text=True)
    return (completed.returncode, completed.stdout, completed.stderr)
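def test_secret_in_tracked_file():
    """Plant a token-shaped string under scripts/ and expect the scan to fail.

    Writes a temporary file under ``REPO_ROOT/scripts`` containing a string
    shaped like ``ghp_`` followed by 36 characters, runs ci_validate_repo.py
    via ``run_check()``, and exits with status 1 if the checker does not
    return a non-zero code. The temporary file is removed in ``finally`` so
    it cannot be left in the working tree if the checker crashes.
    """
    print("Testing secret in tracked file (should FAIL)...")
    test_file = REPO_ROOT / "scripts" / "temp_secret.py"
    # Refuse to overwrite a pre-existing file at this path: the cleanup below
    # would otherwise delete something that does not belong to this test.
    if test_file.exists():
        print(f"FAIL: {test_file} already exists; remove it before running this check.")
        sys.exit(1)

    # Build the token at runtime so this script's own source does not contain
    # a literal that the scanner would flag.
    secret = "ghp_" + "1" * 36
    test_file.write_text(f'SECRET_TOKEN = "{secret}"', encoding="utf-8")

    try:
        code, out, err = run_check()
        if code != 0:
            print("PASS: Script correctly failed.")
        else:
            print("FAIL: Script passed but should have failed.")
            print("Output:", out)
            print("Error:", err)
            sys.exit(1)
    finally:
        # Always remove the planted file so nothing token-shaped lingers in the
        # repository tree after the test, pass or fail.
        if test_file.exists():
            test_file.unlink()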
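def test_secret_in_excluded_dir():
    """Plant a token-shaped string under an excluded directory and expect the scan to pass.

    Creates ``REPO_ROOT/node_modules/test_pkg/index.js`` holding a string
    shaped like ``ghp_`` followed by 36 characters, runs ci_validate_repo.py
    via ``run_check()``, and exits with status 1 if the checker reports a
    non-zero code. Only the directories this function created are removed
    afterwards, so a real ``node_modules`` tree is left intact.
    """
    print("Testing secret in excluded dir (should PASS)...")
    # The directory name must be one that ci_validate_repo.py prunes;
    # "node_modules" is assumed to be on that list — re-check if the
    # checker's exclusion list changes.
    excluded_root = REPO_ROOT / "node_modules"
    test_dir = excluded_root / "test_pkg"
    test_file = test_dir / "index.js"

    # Refuse to overwrite a pre-existing file; cleanup would otherwise delete it.
    if test_file.exists():
        print(f"FAIL: {test_file} already exists; remove it before running this check.")
        sys.exit(1)

    # Record what we create so cleanup removes only our own directories.
    created_root = not excluded_root.exists()
    created_dir = not test_dir.exists()
    test_dir.mkdir(parents=True, exist_ok=True)

    # Build the token at runtime so this script's own source is not flagged.
    secret = "ghp_" + "1" * 36
    test_file.write_text(f'const token = "{secret}";', encoding="utf-8")

    try:
        code, out, err = run_check()
        if code == 0:
            print("PASS: Script correctly ignored excluded directory.")
        else:
            print("FAIL: Script failed but should have passed.")
            print("Output:", out)
            print("Error:", err)
            sys.exit(1)
    finally:
        # Remove the planted file first, then only the directories we made
        # (innermost first); rmdir is safe because we added exactly one file.
        if test_file.exists():
            test_file.unlink()
        if created_dir and test_dir.exists():
            test_dir.rmdir()
        if created_root and excluded_root.exists():
            excluded_root.rmdir()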
if __name__ == "__main__":
    print("Running verification tests...")
    # Each check calls sys.exit(1) on failure, so reaching the final print
    # means every check passed.
    for check in (test_secret_in_tracked_file, test_secret_in_excluded_dir):
        check()
    print("All verification tests passed!")