
Commit 3cff07c

committed
Normalize clipboard guard rules on Windows
1 parent 5583209 commit 3cff07c

1 file changed

Lines changed: 25 additions & 4 deletions


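--- a/hooks/clipboard-exfiltration-guard.sh
+++ b/hooks/clipboard-exfiltration-guard.sh
@@ -7,16 +7,37 @@ CLIPBOARD_FILE="$CONFIG_HOME/clipboard-commands.regex"
 TOKEN_FILE="$CONFIG_HOME/live-token-patterns.regex"
 SECRET_PATHS_FILE="$CONFIG_HOME/secret-paths.regex"
 . "$(dirname "${BASH_SOURCE[0]}")/lib/audit.sh"
+. "$(dirname "${BASH_SOURCE[0]}")/lib/patterns.sh"
 
 [ -f "$CLIPBOARD_FILE" ] || exit 0
 
-if ! printf '%s\n' "$INPUT" | grep -Eif "$CLIPBOARD_FILE" >/dev/null 2>&1; then
-exit 0
+clipboard_match="false"
+case "$INPUT" in
+*pbcopy*|*clip.exe*|*Set-Clipboard*|*xclip*|*xsel*|*wl-copy*)
+clipboard_match="true"
+;;
+esac
+
+if [ "$clipboard_match" != "true" ]; then
+CLEAN_CLIPBOARD_FILE="$(shield_prepare_pattern_file "$CLIPBOARD_FILE")" || exit 1
+trap 'rm -f "${CLEAN_CLIPBOARD_FILE:-}" "${CLEAN_TOKEN_FILE:-}" "${CLEAN_SECRET_PATHS_FILE:-}"' EXIT
+if ! printf '%s\n' "$INPUT" | grep -Eif "$CLEAN_CLIPBOARD_FILE" >/dev/null 2>&1; then
+exit 0
+fi
+else
+trap 'rm -f "${CLEAN_CLIPBOARD_FILE:-}" "${CLEAN_TOKEN_FILE:-}" "${CLEAN_SECRET_PATHS_FILE:-}"' EXIT
+fi
+
+if [ -f "$TOKEN_FILE" ]; then
+CLEAN_TOKEN_FILE="$(shield_prepare_pattern_file "$TOKEN_FILE")" || exit 1
+fi
+if [ -f "$SECRET_PATHS_FILE" ]; then
+CLEAN_SECRET_PATHS_FILE="$(shield_prepare_pattern_file "$SECRET_PATHS_FILE")" || exit 1
 fi
 
-if [ -f "$TOKEN_FILE" ] && printf '%s\n' "$INPUT" | grep -Eif "$TOKEN_FILE" >/dev/null 2>&1; then
+if [ -n "${CLEAN_TOKEN_FILE:-}" ] && printf '%s\n' "$INPUT" | grep -Eif "$CLEAN_TOKEN_FILE" >/dev/null 2>&1; then
 :
-elif [ -f "$SECRET_PATHS_FILE" ] && printf '%s\n' "$INPUT" | grep -Eif "$SECRET_PATHS_FILE" >/dev/null 2>&1; then
+elif [ -n "${CLEAN_SECRET_PATHS_FILE:-}" ] && printf '%s\n' "$INPUT" | grep -Eif "$CLEAN_SECRET_PATHS_FILE" >/dev/null 2>&1; then
 :
 elif printf '%s' "$INPUT" | grep -Eqi '(printenv|gh[[:space:]]+auth[[:space:]]+token|gcloud[[:space:]]+auth[[:space:]]+print-access-token|aws[[:space:]]+configure[[:space:]]+export-credentials|kubectl[[:space:]]+config[[:space:]]+view[[:space:]]+--raw)'; then
 :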
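Review bot: The fallback check at new line 24 still fails open, because `if ! ... | grep -Eif "$CLEAN_CLIPBOARD_FILE" >/dev/null 2>&1; then exit 0` treats a grep error (status 2, for example a pattern that is still invalid after normalization, or an unreadable prepared file) the same as "no match", and the discarded stderr hides the cause. Capturing the status lets the hook fail closed: `rc=0; printf '%s\n' "$INPUT" | grep -Eif "$CLEAN_CLIPBOARD_FILE" >/dev/null 2>&1 || rc=$?`, then `[ "$rc" -le 1 ] || exit 1` and `[ "$rc" -eq 0 ] || exit 0`, assuming `exit 1` is the hook's failure path as the `|| exit 1` on the prepare calls suggests. The token and secret-path greps at new lines 38 and 40 have the same shape, so an error there falls through to the next `elif` as if nothing matched. Separately, the identical `trap 'rm -f ...' EXIT` is written in both branches at new lines 23 and 28 and could be installed once before the `if`, since it already uses `${VAR:-}`. The `if`/`elif` chain continues past the end of the hunk, so its final outcome is not visible here.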
