finos · Psingle20 · Jul 21, 2024 · Jul 23, 2024 · Jul 24, 2024 · Jul 25, 2024
diff --git a/.gitleaksignore b/.gitleaksignore
@@ -0,0 +1 @@
+**/gitleaks_report.json
diff --git a/.husky/commit-msg b/.husky/commit-msg
@@ -1,4 +1,2 @@
-#!/usr/bin/env sh
-. "$(dirname -- "$0")/_/husky.sh"
 
 npx --no -- commitlint --edit ${1} && npm run lint
diff --git a/gitleaks.toml b/gitleaks.toml
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -45,24 +45,28 @@
     "concurrently": "^8.0.0",
     "connect-mongo": "^5.1.0",
     "cors": "^2.8.5",
+    "csv-parser": "^3.0.0",
     "diff2html": "^3.4.33",
+    "exiftool-vendored": "^29.0.0",
     "express": "^4.18.2",
     "express-http-proxy": "^2.0.0",
     "express-rate-limit": "^7.1.5",
     "express-session": "^1.17.1",
+    "fs": "^0.0.1-security",
     "history": "5.3.0",
     "isomorphic-git": "^1.27.1",
     "jsonschema": "^1.4.1",
     "load-plugin": "^6.0.0",
     "lodash": "^4.17.21",
     "lusca": "^1.7.0",
     "moment": "^2.29.4",
-    "mongodb": "^5.0.0",
+    "mongodb": "^5.9.2",
     "nodemailer": "^6.6.1",
     "parse-diff": "^0.11.1",
     "passport": "^0.7.0",
     "passport-activedirectory": "^1.0.4",
     "passport-local": "^1.0.0",
+    "path": "^0.12.7",
     "perfect-scrollbar": "^1.5.5",
     "prop-types": "15.8.1",
     "react": "^16.13.1",
@@ -71,6 +75,7 @@
     "react-router-dom": "6.26.2",
     "simple-git": "^3.25.0",
     "uuid": "^10.0.0",
+    "xlsx": "^0.18.5",
     "yargs": "^17.7.2"
   },
   "devDependencies": {

diff --git a/proxy.config.json b/proxy.config.json
@@ -9,8 +9,14 @@
   "authorisedList": [
     {
       "project": "finos",
-      "name": "git-proxy",
-      "url": "https://github.com/finos/git-proxy.git"
+      "name": "git-proxy-test",
+      "url": "[email protected]:finos/git-proxy-test.git"
+    },
+    {
+      "project": "project name",
+      "name": "repo name",
+      "url": "repo url",
+      "LocalRepoRoot": "specify you local repository path"
     }
   ],
   "sink": [
@@ -77,8 +83,16 @@
       "block": {
         "literals": [],
         "patterns": [],
-        "providers": {}
+        "providers": {},
+        "proxyFileTypes": [".csv", ".jpg", ".xlsx", ".log", ".json", ".jpg"]
       }
+    },
+    "checkForSecrets": {
+      "enabled": true
+    },
+    "aiMlUsage": {
+      "enabled": true,
+      "blockPatterns": ["modelWeights", "largeDatasets", "aiLibraries", "configKeys", "aiFunctions"]
     }
   },
   "attestationConfig": {

diff --git a/src/proxy/chain.js b/src/proxy/chain.js
@@ -10,6 +10,10 @@ const pushActionChain = [
   proc.push.pullRemote,
   proc.push.writePack,
   proc.push.getDiff,
+  proc.push.checkForAiMlUsage,
+  proc.push.checkExifJpeg,
+  proc.push.checkSensitiveData,
+  proc.push.checkForSecrets,
   proc.push.clearBareClone,
   proc.push.scanDiff,
   proc.push.blockForAuth,

diff --git a/src/proxy/processors/push-action/checkCryptoImplementation.js b/src/proxy/processors/push-action/checkCryptoImplementation.js
@@ -0,0 +1,145 @@
+const Step = require('../../actions').Step;
+
+// Common encryption-related patterns and keywords
+const CRYPTO_PATTERNS = {
+  // Known non-standard encryption algorithms
+  nonStandardAlgorithms: [
+    'xor\\s*\\(',
+    'rot13',
+    'caesar\\s*cipher',
+    'custom\\s*encrypt',
+    'simple\\s*encrypt',
+    'homebrew\\s*crypto',
+    'custom\\s*hash'
+  ],
+
+  // Suspicious operations that might indicate custom crypto Implementation
+  suspiciousOperations: [
+    'bit\\s*shift',
+    'bit\\s*rotate',
+    '\\^=',  
+    '\\^',   
+    '>>>',
+    '<<<',
+    'shuffle\\s*bytes'
+  ],
+
+  // Common encryption-related variable names
+  suspiciousVariables: [
+    'cipher',
+    'encrypt',
+    'decrypt',
+    'scramble',
+    'salt(?!\\w)',
+    'iv(?!\\w)',
+    'nonce'
+  ]
+};
+
+function analyzeCodeForCrypto(diffContent) {
+  // file access
+
+  const issues = [];
+  // Check for above mentioned cryto Patterns
+  if(!diffContent) return issues;
+
+  CRYPTO_PATTERNS.nonStandardAlgorithms.forEach(pattern => {
+    const regex = new RegExp(pattern, 'gi');
+    const matches = diffContent.match(regex);
+    if (matches) {
+      issues.push({
+        type: 'non_standard_algorithm',
+        pattern: pattern,
+        matches: matches,
+        severity: 'high',
+        message: `Detected possible non-standard encryption algorithm: ${matches.join(', ')}`
+      });
+    }
+  });
+
+  CRYPTO_PATTERNS.suspiciousOperations.forEach(pattern => {
+    const regex = new RegExp(pattern, 'gi');
+    const matches = diffContent.match(regex);
+    if (matches) {
+      issues.push({
+        type: 'suspicious_operation',
+        pattern: pattern,
+        matches: matches,
+        severity: 'medium',
+        message: `Detected suspicious cryptographic operation: ${matches.join(', ')}`
+      });
+    }
+  });
+
+  CRYPTO_PATTERNS.suspiciousVariables.forEach(pattern => {
+    const regex = new RegExp(pattern, 'gi');
+    const matches = diffContent.match(regex);
+    if (matches) {
+      issues.push({
+        type: 'suspicious_variable',
+        pattern: pattern,
+        matches: matches,
+        severity: 'low',
+        message: `Detected potential encryption-related variable: ${matches.join(', ')}`
+      });
+    }
+  });
+
+  return issues;
+}
+
+const exec = async (req, action) => {
+
+  const step = new Step('checkCryptoImplementation');
+
+  try {
+    let hasIssues = false;
+    const allIssues = [];
+    console.log("action:",action);
+    for (const commit of action.commitData) {
+      const diff = commit.diff || '';
+      console.log("diff",diff);
+
+      const issues = analyzeCodeForCrypto(diff);
+
+      if (issues.length > 0) {
+        hasIssues = true;
+        allIssues.push({
+          commit: commit.hash,
+          issues: issues
+        });
+      }
+    }
+
+    if (hasIssues) {
+      step.error = true;
+
+      const errorMessage = allIssues.map(commitIssues => {
+        return `Commit ${commitIssues.commit}:\n` +
+          commitIssues.issues.map(issue => 
+            `- ${issue.severity.toUpperCase()}: ${issue.message}`
+          ).join('\n');
+      }).join('\n\n');
+
+      step.setError(
+        '\n\nYour push has been blocked.\n' +
+        'Potential non-standard cryptographic implementations detected:\n\n' +
+        `${errorMessage}\n\n` +
+        'Please use standard cryptographic libraries instead of custom implementations.\n' +
+        'Recommended: Use established libraries like crypto, node-forge, or Web Crypto API.\n'
+      );
+    }
+
+    action.addStep(step);
+    return action;
+  } catch (error) {
+    step.error = true;
+    step.setError(`Error analyzing crypto implementation: ${error.message}`);
+    action.addStep(step);
+    return action;
+  }
+};
+
+exec.displayName = 'checkCryptoImplementation.exec';
+exports.exec = exec;
+exports.analyzeCodeForCrypto = analyzeCodeForCrypto;