Looks at Python code to search for things which look "dodgy" such as passwords or diffs

Overview

dodgy

Dodgy is a very basic tool to run against your codebase to search for "dodgy" looking values. It is a series of simple regular expressions designed to detect things such as accidental SCM diff checkins, or passwords or secret keys hard coded into files.

While this is primarily aimed at open source projects (for whom a publicly available secret key is pretty dangerous), it can also be used in private projects, with the caveat that it will point out things which are not a problem for private projects and is not configurable enough currently to change that.

Another note: this tool is probably best run pre-commit, since it will hopefully prevent dodgy things being checked in. To execute it automatically before a commit, use a git pre-commit hook.

Status


This is a very early version with minimal functionality right now, but will be improved over time.

It was written as one of several tools for landscape.io, a code metrics and repository analyser for Python. As such, the features will mostly reflect the needs of Landscape in the early stages.

Comments
  • Add CLI and fix edge case with gzipped text files

    This PR aims to address #15 (Unicode issue with try/except workaround) and #5 (adds command line interface with ability to specify ignore paths and enables dodgy --help)

    There is also a version bump.

    Note this PR also makes use of GitHub actions (see .github/workflows/pythonpackage.yml) and could be combined with GitHub's secrets to add $TWINE_USERNAME and $TWINE_PASSWORD to enable automatic uploading of dodgy to PyPI.

    opened by Liam-Deacon 2
  • Travis-ci: Added support for ppc64le

    Hi, I have added support for ppc64le build on travis-ci in the branch . The travis-ci build log can be tracked at https://travis-ci.com/github/sanjaymsh/dodgy/builds/187367458 . I believe it is ready for the final review and merge. Please have a look at it and if everything looks fine to you then please approve it for merge.

    Thanks !!

    opened by sanjaymsh 1
  • Switched broken pypip.in badges to shields.io

    Hello, this is an auto-generated Pull Request. (Feedback?)

    Some time ago, pypip.in shut down. This broke the badges for a bunch of repositories, including dodgy. Thankfully, an equivalent service is run by shields.io. This pull request changes the badge to use shields.io instead.

    opened by movermeyer 1
  • Regular expression parse error in dodgy/run.py

    When I try to use prospector in the following way, I get a traceback:

    prospector

    These also fail with the same error message:

    prospector --help
    prospector --strictness high

    The error message is:

    Traceback (most recent call last):
      File "D:\Python27_x86\Scripts\prospector-script.py", line 9, in <module>
        load_entry_point('prospector==0.6.4', 'console_scripts', 'prospector')()
      File "D:\Python27_x86\lib\site-packages\pkg_resources.py", line 356, in load_entry_point
        return get_distribution(dist).load_entry_point(group, name)
      File "D:\Python27_x86\lib\site-packages\pkg_resources.py", line 2476, in load_entry_point
        return ep.load()
      File "D:\Python27_x86\lib\site-packages\pkg_resources.py", line 2190, in load
        ['name'])
      File "D:\Python27_x86\lib\site-packages\prospector\run.py", line 7, in <module>
        from prospector import config as cfg, tools, blender
      File "D:\Python27_x86\lib\site-packages\prospector\config.py", line 6, in <module>
        from prospector.tools import TOOLS, DEFAULT_TOOLS
      File "D:\Python27_x86\lib\site-packages\prospector\tools\__init__.py", line 1, in <module>
        from prospector.tools.dodgy import DodgyTool
      File "D:\Python27_x86\lib\site-packages\prospector\tools\dodgy\__init__.py", line 5, in <module>
        from dodgy.run import check_file
      File "D:\Python27_x86\lib\site-packages\dodgy\run.py", line 12, in <module>
        r'%(sep)stests?(%(sep)s|$)',
      File "D:\Python27_x86\lib\re.py", line 190, in compile
        return _compile(pattern, flags)
      File "D:\Python27_x86\lib\re.py", line 242, in _compile
        raise error, v # invalid expression
    sre_constants.error: unbalanced parenthesis

    On Windows 7, I'm using: python 2.7 64-bit

    argparse (1.2.1)
    astroid (1.2.1)
    dodgy (0.1.5)
    enum34 (1.0)
    pep8 (1.5.7)
    pep8-naming (0.2.2)
    pies (2.6.1)
    pies2overrides (2.6.1)
    prospector (0.6.4)
    pycairo (1.10.0)
    pyflakes (0.8.1)
    pylint (1.3.1)
    pylint-celery (0.3)
    pylint-common (0.2.1)
    pylint-django (0.5.5)
    pylint-plugin-utils (0.2.2)

    I think that covers all the packages dodgy cares about :)

    opened by SteveDoyle2 1
  • Deprecation warning due to invalid escape sequences in Python 3.8

    Deprecation warnings are raised due to invalid escape sequences in Python 3.8. Below is a log of the warnings raised during compiling all the Python files. Using raw strings or escaping them will fix this issue.

    find . -iname '*.py'  | xargs -P 4 -I{} python -Walways -m py_compile {}
    
    ./tests/testdata/amazon.py:2: DeprecationWarning: invalid escape sequence \A
      AWS_SECRET_ACCESS_KEY = 'A8+6AN5TSUZ3vysJg68Rt\A9E7duMlfKODwb3ZD8'
    
    opened by tirkarthi 0
  • distutils is deprecated in Python 3.10

    https://github.com/landscapeio/dodgy/blob/b3fbaf05b106f7c3da8160e38c704f695613ff4d/setup.py#L2

    PYTHONWARNINGS=always python setup.py install   
    /root/checked_repos_clone_1500_1600/dodgy/setup.py:2: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
      from distutils.core import setup
    
    opened by tirkarthi 0
  • UnicodeDecodeError: 'utf-8' codec can't decode byte

    $ dodgy ---help
    Traceback (most recent call last):
      File "/usr/bin/dodgy", line 4, in <module>
        dodgy.run.run()
      File "/usr/lib/python3/dist-packages/dodgy/run.py", line 56, in run
        warnings = run_checks(os.getcwd())
      File "/usr/lib/python3/dist-packages/dodgy/run.py", line 44, in run_checks
        for msg_parts in check_file(filepath):
      File "/usr/lib/python3/dist-packages/dodgy/checks.py", line 72, in check_file
        return check_file_contents(to_check.read())
      File "/usr/lib/python3.6/codecs.py", line 700, in read
        return self.reader.read(size)
      File "/usr/lib/python3.6/codecs.py", line 503, in read
        newchars, decodedbytes = self.decode(data, self.errors)
    UnicodeDecodeError: 'utf-8' codec can't decode byte 0xe0 in position 787: invalid continuation byte
    $ dpkg -l dodgy
    ii  dodgy                   0.1.9-3          all              searches for dodgy looking lines in Python code
    
    opened by arthurzenika 1
  • Improve exception handling

    Install the library and try to execute the dodgy script in a directory where there are no Python files. Instead of the stack trace, I would imagine an error message or at least an empty dict...

    <mock-chroot> sh-4.4# dodgy
    Traceback (most recent call last):
      File "/usr/bin/dodgy", line 4, in <module>
        dodgy.run.run()
      File "/usr/lib/python2.7/site-packages/dodgy/run.py", line 56, in run
        warnings = run_checks(os.getcwd())
      File "/usr/lib/python2.7/site-packages/dodgy/run.py", line 44, in run_checks
        for msg_parts in check_file(filepath):
      File "/usr/lib/python2.7/site-packages/dodgy/checks.py", line 72, in check_file
        return check_file_contents(to_check.read())
      File "/usr/lib64/python2.7/codecs.py", line 686, in read
        return self.reader.read(size)
      File "/usr/lib64/python2.7/codecs.py", line 492, in read
        newchars, decodedbytes = self.decode(data, self.errors)
    UnicodeDecodeError: 'utf8' codec can't decode byte 0x8b in position 1: invalid start byte
    
    <mock-chroot> sh-4.4# dodgy-3.6 
    Traceback (most recent call last):
      File "/usr/bin/dodgy-3.6", line 4, in <module>
        dodgy.run.run()
      File "/usr/lib/python3.6/site-packages/dodgy/run.py", line 56, in run
        warnings = run_checks(os.getcwd())
      File "/usr/lib/python3.6/site-packages/dodgy/run.py", line 44, in run_checks
        for msg_parts in check_file(filepath):
      File "/usr/lib/python3.6/site-packages/dodgy/checks.py", line 72, in check_file
        return check_file_contents(to_check.read())
      File "/usr/lib64/python3.6/codecs.py", line 698, in read
        return self.reader.read(size)
      File "/usr/lib64/python3.6/codecs.py", line 501, in read
        newchars, decodedbytes = self.decode(data, self.errors)
    UnicodeDecodeError: 'utf-8' codec can't decode byte 0x8b in position 1: invalid start byte
    opened by ricco386 0
  • Don't error out on compressed files or on non-Unicode files

    Dodgy ignored the second element of mimetypes.guess_type's result, so it would try to process files that were gzipped, bzipped, etc.

    In Python 3, trying to read from a text file may throw a UnicodeDecodeError if any encoding errors are encountered.

    These two issues together meant that Dodgy would throw an exception and abort when it ran on my Django project, which had some gzipped CSS. This PR offers a (fairly minimal) fix for these issues.

    opened by joshkel 2
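As an added illustration of the regex-based approach the overview describes, combined with the compressed-file and non-Unicode handling the PR above argues for (example code written for this page, not dodgy's own implementation; the check patterns, function names and sample files are all constructed):

```python
# Minimal dodgy-style scanner (added example, not dodgy's own code).
import gzip
import mimetypes
import os
import re
import tempfile

CHECKS = [  # constructed (code, message, per-line pattern) tuples
    ("diff", "SCM diff/merge marker", re.compile(r"^(?:diff --git |@@ .+ @@|<<<<<<< |>>>>>>> )")),
    ("aws_key", "possible AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("password", "hard-coded password", re.compile(r"(?i)\bpassword\s*=\s*['\"][^'\"]{4,}['\"]")),
    ("private_key", "private key material", re.compile(r"-----BEGIN (?:\w+ )?PRIVATE KEY-----")),
]


def check_contents(text):
    """Return (line_number, code, message) for each line that trips a check."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for code, message, pattern in CHECKS:
            if pattern.search(line):
                hits.append((lineno, code, message))
    return hits


def check_file(path):
    """Skip compressed files (second element of guess_type is the encoding, e.g.
    'gzip'), catch gzip by magic bytes, and decode leniently so a stray byte
    that is not valid UTF-8 cannot abort the whole run."""
    _, encoding = mimetypes.guess_type(path)
    if encoding is not None:
        return []
    with open(path, "rb") as handle:
        data = handle.read()
    if data[:2] == b"\x1f\x8b":  # gzip magic even when the name lacks .gz
        return []
    return check_contents(data.decode("utf-8", errors="replace"))


def run_demo():
    """Scan constructed sample files written to a temp dir; returns {name: hits}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        samples = {  # constructed inputs; the AWS value is the documented example key
            "settings.py": b"DEBUG = True\npassword = 'hunter2'\nAWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n",
            "latin1.py": b"# caf\xe9\n<<<<<<< HEAD\n",
            "style.css.gz": gzip.compress(b"password = 'not-scanned'\n"),
        }
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as handle:
                handle.write(data)
            results[name] = check_file(path)
    return results
```

Without the encoding check and the lenient decode, the gzipped CSS and the Latin-1 file would raise UnicodeDecodeError exactly as in the tracebacks reported in the issues above.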
Owner
Landscape