feat: merge the Chek for EXIF data

Author: Psingle20

package-lock.json

@@ -52,6 +52,7 @@
     "express-http-proxy": "^2.0.0",
     "express-rate-limit": "^7.1.5",
     "express-session": "^1.17.1",
+    "fs": "^0.0.1-security",
     "history": "5.3.0",
     "jsonschema": "^1.4.1",
     "load-plugin": "^6.0.0",
@@ -64,6 +65,7 @@
     "passport": "^0.7.0",
     "passport-activedirectory": "^1.0.4",
     "passport-local": "^1.0.0",
+    "path": "^0.12.7",
     "perfect-scrollbar": "^1.5.5",
     "prop-types": "15.8.1",
     "react": "^16.13.1",

package.json

@@ -83,8 +83,11 @@
           "enabled": true,
           "blockPatterns": ["modelWeights", "largeDatasets", "aiLibraries", "configKeys", "aiFunctions"]
         }
+       
+        
       }
     }
+   
   },
   "attestationConfig": {
     "questions": [

proxy.config.json

@@ -13,6 +13,7 @@ const pushActionChain = [
   proc.push.checkSensitiveData,     // checkSensitiveData added
   proc.push.getDiff,
   proc.push.checkForAiMlUsage,
+  proc.push.checkExifJpeg,
   proc.push.clearBareClone,
   proc.push.scanDiff,
   proc.push.blockForAuth,

src/proxy/chain.js

@@ -0,0 +1,91 @@
+const { ExifTool } = require('exiftool-vendored');
+const { Step } = require('../../actions');
+const config = require('../../../config');
+
+const commitConfig = config.getCommitConfig();
+const validExtensions = ['.jpeg', '.png', '.jpg', '.tiff'];
+// Make sure you have modified the proxy.config.json;
+// Function to check sensitive EXIF data
+const checkSensitiveExifData = (metadata) => {
+    let allSafe = true;
+
+
+
+        if (metadata.GPSLatitude || metadata.GPSLongitude) {
+            console.log('GPS data detected; push is blocked due to sensitive EXIF metadata');
+            allSafe = false;
+        }
+
+    
+        if (metadata.Make || metadata.Model || metadata.Software) {
+            console.log('Camera information detected; push is blocked due to sensitive EXIF metadata');
+            allSafe = false;
+        }
+    
+
+    return allSafe;
+};
+
+// Function to retrieve EXIF data using ExifTool
+const getExifData = async (filePath) => {
+    const exifTool = new ExifTool();
+    try {
+        const metadata = await exifTool.read(filePath);
+        return metadata ? checkSensitiveExifData(metadata) : true;
+    } catch (error) {
+        console.log(`Error reading EXIF data from ${filePath}: ${error.message}`);
+        return false;
+    } finally {
+        await exifTool.end();
+    }
+};
+
+// Helper function to parse file paths from git diff content
+const extractFilePathsFromDiff = (diffContent) => {
+    const filePaths = [];
+    const lines = diffContent.split('\n');
+
+    lines.forEach(line => {
+        const match = line.match(/^diff --git a\/(.+?) b\/(.+?)$/);
+        if (match) {
+            filePaths.push(match[1]); // Extract the file path from "a/" in the diff line
+        }
+    });
+
+    return filePaths;
+};
+
+// Main exec function
+const exec = async (req, action, log = console.log) => {
+
+    const diffStep = action.steps.find((s) => s.stepName === 'diff');
+    const step = new Step('checkExifJpeg');
+    const allowedFileType = commitConfig.diff.block.ProxyFileTypes;
+
+    if (diffStep && diffStep.content) {
+        const filePaths = extractFilePathsFromDiff(diffStep.content);
+        const filteredPaths = filePaths.filter(path => validExtensions.some(ext => path.endsWith(ext) && allowedFileType.includes(ext)));
+
+        if (filteredPaths.length > 0) {
+            const exifResults = await Promise.all(filteredPaths.map(filePath => getExifData(filePath)));
+            const isBlocked = exifResults.some(result => !result);
+
+            if (isBlocked) {
+                step.blocked = true;
+                step.error = true;
+                step.errorMessage = 'Your push has been blocked due to sensitive EXIF metadata detection in an image';
+                log(step.errorMessage);
+            }
+        } else {
+            log('No valid image files found in the diff content.');
+        }
+    } else {
+        log('No diff content available.');
+    }
+
+    action.addStep(step);
+    return action;
+};
+
+exec.displayName = 'CheckExif.exec';
+module.exports = { exec };

src/proxy/processors/push-action/checkExifJpeg.js

@@ -13,3 +13,4 @@ exports.checkUserPushPermission = require('./checkUserPushPermission').exec;
 exports.clearBareClone = require('./clearBareClone').exec;
 exports.checkSensitiveData = require('./checkSensitiveData').exec;
 exports.checkForAiMlusage = require('./checkForAiMlUsage').exec;
+exports.checkExifJpeg = require('./checkExifJpeg').exec;

src/proxy/processors/push-action/index.js

@@ -0,0 +1,79 @@
+const { exec } = require('../src/proxy/processors/push-action/checkExifJpeg.js');
+const sinon = require('sinon');
+const { Action } = require('../src/proxy/actions/Action.js');
+const { Step } = require('../src/proxy/actions/Step.js');
+
+
+describe('Check EXIF Data From Images', () => {
+    let logStub;
+    
+
+    beforeEach(() => {
+        // Stub console.log and config.getCommitConfig for isolation in each test case
+        logStub = sinon.stub(console, 'log');
+       
+    });
+
+    afterEach(() => {
+        // Restore stubs to avoid cross-test interference
+        logStub.restore();
+        // configStub.restore();
+    });
+
+    const createDiffContent = (filePaths) => {
+        // Creates diff-like content for each file path to simulate actual git diff output
+        return filePaths.map(filePath => `diff --git a/${filePath} b/${filePath}`).join('\n');
+    };
+
+    it('Should block push when sensitive EXIF metadata is found (GPS)', async () => {
+       
+        
+        // Create action and step instances with test data that should trigger blocking
+        const action = new Action('action_id', 'push', 'create', Date.now(), 'owner/repo');
+        const step = new Step('diff');
+
+        // Set content with sensitive EXIF metadata in the test image file
+        step.setContent(createDiffContent(['test/test_data/jpg/Sensitive_EXIF.jpg']));
+        action.addStep(step);
+
+        await exec(null, action);
+
+        // Check that console.log was called with the blocking message
+        sinon.assert.calledWith(logStub, sinon.match(/Your push has been blocked due to sensitive EXIF metadata detection in an image/));
+    });
+
+    it('Should block push when sensitive EXIF metadata is found (Camera Info)', async () => {
+        
+
+        const action = new Action('action_id', 'push', 'create', Date.now(), 'owner/repo');
+        const step = new Step('diff');
+
+        // Set content for a file that contains Camera-Info EXIF data
+        step.setContent(createDiffContent(['test/test_data/jpg/Sensitive_Data_EXIF_2.jpg']));
+        action.addStep(step);
+
+        await exec(null, action);
+
+        // Assert blocking message was logged
+        sinon.assert.calledWith(logStub, sinon.match(/Your push has been blocked due to sensitive EXIF metadata detection in an image/));
+    });
+
+    it('Should allow push when no sensitive EXIF metadata is found', async () => {
+        // Configure with no sensitive EXIF parameters
+        
+
+        const action = new Action('action_id', 'push', 'create', Date.now(), 'owner/repo');
+        const step = new Step('diff');
+
+        // Set content for a non-sensitive EXIF file
+        step.setContent(createDiffContent(['test/test_data/jpg/Not_Sensitive_EXIF.jpg']));
+        action.addStep(step);
+
+        await exec(null, action);
+
+        // Ensure no blocking message was logged
+        sinon.assert.neverCalledWith(logStub, sinon.match(/Your push has been blocked due to sensitive EXIF metadata detection in an image/));
+    });
+
+    
+});

test/CheckExif.test.js

@@ -28,6 +28,7 @@ const mockPushProcessors = {
   getDiff: sinon.stub(),
   checkSensitiveData : sinon.stub(),
   clearBareClone: sinon.stub(),
+  checkExifJpeg : sinon.stub(),
   scanDiff: sinon.stub(),
   blockForAuth: sinon.stub(),
 };
@@ -41,7 +42,6 @@ mockPushProcessors.checkIfWaitingAuth.displayName = 'checkIfWaitingAuth';
 mockPushProcessors.pullRemote.displayName = 'pullRemote';
 mockPushProcessors.writePack.displayName = 'writePack';
 mockPushProcessors.getDiff.displayName = 'getDiff';
-mockPushProcessors.checkSensitiveData.displayName = 'checkSensitiveData';
 mockPushProcessors.clearBareClone.displayName = 'clearBareClone';
 mockPushProcessors.scanDiff.displayName = 'scanDiff';
 mockPushProcessors.blockForAuth.displayName = 'blockForAuth';
@@ -107,6 +107,7 @@ describe('proxy chain', function () {
     mockPushProcessors.parsePush.resolves(continuingAction);
     mockPushProcessors.checkRepoInAuthorisedList.resolves(continuingAction);
     mockPushProcessors.checkCommitMessages.resolves(continuingAction);
+    mockPushProcessors.checkEXIFJpeg.resolves(continuingAction);
     mockPushProcessors.checkAuthorEmails.resolves(continuingAction);
     mockPushProcessors.checkUserPushPermission.resolves(continuingAction);
     mockPushProcessors.checkSensitiveData.resolves(continuingAction);
@@ -124,7 +125,6 @@ describe('proxy chain', function () {
     expect(mockPushProcessors.checkIfWaitingAuth.called).to.be.true;
     expect(mockPushProcessors.pullRemote.called).to.be.false;
     expect(mockPushProcessors.audit.called).to.be.true;
-    expect(mockPushProcessors.checkSensitiveData.called).to.be.false;
 
     expect(result.type).to.equal('push');
     expect(result.allowPush).to.be.false;
@@ -140,8 +140,8 @@ describe('proxy chain', function () {
     mockPushProcessors.checkCommitMessages.resolves(continuingAction);
     mockPushProcessors.checkAuthorEmails.resolves(continuingAction);
     mockPushProcessors.checkUserPushPermission.resolves(continuingAction);
-    mockPushProcessors.checkSensitiveData.resolves(continuingAction);
     // this stops the chain from further execution
+
     mockPushProcessors.checkIfWaitingAuth.resolves({ type: 'push', continue: () => true, allowPush: true });
     const result = await chain.executeChain(req);
 
@@ -154,7 +154,6 @@ describe('proxy chain', function () {
     expect(mockPushProcessors.checkIfWaitingAuth.called).to.be.true;
     expect(mockPushProcessors.pullRemote.called).to.be.false;
     expect(mockPushProcessors.audit.called).to.be.true;
-    expect(mockPushProcessors.checkSensitiveData.called).to.be.false;
 
     expect(result.type).to.equal('push');
     expect(result.allowPush).to.be.true;
@@ -174,10 +173,10 @@ describe('proxy chain', function () {
     mockPushProcessors.pullRemote.resolves(continuingAction);
     mockPushProcessors.writePack.resolves(continuingAction);
     mockPushProcessors.getDiff.resolves(continuingAction);
+    mockPushProcessors.checkEXIFJpeg.resolves(continuingAction);
     mockPushProcessors.clearBareClone.resolves(continuingAction);
     mockPushProcessors.scanDiff.resolves(continuingAction);
     mockPushProcessors.blockForAuth.resolves(continuingAction);
-    mockPushProcessors.checkSensitiveData.resolves(continuingAction);
 
     const result = await chain.executeChain(req);
 
@@ -191,6 +190,7 @@ describe('proxy chain', function () {
     expect(mockPushProcessors.pullRemote.called).to.be.true;
     expect(mockPushProcessors.writePack.called).to.be.true;
     expect(mockPushProcessors.getDiff.called).to.be.true;
+    expect(mockPushProcessors.checkEXIFJpeg.called).to.be.true;
     expect(mockPushProcessors.clearBareClone.called).to.be.true;
     expect(mockPushProcessors.scanDiff.called).to.be.true;
     expect(mockPushProcessors.blockForAuth.called).to.be.true;