CN115774864B - Code leakage protection method and device based on git hook script - Google Patents

Info

Publication number
CN115774864B
CN115774864B
Authority
CN
China
Prior art keywords
push
git
pushing
script
warehouse address
Legal status
Active
Application number
CN202310093510.7A
Other languages
Chinese (zh)
Other versions
CN115774864A (en)
Inventor
张黎
陈广辉
王伟
周亮
Current Assignee
Flash It Co ltd
Original Assignee
Flash It Co ltd
Application filed by Flash It Co ltd
Priority to CN202310093510.7A
Publication of CN115774864A
Application granted
Publication of CN115774864B

Classifications

    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention provides a code leakage protection method and device based on a git hook script, which detect a source code pushing event triggered by a user through a hook mechanism of a git platform, acquire a target warehouse address contained in the source code pushing event, transmit the target warehouse address to a code pushing monitoring tool based on a pre-pushing script, identify pushing authority of the target warehouse address by using the code pushing monitoring tool to obtain the pushing authority of the target warehouse address, and return the pushing authority of the target warehouse address to the git platform, so that the git platform can decide whether to push the source code into the target warehouse address based on the pushing authority of the target warehouse address, the reliability and the accuracy of source code leakage detection and control are ensured, the stability, the compatibility and the efficiency are higher, and the normal use operation of the user is not influenced while the code leakage protection is more accurately carried out.

Description

Code leakage protection method and device based on git hook script
Technical Field
The invention relates to the technical field of information security, in particular to a code leakage protection method and device based on a git hook script.
Background
git is an open-source distributed version control system and is currently the most commonly used source code management tool; while it improves research and development efficiency, it also carries a certain security risk. Staff may push source code or documents to an external private repository through the git platform, disclosing company secrets. Therefore, a leakage prevention step needs to be introduced into the source code submission process to avoid the leakage of confidential material.
The following two methods are generally used to monitor and protect against source code leakage:
1. Network traffic analysis: when code is pushed through the git platform, the network traffic is monitored and decrypted for analysis, and the git platform is prevented from pushing source code to an external private repository.
2. Application monitoring: when code is pushed through the git platform, the file access operations of the git.exe process are monitored and the process is prevented from reading source code content, so that source code cannot be pushed to an external private repository.
However, network traffic analysis requires cracking the git platform's private encryption protocol; the original content may not be recoverable during cracking, so the leaked content goes unprotected, and even where decryption succeeds the network speed drops and compatibility problems with various application protocols arise, so many network applications cannot use this scheme for code leakage protection. Application monitoring cannot accurately identify the leakage behaviour: a local commit is also triggered and blocked because git.exe reads and writes the source code file, which affects the user; in addition, this scheme cannot obtain the address of the external code repository, so it cannot judge whether code is being pushed to a local server or an external server, and it is therefore difficult to carry out code leakage protection accurately.
Disclosure of Invention
The invention provides a code leakage protection method and device based on a git hook script, which are used to overcome the defect in the prior art that code leakage protection fails easily.
The invention provides a code leakage protection method based on a git hook script, which comprises the following steps:
detecting a source code pushing event triggered by a user based on a hook mechanism of a git platform;
if a source code pushing event is detected, the git platform acquires a target warehouse address contained in the source code pushing event;
transmitting the target warehouse address to a code pushing monitoring tool based on a pre-pushing script, identifying pushing permission of the target warehouse address based on the code pushing monitoring tool, obtaining the pushing permission of the target warehouse address, and returning the pushing permission of the target warehouse address to the pre-pushing script; the pre-push script returns the push permission of the target warehouse address to a git platform;
if the pushing permission of the target warehouse address is permission for pushing, pushing the source code contained in the source code pushing event to the target warehouse address by the git platform; and if the pushing permission of the target warehouse address is blocking pushing, the git platform blocks the source code pushing event.
According to the code leakage protection method based on the git hook script, the target warehouse address is transmitted to a code pushing monitoring tool based on a pre-pushing script, pushing permission identification is carried out on the target warehouse address based on the code pushing monitoring tool, the pushing permission of the target warehouse address is obtained, and the pushing permission of the target warehouse address is returned to the pre-pushing script; the pre-push script returns the push permission of the target warehouse address to a git platform, and specifically comprises the following steps:
after the pre-push script obtains the address of the code push monitoring tool, transmitting the target warehouse address obtained by the git platform to the code push monitoring tool and executing a push permission identification command of the code push monitoring tool;
and the pre-push script acquires the exit state of the push permission identification command, if the exit state of the push permission identification command is normal, acquires an execution result returned by the push permission identification command as the push permission of the target warehouse address, and returns the push permission of the target warehouse address to the git platform.
According to the code leakage protection method based on the git hook script, the pre-push script is maintained based on the following steps:
when a system is initialized, performing full-disk traversal on a system disk to acquire all the .git directories in the system disk;
modifying, for each .git directory, the pre-push script in the hooks folder of the corresponding .git directory, so that the modified pre-push script has the capability of transmitting a target warehouse address acquired by a git platform to the code push monitoring tool and executing a push permission identification command of the code push monitoring tool, acquiring an execution result returned by the push permission identification command as a push permission of the target warehouse address, and returning the push permission of the target warehouse address to the git platform;
and starting a file monitoring mechanism, monitoring a file modification event of the pre-push script under each .git directory, and after the file modification event of the pre-push script under any .git directory is monitored, executing a file restoration operation on the pre-push script under that .git directory, so that the pre-push script under that .git directory is restored to the state before the file modification event occurred.
According to the code leakage protection method based on the git hook script, the file monitoring mechanism is started to monitor the file modification event of the pre-push script under each .git directory, and after the file modification event of the pre-push script under any .git directory is monitored, the file restoration operation is executed on the pre-push script under that .git directory, so that the pre-push script under that .git directory is restored to the state before the file modification event occurred; this specifically comprises the following steps:
after the current pre-push script under each .git directory is saved as the reference pre-push script of the corresponding .git directory, a file monitoring mechanism is started to monitor the file modification event of the pre-push script under each .git directory;
if a file modification event of the pre-push script under any .git directory is monitored, acquiring the modified pre-push script, and comparing the reference pre-push script of that .git directory with the modified pre-push script;
if the modification position of the modified pre-push script under that .git directory is related to the code push monitoring tool, replacing the modified pre-push script under that .git directory based on the reference pre-push script of that .git directory;
otherwise, saving the modified pre-push script under that .git directory as the reference pre-push script of that .git directory.
According to the code leakage protection method based on the git hook script, the push permission identification is performed on the target warehouse address based on the code push monitoring tool to obtain the push permission of the target warehouse address, and the method specifically comprises the following steps:
the code pushing monitoring tool reads the white list warehouse addresses in a white list configuration file;
matching the white list warehouse addresses with the target warehouse address one by one, and determining a matching result of the target warehouse address against each white list warehouse address;
if the matching result of the target warehouse address against any white list warehouse address is successful, determining that the pushing permission of the target warehouse address is allowed to push;
and if the matching results of the target warehouse address against all the white list warehouse addresses are failed, determining that the push permission of the target warehouse address is blocking push.
According to the code leakage protection method based on the git hook script, each white list warehouse address in the white list configuration file is a regular expression, and the matching of a white list warehouse address against the target warehouse address is regular expression matching.
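The whitelist comparison described in the steps above, as an added Python example that is not part of the patent: each whitelist entry is a regular expression, the entries are matched one by one against the target repository address, and the verdict is allow on the first successful match and block when none match. The pattern strings, the internal hostname, the verdict strings and the one-pattern-per-line configuration format are constructed placeholders, not values from the patent.

```python
import re
import sys
from typing import Iterable, List

ALLOW = "allow"   # verdict strings handed back to the pre-push script (assumed)
BLOCK = "block"

# Constructed whitelist configuration: one regular expression per line, blank
# lines and '#' comments ignored. The internal git server name is a placeholder.
SAMPLE_WHITELIST_CONFIG = r"""
# internal git server, in the https, scp-style and ssh URL forms git accepts
^https://git\.corp\.example/.+$
^git@git\.corp\.example:.+$
^ssh://git@git\.corp\.example(:\d+)?/.+$
"""


def load_whitelist(lines: Iterable[str]) -> List["re.Pattern[str]"]:
    """Compile the whitelist entries read from the configuration file."""
    patterns = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line))
    return patterns


def push_permission(target_url: str, patterns: List["re.Pattern[str]"]) -> str:
    """Match the target address against every whitelist entry in turn.
    fullmatch is used so an entry must describe the whole address; a partial
    hit somewhere inside the address does not count."""
    for pat in patterns:
        if pat.fullmatch(target_url):
            return ALLOW
    return BLOCK


def check(target_url: str, config_text: str = SAMPLE_WHITELIST_CONFIG) -> str:
    """Convenience wrapper: parse the configuration text and decide."""
    return push_permission(target_url, load_whitelist(config_text.splitlines()))


if __name__ == "__main__":
    # Assumed command-line form of the tool's permission command:
    #   check-push <target repository address> [whitelist file]
    if len(sys.argv) < 2:
        sys.exit(2)
    config = SAMPLE_WHITELIST_CONFIG
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            config = fh.read()
    print(check(sys.argv[1], config))
```

Two points worth noting for anyone writing such a whitelist: the same repository can be addressed in several URL forms (https, scp-style `git@host:path`, `ssh://`), so the configuration needs an entry for every form the organisation actually uses; and the entries should be anchored or matched with fullmatch, because an unanchored pattern would accept any address that merely contains the pattern somewhere.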
The invention also provides a code leakage protection device based on the git hook script, which comprises:
the event capturing unit is used for detecting a source code pushing event triggered by a user based on a hook mechanism of the git platform;
the system comprises a target warehouse address acquisition unit, a source code pushing event detection unit and a target warehouse address generation unit, wherein the target warehouse address acquisition unit is used for acquiring a target warehouse address contained in the source code pushing event by a git platform if the source code pushing event is detected;
The warehouse address identification unit is used for transmitting the target warehouse address to a code pushing monitoring tool based on a pre-pushing script, carrying out pushing authority identification on the target warehouse address based on the code pushing monitoring tool, obtaining the pushing authority of the target warehouse address, and returning the pushing authority of the target warehouse address to the pre-pushing script; the pre-push script returns the push permission of the target warehouse address to a git platform;
the code pushing control unit is used for pushing the source code contained in the source code pushing event to the target warehouse address if the pushing authority of the target warehouse address is allowable to push; and if the pushing permission of the target warehouse address is blocking pushing, the git platform blocks the source code pushing event.
According to the code leakage protection device based on the git hook script, the target warehouse address is transmitted to a code pushing monitoring tool based on the pre-pushing script, pushing permission identification is carried out on the target warehouse address based on the code pushing monitoring tool, the pushing permission of the target warehouse address is obtained, and the pushing permission of the target warehouse address is returned to the pre-pushing script; the pre-push script returns the push permission of the target warehouse address to a git platform, and specifically comprises the following steps:
After the pre-push script obtains the address of the code push monitoring tool, transmitting the target warehouse address obtained by the git platform to the code push monitoring tool and executing a push permission identification command of the code push monitoring tool;
and the pre-push script acquires the exit state of the push permission identification command, if the exit state of the push permission identification command is normal, acquires an execution result returned by the push permission identification command as the push permission of the target warehouse address, and returns the push permission of the target warehouse address to the git platform.
The invention also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the code leakage protection method based on the git hook script when executing the program.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a code leakage protection method based on a git hook script as described in any of the above.
The invention also provides a computer program product comprising a computer program which, when executed by a processor, implements a code leakage protection method based on a git hook script as described in any of the above.
According to the code leakage protection method and device based on the git hook script, the source code pushing event triggered by a user is detected through the hook mechanism of the git platform, the target warehouse address contained in the source code pushing event is obtained, the target warehouse address is transmitted to the code pushing monitoring tool based on the pre-pushing script, the code pushing monitoring tool is utilized to carry out pushing authority identification on the target warehouse address, the pushing authority of the target warehouse address is obtained, and the pushing authority of the target warehouse address is returned to the git platform, so that the git platform can determine whether to push the source code into the target warehouse address based on the pushing authority of the target warehouse address, the reliability and the accuracy of source code leakage detection and control are guaranteed, and the stability, the compatibility and the efficiency are higher; in addition, the method can accurately distinguish the allowed local pushing behaviour from the disallowed external pushing behaviour, so that code leakage protection can be carried out more accurately without affecting the normal use operation of a user.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a code leakage protection method based on a git hook script;
FIG. 2 is a schematic flow chart of a method for maintaining a pre-push script provided by the invention;
FIG. 3 is a schematic flow chart of a push permission determination method provided by the invention;
FIG. 4 is a schematic diagram of a code leakage protection device based on a git hook script provided by the invention;
FIG. 5 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
FIG. 1 is a schematic flow chart of a code leakage protection method based on a git hook script, which is provided by the invention, and as shown in FIG. 1, the method comprises the following steps:
step 110, detecting a source code pushing event triggered by a user based on a hook mechanism of a git platform;
Step 120, if a source code pushing event is detected, the git platform acquires a target warehouse address contained in the source code pushing event;
step 130, transmitting the target warehouse address to a code pushing monitoring tool based on a pre-pushing script, identifying pushing permission of the target warehouse address based on the code pushing monitoring tool, obtaining the pushing permission of the target warehouse address, and returning the pushing permission of the target warehouse address to the pre-pushing script; the pre-push script returns the push permission of the target warehouse address to a git platform;
step 140, if the push permission of the target warehouse address is permission to push, the git platform pushes the source code included in the source code push event to the target warehouse address; and if the pushing permission of the target warehouse address is blocking pushing, the git platform blocks the source code pushing event.
Specifically, the git platform is provided with a hook mechanism which can detect various events triggered by a user, including a source code pushing event. When a user adds code and clicks submit and push on the git platform, a source code push event is triggered, at which point the git platform can capture the event. After capturing the source code pushing event, the git platform can acquire the target warehouse address contained in the source code pushing event, namely the target warehouse to which the user needs to push the source code. In order to perform code leakage protection, at the moment when the user has clicked push but the git platform has not yet actually performed the push operation, the push address of the code to be pushed can be identified and it can be determined whether the push address is a company internal address or an external address, so that the user is prevented from pushing the code to a disallowed external address.
Here, a pre-push script may be preset in the git platform in advance, so that after the source code push event is detected, the target warehouse address acquired by the git platform is transmitted to a self-defined code push monitoring tool, so as to identify the push permission of the target warehouse address. The pre-push script can be newly created under the .git/hooks directory. Because the git platform uses standard hook names to execute the corresponding script at preset points in time, the script can be named pre-push, so that it runs before the git platform pushes the code. In the pre-push script, a data transmission command is executed, the target warehouse address is transmitted to the self-defined code push monitoring tool, and the return result of the code push monitoring tool is received and returned to the git platform. The code push monitoring tool performs push permission identification on the target warehouse address and determines whether the target warehouse address is an allowed push address, so as to determine the push permission of the target warehouse address. If the target warehouse address is an allowed push address, the push permission of the target warehouse address is determined to be allowed push; if the target warehouse address is not an allowed push address, the push permission of the target warehouse address is determined to be blocking push.
And the git platform processes the source code pushing event according to the pushing authority of the target warehouse address returned by the pre-pushing script. If the pushing authority of the target warehouse address is allowable to push, the git platform pushes the source code contained in the source code pushing event into the target warehouse address; if the pushing authority of the target warehouse address is blocking pushing, the git platform blocks the source code pushing event and does not push the source code contained in the source code pushing event to the target warehouse address.
Therefore, by using the hook mechanism of the git platform, the method and device can accurately capture the user's source code push operation and obtain the target warehouse address to which the source code is to be pushed, so that the user-defined code push monitoring tool can identify the push permission of the target warehouse address and decide whether to block the push, which guarantees the reliability and accuracy of source code leakage detection and control. Because the method and device use the hook mechanism of the git platform itself, they are not affected by the git platform's private encryption protocol and do not need to analyse network traffic; the protection mechanism operates at the application layer and involves no low-level drivers or application program injection, so its stability, compatibility and efficiency are higher. In addition, the method obtains the target warehouse address of the push and applies logic judgment to it, so the allowed local push behaviour and the disallowed external push behaviour can be accurately distinguished, and the user's normal operation is not affected while code leakage protection is carried out more accurately.
According to the method provided by the embodiment of the invention, the hook mechanism of the git platform is used for detecting the source code pushing event triggered by the user and acquiring the target warehouse address contained in the source code pushing event, then the target warehouse address is transmitted to the code pushing monitoring tool based on the pre-pushing script, the code pushing monitoring tool is used for carrying out pushing authority identification on the target warehouse address to obtain the pushing authority of the target warehouse address, and the pushing authority of the target warehouse address is returned to the git platform, so that the git platform can determine whether to push the source code into the target warehouse address based on the pushing authority of the target warehouse address, the reliability and the accuracy of source code leakage detection and control are ensured, and the stability, the compatibility and the efficiency are higher; in addition, the method can accurately distinguish the allowed local pushing behavior from the non-allowed external pushing behavior, so that the code leakage protection can be more accurately carried out without affecting the normal use operation of a user.
Based on the above embodiment, the pre-push script-based transmitting the target warehouse address to a code push monitoring tool, performing push permission identification on the target warehouse address based on the code push monitoring tool to obtain the push permission of the target warehouse address, and returning the push permission of the target warehouse address to the pre-push script; the pre-push script returns the push permission of the target warehouse address to a git platform, and specifically comprises the following steps:
After the pre-push script obtains the address of the code push monitoring tool, transmitting the target warehouse address obtained by the git platform to the code push monitoring tool and executing a push permission identification command of the code push monitoring tool;
and the pre-push script acquires the exit state of the push permission identification command, if the exit state of the push permission identification command is normal, acquires an execution result returned by the push permission identification command as the push permission of the target warehouse address, and returns the push permission of the target warehouse address to the git platform.
Specifically, the pre-push script acquires an address of a code push monitoring tool, transmits a target warehouse address acquired by a git platform to the code push monitoring tool, and executes a push permission identification command of the code push monitoring tool. After the execution of the push permission identification command is finished and the push permission identification command is exited, the pre-push script can acquire the exiting state of the push permission identification command. If the exit state of the push permission identification command is normal, the fact that no error occurs in the execution process of the push permission identification command is indicated, so that an execution result returned by the push permission identification command can be obtained and used as the push permission of the target warehouse address, and the push permission of the target warehouse address is returned to the git platform.
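The pre-push script's side of this exchange, as an added Python example rather than the patent's own script: git invokes the pre-push hook with the remote name and the remote URL as its two arguments (and the list of refs to be updated on standard input), the hook appends the URL to the monitoring tool's permission command, accepts the tool's verdict only when the command exited normally (status 0), and returns a zero exit status to let the push proceed or a non-zero one to block it. The tool's path and the verdict strings are assumptions; the patent does not say what to do when the command exits abnormally, and this example chooses to block in that case. The fake_tool helper exists only so the hook can be exercised offline.

```python
#!/usr/bin/env python3
"""Constructed pre-push hook: asks an external monitoring tool whether the
remote URL may receive a push and converts the verdict into git's exit code."""
import subprocess
import sys
from typing import List, Optional

ALLOW = "allow"  # verdict string the tool prints on success (assumed)


def query_tool(tool_cmd: List[str], remote_url: str, timeout: float = 10.0) -> Optional[str]:
    """Run the tool's permission command with the remote URL appended.
    Returns the verdict from stdout only when the command exited normally;
    returns None on a non-zero exit, a missing tool or a timeout."""
    try:
        proc = subprocess.run(tool_cmd + [remote_url], capture_output=True,
                              text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return None
    if proc.returncode != 0:
        return None
    return proc.stdout.strip()


def hook_exit_code(verdict: Optional[str]) -> int:
    """Map the verdict to git's convention: 0 continues the push, non-zero
    aborts it. An unknown or missing verdict blocks (fail closed)."""
    return 0 if verdict == ALLOW else 1


def run_hook(argv: List[str], tool_cmd: List[str]) -> int:
    """argv is the hook's own argv: [hook path, remote name, remote url]."""
    if len(argv) < 3:
        sys.stderr.write("pre-push: expected <remote name> <remote url>\n")
        return 1
    remote_url = argv[2]
    verdict = query_tool(tool_cmd, remote_url)
    code = hook_exit_code(verdict)
    if code != 0:
        sys.stderr.write(f"pre-push: push to {remote_url} blocked (verdict={verdict!r})\n")
    return code


def fake_tool(verdict: str, exit_status: int = 0) -> List[str]:
    """Stand-in for the monitoring tool, for offline testing: a python
    one-liner that prints the given verdict and exits with the given status."""
    return [sys.executable, "-c", f"import sys; print({verdict!r}); sys.exit({exit_status})"]


if __name__ == "__main__":
    # Path of the real monitoring tool is a placeholder; git supplies argv.
    TOOL_CMD = ["/opt/code-push-monitor/bin/check-push"]
    sys.exit(run_hook(sys.argv, TOOL_CMD))
```

Failing closed when the tool is absent or exits abnormally is the conservative choice for a leakage control; if availability of pushes matters more than the control in a given deployment, that is the one line to change, and it should be a deliberate decision rather than an accident of a crashed tool.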
Based on any of the above embodiments, as shown in fig. 2, the pre-push script is maintained based on the following steps:
step 210, when the system is initialized, performing full-disk traversal on a system disk, and acquiring all the .git directories in the system disk;
step 220, for each .git directory, modifying the pre-push script in the hooks folder of the corresponding .git directory, so that the modified pre-push script has the capability of transmitting a target warehouse address acquired by the git platform to the code push monitoring tool and executing the push permission identification command of the code push monitoring tool, and of acquiring the execution result returned by the push permission identification command as the push permission of the target warehouse address and returning the push permission of the target warehouse address to the git platform;
step 230, starting a file monitoring mechanism, monitoring file modification events of the pre-push script under each .git directory, and after a file modification event of the pre-push script under any .git directory is monitored, executing a file restoration operation on the pre-push script under that .git directory, so that the pre-push script under that .git directory is restored to the state before the file modification event occurred.
Specifically, the code leakage protection scheme relies on the hook mechanism of git and the pre-push script, so a user could deliberately circumvent the monitoring method; therefore, in order to ensure the effectiveness of the code leakage protection method, a reliability guarantee mechanism can be added to ensure that the monitoring function of the pre-push script remains in place. When the system is initialized, full-disk traversal is performed on the system disk and all the .git directories in the system disk are obtained. For each .git directory, the original pre-push script in the hooks folder of the corresponding .git directory is modified, so that the modified pre-push script has the capability of transmitting the target warehouse address acquired by the git platform to the code push monitoring tool and executing the push permission identification command of the code push monitoring tool, and the capability of acquiring the execution result returned by the push permission identification command as the push permission of the target warehouse address and returning the push permission of the target warehouse address to the git platform.
Then a file monitoring mechanism is started to monitor the disk files, watching for file modification events of the pre-push script under each .git directory. After a file modification event of the pre-push script under any .git directory is monitored, a file restoration operation is executed on the pre-push script under that .git directory, so that the pre-push script under that .git directory is restored to the state before the file modification event occurred, which ensures that the script retains its monitoring capability.
Based on any one of the above embodiments, the file monitoring mechanism monitors file modification events on the pre-push script under each .git directory and, after a modification event on the pre-push script under any .git directory is observed, executes a file restore operation on that pre-push script so that it is returned to its state before the event. Specifically, this includes:
saving the current pre-push script under each .git directory as the reference pre-push script of that directory, and then starting the file monitoring mechanism to monitor file modification events on the pre-push script under each .git directory;
if a file modification event on the pre-push script under any .git directory is observed, obtaining the modified pre-push script and comparing it with the reference pre-push script of that directory;
if the modified region of the modified pre-push script is related to the code push monitoring tool, replacing the modified pre-push script with the reference pre-push script of that directory;
otherwise, saving the modified pre-push script as the new reference pre-push script of that directory.
Specifically, after the pre-push script in the hooks folder of each .git directory has been modified so that it can pass the target repository address obtained from the git platform to the code push monitoring tool, execute the push permission identification command of the code push monitoring tool, obtain the execution result returned by that command as the push permission of the target repository address, and return that push permission to the git platform, the current pre-push script under each .git directory is stored as the reference pre-push script of that directory. The file monitoring mechanism is then started to monitor file modification events on the pre-push script under each .git directory. If a modification event on the pre-push script under any .git directory is observed, the modified pre-push script is obtained and compared with the reference pre-push script of that directory, and the positions at which the code of the two scripts differs are determined as the modified region of the modified pre-push script.
If the modified region is related to the code push monitoring tool, for example the command line that passes the target repository address obtained from the git platform to the code push monitoring tool has been deleted, or the command line that obtains the execution result returned by the push permission identification command has been deleted, the modified pre-push script under that .git directory is replaced with the reference pre-push script of that directory. If the modified region is not related to the code push monitoring tool, for example other monitoring functions have been added, the modified pre-push script can be saved as the new reference pre-push script of that .git directory and no file restore operation is executed.
Based on any of the foregoing embodiments, as shown in fig. 3, identifying the push permission of the target repository address with the code push monitoring tool, to obtain the push permission of the target repository address, specifically includes:
step 310, the code push monitoring tool reads the whitelist repository addresses from the whitelist configuration file;
step 320, matching each whitelist repository address against the target repository address one by one, and determining the matching result of the target repository address with each whitelist repository address;
step 330, if the target repository address matches any whitelist repository address, determining that the push permission of the target repository address is push allowed;
and step 340, if the target repository address fails to match every whitelist repository address, determining that the push permission of the target repository address is push blocked.
Specifically, the code push monitoring tool reads the whitelist configuration file and obtains the whitelist repository addresses recorded in it. A whitelist repository address is a network address to which the system allows pushes, or a regular expression describing such addresses. The whitelist repository addresses are matched against the target repository address one by one, and the matching result of the target repository address with each whitelist repository address is determined. When a whitelist repository address is a regular expression, the matching between it and the target repository address is regular-expression matching.
If the target repository address matches any whitelist repository address, the user is submitting code to an allowed repository (for example, a server inside the company), so the push permission of the target repository address is determined to be push allowed. If the target repository address fails to match every whitelist repository address, the user is attempting to push code to a repository that is not allowed, so the push permission of the target repository address is determined to be push blocked; at the same time the anti-leakage component is invoked to upload the illegal operation to the system management end and notify an administrator.
The code leakage protection device based on a git hook script provided by the invention is described below; the device described below and the code leakage protection method based on a git hook script described above may be referred to each other correspondingly.
Based on any of the above embodiments, fig. 4 is a schematic structural diagram of a code leakage protection device based on a git hook script, as shown in fig. 4, where the device includes: an event capturing unit 410, a target repository address obtaining unit 420, a repository address authenticating unit 430 and a code push control unit 440.
The event capturing unit 410 is configured to detect, based on the hook mechanism of the git platform, a source code push event triggered by a user;
the target repository address obtaining unit 420 is configured to obtain, if a source code push event is detected, the target repository address contained in the source code push event from the git platform;
the repository address identifying unit 430 is configured to pass the target repository address to a code push monitoring tool via the pre-push script, identify the push permission of the target repository address with the code push monitoring tool, obtain the push permission of the target repository address, and return it to the pre-push script; the pre-push script returns the push permission of the target repository address to the git platform;
the code push control unit 440 is configured so that, if the push permission of the target repository address is push allowed, the git platform pushes the source code contained in the source code push event to the target repository address, and if the push permission of the target repository address is push blocked, the git platform blocks the source code push event.
In the device provided by this embodiment of the invention, the hook mechanism of the git platform is used to detect the source code push event triggered by the user and to obtain the target repository address contained in it. The target repository address is then passed to the code push monitoring tool through the pre-push script, the code push monitoring tool identifies the push permission of the target repository address, and that push permission is returned to the git platform, so the git platform can decide on the basis of the push permission whether to push the source code to the target repository address. This ensures the reliability and accuracy of source code leakage detection and control while offering high stability, compatibility and efficiency; in addition, the method distinguishes allowed internal pushes from disallowed external pushes, so code leakage protection can be applied more precisely without affecting the user's normal operations.
Based on any one of the above embodiments, passing the target repository address to a code push monitoring tool via the pre-push script, identifying the push permission of the target repository address with the code push monitoring tool to obtain the push permission of the target repository address, and returning the push permission of the target repository address to the pre-push script, with the pre-push script returning the push permission of the target repository address to the git platform, specifically comprises the following steps:
after the pre-push script obtains the address of the code push monitoring tool, it passes the target repository address obtained from the git platform to the code push monitoring tool and executes the push permission identification command of the code push monitoring tool;
and the pre-push script obtains the exit status of the push permission identification command; if the exit status is normal, it obtains the execution result returned by the push permission identification command as the push permission of the target repository address and returns that push permission to the git platform.
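The hook side of this exchange, written out as an added example; it is not the patent's own script (the page gives no code), and claims 2 and 8 restate the same two steps. Git invokes `.git/hooks/pre-push` with the remote name and the remote URL as its two arguments, and a non-zero exit aborts the push, which is how the push permission reaches the git platform. The tool path, its `check-push` subcommand, the `allow`/`block` output and the fail-closed handling of an abnormal exit status are assumptions, since the page specifies only the normal-exit path.

```sh
#!/bin/sh
# Added example: pre-push hook that delegates the push decision to the code
# push monitoring tool. Not the patent's own script.
# Assumed (not given on the page): the tool is invoked as
#   code-push-monitor check-push <remote-url>
# prints "allow" or "block" on stdout, and exits 0 when it ran normally.
#
# Git invokes this hook as:  pre-push <remote-name> <remote-url>
# with the refs being pushed on stdin. Exit 0 lets the push proceed, any
# other status aborts it; that status is the "push permission" as git sees it.

MONITOR="${CODE_PUSH_MONITOR:-/usr/local/bin/code-push-monitor}"   # assumed path

# decide_push <remote-url> [monitor-command]
# Prints "allow" or "block"; returns 0 for allow, 1 for block.
decide_push() {
    dp_url="$1"
    dp_tool="${2:-$MONITOR}"

    # Run the push permission identification command, keeping both its output
    # (the decision) and its exit status (whether it ran normally).
    dp_status=0
    dp_result=$("$dp_tool" check-push "$dp_url" 2>/dev/null) || dp_status=$?

    # Abnormal exit (tool missing, crashed, ...): the page only describes the
    # normal-exit path; this example fails closed, the safer choice for a
    # leak-prevention control.
    if [ "$dp_status" -ne 0 ]; then
        echo "block"
        return 1
    fi

    case "$dp_result" in
        allow) echo "allow"; return 0 ;;
        *)     echo "block"; return 1 ;;   # "block" or anything unexpected
    esac
}

# Act as a hook only when git runs this file under the hook's name, so the
# function above can also be sourced or tested without triggering a decision.
case "${0##*/}" in
pre-push)
    remote_name="$1"
    remote_url="$2"
    cat >/dev/null      # drain the ref list on stdin; only the URL is checked
    if decide_push "$remote_url" >/dev/null; then
        exit 0
    fi
    echo "pre-push: push to '$remote_name' ($remote_url) blocked by $MONITOR" >&2
    exit 1
    ;;
esac
```

Installed as an executable `.git/hooks/pre-push`, this makes `git push` fail with the message above whenever the monitor answers `block` or does not exit normally. Two gaps a practitioner should be aware of, which the page does not address: `git push --no-verify` skips pre-push hooks entirely, and `core.hooksPath` can point git at a different hooks directory, so a deployment that only guards the hook file is still bypassable through those settings.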
Based on any of the above embodiments, the pre-push script is maintained by the following steps:
when the system is initialized, performing a full traversal of the system disk to obtain all .git directories on it;
for each .git directory, modifying the pre-push script in the hooks folder of that .git directory so that the modified pre-push script can pass the target repository address obtained from the git platform to the code push monitoring tool and execute the push permission identification command of the code push monitoring tool, obtain the execution result returned by the push permission identification command as the push permission of the target repository address, and return the push permission of the target repository address to the git platform;
and starting a file monitoring mechanism that monitors file modification events on the pre-push script under each .git directory and, after a modification event on the pre-push script under any .git directory is observed, executes a file restore operation on that pre-push script so that it is returned to its state before the event.
Based on any one of the above embodiments, the file monitoring mechanism monitors file modification events on the pre-push script under each .git directory and, after a modification event on the pre-push script under any .git directory is observed, executes a file restore operation on that pre-push script so that it is returned to its state before the event. Specifically, this includes:
saving the current pre-push script under each .git directory as the reference pre-push script of that directory, and then starting the file monitoring mechanism to monitor file modification events on the pre-push script under each .git directory;
if a file modification event on the pre-push script under any .git directory is observed, obtaining the modified pre-push script and comparing it with the reference pre-push script of that directory;
if the modified region of the modified pre-push script is related to the code push monitoring tool, replacing the modified pre-push script with the reference pre-push script of that directory;
otherwise, saving the modified pre-push script as the new reference pre-push script of that directory.
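The maintenance steps above (full-disk traversal, modifying each pre-push script, keeping a reference copy, and comparing a modified script against it to decide between restore and adopt), written out as an added example; it is not the patent's own code, and the same steps are described in the earlier embodiment paragraphs and in claims 3 and 4. Assumptions the page does not fix: the tool lives at `/usr/local/bin/code-push-monitor`; reference copies are kept outside the repositories under a `BASELINE_DIR` that the user cannot write (keeping them inside `.git/hooks` would let the same user edit both copies); a change counts as related to the monitoring tool when any differing line contains the tool's name; and the file monitoring mechanism is an `inotifywait` loop from inotify-tools. A deleted hook file is treated like a tampered one and reinstalled from the reference copy.

```sh
#!/bin/sh
# Added example of the pre-push maintenance mechanism (traversal, install,
# reference copy, compare-and-restore). Not the patent's own code.
# Assumed: tool path, baseline location, marker token, and the daemon name
# code-push-monitor-guard under which the watcher loop runs.

MONITOR="${CODE_PUSH_MONITOR:-/usr/local/bin/code-push-monitor}"
BASELINE_DIR="${BASELINE_DIR:-/var/lib/code-push-monitor/baselines}"
MARKER="code-push-monitor"    # token carried by every monitoring line

# find_git_dirs <root>: full traversal, one .git directory path per line.
find_git_dirs() {
    find "$1" -type d -name .git -prune -print 2>/dev/null
}

# baseline_path <gitdir>: where the reference copy of this hook is kept.
baseline_path() {
    printf '%s/%s\n' "$BASELINE_DIR" "$(printf '%s' "$1" | tr '/' '_')"
}

# install_hook <gitdir>: append the monitoring lines to the existing pre-push
# script (or create one), then store the result as the reference copy.
install_hook() {
    ih_hook="$1/hooks/pre-push"
    mkdir -p "$1/hooks" "$BASELINE_DIR"
    [ -f "$ih_hook" ] || printf '#!/bin/sh\n' > "$ih_hook"
    if ! grep -q "$MARKER" "$ih_hook"; then
        {
            printf '# --- %s: do not remove ---\n' "$MARKER"
            # "$2" is the remote URL git passes to pre-push; written literally.
            printf '"%s" check-push "$2" | grep -qx allow || exit 1   # %s decision\n' \
                "$MONITOR" "$MARKER"
        } >> "$ih_hook"
    fi
    chmod 755 "$ih_hook"
    cp "$ih_hook" "$(baseline_path "$1")"
}

# reconcile_hook <gitdir>: run on a modification event.
# Prints one of: unchanged | restored | adopted
reconcile_hook() {
    rh_hook="$1/hooks/pre-push"
    rh_ref="$(baseline_path "$1")"
    [ -f "$rh_ref" ] || { install_hook "$1"; echo "restored"; return 0; }

    # Hook deleted outright: reinstall from the reference copy.
    if [ ! -f "$rh_hook" ]; then
        cp "$rh_ref" "$rh_hook"; chmod 755 "$rh_hook"; echo "restored"; return 0
    fi
    if cmp -s "$rh_ref" "$rh_hook"; then
        echo "unchanged"; return 0
    fi

    # Only the lines that differ between reference and current copy matter:
    # if any of them carries the marker, the monitoring lines were touched.
    if diff "$rh_ref" "$rh_hook" | grep '^[<>]' | grep -q "$MARKER"; then
        cp "$rh_ref" "$rh_hook"; chmod 755 "$rh_hook"
        echo "restored"
    else
        cp "$rh_hook" "$rh_ref"       # benign edit: becomes the new reference
        echo "adopted"
    fi
}

# Daemon entry point: initial install over the whole disk, then watch every
# hooks directory and reconcile on each write, rename-in, or delete.
case "${0##*/}" in
code-push-monitor-guard)
    ROOT="${1:-/}"
    find_git_dirs "$ROOT" | while IFS= read -r gd; do install_hook "$gd"; done
    find_git_dirs "$ROOT" | sed 's#$#/hooks#' |
        xargs inotifywait -m -e close_write,moved_to,delete --format '%w%f' |
        while IFS= read -r path; do
            case "$path" in
                */hooks/pre-push) reconcile_hook "${path%/hooks/pre-push}" ;;
            esac
        done
    ;;
esac
```

Because `reconcile_hook` restores the whole reference copy, a tampering edit that also added legitimate lines loses those additions, which is exactly the behaviour the description specifies; only edits that leave every marker line untouched are adopted as the new reference.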
Based on any one of the foregoing embodiments, identifying the push permission of the target repository address with the code push monitoring tool, to obtain the push permission of the target repository address, specifically includes:
the code push monitoring tool reads the whitelist repository addresses from the whitelist configuration file;
matching each whitelist repository address against the target repository address one by one, and determining the matching result of the target repository address with each whitelist repository address;
if the target repository address matches any whitelist repository address, determining that the push permission of the target repository address is push allowed;
and if the target repository address fails to match every whitelist repository address, determining that the push permission of the target repository address is push blocked.
Based on any one of the above embodiments, a whitelist repository address in the whitelist configuration file is a regular expression, and the matching between the whitelist repository address and the target repository address is regular-expression matching.
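The whitelist check of steps 310 to 340 and the regular-expression matching described in this and the earlier embodiment (restated in claims 5 and 6), as an added example of the tool's `check-push` command; it is not the patent's own tool. Assumed: the whitelist configuration file holds one extended regular expression per line, blank lines and `#` comments are ignored, and the tool prints `allow` or `block` for the address it is given. The example matches each entry against the whole address (`grep -x`): a whitelist regex that is not anchored, such as `git\.corp\.example`, would otherwise also accept `https://attacker.example/git.corp.example/x`, where the matching part is chosen by the attacker.

```sh
#!/bin/sh
# Added example of the whitelist check inside the code push monitoring tool.
# Not the patent's own tool. Assumed: whitelist file path and format (one
# extended regex per line), and the "allow"/"block" output contract.

WHITELIST_FILE="${WHITELIST_FILE:-/etc/code-push-monitor/whitelist.conf}"   # assumed path

# check_push <target-repository-address> [whitelist-file]
# Prints "allow" if the address matches any whitelist entry, else "block";
# returns 0 for allow, 1 for block.
check_push() {
    cp_target="$1"
    cp_file="${2:-$WHITELIST_FILE}"

    # No readable whitelist means nothing is allowed (fail closed).
    [ -r "$cp_file" ] || { echo "block"; return 1; }

    # Match the entries one by one against the target address. -E selects
    # extended regexes, -x forces the regex to match the whole address, so an
    # entry can only accept URLs it describes from first to last character.
    while IFS= read -r cp_pattern || [ -n "$cp_pattern" ]; do
        case "$cp_pattern" in ''|'#'*) continue ;; esac
        if printf '%s\n' "$cp_target" | grep -Eqx -- "$cp_pattern"; then
            echo "allow"
            return 0
        fi
    done < "$cp_file"

    echo "block"
    return 1
}

# CLI form used by the pre-push hook:  code-push-monitor check-push <url>
# Exit status 0 means the command ran normally; the decision is on stdout.
case "${0##*/}" in
code-push-monitor)
    if [ "$1" != "check-push" ] || [ -z "$2" ]; then
        echo "usage: $0 check-push <url>" >&2
        exit 2
    fi
    check_push "$2" || :     # "block" is a normal result, not an error
    exit 0
    ;;
esac
```

A whitelist for an internal server reachable over SSH and HTTPS would then hold, for example, `git@git\.corp\.example:[A-Za-z0-9_./-]+\.git` and `https://git\.corp\.example/.+`; a push to a local path or a USB disk (`file:///media/usb/app.git`) matches neither and is blocked, which is the intended fail-closed behaviour for addresses the administrator never listed.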
Fig. 5 is a schematic structural diagram of an electronic device according to the present invention. As shown in fig. 5, the electronic device may include a processor 510, a memory 520, a communication interface 530 and a communication bus 540, where the processor 510, the memory 520 and the communication interface 530 communicate with each other through the communication bus 540. The processor 510 may invoke logic instructions in the memory 520 to perform a code leakage protection method based on a git hook script, the method comprising: detecting, based on the hook mechanism of a git platform, a source code push event triggered by a user; if a source code push event is detected, obtaining by the git platform the target repository address contained in the source code push event; passing the target repository address to a code push monitoring tool via a pre-push script, identifying the push permission of the target repository address with the code push monitoring tool, obtaining the push permission of the target repository address and returning it to the pre-push script, the pre-push script returning the push permission of the target repository address to the git platform; if the push permission of the target repository address is push allowed, pushing by the git platform the source code contained in the source code push event to the target repository address; and if the push permission of the target repository address is push blocked, blocking the source code push event by the git platform.
Further, the logic instructions in the memory 520 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. On this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the code leakage protection method based on a git hook script provided by the methods above, the method comprising: detecting, based on the hook mechanism of a git platform, a source code push event triggered by a user; if a source code push event is detected, obtaining by the git platform the target repository address contained in the source code push event; passing the target repository address to a code push monitoring tool via a pre-push script, identifying the push permission of the target repository address with the code push monitoring tool, obtaining the push permission of the target repository address and returning it to the pre-push script, the pre-push script returning the push permission of the target repository address to the git platform; if the push permission of the target repository address is push allowed, pushing by the git platform the source code contained in the source code push event to the target repository address; and if the push permission of the target repository address is push blocked, blocking the source code push event by the git platform.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the code leakage protection method based on a git hook script provided above, the method comprising: detecting, based on the hook mechanism of a git platform, a source code push event triggered by a user; if a source code push event is detected, obtaining by the git platform the target repository address contained in the source code push event; passing the target repository address to a code push monitoring tool via a pre-push script, identifying the push permission of the target repository address with the code push monitoring tool, obtaining the push permission of the target repository address and returning it to the pre-push script, the pre-push script returning the push permission of the target repository address to the git platform; if the push permission of the target repository address is push allowed, pushing by the git platform the source code contained in the source code push event to the target repository address; and if the push permission of the target repository address is push blocked, blocking the source code push event by the git platform.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A code leakage protection method based on a git hook script, characterized by comprising the following steps:
detecting, based on a hook mechanism of a git platform, a source code push event triggered by a user;
if a source code push event is detected, obtaining, by the git platform, a target repository address contained in the source code push event;
passing the target repository address to a code push monitoring tool via a pre-push script, identifying a push permission of the target repository address with the code push monitoring tool, obtaining the push permission of the target repository address, and returning the push permission of the target repository address to the pre-push script; the pre-push script returning the push permission of the target repository address to the git platform;
if the push permission of the target repository address is push allowed, pushing, by the git platform, the source code contained in the source code push event to the target repository address; and if the push permission of the target repository address is push blocked, blocking, by the git platform, the source code push event.
2. The code leakage protection method based on a git hook script according to claim 1, wherein passing the target repository address to a code push monitoring tool via a pre-push script, identifying the push permission of the target repository address with the code push monitoring tool, obtaining the push permission of the target repository address, and returning the push permission of the target repository address to the pre-push script, the pre-push script returning the push permission of the target repository address to the git platform, specifically comprises the following steps:
after the pre-push script obtains the address of the code push monitoring tool, passing the target repository address obtained from the git platform to the code push monitoring tool and executing a push permission identification command of the code push monitoring tool;
and the pre-push script obtaining the exit status of the push permission identification command and, if the exit status of the push permission identification command is normal, obtaining the execution result returned by the push permission identification command as the push permission of the target repository address and returning the push permission of the target repository address to the git platform.
3. The code leakage protection method based on a git hook script according to claim 2, wherein the pre-push script is maintained by the following steps:
when a system is initialized, performing a full traversal of a system disk to obtain all .git directories on the system disk;
for each .git directory, modifying a pre-push script in the hooks folder of that .git directory so that the modified pre-push script can pass a target repository address obtained from the git platform to the code push monitoring tool and execute the push permission identification command of the code push monitoring tool, obtain the execution result returned by the push permission identification command as the push permission of the target repository address, and return the push permission of the target repository address to the git platform;
and starting a file monitoring mechanism that monitors a file modification event of the pre-push script under each .git directory and, after a file modification event of the pre-push script under any .git directory is observed, executes a file restore operation on the pre-push script under that .git directory so that it is returned to its state before the file modification event occurred.
4. The code leakage protection method based on a git hook script according to claim 3, wherein starting the file monitoring mechanism that monitors a file modification event of the pre-push script under each .git directory and, after a file modification event of the pre-push script under any .git directory is observed, executes a file restore operation on the pre-push script under that .git directory so that it is returned to its state before the file modification event occurred, specifically comprises:
saving the current pre-push script under each .git directory as the reference pre-push script of that .git directory, and then starting the file monitoring mechanism to monitor a file modification event of the pre-push script under each .git directory;
if a file modification event of the pre-push script under any .git directory is observed, obtaining the modified pre-push script and comparing the reference pre-push script of that .git directory with the modified pre-push script;
if the modified region of the modified pre-push script under that .git directory is related to the code push monitoring tool, replacing the modified pre-push script with the reference pre-push script of that .git directory;
otherwise, saving the modified pre-push script as the reference pre-push script of that .git directory.
5. The code leakage protection method based on a git hook script according to claim 1, wherein identifying the push permission of the target repository address with the code push monitoring tool to obtain the push permission of the target repository address specifically comprises the following steps:
the code push monitoring tool reading a whitelist repository address from a whitelist configuration file;
matching the whitelist repository address against the target repository address one by one, and determining a matching result of the target repository address with each whitelist repository address;
if the target repository address matches any whitelist repository address, determining that the push permission of the target repository address is push allowed;
and if the target repository address fails to match every whitelist repository address, determining that the push permission of the target repository address is push blocked.
6. The code leakage protection method based on a git hook script according to claim 5, wherein the whitelist repository address in the whitelist configuration file is a regular expression, and the matching between the whitelist repository address and the target repository address is regular-expression matching.
7. A code leakage protection device based on a git hook script, comprising:
an event capturing unit, configured to detect, based on a hook mechanism of a git platform, a source code push event triggered by a user;
a target repository address obtaining unit, configured to obtain, if a source code push event is detected, a target repository address contained in the source code push event from the git platform;
a repository address identifying unit, configured to pass the target repository address to a code push monitoring tool via a pre-push script, identify a push permission of the target repository address with the code push monitoring tool, obtain the push permission of the target repository address, and return the push permission of the target repository address to the pre-push script; the pre-push script returning the push permission of the target repository address to the git platform;
and a code push control unit, configured so that, if the push permission of the target repository address is push allowed, the git platform pushes the source code contained in the source code push event to the target repository address, and if the push permission of the target repository address is push blocked, the git platform blocks the source code push event.
8. The code leakage protection device based on a git hook script according to claim 7, wherein passing the target repository address to a code push monitoring tool via the pre-push script, identifying the push permission of the target repository address with the code push monitoring tool, obtaining the push permission of the target repository address, and returning the push permission of the target repository address to the pre-push script, the pre-push script returning the push permission of the target repository address to the git platform, specifically comprises the following steps:
after the pre-push script obtains the address of the code push monitoring tool, passing the target repository address obtained from the git platform to the code push monitoring tool and executing a push permission identification command of the code push monitoring tool;
and the pre-push script obtaining the exit status of the push permission identification command and, if the exit status of the push permission identification command is normal, obtaining the execution result returned by the push permission identification command as the push permission of the target repository address and returning the push permission of the target repository address to the git platform.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the code leakage protection method based on a git hook script as claimed in any one of claims 1 to 6.
10. A non-transitory computer-readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the code leakage protection method based on a git hook script as claimed in any one of claims 1 to 6.
CN202310093510.7A 2023-02-10 2023-02-10 Code leakage protection method and device based on git hook script Active CN115774864B (en)

Publications (2)

Publication Number Publication Date
CN115774864A (en) 2023-03-10
CN115774864B (en) 2023-06-16

Family

ID=85393472

Family Applications (1)

CN202310093510.7A (CN115774864B, en), Active, priority date 2023-02-10, filing date 2023-02-10: Code leakage protection method and device based on git hook script

Country Status (1)

Country Link
CN (1) CN115774864B (en)

Citations (2)

CN108228256A (priority 2018-02-05, published 2018-06-29), 武汉斗鱼网络科技有限公司: Code synchronisation method, apparatus, computer-readable medium and terminal; cited by examiner
CN113268956A (priority 2021-05-25, published 2021-08-17), 浙江工业大学: Method for identifying YAML file and converting YAML file into XML file; cited by examiner

Family Cites Families (5)

WO2013078269A1 (priority 2011-11-22, published 2013-05-30), Solano Labs, Inc.: System of distributed software quality improvement; cited by examiner
US10545737B2 (priority 2017-06-13, published 2020-01-28), Microsoft Technology Licensing, LLC: Model binding for command line parsers; cited by examiner
CN108196876B (priority 2017-11-29, published 2020-07-07), 贝壳找房(北京)科技有限公司: PHP service configuration method based on file and central server; cited by examiner
CN110704298A (priority 2019-08-23, published 2020-01-17), 北京奇艺世纪科技有限公司: Code verification method and device, terminal equipment and storage medium; cited by examiner
CN114880227B (priority 2022-05-11, published 2024-04-05), 云合智网(上海)技术有限公司: Code warehouse management method and system applied to chip field; cited by examiner

Also Published As

Publication number Publication date
CN115774864A (en) 2023-03-10

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant