[PATCH] Exclude `*/.extensions` from grep/reencrypt

Axel Tripier axel at tripier.fr
Fri Jul 2 17:40:44 UTC 2021


The `.extensions` directory can contain extensions code, for example as
git submodules, that have `.gpg` files as part of their code but that
are not files encrypted with the PGP keys of our password store.

One example is `pass-tomb`, that contains `.gpg` files in `tests/gnupg`,
but there are more, like `pass-update`, `pass-otp`, etc.

However those `.gpg` files in the `.extensions` directory are currently
processed by the `grep` and `reencrypt` functions of `pass`.

At best this can cause errors to be shown to the user when
grepping/reencrypting, and at worst it can cause files in the
`.extensions` directory to be decrypted and returned as part of a
search, or reencrypted with the incorrect PGP keys.

This patch tries to mitigate that issue by removing the `*/.extensions`
directories from the list of processed `.gpg` files for the
grep/reencrypt functions.

However this patch is not perfect as it does not take into account the
fact that the `.extensions` directory can be renamed to something else
using `PASSWORD_STORE_EXTENSIONS_DIR`. But knowing if this
`PASSWORD_STORE_EXTENSIONS_DIR` is inside the `PREFIX` or not and
formatting the path exclusion for `find` accordingly could require a
fair bit of additional logic that I am not sure how you want to
implement.
---
 src/password-store.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/password-store.sh b/src/password-store.sh
index a0dcf2e..3bf0391 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -137,7 +137,7 @@ reencrypt_path() {
 			mv "$passfile_temp" "$passfile" || rm -f "$passfile_temp"
 		fi
 		prev_gpg_recipients="${GPG_RECIPIENTS[*]}"
-	done < <(find "$1" -path '*/.git' -prune -o -iname '*.gpg' -print0)
+	done < <(find "$1" -path '*/.git' -prune -o -path '*/.extensions' -prune -o -iname '*.gpg' -print0)
 }
 check_sneaky_paths() {
 	local path
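Review bot: The new `-path '*/.extensions' -prune` in the `find "$1"` expression matches a directory named `.extensions` at any depth below `$1`, not only the extensions directory at the root of the store, so a password folder that happens to carry that name would be silently skipped during reencryption and keep its old recipients. Consider anchoring the exclusion to the store root instead of using the `*/` wildcard, and building the pattern from the configured extensions directory when it lies inside the store, which would also cover the `PASSWORD_STORE_EXTENSIONS_DIR` case the commit message leaves open.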
@@ -430,7 +430,7 @@ cmd_grep() {
 		passfile="${passfile##*/}"
 		printf "\e[94m%s\e[1m%s\e[0m:\n" "$passfile_dir" "$passfile"
 		echo "$grepresults"
-	done < <(find -L "$PREFIX" -path '*/.git' -prune -o -iname '*.gpg' -print0)
+	done < <(find -L "$PREFIX" -path '*/.git' -prune -o -path '*/.extensions' -prune -o -iname '*.gpg' -print0)
 }
 
 cmd_insert() {
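Review bot: In `cmd_grep` the exclusion is combined with `find -L`, and `-prune` only acts on the path name being visited, so a symlink elsewhere under `$PREFIX` that points into the extensions directory is still followed and its `.gpg` files are still passed to decryption under the other path. If the goal is that extension files are never decrypted by grep, that needs a check on the resolved location in addition to the name match, or a comment noting the limitation. The same expression is now duplicated in `reencrypt_path`; keeping the exclusion list in one shared variable or helper would avoid the two call sites drifting apart when it is extended.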
-- 
2.31.1

