fix: updated script to run on system directories

vvyas123 · vvyas123 · commit 2c0b599e1646 · 2026-02-02T19:26:27.000+05:30
diff --git a/update-all-repos.sh b/update-all-repos.sh
@@ -5,16 +5,45 @@
 # Based on git-secrets update-all-repos.sh
 
 # Usage examples:
-#   ./update-all-repos.sh                    # Updates all repos in current directory
-#   ./update-all-repos.sh ~/Projects         # Updates all repos in ~/Projects
+#   ./update-all-repos.sh                    # Updates all repos in current directory (recursively)
+#   ./update-all-repos.sh ~/Projects         # Updates all repos in ~/Projects (recursively)
 #   ./update-all-repos.sh ~/Sites ~/Projects # Updates repos in multiple directories
+#   sudo ./update-all-repos.sh /var          # Updates repos in system directories (requires root)
+#
+# Environment variables:
+#   MAX_DEPTH=3 ./update-all-repos.sh ~/     # Limit recursion depth (default: unlimited)
+#
+# WARNING: Scanning large directories like ~ or / can take a very long time!
+#          It's better to specify specific project directories.
 
 HIGHLIGHT="\e[01;34m"
 SUCCESS="\e[01;32m"
 ERROR="\e[01;31m"
 WARNING="\e[01;33m"
 NORMAL='\e[00m'
 
+# Configuration
+MAX_DEPTH="${MAX_DEPTH:-}"  # Default: unlimited depth
+
+# Temporary files for tracking stats across subshells
+STATS_DIR=$(mktemp -d)
+trap "rm -rf $STATS_DIR" EXIT
+
+touch "$STATS_DIR/found"
+touch "$STATS_DIR/updated"
+touch "$STATS_DIR/failed"
+touch "$STATS_DIR/skipped"
+
+function increment_stat {
+  local stat_file="$STATS_DIR/$1"
+  echo "1" >> "$stat_file"
+}
+
+function get_stat {
+  local stat_file="$STATS_DIR/$1"
+  wc -l < "$stat_file" 2>/dev/null | tr -d ' ' || echo "0"
+}
+
 # Check if gitleaks is installed
 if ! command -v gitleaks &> /dev/null; then
     echo -e "${ERROR}Error: gitleaks is not installed${NORMAL}"
@@ -27,8 +56,14 @@ fi
 
 # Check if global template is set up
 TEMPLATE_DIR="$HOME/.git-template"
+# Handle case when running with sudo - use the actual user's home
+if [ -n "$SUDO_USER" ]; then
+  TEMPLATE_DIR=$(eval echo ~$SUDO_USER)/.git-template
+fi
+
 if [ ! -d "$TEMPLATE_DIR/hooks" ]; then
     echo -e "${ERROR}Error: Git template directory not found${NORMAL}"
+    echo "Expected location: $TEMPLATE_DIR/hooks"
     echo "Please run ./install-gitleaks-global.sh first"
     exit 1
 fi
@@ -224,111 +259,232 @@ function install_native_hooks {
   return 0
 }
 
-function update_repo {
-  local d="$1"
+# Function to process a single git repository
+function process_repo {
+  local repodir="$1"
   
-  # Skip if not a directory or is a symbolic link
-  if [ ! -d "$d" ] || [ -L "$d" ]; then
-    return 0
-  fi
+  cd "$repodir" 2>/dev/null || {
+    echo -e "${WARNING}⚠${NORMAL}  Cannot access repository: $repodir (permission denied)"
+    increment_stat "skipped"
+    return 1
+  }
   
-  # Try to enter directory, return if fails
-  cd "$d" > /dev/null 2>&1 || return 0
+  increment_stat "found"
+  printf "%b\n" "${HIGHLIGHT}Installing gitleaks hooks in $(pwd)${NORMAL}"
   
-  if [ -d ".git" ]; then
-    printf "%b\n" "${HIGHLIGHT}Installing gitleaks hooks in $(pwd)${NORMAL}"
-    
-    # CRITICAL: Check if core.hooksPath is configured but directory doesn't exist
-    HOOKS_PATH=$(git config core.hooksPath 2>/dev/null || echo "")
-    if [ -n "$HOOKS_PATH" ] && [ ! -d "$HOOKS_PATH" ]; then
-      echo -e "  ${ERROR}🚨 CRITICAL${NORMAL}: Git is configured to use hooks from '$HOOKS_PATH' but directory doesn't exist!"
-      echo -e "  ${WARNING}⚠${NORMAL}  This means NO hooks are running - security bypass!"
-      echo -e "  ${HIGHLIGHT}→${NORMAL} Fixing: Unsetting core.hooksPath and installing native hooks"
-      git config --unset core.hooksPath
-      install_native_hooks
+  # Check if .git directory is writable
+  if [ ! -w ".git" ]; then
+    echo -e "  ${ERROR}✗${NORMAL} Cannot write to .git directory (permission denied)"
+    echo -e "  ${WARNING}⚠${NORMAL}  Repository owned by: $(stat -c '%U:%G' .git 2>/dev/null || echo 'unknown')"
+    echo -e "  ${WARNING}⚠${NORMAL}  Current user: $(whoami)"
+    if [ "$EUID" -ne 0 ]; then
+      echo -e "  ${HIGHLIGHT}→${NORMAL} Tip: Run script with sudo to update system repositories"
+    fi
+    increment_stat "failed"
+    return 1
+  fi
+  
+  # CRITICAL: Check if core.hooksPath is configured but directory doesn't exist
+  HOOKS_PATH=$(git config core.hooksPath 2>/dev/null || echo "")
+  if [ -n "$HOOKS_PATH" ] && [ ! -d "$HOOKS_PATH" ]; then
+    echo -e "  ${ERROR}🚨 CRITICAL${NORMAL}: Git is configured to use hooks from '$HOOKS_PATH' but directory doesn't exist!"
+    echo -e "  ${WARNING}⚠${NORMAL}  This means NO hooks are running - security bypass!"
+    echo -e "  ${HIGHLIGHT}→${NORMAL} Fixing: Unsetting core.hooksPath and installing native hooks"
+    git config --unset core.hooksPath
+    if install_native_hooks; then
+      increment_stat "updated"
       return 0
+    else
+      increment_stat "failed"
+      return 1
     fi
+  fi
+  
+  # Detect if this repo uses Husky
+  if [ -d ".husky" ]; then
+    echo -e "  ${HIGHLIGHT}→${NORMAL} Detected Husky repository"
     
-    # Detect if this repo uses Husky
-    if [ -d ".husky" ]; then
-      echo -e "  ${HIGHLIGHT}→${NORMAL} Detected Husky repository"
-      
-      # Check if pre-commit exists
-      if [ -f ".husky/pre-commit" ]; then
-        inject_gitleaks_husky ".husky/pre-commit"
+    # Check if pre-commit exists
+    if [ -f ".husky/pre-commit" ]; then
+      if inject_gitleaks_husky ".husky/pre-commit"; then
+        increment_stat "updated"
+        return 0
       else
-        # Check if husky.sh exists to confirm it's a valid Husky setup
-        if [ -f ".husky/_/husky.sh" ] || [ -f ".husky/husky.sh" ]; then
-          create_husky_precommit ".husky/pre-commit"
-        else
-          echo -e "  ${WARNING}⚠${NORMAL}  Husky directory exists but appears incomplete"
-          echo -e "  ${HIGHLIGHT}→${NORMAL} Installing native Git hooks as fallback"
-          install_native_hooks
-        fi
+        increment_stat "failed"
+        return 1
       fi
     else
-      # Check if core.hooksPath points to .husky but .husky doesn't exist
-      if [ "$HOOKS_PATH" = ".husky/_" ] || [ "$HOOKS_PATH" = ".husky" ]; then
-        echo -e "  ${WARNING}⚠${NORMAL}  Repo was using Husky but .husky/ is missing"
-        echo -e "  ${HIGHLIGHT}→${NORMAL} Unsetting core.hooksPath and using native hooks"
-        git config --unset core.hooksPath
+      # Check if husky.sh exists to confirm it's a valid Husky setup
+      if [ -f ".husky/_/husky.sh" ] || [ -f ".husky/husky.sh" ]; then
+        if create_husky_precommit ".husky/pre-commit"; then
+          increment_stat "updated"
+          return 0
+        else
+          increment_stat "failed"
+          return 1
+        fi
+      else
+        echo -e "  ${WARNING}⚠${NORMAL}  Husky directory exists but appears incomplete"
+        echo -e "  ${HIGHLIGHT}→${NORMAL} Installing native Git hooks as fallback"
+        if install_native_hooks; then
+          increment_stat "updated"
+          return 0
+        else
+          increment_stat "failed"
+          return 1
+        fi
       fi
-      
-      # Standard git hooks installation
-      echo -e "  ${HIGHLIGHT}→${NORMAL} Using native Git hooks"
-      install_native_hooks
     fi
   else
-    # Not a git repo, scan subdirectories (but with protection)
-    scan_dirs * 2>/dev/null || true
-  fi
-  
-  cd .. > /dev/null 2>&1 || true
-}
-
-function scan_dirs {
-  for x in "$@"; do
-    # Skip hidden directories and problematic directories
-    if [[ "$x" == .* ]] || [[ "$x" == "__MACOSX" ]] || [[ "$x" == "node_modules" ]]; then
-      continue
+    # Check if core.hooksPath points to .husky but .husky doesn't exist
+    if [ "$HOOKS_PATH" = ".husky/_" ] || [ "$HOOKS_PATH" = ".husky" ]; then
+      echo -e "  ${WARNING}⚠${NORMAL}  Repo was using Husky but .husky/ is missing"
+      echo -e "  ${HIGHLIGHT}→${NORMAL} Unsetting core.hooksPath and using native hooks"
+      git config --unset core.hooksPath
     fi
-    update_repo "$x" || true  # Continue even if update_repo fails
-  done
+    
+    # Standard git hooks installation
+    echo -e "  ${HIGHLIGHT}→${NORMAL} Using native Git hooks"
+    if install_native_hooks; then
+      increment_stat "updated"
+      return 0
+    else
+      increment_stat "failed"
+      return 1
+    fi
+  fi
 }
 
 function update_directory {
-  if [ "$1" != "" ]; then 
-    cd "$1" > /dev/null 2>&1 || {
-      echo -e "${ERROR}✗${NORMAL} Cannot access directory: $1"
+  local target_dir="$1"
+  
+  # Use current directory if none specified
+  if [ -z "$target_dir" ]; then
+    target_dir="$PWD"
+  fi
+  
+  # Convert to absolute path
+  if [[ "$target_dir" != /* ]]; then
+    target_dir="$PWD/$target_dir"
+  fi
+  
+  # Check if directory exists and is accessible
+  if [ ! -d "$target_dir" ]; then
+    echo -e "${ERROR}✗${NORMAL} Directory does not exist: $target_dir"
+    return 1
+  fi
+  
+  if [ ! -r "$target_dir" ]; then
+    echo -e "${ERROR}✗${NORMAL} Cannot read directory: $target_dir (permission denied)"
+    if [ "$EUID" -ne 0 ]; then
+      echo -e "${HIGHLIGHT}→${NORMAL} Try running with sudo: sudo ./update-all-repos.sh $target_dir"
+    fi
+    return 1
+  fi
+  
+  # Warn if trying to update system directories
+  if [[ "$target_dir" == "/var"* ]] || [[ "$target_dir" == "/etc"* ]] || [[ "$target_dir" == "/sys"* ]] || [[ "$target_dir" == "/proc"* ]]; then
+    echo -e "${WARNING}⚠${NORMAL}  WARNING: Scanning system directory: ${target_dir}"
+    if [ "$EUID" -ne 0 ]; then
+      echo -e "${ERROR}✗${NORMAL} ERROR: System directories require root privileges"
+      echo -e "${HIGHLIGHT}→${NORMAL} Please run with sudo: sudo ./update-all-repos.sh \"$target_dir\""
       return 1
-    }
+    fi
+    echo -e "${SUCCESS}✓${NORMAL} Running with root privileges"
   fi
-  printf "%b\n" "${HIGHLIGHT}Scanning ${PWD} for git repositories...${NORMAL}\n"
-  scan_dirs * 2>/dev/null || true
+  
+  printf "%b\n" "${HIGHLIGHT}Scanning ${target_dir} recursively for git repositories...${NORMAL}"
+  
+  # Build find command with optional depth limit
+  local find_cmd="find \"$target_dir\""
+  if [ -n "$MAX_DEPTH" ]; then
+    find_cmd="$find_cmd -maxdepth $MAX_DEPTH"
+    echo -e "${HIGHLIGHT}→${NORMAL} Maximum depth: $MAX_DEPTH levels"
+  else
+    echo -e "${WARNING}⚠${NORMAL}  WARNING: Unlimited depth - this may take a very long time for large directories!"
+    echo -e "${HIGHLIGHT}→${NORMAL} Tip: Set MAX_DEPTH to limit recursion (e.g., MAX_DEPTH=3 ./update-all-repos.sh ~)"
+  fi
+  echo -e "${HIGHLIGHT}→${NORMAL} Press Ctrl+C to cancel if this takes too long"
+  echo ""
+  
+  # Use find to recursively locate all .git directories
+  # Exclude common large directories to speed up search
+  # The -print0 and read -d '' handle filenames with spaces and special characters
+  local count=0
+  while IFS= read -r -d '' gitdir; do
+    local repodir=$(dirname "$gitdir")
+    
+    # Skip submodules (git repos inside .git directories)
+    if [[ "$repodir" == *"/.git/"* ]] || [[ "$repodir" == *"/.git" ]]; then
+      continue
+    fi
+    
+    count=$((count + 1))
+    echo -e "${HIGHLIGHT}[$count]${NORMAL} Found: $repodir"
+    
+    # Process this repository in current shell (not subshell) to track stats
+    (process_repo "$repodir")
+    echo ""
+    
+  done < <(find "$target_dir" \
+    ${MAX_DEPTH:+-maxdepth $MAX_DEPTH} \
+    -type d \
+    \( -name "node_modules" -o -name ".npm" -o -name ".cache" -o -name "__pycache__" -o -name ".venv" -o -name "venv" -o -name ".local" -o -name ".cargo" -o -name ".rustup" -o -name ".m2" -o -name ".gradle" -o -name "target" -o -name "build" -o -name "dist" -o -name "vendor" -o -name ".bundle" \) -prune -o \
+    -type d -name ".git" -print0 2>/dev/null)
 }
 
 # Main execution
 echo -e "${HIGHLIGHT}========================================${NORMAL}"
 echo -e "${HIGHLIGHT}Gitleaks Hook Installer${NORMAL}"
 echo -e "${HIGHLIGHT}========================================${NORMAL}\n"
 
-if [ "$1" == "" ]; then
-  update_directory
+if [ "$EUID" -eq 0 ]; then
+  echo -e "${WARNING}⚠${NORMAL}  Running as root (sudo)"
+  echo -e "${HIGHLIGHT}→${NORMAL} Will be able to update system-owned repositories"
+  echo ""
+fi
+
+if [ "$#" -eq 0 ]; then
+  update_directory "$PWD"
 else
   for dir in "$@"; do
     update_directory "$dir"
+    echo ""
   done
 fi
 
+# Get final statistics
+REPOS_FOUND=$(get_stat "found")
+REPOS_UPDATED=$(get_stat "updated")
+REPOS_FAILED=$(get_stat "failed")
+REPOS_SKIPPED=$(get_stat "skipped")
+
 echo -e "\n${SUCCESS}========================================${NORMAL}"
 echo -e "${SUCCESS}Update Complete!${NORMAL}"
 echo -e "${SUCCESS}========================================${NORMAL}\n"
 
 echo -e "${HIGHLIGHT}Summary:${NORMAL}"
-echo "  • Gitleaks pre-commit hooks have been installed in all git repositories"
+echo "  • Git repositories found:      $REPOS_FOUND"
+echo "  • Successfully updated:         $REPOS_UPDATED"
+echo "  • Failed (permission denied):   $REPOS_FAILED"
+echo "  • Skipped (inaccessible):       $REPOS_SKIPPED"
 echo "  • Both Husky and native Git hooks are supported"
 echo "  • Future commits will be scanned for blockchain private keys and secrets"
 echo ""
+
+# Show warning if there were permission failures
+if [ "$REPOS_FAILED" -gt 0 ] || [ "$REPOS_SKIPPED" -gt 0 ]; then
+  echo -e "${WARNING}⚠${NORMAL}  ${WARNING}WARNING: Some repositories could not be updated due to permission issues${NORMAL}"
+  if [ "$EUID" -ne 0 ]; then
+    echo -e "${HIGHLIGHT}→${NORMAL} To update system repositories (in /var, /etc, etc.), run with sudo:"
+    echo -e "   ${HIGHLIGHT}sudo ./update-all-repos.sh /var${NORMAL}"
+  else
+    echo -e "${HIGHLIGHT}→${NORMAL} Some repositories may have additional access restrictions"
+    echo -e "   Check ownership and permissions of failed repositories"
+  fi
+  echo ""
+fi
+
 echo -e "${HIGHLIGHT}Test the hooks:${NORMAL}"
 echo "  cd /path/to/any/repo"
 echo "  echo 'const key = \"abc\"' > test.js"
