Conversation
When committing anything on your machine where there are empty entries in your default aws credentials file such as
aws_access_key_id=
aws_secret_access_key=
aws_session_token=
git-secrets triggers on every file everywhere. This should resolve that issue.
|
Thank you for this fix! Would it be easy to also add a test in the PR? |
|
Unfortunately I don't see anywhere in your bats where you set up an /aws/credentials file for creating a test for this. I'm not sure how you'd like to test this stuff. |
|
I think something along these lines would work to test this change:

@test "empty AWS Creds doesn't cause FPs" {
  setup_good_repo
  mkdir -p $HOME/.aws
  echo 'aws_access_key_id=' > $HOME/.aws/credentials
  echo 'aws_secret_access_key_id=' > $HOME/.aws/credentials
  repo_run git-secrets --aws-provider
  [ $status -eq 0 ]
}

That example, as-written, doesn't seem to be sufficient to reproduce the original issue, however, so it will need some adjusting. |
|
This is my attempt to extend the test to actually use the provider, but it also passes.

@test "empty AWS Creds don't cause false positives" {
  setup_good_repo
  mkdir -p $HOME/.aws
  echo 'aws_access_key_id=' > $HOME/.aws/credentials
  echo 'aws_secret_access_key_id=' > $HOME/.aws/credentials
  repo_run git-secrets --register-aws
  repo_run git-secrets --scan
  [ $status -eq 0 ]
}

I also cannot reproduce the failure mode outside of a test case, running the script directly in my home environment with the credentials file in question in place. |
|
Maybe this comment #208 (comment) can be used to build test data? could be altered to To get rid of blank lines. Then compare |
Issue #, if available:
When committing anything on your machine where there are empty entries in your default aws credentials file such as
aws_access_key_id=
aws_secret_access_key=
aws_session_token=
git-secrets triggers on every file everywhere.
Description of changes:
This will prevent the empty values from getting pulled in to check the regexes against.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
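
The failure mode described in this PR can be shown in isolation: when values read from a credentials file are used as one regex per line, an empty value becomes an empty pattern, and an empty pattern matches every line. This is an added example, not code from git-secrets or from this PR; the function names, the sample credentials file and the sample key are constructed for illustration, and the sample values contain no regex metacharacters.

```shell
#!/bin/sh
# Added illustration: hypothetical helper names, not git-secrets' own code.

# Print the value of each credential key in an AWS credentials file ($1),
# one per line. Empty values come out as empty lines (the problem case).
extract_values() {
  awk '/^[ \t]*(aws_access_key_id|aws_secret_access_key|aws_session_token)[ \t]*=/ {
    v = substr($0, index($0, "=") + 1)   # keep everything after the first "="
    gsub(/[ \t"]/, "", v)                # drop spaces, tabs and quotes
    print v
  }' "$1"
}

# Same extraction, but drop empty values so they never become patterns.
extract_nonempty_values() {
  extract_values "$1" | sed '/^$/d'
}

# Count lines of file $2 matched by the patterns (one ERE per line) in file $1.
count_flagged() {
  grep -E -c -f "$1" "$2" || true        # grep exits 1 when the count is 0
}

# Write constructed sample data into directory $1.
make_samples() {
  printf '%s\n' '[default]' 'aws_access_key_id=' 'aws_secret_access_key=' \
    'aws_session_token=' '[dev]' \
    'aws_access_key_id = AKIAEXAMPLEEXAMPLE00' > "$1/credentials"
  printf '%s\n' 'README line' 'x = 1' \
    'key: AKIAEXAMPLEEXAMPLE00' > "$1/target.txt"
}

demo() {
  d=$(mktemp -d) && make_samples "$d"
  extract_values "$d/credentials" > "$d/naive.pat"
  extract_nonempty_values "$d/credentials" > "$d/filtered.pat"
  echo "naive:    $(count_flagged "$d/naive.pat" "$d/target.txt") of 3 lines flagged"
  echo "filtered: $(count_flagged "$d/filtered.pat" "$d/target.txt") of 3 lines flagged"
  rm -rf "$d"
}
demo
```

With the empty values left in, all three lines of the sample file are flagged; with them dropped, only the line containing the constructed key is.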