Skip to content

Commit

Permalink
Add secrets rules for Private Packagist
Browse files Browse the repository at this point in the history
Private Packagist (Packagist.com) is a package repository for Composer,
the dependency manager for PHP.
Private Packagist generates user and organization tokens for
authentication.

All tokens are generated with a prefix and a checksum to help with
automated secret scanning.
See https://packagist.com/docs/composer-authentication#token-format.
  • Loading branch information
nicwortel committed Nov 17, 2024
1 parent 6fab88d commit 9038224
Show file tree
Hide file tree
Showing 3 changed files with 137 additions and 0 deletions.
10 changes: 10 additions & 0 deletions pkg/fanal/secret/builtin-rules.go
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,7 @@ var (
CategoryNewRelic = types.SecretRuleCategory("NewRelic")
CategoryNpm = types.SecretRuleCategory("Npm")
CategoryPlanetscale = types.SecretRuleCategory("Planetscale")
CategoryPrivatePackagist = types.SecretRuleCategory("Private Packagist")
CategoryPostman = types.SecretRuleCategory("Postman")
CategoryPulumi = types.SecretRuleCategory("Pulumi")
CategoryRubyGems = types.SecretRuleCategory("RubyGems")
Expand Down Expand Up @@ -743,6 +744,15 @@ var builtinRules = []Rule{
Regex: MustCompile(`pscale_tkn_(?i)[a-z0-9\-_\.]{43}`),
Keywords: []string{"pscale_tkn_"},
},
{
ID: "private-packagist-token",
Category: CategoryPrivatePackagist,
Title: "Private Packagist token",
Severity: "HIGH",
// https://packagist.com/docs/composer-authentication#token-format
Regex: MustCompile(`packagist_[ou][ru]t_(?i)[a-f0-9]{68}`),
Keywords: []string{"packagist_uut_", "packagist_ort_", "packagist_out_"},
},
{
ID: "postman-api-token",
Category: CategoryPostman,
Expand Down
124 changes: 124 additions & 0 deletions pkg/fanal/secret/scanner_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -668,6 +668,117 @@ func TestSecretScanner(t *testing.T) {
},
},
}
wantFindingPrivatePackagistOrgReadToken := types.SecretFinding{
RuleID: "private-packagist-token",
Category: secret.CategoryPrivatePackagist,
Title: "Private Packagist token",
Severity: "HIGH",
StartLine: 1,
EndLine: 1,
Match: "ORG_READ_TOKEN=**********************************************************************************",
Code: types.Code{
Lines: []types.Line{
{
Number: 1,
Content: "ORG_READ_TOKEN=**********************************************************************************",
Highlighted: "ORG_READ_TOKEN=**********************************************************************************",
IsCause: true,
FirstCause: true,
LastCause: true,
},
{
Number: 2,
Content: "ORG_WRITE_TOKEN=**********************************************************************************",
Highlighted: "ORG_WRITE_TOKEN=**********************************************************************************",
IsCause: false,
FirstCause: false,
LastCause: false,
},
},
},
}
wantFindingPrivatePackagistOrgUpdateToken := types.SecretFinding{
RuleID: "private-packagist-token",
Category: secret.CategoryPrivatePackagist,
Title: "Private Packagist token",
Severity: "HIGH",
StartLine: 2,
EndLine: 2,
Match: "ORG_WRITE_TOKEN=**********************************************************************************",
Code: types.Code{
Lines: []types.Line{
{
Number: 1,
Content: "ORG_READ_TOKEN=**********************************************************************************",
Highlighted: "ORG_READ_TOKEN=**********************************************************************************",
IsCause: false,
FirstCause: false,
LastCause: false,
},
{
Number: 2,
Content: "ORG_WRITE_TOKEN=**********************************************************************************",
Highlighted: "ORG_WRITE_TOKEN=**********************************************************************************",
IsCause: true,
FirstCause: true,
LastCause: true,
},
{
Number: 3,
Content: "USER_TOKEN=**********************************************************************************",
Highlighted: "USER_TOKEN=**********************************************************************************",
IsCause: false,
FirstCause: false,
LastCause: false,
},
},
},
}
wantFindingPrivatePackagistUserToken := types.SecretFinding{
RuleID: "private-packagist-token",
Category: secret.CategoryPrivatePackagist,
Title: "Private Packagist token",
Severity: "HIGH",
StartLine: 3,
EndLine: 3,
Match: "USER_TOKEN=**********************************************************************************",
Code: types.Code{
Lines: []types.Line{
{
Number: 1,
Content: "ORG_READ_TOKEN=**********************************************************************************",
Highlighted: "ORG_READ_TOKEN=**********************************************************************************",
IsCause: false,
FirstCause: false,
LastCause: false,
},
{
Number: 2,
Content: "ORG_WRITE_TOKEN=**********************************************************************************",
Highlighted: "ORG_WRITE_TOKEN=**********************************************************************************",
IsCause: false,
FirstCause: false,
LastCause: false,
},
{
Number: 3,
Content: "USER_TOKEN=**********************************************************************************",
Highlighted: "USER_TOKEN=**********************************************************************************",
IsCause: true,
FirstCause: true,
LastCause: true,
},
{
Number: 4,
Content: "",
Highlighted: "",
IsCause: false,
FirstCause: false,
LastCause: false,
},
},
},
}
wantFindingHuggingFace := types.SecretFinding{
RuleID: "hugging-face-access-token",
Category: secret.CategoryHuggingFace,
Expand Down Expand Up @@ -941,6 +1052,19 @@ func TestSecretScanner(t *testing.T) {
Findings: []types.SecretFinding{wantFindingJWT},
},
},
{
name: "find Private Packagist tokens",
configPath: filepath.Join("testdata", "config.yaml"),
inputFilePath: filepath.Join("testdata", "private-packagist.txt"),
want: types.Secret{
FilePath: filepath.Join("testdata", "private-packagist.txt"),
Findings: []types.SecretFinding{
wantFindingPrivatePackagistOrgReadToken,
wantFindingPrivatePackagistOrgUpdateToken,
wantFindingPrivatePackagistUserToken,
},
},
},
{
name: "include when keyword found",
configPath: filepath.Join("testdata", "config-happy-keywords.yaml"),
Expand Down
3 changes: 3 additions & 0 deletions pkg/fanal/secret/testdata/private-packagist.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
ORG_READ_TOKEN=packagist_ort_6675e11a686c692f3f2e3b6ce528c3d122d22d912ea69a20713cdf51714ba710ad74
ORG_WRITE_TOKEN=packagist_out_d63bd7be741c67ca810f924225b525fa5d20e6e1b316c8bfc0a1b33c68e4861bd5a4
USER_TOKEN=packagist_uut_02f17e5917451dcdcc2995157e08cac2976a0373097b95d7021ba7a6844437973421

0 comments on commit 9038224

Please sign in to comment.