Skip to content

Commit

Permalink
[chore] - Add regex and keyword for api_org tokens (trufflesecurity#2240
Browse files Browse the repository at this point in the history
)

* Add regex and keyword for api_org tokens.

* handle org token auth struct

* update keywords
  • Loading branch information
ahrav authored Jan 16, 2024
1 parent c5af979 commit b0fd951
Showing 1 changed file with 23 additions and 8 deletions.
31 changes: 23 additions & 8 deletions pkg/detectors/huggingface/huggingface.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,13 +23,13 @@ var _ detectors.Detector = (*Scanner)(nil)
var (
defaultClient = common.SaneHttpClient()
// Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
keyPat = regexp.MustCompile(`\bhf_[a-zA-Z0-9]{34}\b`)
keyPat = regexp.MustCompile(`\b(?:hf_|api_org_)[a-zA-Z0-9]{34}\b`)
)

// Keywords are used for efficiently pre-filtering chunks.
// Use identifiers in the secret preferably, or the provider name.
func (s Scanner) Keywords() []string {
return []string{"huggingface", "hugging_face", "hf"} // Huggingface docs occasionally use "hf" instead of "huggingface"
return []string{"hf_", "api_org_"} // Huggingface docs occasionally use "hf" instead of "huggingface"
}

// FromData will find and optionally verify Huggingface secrets in a given set of bytes.
Expand Down Expand Up @@ -92,15 +92,29 @@ func (s Scanner) verifyResult(ctx context.Context, apiKey string) (bool, map[str
return true, nil, err
}

t := whoamiRes.Auth.AccessToken
var tokenInfo string
switch {
case whoamiRes.Auth.AccessToken.DisplayName != "" || whoamiRes.Auth.AccessToken.Role != "":
// hf_xxxx token
t := whoamiRes.Auth.AccessToken
tokenInfo = fmt.Sprintf("%s (%s)", t.DisplayName, t.Role)

case whoamiRes.Auth.Type != "":
// api_org_xxxx token
tokenInfo = whoamiRes.Auth.Type

default:
tokenInfo = "Unknown Token Type"
}

extraData := map[string]string{
"Username": whoamiRes.Name,
"Email": whoamiRes.Email,
"Token": fmt.Sprintf("%s (%s)", t.DisplayName, t.Role),
"Token": tokenInfo,
}

// Condense a list of organizations + roles.
var orgs []string
orgs := make([]string, 0, len(whoamiRes.Organizations))
for _, org := range whoamiRes.Organizations {
orgs = append(orgs, fmt.Sprintf("%s:%s", org.Name, org.Role))
}
Expand Down Expand Up @@ -136,7 +150,8 @@ type organization struct {

type auth struct {
AccessToken struct {
DisplayName string `json:"displayName"`
Role string `json:"role"`
} `json:"accessToken"`
DisplayName string `json:"displayName,omitempty"`
Role string `json:"role,omitempty"`
} `json:"accessToken,omitempty"`
Type string `json:"type,omitempty"`
}

0 comments on commit b0fd951

Please sign in to comment.