Skip to content

Commit

Permalink
resolved comments
Browse files Browse the repository at this point in the history
  • Loading branch information
kashifkhan0771 committed Oct 21, 2024
1 parent d68510e commit 294a2fe
Show file tree
Hide file tree
Showing 2 changed files with 46 additions and 27 deletions.
35 changes: 17 additions & 18 deletions pkg/detectors/gitlab/v1/gitlab.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ type Scanner struct {
detectors.EndpointSetter
}

type gitlabMessage struct {
type GitLabMessage struct {
Message string `json:"message"`
}

Expand All @@ -39,7 +39,7 @@ var (
defaultClient = common.SaneHttpClient()
keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"gitlab"}) + `\b([a-zA-Z0-9\-=_]{20,22})\b`)

blockedUserMessage = "403 Forbidden - Your account has been blocked"
BlockedUserMessage = "403 Forbidden - Your account has been blocked"
)

// Keywords are used for efficiently pre-filtering chunks.
Expand Down Expand Up @@ -74,12 +74,9 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
}

if verify {
isVerified, isUserBlocked, verificationErr := s.verifyGitlab(ctx, resMatch)
isVerified, extraData, verificationErr := s.verifyGitlab(ctx, resMatch)
s1.Verified = isVerified
// if user account is blocked, add this information in the extra data
if isUserBlocked {
s1.ExtraData["User Account Blocked"] = "Yes"
}
s1.ExtraData = extraData

s1.SetVerificationError(verificationErr, resMatch)
}
Expand All @@ -90,7 +87,7 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
return results, nil
}

func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, bool, error) {
func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, map[string]string, error) {
// there are 4 read 'scopes' for a gitlab token: api, read_user, read_repo, and read_registry
// they all grant access to different parts of the API. I couldn't find an endpoint that every
// one of these scopes has access to, so we just check an example endpoint for each scope. If any
Expand All @@ -110,42 +107,44 @@ func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, bool,
req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", resMatch))
res, err := client.Do(req)
if err != nil {
return false, false, err
return false, nil, err
}

defer res.Body.Close()
body, err := io.ReadAll(res.Body)
if err != nil {
return false, false, err
return false, nil, err
}

// 200 means good key and has `read_user` scope
// 403 means good key but not the right scope
// 401 is bad key
switch res.StatusCode {
case http.StatusOK:
return json.Valid(body), false, nil
return json.Valid(body), nil, nil
case http.StatusForbidden:
// check if the user account is blocked or not
var apiResp gitlabMessage
var apiResp GitLabMessage
if err := json.Unmarshal(body, &apiResp); err == nil {
if apiResp.Message == blockedUserMessage {
return true, true, nil
if apiResp.Message == BlockedUserMessage {
return true, map[string]string{
"blocked": "True",
}, nil
}
}

// Good key but not the right scope
return true, false, nil
return true, nil, nil
case http.StatusUnauthorized:
// Nothing to do; zero values are the ones we want
return false, false, nil
return false, nil, nil
default:
return false, false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode)
return false, nil, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode)
}

}

return false, false, nil
return false, nil, nil
}

func (s Scanner) Type() detectorspb.DetectorType {
Expand Down
38 changes: 29 additions & 9 deletions pkg/detectors/gitlab/v2/gitlab_v2.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,14 +2,17 @@ package gitlab

import (
"context"
"encoding/json"
"fmt"
"io"
"net/http"
"strings"

regexp "github.com/wasilibs/go-re2"

"github.com/trufflesecurity/trufflehog/v3/pkg/common"
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
v1 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/gitlab/v1"
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
)

Expand Down Expand Up @@ -49,15 +52,18 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
s1 := detectors.Result{
DetectorType: detectorspb.DetectorType_Gitlab,
Raw: []byte(resMatch),
ExtraData: map[string]string{},
}
s1.ExtraData = map[string]string{
"rotation_guide": "https://howtorotate.com/docs/tutorials/gitlab/",
"version": fmt.Sprintf("%d", s.Version()),
}

if verify {
isVerified, verificationErr := s.verifyGitlab(ctx, resMatch)
isVerified, extraData, verificationErr := s.verifyGitlab(ctx, resMatch)
s1.Verified = isVerified
s1.ExtraData = extraData

s1.SetVerificationError(verificationErr, resMatch)
}

Expand All @@ -67,7 +73,7 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
return results, nil
}

func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, error) {
func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, map[string]string, error) {
// there are 4 read 'scopes' for a gitlab token: api, read_user, read_repo, and read_registry
// they all grant access to different parts of the API. I couldn't find an endpoint that every
// one of these scopes has access to, so we just check an example endpoint for each scope. If any
Expand All @@ -86,28 +92,42 @@ func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, error
req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", resMatch))
res, err := client.Do(req)
if err != nil {
return false, err
return false, nil, err
}
defer res.Body.Close()
body, err := io.ReadAll(res.Body)
if err != nil {
return false, nil, err
}
defer res.Body.Close() // The request body is unused.

// 200 means good key and has `read_user` scope
// 403 means good key but not the right scope
// 401 is bad key
switch res.StatusCode {
case http.StatusOK:
return true, nil
return true, nil, nil
case http.StatusForbidden:
// check if the user account is blocked or not
var apiResp v1.GitLabMessage
if err := json.Unmarshal(body, &apiResp); err == nil {
if apiResp.Message == v1.BlockedUserMessage {
return true, map[string]string{
"blocked": "True",
}, nil
}
}

// Good key but not the right scope
return true, nil
return true, nil, nil
case http.StatusUnauthorized:
// Nothing to do; zero values are the ones we want
return false, nil
return false, nil, nil
default:
return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode)
return false, nil, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode)
}

}
return false, nil
return false, nil, nil
}

func (s Scanner) Type() detectorspb.DetectorType {
Expand Down

0 comments on commit 294a2fe

Please sign in to comment.