diff --git a/pkg/detectors/gitlab/v1/gitlab.go b/pkg/detectors/gitlab/v1/gitlab.go index a4d57be56b2e..b41f51133489 100644 --- a/pkg/detectors/gitlab/v1/gitlab.go +++ b/pkg/detectors/gitlab/v1/gitlab.go @@ -20,6 +20,10 @@ type Scanner struct { detectors.EndpointSetter } +type gitlabMessage struct { + Message string `json:"message"` +} + // Ensure the Scanner satisfies the interfaces at compile time. var ( _ detectors.Detector = (*Scanner)(nil) @@ -34,6 +38,8 @@ func (Scanner) CloudEndpoint() string { return "https://gitlab.com" } var ( defaultClient = common.SaneHttpClient() keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"gitlab"}) + `\b([a-zA-Z0-9\-=_]{20,22})\b`) + + blockedUserMessage = "403 Forbidden - Your account has been blocked" ) // Keywords are used for efficiently pre-filtering chunks. @@ -60,6 +66,7 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result s1 := detectors.Result{ DetectorType: detectorspb.DetectorType_Gitlab, Raw: []byte(resMatch), + ExtraData: map[string]string{}, } s1.ExtraData = map[string]string{ "rotation_guide": "https://howtorotate.com/docs/tutorials/gitlab/", @@ -67,8 +74,13 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result } if verify { - isVerified, verificationErr := s.verifyGitlab(ctx, resMatch) + isVerified, isUserBlocked, verificationErr := s.verifyGitlab(ctx, resMatch) s1.Verified = isVerified + // if user account is blocked, add this information in the extra data + if isUserBlocked { + s1.ExtraData["User Account Blocked"] = "Yes" + } + s1.SetVerificationError(verificationErr, resMatch) } @@ -78,7 +90,7 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result return results, nil } -func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, error) { +func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, bool, error) { // there are 4 read 'scopes' for a gitlab token: api, read_user, read_repo, and read_registry // they all grant access to different parts of the API. I couldn't find an endpoint that every // one of these scopes has access to, so we just check an example endpoint for each scope. If any @@ -98,13 +110,13 @@ func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, error req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", resMatch)) res, err := client.Do(req) if err != nil { - return false, err + return false, false, err } defer res.Body.Close() body, err := io.ReadAll(res.Body) if err != nil { - return false, err + return false, false, err } // 200 means good key and has `read_user` scope @@ -112,19 +124,28 @@ func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, error // 401 is bad key switch res.StatusCode { case http.StatusOK: - return json.Valid(body), nil + return json.Valid(body), false, nil case http.StatusForbidden: + // check if the user account is blocked or not + var apiResp gitlabMessage + if err := json.Unmarshal(body, &apiResp); err == nil { + if apiResp.Message == blockedUserMessage { + return true, true, nil + } + } + // Good key but not the right scope - return true, nil + return true, false, nil case http.StatusUnauthorized: // Nothing to do; zero values are the ones we want - return false, nil + return false, false, nil default: - return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) + return false, false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) } } - return false, nil + + return false, false, nil } func (s Scanner) Type() detectorspb.DetectorType {