Update readme.go #795
Update readme.go #795
Conversation
Readme has change the way they issue their keys
now its like rdme_{70} ascii chars
|
|
pkg/detectors/readme/readme.go
Outdated
| @@ -20,7 +20,7 @@ var ( | |||
| client = common.SaneHttpClient() | |||
|
|
|||
| // Make sure that your group is surrounded in boundary characters such as below to reduce false positives. | |||
| keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"readme"}) + `\b([a-zA-Z0-9_]{32})\b`) | |||
| keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"rdme_"}) + `\b([a-z0-9]{70})\b`) | |||
There was a problem hiding this comment.
question: Do you know if they have stopped providing support for the older format? If so I think this is okay, but if there is still support (albeit deprecated) uses of the older key we would still want to make sure we detect those. So it might make sense to leave the older one and add a new regex for the new format.
Thoughts?
There was a problem hiding this comment.
A good way to do this is to add an OR in the regex
There was a problem hiding this comment.
Readme completely invalidated all previous keys and issued a new version of readme keys where the key looks like this - "rdme_xn8s9hffe79257cd578c938791cffd1f429536d562a9e2927c30080bc87d45dbdc4c02". Notice the prefix but the regex i suggested is not working on my machine. Sorry, not so well versed in Golang
here is the regex from gitleaks - https://github.com/zricethezav/gitleaks/blob/e35cb6707a97beb6d9495bceffec351d182c3c88/cmd/generate/config/rules/readme.go
There was a problem hiding this comment.
They had a security incident so they rotated all their keys and introduced new version of the keys
There was a problem hiding this comment.
was able to fix the regex but the verifyer is still not verifying the result.
|
still the verifier is failing. I troubleshooted the response from the detector and its showing 403 which is access denied. A expired/wrong api key would give a 401 response and not 403. |
Okay so I looked into this and seem to have found the solution. Looks to be their API does not work with our |
pkg/detectors/readme/readme.go
Outdated
| @@ -20,13 +19,13 @@ var ( | |||
| client = common.SaneHttpClient() | |||
There was a problem hiding this comment.
suggestion: Try to use the default client here. http.DefaultClient. I think this will resolve the 403. I'm not entirely sure why their API does not allow for our custom client, given it only includes some timeouts and keep lives, but that seems to be the issue.
The tester seems to be working fine with the new defaultclient code
Readme has change the way they issue their keys
now its like rdme_{70} ascii chars