Update readme.go #795
Conversation
Readme has changed the way they issue their keys; now it's like rdme_{70} ASCII chars.
pkg/detectors/readme/readme.go
Outdated
@@ -20,7 +20,7 @@ var ( | |||
client = common.SaneHttpClient() | |||
|
|||
// Make sure that your group is surrounded in boundary characters such as below to reduce false positives. | |||
keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"readme"}) + `\b([a-zA-Z0-9_]{32})\b`) | |||
keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"rdme_"}) + `\b([a-z0-9]{70})\b`) |
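Review bot: the `\b` placed directly before the capture group on the new keyPat line can never be satisfied when the key immediately follows the `rdme_` keyword, because `_` and the first key character are both word characters and `\b` needs a word/non-word transition; that matches the later report in this thread that the suggested regex did not match. Either drop that leading `\b` or make the prefix part of the capture group, e.g. `\b(rdme_[a-z0-9]{70})\b`, so the full key including its prefix is what gets verified. The same line also drops the legacy `[a-zA-Z0-9_]{32}` pattern; if the older format is still accepted anywhere, keep it as an alternation or as a second regex rather than replacing it.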
question: Do you know if they have stopped providing support for the older format? If so, I think this is okay, but if there is still support (albeit deprecated) for uses of the older key, we would still want to make sure we detect those. So it might make sense to leave the older one and add a new regex for the new format.
Thoughts?
A good way to do this is to add an OR in the regex
Readme completely invalidated all previous keys and issued a new version of Readme keys, where the key looks like this: "rdme_xn8s9hffe79257cd578c938791cffd1f429536d562a9e2927c30080bc87d45dbdc4c02". Notice the prefix, but the regex I suggested is not working on my machine. Sorry, not so well versed in Golang.
Here is the regex from gitleaks: https://github.com/zricethezav/gitleaks/blob/e35cb6707a97beb6d9495bceffec351d182c3c88/cmd/generate/config/rules/readme.go
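As an added example (not code from this PR or from trufflehog), the stand-alone Go program below imitates the readme detector's pattern to show two points raised in this thread: why a `\b` placed directly after the `rdme_` keyword never matches, and how to keep the legacy 32-character pattern alongside the new `rdme_` + 70-character format, as the review asked. `prefixRegex` here is an assumed approximation of `detectors.PrefixRegex`, not the real helper, and both sample keys are constructed values, not real credentials.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// prefixRegex is an assumed stand-in for detectors.PrefixRegex (not the real
// helper): a case-insensitive keyword, then up to 40 arbitrary characters
// (matched lazily) before the secret itself.
func prefixRegex(keywords string) string {
	return `(?i)(?:` + keywords + `)(?:.|[\n\r]){0,40}?`
}

// brokenNewPat mirrors the pattern proposed in this PR. The `\b` between the
// `rdme_` keyword and the key body can never be satisfied: `_` and the first
// key character are both word characters, so no word/non-word boundary exists.
var brokenNewPat = regexp.MustCompile(prefixRegex("rdme_") + `\b([a-z0-9]{70})\b`)

// legacyPat is the pre-PR pattern: keyword "readme" nearby, then a 32-char token.
var legacyPat = regexp.MustCompile(prefixRegex("readme") + `\b([a-zA-Z0-9_]{32})\b`)

// newPat matches the post-rotation format. The prefix is inside the capture
// group, so the whole key (prefix included) is what a verifier would send.
// The prefix is itself the keyword, so no separate prefix regex is needed.
var newPat = regexp.MustCompile(`\b(rdme_[a-z0-9]{70})\b`)

// findReadmeKeys returns every candidate key in data, new format first.
func findReadmeKeys(data string) []string {
	var keys []string
	for _, pat := range []*regexp.Regexp{newPat, legacyPat} {
		for _, m := range pat.FindAllStringSubmatch(data, -1) {
			keys = append(keys, m[1])
		}
	}
	return keys
}

// brokenMatches reports how many keys the proposed pattern finds in data.
func brokenMatches(data string) int {
	return len(brokenNewPat.FindAllStringSubmatch(data, -1))
}

// Constructed sample input with one key of each format; the values are made up.
var (
	newKey    = "rdme_" + strings.Repeat("0123456789", 7) // 5 + 70 chars
	legacyKey = "0123456789abcdef0123456789abcdef"        // 32 chars
	sample    = "README_API_KEY=" + newKey + "\nreadme_token: " + legacyKey + "\n"
)

func main() {
	fmt.Println("proposed pattern matches:", brokenMatches(sample))
	for _, k := range findReadmeKeys(sample) {
		fmt.Println("found:", k)
	}
}
```

Running it prints zero matches for the proposed pattern and both constructed keys for the combined approach; swapping the two patterns for a single alternation inside one capture group would also work, as long as the `rdme_` prefix stays inside the group.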
They had a security incident, so they rotated all their keys and introduced a new version of the keys.
Was able to fix the regex, but the verifier is still not verifying the result.
LGTM, thanks for the contribution and the additional context around the Readme leak. Really appreciate it 😄
Still, the verifier is failing. I troubleshot the response from the detector and it's showing 403, which is access denied. An expired/wrong API key would give a 401 response and not 403.
Okay, so I looked into this and seem to have found the solution. Looks to be their API does not work with our
pkg/detectors/readme/readme.go
Outdated
@@ -20,13 +19,13 @@ var ( | |||
client = common.SaneHttpClient() |
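Review bot: the only visible line of this hunk is `client = common.SaneHttpClient()`; if it is swapped for `http.DefaultClient` as the review suggests, the verification request runs with no timeout at all, since `http.DefaultClient` sets none, so a hung endpoint would stall the scan. Prefer keeping a client with a timeout and pinning down which of the custom client's settings the API actually rejects before dropping them.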
suggestion: Try to use the default client here, http.DefaultClient. I think this will resolve the 403. I'm not entirely sure why their API does not allow for our custom client, given it only includes some timeouts and keep-alives, but that seems to be the issue.
The tester seems to be working fine with the new DefaultClient code.