#clojars
2024-02-07
tcrawley 12:02:06

Interesting. It looks like this sends the token to the corresponding partner, and asks if it is a valid token. But it's not clear to me why the token would not already be considered leaked since it is in a repo? Or is the secret scanning more nuanced than that?

danielcompton 09:02:49

I think the idea is that it can help teams prioritise leaked tokens in private repos

danielcompton 09:02:34

So if someone has published an AWS key in a private repo, the secret scanning can check it to say whether the key is valid or not, so then the security team can prioritise/deprioritise fixing it

danielcompton 09:02:08

I think it only comes into play for private repo scanning. On a public repo it would be considered leaked and then revoked automatically by the partner

tcrawley 12:02:38

I think it would just be:

modified   src/clojars/routes/token_breach.clj
@@ -36,25 +36,35 @@
                   (base64/decode key-sig)
                   {:key key :alg :ecdsa+sha256}))))
 
-;; - make emails async
 ;; - add timing logs
 
+(defn- token-response
+  [{:keys [token type]} found?]
+  {:token_raw  token
+   :token_type type
+   :label      (if found? "true_positive" "false_positive")})
+
+(defn- check-token
+  [db event-emitter {:as token-data :keys [token url]}]
+  (if-some [{:as db-token :keys [id disabled user_id]}
+            (db/find-token-by-value db token)]
+    (do
+      (when (not disabled)
+        (db/disable-deploy-token db id))
+      (event/emit event-emitter :token-breached
+                  {:user-id         user_id
+                   :token-disabled? disabled
+                   :token-name      (:name db-token)
+                   :commit-url      url})
+      (token-response token-data true))
+    (token-response token-data false)))
+
 (defn- handle-github-token-breach
   [db event-emitter {:as _request :keys [headers body]}]
   (let [body-str (slurp body)]
     (if (valid-github-request? headers body-str)
       (let [data (json/parse-string body-str true)]
-        (doseq [{:keys [token url]} data]
-          (when-let [{:as db-token :keys [id disabled user_id]}
-                     (db/find-token-by-value db token)]
-            (when (not disabled)
-              (db/disable-deploy-token db id))
-            (event/emit event-emitter :token-breached
-                        {:user-id user_id
-                         :token-disabled? disabled
-                         :token-name (:name db-token)
-                         :commit-url url})))
-        (response/status 200))
+        (response/response (mapv (partial check-token db event-emitter) data)))
       (response/status 422))))
 
 (defn routes [db event-emitter]
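Review bot: the new `(response/response (mapv (partial check-token db event-emitter) data))` puts a Clojure vector of maps straight into the response body, so the partner will only receive the expected JSON array (`token_raw`, `token_type`, `label` per element) if a JSON-encoding middleware wraps this route; otherwise serialize explicitly, e.g. `(response/content-type (response/response (json/generate-string results)) "application/json")`, mirroring the `json/parse-string` already used on the request side. Also note that `check-token` emits `:token-breached` even when `disabled` is already true, so an already-revoked token reported again will produce a second breach notification; if that is not wanted, guard the `event/emit` on `(not disabled)` as the `db/disable-deploy-token` call is. Minor: `(when (not disabled) ...)` reads more idiomatically as `(when-not disabled ...)`.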

tcrawley 14:02:28

This change has been deployed and I've notified GitHub.