mirror of
https://github.com/github/codeql-action.git
synced 2026-04-26 08:48:46 +00:00
Add isAuthToken function, with tests
This commit is contained in:
Michael B. Gale
Generated
+10
-8
@@ -125447,15 +125447,17 @@ var fs5 = __toESM(require("fs"));
|
||||
var os = __toESM(require("os"));
|
||||
var path5 = __toESM(require("path"));
|
||||
var exec = __toESM(require_exec());
|
||||
var GITHUB_PAT_CLASSIC_PATTERN = {
|
||||
type: "Personal Access Token (Classic)" /* PersonalAccessClassic */,
|
||||
pattern: /\bghp_[a-zA-Z0-9]{36}\b/g
|
||||
};
|
||||
var GITHUB_PAT_FINE_GRAINED_PATTERN = {
|
||||
type: "Personal Access Token (Fine-grained)" /* PersonalAccessFineGrained */,
|
||||
pattern: /\bgithub_pat_[a-zA-Z0-9_]+\b/g
|
||||
};
|
||||
var GITHUB_TOKEN_PATTERNS = [
|
||||
{
|
||||
type: "Personal Access Token (Classic)" /* PersonalAccessClassic */,
|
||||
pattern: /\bghp_[a-zA-Z0-9]{36}\b/g
|
||||
},
|
||||
{
|
||||
type: "Personal Access Token (Fine-grained)" /* PersonalAccessFineGrained */,
|
||||
pattern: /\bgithub_pat_[a-zA-Z0-9_]+\b/g
|
||||
},
|
||||
GITHUB_PAT_CLASSIC_PATTERN,
|
||||
GITHUB_PAT_FINE_GRAINED_PATTERN,
|
||||
{
|
||||
type: "OAuth Access Token" /* OAuth */,
|
||||
pattern: /\bgho_[a-zA-Z0-9]{36}\b/g
|
||||
|
||||
Generated
+10
-8
@@ -130109,15 +130109,17 @@ var fs12 = __toESM(require("fs"));
|
||||
var os2 = __toESM(require("os"));
|
||||
var path11 = __toESM(require("path"));
|
||||
var exec = __toESM(require_exec());
|
||||
var GITHUB_PAT_CLASSIC_PATTERN = {
|
||||
type: "Personal Access Token (Classic)" /* PersonalAccessClassic */,
|
||||
pattern: /\bghp_[a-zA-Z0-9]{36}\b/g
|
||||
};
|
||||
var GITHUB_PAT_FINE_GRAINED_PATTERN = {
|
||||
type: "Personal Access Token (Fine-grained)" /* PersonalAccessFineGrained */,
|
||||
pattern: /\bgithub_pat_[a-zA-Z0-9_]+\b/g
|
||||
};
|
||||
var GITHUB_TOKEN_PATTERNS = [
|
||||
{
|
||||
type: "Personal Access Token (Classic)" /* PersonalAccessClassic */,
|
||||
pattern: /\bghp_[a-zA-Z0-9]{36}\b/g
|
||||
},
|
||||
{
|
||||
type: "Personal Access Token (Fine-grained)" /* PersonalAccessFineGrained */,
|
||||
pattern: /\bgithub_pat_[a-zA-Z0-9_]+\b/g
|
||||
},
|
||||
GITHUB_PAT_CLASSIC_PATTERN,
|
||||
GITHUB_PAT_FINE_GRAINED_PATTERN,
|
||||
{
|
||||
type: "OAuth Access Token" /* OAuth */,
|
||||
pattern: /\bgho_[a-zA-Z0-9]{36}\b/g
|
||||
|
||||
Generated
+10
-8
@@ -124387,15 +124387,17 @@ var fs2 = __toESM(require("fs"));
|
||||
var os = __toESM(require("os"));
|
||||
var path2 = __toESM(require("path"));
|
||||
var exec = __toESM(require_exec());
|
||||
var GITHUB_PAT_CLASSIC_PATTERN = {
|
||||
type: "Personal Access Token (Classic)" /* PersonalAccessClassic */,
|
||||
pattern: /\bghp_[a-zA-Z0-9]{36}\b/g
|
||||
};
|
||||
var GITHUB_PAT_FINE_GRAINED_PATTERN = {
|
||||
type: "Personal Access Token (Fine-grained)" /* PersonalAccessFineGrained */,
|
||||
pattern: /\bgithub_pat_[a-zA-Z0-9_]+\b/g
|
||||
};
|
||||
var GITHUB_TOKEN_PATTERNS = [
|
||||
{
|
||||
type: "Personal Access Token (Classic)" /* PersonalAccessClassic */,
|
||||
pattern: /\bghp_[a-zA-Z0-9]{36}\b/g
|
||||
},
|
||||
{
|
||||
type: "Personal Access Token (Fine-grained)" /* PersonalAccessFineGrained */,
|
||||
pattern: /\bgithub_pat_[a-zA-Z0-9_]+\b/g
|
||||
},
|
||||
GITHUB_PAT_CLASSIC_PATTERN,
|
||||
GITHUB_PAT_FINE_GRAINED_PATTERN,
|
||||
{
|
||||
type: "OAuth Access Token" /* OAuth */,
|
||||
pattern: /\bgho_[a-zA-Z0-9]{36}\b/g
|
||||
|
||||
Generated
+10
-8
@@ -124372,15 +124372,17 @@ var fs = __toESM(require("fs"));
|
||||
var os = __toESM(require("os"));
|
||||
var path = __toESM(require("path"));
|
||||
var exec = __toESM(require_exec());
|
||||
var GITHUB_PAT_CLASSIC_PATTERN = {
|
||||
type: "Personal Access Token (Classic)" /* PersonalAccessClassic */,
|
||||
pattern: /\bghp_[a-zA-Z0-9]{36}\b/g
|
||||
};
|
||||
var GITHUB_PAT_FINE_GRAINED_PATTERN = {
|
||||
type: "Personal Access Token (Fine-grained)" /* PersonalAccessFineGrained */,
|
||||
pattern: /\bgithub_pat_[a-zA-Z0-9_]+\b/g
|
||||
};
|
||||
var GITHUB_TOKEN_PATTERNS = [
|
||||
{
|
||||
type: "Personal Access Token (Classic)" /* PersonalAccessClassic */,
|
||||
pattern: /\bghp_[a-zA-Z0-9]{36}\b/g
|
||||
},
|
||||
{
|
||||
type: "Personal Access Token (Fine-grained)" /* PersonalAccessFineGrained */,
|
||||
pattern: /\bgithub_pat_[a-zA-Z0-9_]+\b/g
|
||||
},
|
||||
GITHUB_PAT_CLASSIC_PATTERN,
|
||||
GITHUB_PAT_FINE_GRAINED_PATTERN,
|
||||
{
|
||||
type: "OAuth Access Token" /* OAuth */,
|
||||
pattern: /\bgho_[a-zA-Z0-9]{36}\b/g
|
||||
|
||||
@@ -4,7 +4,12 @@ import * as path from "path";
|
||||
|
||||
import test from "ava";
|
||||
|
||||
import { scanArtifactsForTokens, TokenType } from "./artifact-scanner";
|
||||
import {
|
||||
GITHUB_PAT_CLASSIC_PATTERN,
|
||||
isAuthToken,
|
||||
scanArtifactsForTokens,
|
||||
TokenType,
|
||||
} from "./artifact-scanner";
|
||||
import { getRunnerLogger } from "./logging";
|
||||
import {
|
||||
checkExpectedLogMessages,
|
||||
@@ -23,6 +28,36 @@ test("makeTestToken", (t) => {
|
||||
t.is(makeTestToken(255).length, 255);
|
||||
});
|
||||
|
||||
test("isAuthToken", (t) => {
|
||||
// Undefined for strings that aren't tokens
|
||||
t.is(isAuthToken("some string"), undefined);
|
||||
t.is(isAuthToken("ghp_"), undefined);
|
||||
t.is(isAuthToken("ghp_123"), undefined);
|
||||
|
||||
// Token types for strings that are tokens.
|
||||
t.is(isAuthToken(`ghp_${makeTestToken()}`), TokenType.PersonalAccessClassic);
|
||||
t.is(
|
||||
isAuthToken(`ghs_${makeTestToken(255)}`),
|
||||
TokenType.AppInstallationAccess,
|
||||
);
|
||||
t.is(
|
||||
isAuthToken(`github_pat_${makeTestToken(22)}_${makeTestToken(59)}`),
|
||||
TokenType.PersonalAccessFineGrained,
|
||||
);
|
||||
|
||||
// With a custom pattern set
|
||||
t.is(
|
||||
isAuthToken(`ghp_${makeTestToken()}`, [GITHUB_PAT_CLASSIC_PATTERN]),
|
||||
TokenType.PersonalAccessClassic,
|
||||
);
|
||||
t.is(
|
||||
isAuthToken(`github_pat_${makeTestToken(22)}_${makeTestToken(59)}`, [
|
||||
GITHUB_PAT_CLASSIC_PATTERN,
|
||||
]),
|
||||
undefined,
|
||||
);
|
||||
});
|
||||
|
||||
const testTokens = [
|
||||
{
|
||||
type: TokenType.PersonalAccessClassic,
|
||||
|
||||
+32
-8
@@ -26,19 +26,25 @@ export interface TokenPattern {
|
||||
pattern: RegExp;
|
||||
}
|
||||
|
||||
/** The pattern for PATs (Classic) */
|
||||
export const GITHUB_PAT_CLASSIC_PATTERN: TokenPattern = {
|
||||
type: TokenType.PersonalAccessClassic,
|
||||
pattern: /\bghp_[a-zA-Z0-9]{36}\b/g,
|
||||
};
|
||||
|
||||
/** The pattern for PATs (Fine-grained) */
|
||||
export const GITHUB_PAT_FINE_GRAINED_PATTERN: TokenPattern = {
|
||||
type: TokenType.PersonalAccessFineGrained,
|
||||
pattern: /\bgithub_pat_[a-zA-Z0-9_]+\b/g,
|
||||
};
|
||||
|
||||
/**
|
||||
* GitHub token patterns to scan for.
|
||||
* These patterns match various GitHub token formats.
|
||||
*/
|
||||
const GITHUB_TOKEN_PATTERNS: TokenPattern[] = [
|
||||
{
|
||||
type: TokenType.PersonalAccessClassic,
|
||||
pattern: /\bghp_[a-zA-Z0-9]{36}\b/g,
|
||||
},
|
||||
{
|
||||
type: TokenType.PersonalAccessFineGrained,
|
||||
pattern: /\bgithub_pat_[a-zA-Z0-9_]+\b/g,
|
||||
},
|
||||
GITHUB_PAT_CLASSIC_PATTERN,
|
||||
GITHUB_PAT_FINE_GRAINED_PATTERN,
|
||||
{
|
||||
type: TokenType.OAuth,
|
||||
pattern: /\bgho_[a-zA-Z0-9]{36}\b/g,
|
||||
@@ -71,6 +77,24 @@ interface ScanResult {
|
||||
findings: TokenFinding[];
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks whether `value` matches any token `patterns`.
|
||||
* @param value The value to match against.
|
||||
* @param patterns The patterns to check.
|
||||
* @returns The type of the first matching pattern, or `undefined` if none match.
|
||||
*/
|
||||
export function isAuthToken(
|
||||
value: string,
|
||||
patterns: TokenPattern[] = GITHUB_TOKEN_PATTERNS,
|
||||
) {
|
||||
for (const { type, pattern } of patterns) {
|
||||
if (pattern.test(value)) {
|
||||
return type;
|
||||
}
|
||||
}
|
||||
return undefined;
|
||||
}
|
||||
|
||||
/**
|
||||
* Scans a file for GitHub tokens.
|
||||
*
|
||||
|
||||
Reference in New Issue
Block a user