fixed sentry auth token detector #3827
Conversation
|
|
||
| return isVerified, err | ||
| // if response contain the forbiddenError message it means the token is active but does not have the right scope for this API call | ||
| if strings.Contains(fmt.Sprintf("%v", responseBody), forbiddenError) { |
There was a problem hiding this comment.
In case the token is Active and does not have the org:<> scope the API returns 403 with a specific error message. In case token is removed the API return 401
| func TestSentryToken_FromChunk(t *testing.T) { | ||
| ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) | ||
| defer cancel() | ||
| testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors3") |
There was a problem hiding this comment.
detectors3 vault limit is full
| wantVerificationErr: true, | ||
| }, | ||
| { | ||
| name: "found, good key but wrong scope", |
There was a problem hiding this comment.
Removed some tests which are not necessary.
kashifkhan0771
force-pushed
the
fix/github-issue-3575
branch
from
52dc3cb to
b5ed85a
Compare
|
|
||
| var ( | ||
| // Make sure that your group is surrounded in boundary characters such as below to reduce false positives. | ||
| keyPat = regexp.MustCompile(`\b(sntryu_[a-f0-9]{64})\b`) |
There was a problem hiding this comment.
It looks like this is missing sntrys_ tokens mentioned in #3575.
There was a problem hiding this comment.
That is the Sentry ORG token pattern. Organization auth tokens have a limited set of scopes and lack access to many APIs. These tokens are primarily used for sentry-cli operations; you can find more details here. If needed, I’d recommend creating a separate detector specifically for ORG tokens.
There was a problem hiding this comment.
Regardless, it was explicitly mentioned in #3575. Either the issue should be re-opened until it's added, or it should be updated with a rationale why only one was added.
There was a problem hiding this comment.
From the docs: Organization Auth Tokens can be used in many places to interact with Sentry programatically. For example, they can be used for sentry-cli, bundler plugins or similar uses cases.
I will add this in issue comments as well.
There was a problem hiding this comment.
That doesn't really say why it isn't worth detecting, though.
There was a problem hiding this comment.
We can detect them but my point is how do we verify them? The organization auth token are used in sentry-cli for mainly two purposes:
- Uploading source maps: The SolidStart guide shows an example of using an organization auth token to upload source maps using the sentrySolidStartVite plugin.
- CI/CD environments: Organization auth tokens are recommended for use in CI/CD environments, as mentioned in the SolidStart guide.
Note: This information is provided by Sentry AI Docs
There was a problem hiding this comment.
I should clarify that Sentry Organization Auth Tokens could still potentially expose sensitive information if misused. I'm not too sure how to verify it, I mean it can be verified with a simple request to the sentry API, but I don't know if it will be a detailed verification. Add this token for sure, it can have access to sensitive informations and write permission.
Some companies are using it and they can expose it accidentally.
There was a problem hiding this comment.
@dsekz I mentioned earlier in the issue that for sntrys tokens a separate detector would be required and some additional effort to know how we can verify them. I created a ticket in our backlog for a new detector.
Co-authored-by: Richard Gomez <[email protected]>
kashifkhan0771
force-pushed
the
fix/github-issue-3575
branch
from
921417d to
476f8da
Compare
4 participants
Description:
This Pull request fixes github issue #3575
Checklist:
make test-community)?make lintthis requires golangci-lint)?