Merge branch 'main' into refactor-return-errors

ahrav 2024-08-02 14:46:56 -07:00 committed by GitHub
commit aff599f205
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 463 additions and 446 deletions


@ -301,6 +301,20 @@ trufflehog elasticsearch \
--api-key 'MlVtVjBZ...ZSYlduYnF1djh3NG5FQQ=='
```
## 15. Scan a GitHub Repository for Cross Fork Object References and Deleted Commits
The following command will enumerate deleted and hidden commits on a GitHub repository and then scan them for secrets. This is an alpha release feature.
```bash
trufflehog github-experimental --repo https://github.com/<USER>/<REPO>.git --object-discovery
```
In addition to the normal TruffleHog output, the `--object-discovery` flag creates two files in a new `$HOME/.trufflehog` directory: `valid_hidden.txt` and `invalid.txt`. These are used to track state during commit enumeration, as well as to provide users with a complete list of all hidden and deleted commits (`valid_hidden.txt`). If you'd like to automatically remove these files after scanning, please add the flag `--delete-cached-data`.
**Note**: Enumerating all valid commits on a repository using this method takes between 20 minutes and a few hours, depending on the size of your repository. We added a progress bar to keep you updated on how long the enumeration will take. The actual secret scanning runs extremely fast.
For more information on Cross Fork Object References, please [read our blog post](https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github).
# :question: FAQ
- All I see is `🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷` and the program exits, what gives?

4
go.mod

@ -65,6 +65,7 @@ require (
github.com/joho/godotenv v1.5.1
github.com/jpillora/overseer v1.1.6
github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213
github.com/klauspost/pgzip v1.2.6
github.com/kylelemons/godebug v1.1.0
github.com/lib/pq v1.10.9
github.com/lrstanley/bubblezone v0.0.0-20240125042004-b7bafc493195
@ -80,7 +81,7 @@ require (
github.com/prometheus/client_golang v1.19.1
github.com/rabbitmq/amqp091-go v1.10.0
github.com/sassoftware/go-rpmutils v0.4.0
github.com/schollz/progressbar/v3 v3.14.5
github.com/schollz/progressbar/v3 v3.14.6
github.com/sendgrid/sendgrid-go v3.14.0+incompatible
github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3
github.com/shuheiktgw/go-travis v0.3.1
@ -229,7 +230,6 @@ require (
github.com/kjk/lzma v0.0.0-20161016003348-3fd93898850d // indirect
github.com/klauspost/compress v1.17.9 // indirect
github.com/klauspost/cpuid/v2 v2.2.5 // indirect
github.com/klauspost/pgzip v1.2.6 // indirect
github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
github.com/magiconair/properties v1.8.7 // indirect

2
go.sum

@ -669,6 +669,8 @@ github.com/sassoftware/go-rpmutils v0.4.0 h1:ojND82NYBxgwrV+mX1CWsd5QJvvEZTKddtC
github.com/sassoftware/go-rpmutils v0.4.0/go.mod h1:3goNWi7PGAT3/dlql2lv3+MSN5jNYPjT5mVcQcIsYzI=
github.com/schollz/progressbar/v3 v3.14.5 h1:97RrSxbBASxQuZN9yemnyGrFZ/swnG6IrEe2R0BseX8=
github.com/schollz/progressbar/v3 v3.14.5/go.mod h1:Nrzpuw3Nl0srLY0VlTvC4V6RL50pcEymjy6qyJAaLa0=
github.com/schollz/progressbar/v3 v3.14.6 h1:GyjwcWBAf+GFDMLziwerKvpuS7ZF+mNTAXIB2aspiZs=
github.com/schollz/progressbar/v3 v3.14.6/go.mod h1:Nrzpuw3Nl0srLY0VlTvC4V6RL50pcEymjy6qyJAaLa0=
github.com/sendgrid/rest v2.6.9+incompatible h1:1EyIcsNdn9KIisLW50MKwmSRSK+ekueiEMJ7NEoxJo0=
github.com/sendgrid/rest v2.6.9+incompatible/go.mod h1:kXX7q3jZtJXK5c5qK83bSGMdV6tsOE70KbHoqJls4lE=
github.com/sendgrid/sendgrid-go v3.14.0+incompatible h1:KDSasSTktAqMJCYClHVE94Fcif2i7P7wzISv1sU6DUA=


@ -6,7 +6,7 @@ import "errors"
type Permission int
const (
NoAccess Permission = iota
Invalid Permission = iota
Repo Permission = iota
RepoStatus Permission = iota
RepoDeployment Permission = iota
@ -161,105 +161,105 @@ var (
}
PermissionIDs = map[Permission]int{
Repo: 0,
RepoStatus: 1,
RepoDeployment: 2,
PublicRepo: 3,
RepoInvite: 4,
SecurityEvents: 5,
Workflow: 6,
WritePackages: 7,
ReadPackages: 8,
DeletePackages: 9,
AdminOrg: 10,
WriteOrg: 11,
ReadOrg: 12,
ManageRunnersOrg: 13,
AdminPublicKey: 14,
WritePublicKey: 15,
ReadPublicKey: 16,
AdminRepoHook: 17,
WriteRepoHook: 18,
ReadRepoHook: 19,
AdminOrgHook: 20,
Gist: 21,
Notifications: 22,
User: 23,
ReadUser: 24,
UserEmail: 25,
UserFollow: 26,
DeleteRepo: 27,
WriteDiscussion: 28,
ReadDiscussion: 29,
AdminEnterprise: 30,
ManageRunnersEnterprise: 31,
ManageBillingEnterprise: 32,
ReadEnterprise: 33,
AuditLog: 34,
ReadAuditLog: 35,
Codespace: 36,
CodespaceSecrets: 37,
Copilot: 38,
ManageBillingCopilot: 39,
Project: 40,
ReadProject: 41,
AdminGpgKey: 42,
WriteGpgKey: 43,
ReadGpgKey: 44,
AdminSshSigningKey: 45,
WriteSshSigningKey: 46,
ReadSshSigningKey: 47,
Repo: 1,
RepoStatus: 2,
RepoDeployment: 3,
PublicRepo: 4,
RepoInvite: 5,
SecurityEvents: 6,
Workflow: 7,
WritePackages: 8,
ReadPackages: 9,
DeletePackages: 10,
AdminOrg: 11,
WriteOrg: 12,
ReadOrg: 13,
ManageRunnersOrg: 14,
AdminPublicKey: 15,
WritePublicKey: 16,
ReadPublicKey: 17,
AdminRepoHook: 18,
WriteRepoHook: 19,
ReadRepoHook: 20,
AdminOrgHook: 21,
Gist: 22,
Notifications: 23,
User: 24,
ReadUser: 25,
UserEmail: 26,
UserFollow: 27,
DeleteRepo: 28,
WriteDiscussion: 29,
ReadDiscussion: 30,
AdminEnterprise: 31,
ManageRunnersEnterprise: 32,
ManageBillingEnterprise: 33,
ReadEnterprise: 34,
AuditLog: 35,
ReadAuditLog: 36,
Codespace: 37,
CodespaceSecrets: 38,
Copilot: 39,
ManageBillingCopilot: 40,
Project: 41,
ReadProject: 42,
AdminGpgKey: 43,
WriteGpgKey: 44,
ReadGpgKey: 45,
AdminSshSigningKey: 46,
WriteSshSigningKey: 47,
ReadSshSigningKey: 48,
}
IdToPermission = map[int]Permission{
0: Repo,
1: RepoStatus,
2: RepoDeployment,
3: PublicRepo,
4: RepoInvite,
5: SecurityEvents,
6: Workflow,
7: WritePackages,
8: ReadPackages,
9: DeletePackages,
10: AdminOrg,
11: WriteOrg,
12: ReadOrg,
13: ManageRunnersOrg,
14: AdminPublicKey,
15: WritePublicKey,
16: ReadPublicKey,
17: AdminRepoHook,
18: WriteRepoHook,
19: ReadRepoHook,
20: AdminOrgHook,
21: Gist,
22: Notifications,
23: User,
24: ReadUser,
25: UserEmail,
26: UserFollow,
27: DeleteRepo,
28: WriteDiscussion,
29: ReadDiscussion,
30: AdminEnterprise,
31: ManageRunnersEnterprise,
32: ManageBillingEnterprise,
33: ReadEnterprise,
34: AuditLog,
35: ReadAuditLog,
36: Codespace,
37: CodespaceSecrets,
38: Copilot,
39: ManageBillingCopilot,
40: Project,
41: ReadProject,
42: AdminGpgKey,
43: WriteGpgKey,
44: ReadGpgKey,
45: AdminSshSigningKey,
46: WriteSshSigningKey,
47: ReadSshSigningKey,
1: Repo,
2: RepoStatus,
3: RepoDeployment,
4: PublicRepo,
5: RepoInvite,
6: SecurityEvents,
7: Workflow,
8: WritePackages,
9: ReadPackages,
10: DeletePackages,
11: AdminOrg,
12: WriteOrg,
13: ReadOrg,
14: ManageRunnersOrg,
15: AdminPublicKey,
16: WritePublicKey,
17: ReadPublicKey,
18: AdminRepoHook,
19: WriteRepoHook,
20: ReadRepoHook,
21: AdminOrgHook,
22: Gist,
23: Notifications,
24: User,
25: ReadUser,
26: UserEmail,
27: UserFollow,
28: DeleteRepo,
29: WriteDiscussion,
30: ReadDiscussion,
31: AdminEnterprise,
32: ManageRunnersEnterprise,
33: ManageBillingEnterprise,
34: ReadEnterprise,
35: AuditLog,
36: ReadAuditLog,
37: Codespace,
38: CodespaceSecrets,
39: Copilot,
40: ManageBillingCopilot,
41: Project,
42: ReadProject,
43: AdminGpgKey,
44: WriteGpgKey,
45: ReadGpgKey,
46: AdminSshSigningKey,
47: WriteSshSigningKey,
48: ReadSshSigningKey,
}
)
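Review bot: After the renumbering, ID 0 no longer appears in `PermissionIDs` or `IdToPermission`, and nothing on the new side says that this is deliberate or that `Invalid` (first in the `iota` block) is the zero value a missed `IdToPermission` lookup returns. A short comment on the constant would record it, e.g. `// Invalid is the zero Permission; ID 0 is reserved for it and is never a key in IdToPermission.` Every ID also shifts by one, so any caller that stored or compared the old numeric IDs would now resolve them to a different permission; whether such a caller exists is not visible in this section. The two maps are still hand-written inverses of each other, so a table test asserting `IdToPermission[PermissionIDs[p]] == p` for every entry would catch a mismatched pair.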


@ -28,7 +28,7 @@ const (
RANDOM_INTEGER = 4294967289
)
var ErrNoAccess = errors.New("no access")
var ErrInvalid = errors.New("invalid")
var repoPermFuncMap = []func(client *gh.Client, repo *gh.Repository, access string) (Permission, error){
getActionsPermission,
@ -108,12 +108,12 @@ func permissionFormatter(key, val any) (string, string) {
}
func notImplementedRepoPerm(client *gh.Client, repo *gh.Repository, currentAccess string) (Permission, error) {
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
}
// notImplementedAcctPerm is a placeholder function that returns a "NOT_IMPLEMENTED" status when a GitHub account permission is not yet implemented.
func notImplementedAcctPerm(client *gh.Client, user *gh.User) (Permission, error) {
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
}
func getMetadataPermission(client *gh.Client, repo *gh.Repository, currentAccess string) (Permission, error) {
@ -122,9 +122,9 @@ func getMetadataPermission(client *gh.Client, repo *gh.Repository, currentAccess
_, resp, err := client.Repositories.ListCollaborators(context.Background(), *repo.Owner.Login, *repo.Name, nil)
if err != nil {
if resp.StatusCode == 403 {
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
}
return NoAccess, err
return Invalid, err
}
// If no error, then we have read access
@ -138,11 +138,11 @@ func getActionsPermission(client *gh.Client, repo *gh.Repository, currentAccess
_, resp, err := client.Actions.ListArtifacts(context.Background(), *repo.Owner.Login, *repo.Name, nil)
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Very, very low.
@ -158,12 +158,12 @@ func getActionsPermission(client *gh.Client, repo *gh.Repository, currentAccess
log.Fatal("This shouldn't print. We are enabling a workflow based on a random string " + RANDOM_STRING + ", which most likely doesn't exist.")
return ActionsWrite, nil
default:
return NoAccess, err
return Invalid, err
}
} else {
// Will only land here if already tested one public repo and got a 403.
if currentAccess == "UNKNOWN" {
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
}
// Risk: Very, very low.
// -> Unless the user has a workflow file named (see RANDOM_STRING above), this will always return 404 for users with READ_WRITE permissions.
@ -171,14 +171,14 @@ func getActionsPermission(client *gh.Client, repo *gh.Repository, currentAccess
resp, err := client.Actions.CreateWorkflowDispatchEventByFileName(context.Background(), *repo.Owner.Login, *repo.Name, RANDOM_STRING, gh.CreateWorkflowDispatchEventRequest{})
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 404:
return ActionsWrite, nil
case 200:
log.Fatal("This shouldn't print. We are enabling a workflow based on a random string " + RANDOM_STRING + ", which most likely doesn't exist.")
return ActionsWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
}
@ -191,18 +191,18 @@ func getAdministrationPermission(client *gh.Client, repo *gh.Repository, current
_, resp, err := client.Repositories.GetActionsPermissions(context.Background(), *repo.Owner.Login, *repo.Name)
switch resp.StatusCode {
case 403, 404:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Extremely Low
// -> GET request to /repos/{owner}/{repo}/rulesets/rule-suites
req, err := client.NewRequest("GET", "https://api.github.com/repos/"+*repo.Owner.Login+"/"+*repo.Name+"/rulesets/rule-suites", nil)
if err != nil {
return NoAccess, err
return Invalid, err
}
resp, err = client.Do(context.Background(), req, nil)
switch resp.StatusCode {
@ -211,7 +211,7 @@ func getAdministrationPermission(client *gh.Client, repo *gh.Repository, current
case 200:
return AdministrationWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -220,7 +220,7 @@ func getCodeScanningAlertsPermission(client *gh.Client, repo *gh.Repository, cur
// -> GET request to /repos/{owner}/{repo}/code-scanning/alerts
_, resp, err := client.CodeScanning.ListAlertsForRepo(context.Background(), *repo.Owner.Login, *repo.Name, nil)
if err != nil {
return NoAccess, err
return Invalid, err
}
defer resp.Body.Close()
@ -231,18 +231,18 @@ func getCodeScanningAlertsPermission(client *gh.Client, repo *gh.Repository, cur
body := string(bodyBytes)
if strings.Contains(body, "Code scanning is not enabled for this repository") {
return NoAccess, errors.New("code scanning is not enabled")
return Invalid, errors.New("code scanning is not enabled")
}
switch {
case resp.StatusCode == 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case resp.StatusCode == 404:
break
case resp.StatusCode >= 200 && resp.StatusCode <= 299:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Very Low
@ -258,7 +258,7 @@ func getCodeScanningAlertsPermission(client *gh.Client, repo *gh.Repository, cur
log.Fatal("This should never happen. We are updating an alert with nil which should be an invalid request.")
return CodeScanningAlertsWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -268,18 +268,18 @@ func getCodespacesPermission(client *gh.Client, repo *gh.Repository, currentAcce
_, resp, err := client.Codespaces.ListInRepo(context.Background(), *repo.Owner.Login, *repo.Name, nil)
switch resp.StatusCode {
case 403, 404:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Extremely Low
// GET request to /repos/{owner}/{repo}/codespaces/permissions_check
req, err := client.NewRequest("GET", "https://api.github.com/repos/"+*repo.Owner.Login+"/"+*repo.Name+"/codespaces/permissions_check", nil)
if err != nil {
return NoAccess, err
return Invalid, err
}
resp, err = client.Do(context.Background(), req, nil)
switch resp.StatusCode {
@ -290,7 +290,7 @@ func getCodespacesPermission(client *gh.Client, repo *gh.Repository, currentAcce
case 200:
return CodespacesWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -299,16 +299,16 @@ func getCodespacesMetadataPermission(client *gh.Client, repo *gh.Repository, cur
// GET request to /repos/{owner}/{repo}/codespaces/machines
req, err := client.NewRequest("GET", "https://api.github.com/repos/"+*repo.Owner.Login+"/"+*repo.Name+"/codespaces/machines", nil)
if err != nil {
return NoAccess, err
return Invalid, err
}
resp, err := client.Do(context.Background(), req, nil)
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
return CodespacesMetadataRead, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -318,13 +318,13 @@ func getCodespacesSecretsPermission(client *gh.Client, repo *gh.Repository, curr
_, resp, err := client.Codespaces.GetRepoSecret(context.Background(), *repo.Owner.Login, *repo.Name, RANDOM_STRING)
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 404:
return CodespacesSecretsWrite, nil
case 200:
return CodespacesSecretsWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -339,11 +339,11 @@ func getCommitStatusesPermission(client *gh.Client, repo *gh.Repository, current
_, resp, err := client.Repositories.ListStatuses(context.Background(), *repo.Owner.Login, *repo.Name, RANDOM_STRING, nil)
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 404:
break
default:
return NoAccess, err
return Invalid, err
}
// At this point we have read access
@ -357,12 +357,12 @@ func getCommitStatusesPermission(client *gh.Client, repo *gh.Repository, current
case 422:
return CommitStatusesWrite, nil
default:
return NoAccess, err
return Invalid, err
}
} else {
// Will only land here if already tested one public repo and got a 403.
if currentAccess == "UNKNOWN" {
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
}
// Risk: Extremely Low
// -> We're POSTing a commit status to a commit that cannot exist. This should always return 422 if valid access.
@ -371,11 +371,11 @@ func getCommitStatusesPermission(client *gh.Client, repo *gh.Repository, current
switch resp.StatusCode {
case 403:
// All we know is we don't have READ_WRITE
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 422:
return CommitStatusesWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
}
@ -391,13 +391,13 @@ func getContentsPermission(client *gh.Client, repo *gh.Repository, currentAccess
_, resp, err := client.Repositories.ListCommits(context.Background(), *repo.Owner.Login, *repo.Name, &gh.CommitsListOptions{})
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
case 409:
break
default:
return NoAccess, err
return Invalid, err
}
// At this point we have read access
@ -414,12 +414,12 @@ func getContentsPermission(client *gh.Client, repo *gh.Repository, currentAccess
case 400, 422:
return ContentsWrite, nil
default:
return NoAccess, err
return Invalid, err
}
} else {
// Will only land here if already tested one public repo and got a 403.
if currentAccess == "UNKNOWN" {
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
}
// Risk: Low-Medium
// -> We're creating a file with an invalid payload. Worst case is a file with a random string and no content is created. But this should never happen.
@ -427,14 +427,14 @@ func getContentsPermission(client *gh.Client, repo *gh.Repository, currentAccess
_, resp, err := client.Repositories.CreateFile(context.Background(), *repo.Owner.Login, *repo.Name, RANDOM_STRING, &gh.RepositoryContentFileOptions{})
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
log.Fatal("This should never happen. We are creating a file with an invalid payload.")
return ContentsWrite, nil
case 400, 422:
return ContentsWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
}
@ -454,13 +454,13 @@ func getDependabotAlertsPermission(client *gh.Client, repo *gh.Repository, curre
body := string(bodyBytes)
if strings.Contains(body, "Dependabot alerts are disabled for this repository.") {
return NoAccess, errors.New("dependabot alerts are disabled")
return Invalid, errors.New("dependabot alerts are disabled")
}
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// PATCH /repos/{owner}/{repo}/dependabot/alerts/{alert_number}
@ -474,7 +474,7 @@ func getDependabotAlertsPermission(client *gh.Client, repo *gh.Repository, curre
log.Fatal("This should never happen. We are updating an alert with nil which should be an invalid request.")
return DependabotAlertsWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -484,11 +484,11 @@ func getDependabotSecretsPermission(client *gh.Client, repo *gh.Repository, curr
_, resp, err := client.Dependabot.ListRepoSecrets(context.Background(), *repo.Owner.Login, *repo.Name, &gh.ListOptions{})
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Very Low
@ -504,7 +504,7 @@ func getDependabotSecretsPermission(client *gh.Client, repo *gh.Repository, curr
log.Fatal("This should never happen. We are creating a secret with an invalid payload.")
return DependabotSecretsWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -514,11 +514,11 @@ func getDeploymentsPermission(client *gh.Client, repo *gh.Repository, currentAcc
_, resp, err := client.Repositories.ListDeployments(context.Background(), *repo.Owner.Login, *repo.Name, &gh.DeploymentsListOptions{})
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Very Low
@ -534,7 +534,7 @@ func getDeploymentsPermission(client *gh.Client, repo *gh.Repository, currentAcc
log.Fatal("This should never happen. We are creating a deployment with an invalid payload.")
return DeploymentsWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -543,11 +543,11 @@ func getEnvironmentsPermission(client *gh.Client, repo *gh.Repository, currentAc
// GET /repos/{owner}/{repo}/environments
envResp, resp, _ := client.Repositories.ListEnvironments(context.Background(), *repo.Owner.Login, *repo.Name, &gh.EnvironmentListOptions{})
if resp.StatusCode != 200 {
return NoAccess, errors.New("unknown status code")
return Invalid, errors.New("unknown status code")
}
// If no environments exist, then we return UNKNOWN
if len(envResp.Environments) == 0 {
return NoAccess, errors.New("no environments found")
return Invalid, errors.New("no environments found")
}
// Risk: Extremely Low
@ -555,11 +555,11 @@ func getEnvironmentsPermission(client *gh.Client, repo *gh.Repository, currentAc
_, resp, err := client.Actions.ListEnvVariables(context.Background(), *repo.Owner.Login, *repo.Name, *envResp.Environments[0].Name, &gh.ListOptions{})
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Very Low
@ -575,7 +575,7 @@ func getEnvironmentsPermission(client *gh.Client, repo *gh.Repository, currentAc
log.Fatal("This should never happen. We are updating an environment variable with an invalid payload.")
return EnvironmentsWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -588,11 +588,11 @@ func getIssuesPermission(client *gh.Client, repo *gh.Repository, currentAccess s
_, resp, err := client.Issues.ListByRepo(context.Background(), *repo.Owner.Login, *repo.Name, &gh.IssueListByRepoOptions{})
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200, 301:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Very Low
@ -608,12 +608,12 @@ func getIssuesPermission(client *gh.Client, repo *gh.Repository, currentAccess s
log.Fatal("This should never happen. We are editing a label with an invalid payload.")
return IssuesWrite, nil
default:
return NoAccess, err
return Invalid, err
}
} else {
// Will only land here if already tested one public repo and got a 403.
if currentAccess == "UNKNOWN" {
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
}
// Risk: Very Low
// -> We're editing an issue label that does not exist. Even if we did, the name would be (see RANDOM_STRING above).
@ -621,14 +621,14 @@ func getIssuesPermission(client *gh.Client, repo *gh.Repository, currentAccess s
_, resp, err := client.Issues.EditLabel(context.Background(), *repo.Owner.Login, *repo.Name, RANDOM_STRING, &gh.Label{})
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 404:
return IssuesWrite, nil
case 200:
log.Fatal("This should never happen. We are editing a label with an invalid payload.")
return IssuesWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
}
@ -640,11 +640,11 @@ func getPagesPermission(client *gh.Client, repo *gh.Repository, currentAccess st
_, resp, err := client.Repositories.GetPagesInfo(context.Background(), *repo.Owner.Login, *repo.Name)
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200, 404:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Very Low
@ -652,7 +652,7 @@ func getPagesPermission(client *gh.Client, repo *gh.Repository, currentAccess st
// POST /repos/{owner}/{repo}/pages/deployments/{deployment_id}/cancel
req, err := client.NewRequest("POST", "https://api.github.com/repos/"+*repo.Owner.Login+"/"+*repo.Name+"/pages/deployments/"+RANDOM_STRING+"/cancel", nil)
if err != nil {
return NoAccess, err
return Invalid, err
}
resp, err = client.Do(context.Background(), req, nil)
switch resp.StatusCode {
@ -664,31 +664,31 @@ func getPagesPermission(client *gh.Client, repo *gh.Repository, currentAccess st
log.Fatal("This should never happen. We are cancelling a deployment with an invalid ID.")
return PagesWrite, nil
default:
return NoAccess, err
return Invalid, err
}
} else {
// Will only land here if already tested one public repo and got a 403.
if currentAccess == "UNKNOWN" {
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
}
// Risk: Very Low
// -> We're cancelling a GitHub Pages deployment that does not exist (see RANDOM_STRING above).
// POST /repos/{owner}/{repo}/pages/deployments/{deployment_id}/cancel
req, err := client.NewRequest("POST", "https://api.github.com/repos/"+*repo.Owner.Login+"/"+*repo.Name+"/pages/deployments/"+RANDOM_STRING+"/cancel", nil)
if err != nil {
return NoAccess, err
return Invalid, err
}
resp, err := client.Do(context.Background(), req, nil)
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 404:
return PagesWrite, nil
case 200:
log.Fatal("This should never happen. We are cancelling a deployment with an invalid ID.")
return PagesWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
}
@ -700,11 +700,11 @@ func getPullRequestsPermission(client *gh.Client, repo *gh.Repository, currentAc
_, resp, err := client.PullRequests.List(context.Background(), *repo.Owner.Login, *repo.Name, &gh.PullRequestListOptions{})
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Very Low
@ -720,12 +720,12 @@ func getPullRequestsPermission(client *gh.Client, repo *gh.Repository, currentAc
log.Fatal("This should never happen. We are creating a pull request with an invalid payload.")
return PullRequestsWrite, nil
default:
return NoAccess, err
return Invalid, err
}
} else {
// Will only land here if already tested one public repo and got a 403.
if currentAccess == "UNKNOWN" {
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
}
// Risk: Very Low
// -> We're creating a pull request with an invalid payload.
@ -733,14 +733,14 @@ func getPullRequestsPermission(client *gh.Client, repo *gh.Repository, currentAc
_, resp, err := client.PullRequests.Create(context.Background(), *repo.Owner.Login, *repo.Name, &gh.NewPullRequest{})
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 422:
return PullRequestsWrite, nil
case 200:
log.Fatal("This should never happen. We are creating a pull request with an invalid payload.")
return PullRequestsWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
}
@ -753,11 +753,11 @@ func getRepoSecurityPermission(client *gh.Client, repo *gh.Repository, currentAc
_, resp, err := client.SecurityAdvisories.ListRepositorySecurityAdvisories(context.Background(), *repo.Owner.Login, *repo.Name, nil)
switch resp.StatusCode {
case 403, 404:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Very Low
@ -765,7 +765,7 @@ func getRepoSecurityPermission(client *gh.Client, repo *gh.Repository, currentAc
// POST /repos/{owner}/{repo}/security-advisories
req, err := client.NewRequest("POST", "https://api.github.com/repos/"+*repo.Owner.Login+"/"+*repo.Name+"/security-advisories", nil)
if err != nil {
return NoAccess, err
return Invalid, err
}
resp, err = client.Do(context.Background(), req, nil)
switch resp.StatusCode {
@ -777,31 +777,31 @@ func getRepoSecurityPermission(client *gh.Client, repo *gh.Repository, currentAc
log.Fatal("This should never happen. We are creating a security advisory with an invalid payload.")
return RepoSecurityWrite, nil
default:
return NoAccess, err
return Invalid, err
}
} else {
// Will only land here if already tested one public repo and got a 403.
if currentAccess == "UNKNOWN" {
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
}
// Risk: Very Low
// -> We're creating a security advisory with an invalid payload.
// POST /repos/{owner}/{repo}/security-advisories
req, err := client.NewRequest("POST", "https://api.github.com/repos/"+*repo.Owner.Login+"/"+*repo.Name+"/security-advisories", nil)
if err != nil {
return NoAccess, err
return Invalid, err
}
resp, err := client.Do(context.Background(), req, nil)
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 422:
return RepoSecurityWrite, nil
case 200:
log.Fatal("This should never happen. We are creating a security advisory with an invalid payload.")
return RepoSecurityWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
}
@ -812,11 +812,11 @@ func getSecretScanningPermission(client *gh.Client, repo *gh.Repository, current
_, resp, err := client.SecretScanning.ListAlertsForRepo(context.Background(), *repo.Owner.Login, *repo.Name, nil)
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200, 404:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Very Low
@ -832,7 +832,7 @@ func getSecretScanningPermission(client *gh.Client, repo *gh.Repository, current
log.Fatal("This should never happen. We are updating a secret scanning alert that doesn't exist.")
return SecretScanningWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -842,11 +842,11 @@ func getSecretsPermission(client *gh.Client, repo *gh.Repository, currentAccess
_, resp, err := client.Actions.ListRepoSecrets(context.Background(), *repo.Owner.Login, *repo.Name, &gh.ListOptions{})
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Very Low
@ -862,7 +862,7 @@ func getSecretsPermission(client *gh.Client, repo *gh.Repository, currentAccess
log.Fatal("This should never happen. We are creating a secret with an invalid payload.")
return SecretsWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -872,11 +872,11 @@ func getVariablesPermission(client *gh.Client, repo *gh.Repository, currentAcces
_, resp, err := client.Actions.ListRepoVariables(context.Background(), *repo.Owner.Login, *repo.Name, &gh.ListOptions{})
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Very Low
@ -892,7 +892,7 @@ func getVariablesPermission(client *gh.Client, repo *gh.Repository, currentAcces
log.Fatal("This should never happen. We are patching a variable with an invalid payload and no name.")
return VariablesWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -902,11 +902,11 @@ func getWebhooksPermission(client *gh.Client, repo *gh.Repository, currentAccess
_, resp, err := client.Repositories.ListHooks(context.Background(), *repo.Owner.Login, *repo.Name, &gh.ListOptions{})
switch resp.StatusCode {
case 403, 404:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Very Low
@ -922,7 +922,7 @@ func getWebhooksPermission(client *gh.Client, repo *gh.Repository, currentAccess
log.Fatal("This should never happen. We are updating a webhook with an invalid payload.")
return WebhooksWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -938,7 +938,7 @@ func analyzeRepositoryPermissions(client *gh.Client, repos []*gh.Repository) ([]
if err != nil {
return nil, err
}
if access != NoAccess {
if access != Invalid {
perms = append(perms, access)
}
}
@ -952,11 +952,11 @@ func getBlockUserPermission(client *gh.Client, user *gh.User) (Permission, error
_, resp, err := client.Users.ListBlockedUsers(context.Background(), nil)
switch resp.StatusCode {
case 403, 404:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Extremely Low
@ -972,7 +972,7 @@ func getBlockUserPermission(client *gh.Client, user *gh.User) (Permission, error
log.Fatal("This should never happen. We are blocking a user that doesn't exist.")
return BlockUserWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -982,11 +982,11 @@ func getCodespacesUserPermission(client *gh.Client, user *gh.User) (Permission,
_, resp, err := client.Codespaces.ListUserSecrets(context.Background(), nil)
switch resp.StatusCode {
case 403, 404:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Low
@ -1002,7 +1002,7 @@ func getCodespacesUserPermission(client *gh.Client, user *gh.User) (Permission,
log.Fatal("This should never happen. We are creating a user secret with an invalid payload.")
return CodespaceUserSecretsWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -1012,11 +1012,11 @@ func getEmailPermission(client *gh.Client, user *gh.User) (Permission, error) {
_, resp, err := client.Users.ListEmails(context.Background(), nil)
switch resp.StatusCode {
case 403, 404:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Low
@ -1031,7 +1031,7 @@ func getEmailPermission(client *gh.Client, user *gh.User) (Permission, error) {
log.Fatal("This should never happen. We are setting email visibility with an invalid payload.")
return EmailWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -1041,11 +1041,11 @@ func getFollowersPermission(client *gh.Client, user *gh.User) (Permission, error
_, resp, err := client.Users.ListFollowers(context.Background(), "", nil)
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Low - Medium
@ -1060,7 +1060,7 @@ func getFollowersPermission(client *gh.Client, user *gh.User) (Permission, error
case 204:
return FollowersWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -1070,11 +1070,11 @@ func getGPGKeysPermission(client *gh.Client, user *gh.User) (Permission, error)
_, resp, err := client.Users.ListGPGKeys(context.Background(), "", nil)
switch resp.StatusCode {
case 403, 404:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Low - Medium
@ -1090,7 +1090,7 @@ func getGPGKeysPermission(client *gh.Client, user *gh.User) (Permission, error)
log.Fatal("This should never happen. We are creating a GPG key with an invalid payload.")
return GpgKeysWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -1101,14 +1101,14 @@ func getGistsPermission(client *gh.Client, user *gh.User) (Permission, error) {
_, resp, err := client.Gists.Create(context.Background(), &gh.Gist{})
switch resp.StatusCode {
case 403, 404:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 422:
return GistsWrite, nil
case 200, 201, 204:
log.Fatal("This should never happen. We are creating a Gist with an invalid payload.")
return GistsWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -1118,11 +1118,11 @@ func getGitKeysPermission(client *gh.Client, user *gh.User) (Permission, error)
_, resp, err := client.Users.ListKeys(context.Background(), "", nil)
switch resp.StatusCode {
case 403, 404:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Low - Medium
@ -1138,7 +1138,7 @@ func getGitKeysPermission(client *gh.Client, user *gh.User) (Permission, error)
log.Fatal("This should never happen. We are creating a key with an invalid payload.")
return GitKeysWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -1147,16 +1147,16 @@ func getLimitsPermission(client *gh.Client, user *gh.User) (Permission, error) {
// GET request to /user/interaction-limits
req, err := client.NewRequest("GET", "https://api.github.com/user/interaction-limits", nil)
if err != nil {
return NoAccess, err
return Invalid, err
}
resp, err := client.Do(context.Background(), req, nil)
switch resp.StatusCode {
case 403:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200, 204:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Low
@ -1164,7 +1164,7 @@ func getLimitsPermission(client *gh.Client, user *gh.User) (Permission, error) {
// Payload is invalid, so it shouldn't actually post.
req, err = client.NewRequest("PUT", "https://api.github.com/user/interaction-limits", nil)
if err != nil {
return NoAccess, err
return Invalid, err
}
resp, err = client.Do(context.Background(), req, nil)
switch resp.StatusCode {
@ -1176,7 +1176,7 @@ func getLimitsPermission(client *gh.Client, user *gh.User) (Permission, error) {
log.Fatal("This should never happen. We are setting interaction limits with an invalid payload.")
return LimitsWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -1186,11 +1186,11 @@ func getPlanPermission(client *gh.Client, user *gh.User) (Permission, error) {
_, resp, err := client.Billing.GetActionsBillingUser(context.Background(), *user.Login)
switch resp.StatusCode {
case 403, 404:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
return PlanRead, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -1200,19 +1200,19 @@ func getProfilePermission(client *gh.Client, user *gh.User) (Permission, error)
// Payload is invalid, so it shouldn't actually patch.
req, err := client.NewRequest("POST", "https://api.github.com/user/social_accounts", nil)
if err != nil {
return NoAccess, err
return Invalid, err
}
resp, err := client.Do(context.Background(), req, nil)
switch resp.StatusCode {
case 403, 404:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 422:
return ProfileWrite, nil
case 200, 201, 204:
log.Fatal("This should never happen. We are creating a social account with an invalid payload.")
return ProfileWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -1222,11 +1222,11 @@ func getSigningKeysPermission(client *gh.Client, user *gh.User) (Permission, err
_, resp, err := client.Users.ListSSHSigningKeys(context.Background(), "", nil)
switch resp.StatusCode {
case 403, 404:
return NoAccess, ErrNoAccess
return Invalid, ErrInvalid
case 200:
break
default:
return NoAccess, err
return Invalid, err
}
// Risk: Low - Medium
@ -1242,7 +1242,7 @@ func getSigningKeysPermission(client *gh.Client, user *gh.User) (Permission, err
log.Fatal("This should never happen. We are creating a SSH key with an invalid payload.")
return SigningKeysWrite, nil
default:
return NoAccess, err
return Invalid, err
}
}
@ -1288,7 +1288,7 @@ func AnalyzeFineGrainedToken(client *gh.Client, meta *common.TokenMetadata, shal
if err != nil {
return nil, err
}
if perm != NoAccess {
if perm != Invalid {
accessibleRepos = append(accessibleRepos, repo)
}
}
@ -1363,12 +1363,12 @@ func printFineGrainedPermissions(accessMap map[string]Permission, showAll bool,
for _, key := range keys {
value := accessMap[key]
if value == NoAccess {
if value == Invalid {
// don't change permissionCount
} else {
permissionCount++
}
if !showAll && value == NoAccess {
if !showAll && value == Invalid {
continue
} else {
k, v := permissionFormatter(key, value)


@ -6,7 +6,7 @@ import "errors"
type Permission int
const (
NoAccess Permission = iota
Invalid Permission = iota
ActionsRead Permission = iota
ActionsWrite Permission = iota
AdministrationRead Permission = iota
@ -251,165 +251,165 @@ var (
}
PermissionIDs = map[Permission]int{
ActionsRead: 0,
ActionsWrite: 1,
AdministrationRead: 2,
AdministrationWrite: 3,
CodeScanningAlertsRead: 4,
CodeScanningAlertsWrite: 5,
CodespacesRead: 6,
CodespacesWrite: 7,
CodespacesLifecycleRead: 8,
CodespacesLifecycleWrite: 9,
CodespacesMetadataRead: 10,
CodespacesMetadataWrite: 11,
CodespacesSecretsRead: 12,
CodespacesSecretsWrite: 13,
CommitStatusesRead: 14,
CommitStatusesWrite: 15,
ContentsRead: 16,
ContentsWrite: 17,
CustomPropertiesRead: 18,
CustomPropertiesWrite: 19,
DependabotAlertsRead: 20,
DependabotAlertsWrite: 21,
DependabotSecretsRead: 22,
DependabotSecretsWrite: 23,
DeploymentsRead: 24,
DeploymentsWrite: 25,
EnvironmentsRead: 26,
EnvironmentsWrite: 27,
IssuesRead: 28,
IssuesWrite: 29,
MergeQueuesRead: 30,
MergeQueuesWrite: 31,
MetadataRead: 32,
MetadataWrite: 33,
PagesRead: 34,
PagesWrite: 35,
PullRequestsRead: 36,
PullRequestsWrite: 37,
RepoSecurityRead: 38,
RepoSecurityWrite: 39,
SecretScanningRead: 40,
SecretScanningWrite: 41,
SecretsRead: 42,
SecretsWrite: 43,
VariablesRead: 44,
VariablesWrite: 45,
WebhooksRead: 46,
WebhooksWrite: 47,
WorkflowsRead: 48,
WorkflowsWrite: 49,
BlockUserRead: 50,
BlockUserWrite: 51,
CodespaceUserSecretsRead: 52,
CodespaceUserSecretsWrite: 53,
EmailRead: 54,
EmailWrite: 55,
FollowersRead: 56,
FollowersWrite: 57,
GpgKeysRead: 58,
GpgKeysWrite: 59,
GistsRead: 60,
GistsWrite: 61,
GitKeysRead: 62,
GitKeysWrite: 63,
LimitsRead: 64,
LimitsWrite: 65,
PlanRead: 66,
PlanWrite: 67,
PrivateInvitesRead: 68,
PrivateInvitesWrite: 69,
ProfileRead: 70,
ProfileWrite: 71,
SigningKeysRead: 72,
SigningKeysWrite: 73,
StarringRead: 74,
StarringWrite: 75,
WatchingRead: 76,
WatchingWrite: 77,
ActionsRead: 1,
ActionsWrite: 2,
AdministrationRead: 3,
AdministrationWrite: 4,
CodeScanningAlertsRead: 5,
CodeScanningAlertsWrite: 6,
CodespacesRead: 7,
CodespacesWrite: 8,
CodespacesLifecycleRead: 9,
CodespacesLifecycleWrite: 10,
CodespacesMetadataRead: 11,
CodespacesMetadataWrite: 12,
CodespacesSecretsRead: 13,
CodespacesSecretsWrite: 14,
CommitStatusesRead: 15,
CommitStatusesWrite: 16,
ContentsRead: 17,
ContentsWrite: 18,
CustomPropertiesRead: 19,
CustomPropertiesWrite: 20,
DependabotAlertsRead: 21,
DependabotAlertsWrite: 22,
DependabotSecretsRead: 23,
DependabotSecretsWrite: 24,
DeploymentsRead: 25,
DeploymentsWrite: 26,
EnvironmentsRead: 27,
EnvironmentsWrite: 28,
IssuesRead: 29,
IssuesWrite: 30,
MergeQueuesRead: 31,
MergeQueuesWrite: 32,
MetadataRead: 33,
MetadataWrite: 34,
PagesRead: 35,
PagesWrite: 36,
PullRequestsRead: 37,
PullRequestsWrite: 38,
RepoSecurityRead: 39,
RepoSecurityWrite: 40,
SecretScanningRead: 41,
SecretScanningWrite: 42,
SecretsRead: 43,
SecretsWrite: 44,
VariablesRead: 45,
VariablesWrite: 46,
WebhooksRead: 47,
WebhooksWrite: 48,
WorkflowsRead: 49,
WorkflowsWrite: 50,
BlockUserRead: 51,
BlockUserWrite: 52,
CodespaceUserSecretsRead: 53,
CodespaceUserSecretsWrite: 54,
EmailRead: 55,
EmailWrite: 56,
FollowersRead: 57,
FollowersWrite: 58,
GpgKeysRead: 59,
GpgKeysWrite: 60,
GistsRead: 61,
GistsWrite: 62,
GitKeysRead: 63,
GitKeysWrite: 64,
LimitsRead: 65,
LimitsWrite: 66,
PlanRead: 67,
PlanWrite: 68,
PrivateInvitesRead: 69,
PrivateInvitesWrite: 70,
ProfileRead: 71,
ProfileWrite: 72,
SigningKeysRead: 73,
SigningKeysWrite: 74,
StarringRead: 75,
StarringWrite: 76,
WatchingRead: 77,
WatchingWrite: 78,
}
IdToPermission = map[int]Permission{
0: ActionsRead,
1: ActionsWrite,
2: AdministrationRead,
3: AdministrationWrite,
4: CodeScanningAlertsRead,
5: CodeScanningAlertsWrite,
6: CodespacesRead,
7: CodespacesWrite,
8: CodespacesLifecycleRead,
9: CodespacesLifecycleWrite,
10: CodespacesMetadataRead,
11: CodespacesMetadataWrite,
12: CodespacesSecretsRead,
13: CodespacesSecretsWrite,
14: CommitStatusesRead,
15: CommitStatusesWrite,
16: ContentsRead,
17: ContentsWrite,
18: CustomPropertiesRead,
19: CustomPropertiesWrite,
20: DependabotAlertsRead,
21: DependabotAlertsWrite,
22: DependabotSecretsRead,
23: DependabotSecretsWrite,
24: DeploymentsRead,
25: DeploymentsWrite,
26: EnvironmentsRead,
27: EnvironmentsWrite,
28: IssuesRead,
29: IssuesWrite,
30: MergeQueuesRead,
31: MergeQueuesWrite,
32: MetadataRead,
33: MetadataWrite,
34: PagesRead,
35: PagesWrite,
36: PullRequestsRead,
37: PullRequestsWrite,
38: RepoSecurityRead,
39: RepoSecurityWrite,
40: SecretScanningRead,
41: SecretScanningWrite,
42: SecretsRead,
43: SecretsWrite,
44: VariablesRead,
45: VariablesWrite,
46: WebhooksRead,
47: WebhooksWrite,
48: WorkflowsRead,
49: WorkflowsWrite,
50: BlockUserRead,
51: BlockUserWrite,
52: CodespaceUserSecretsRead,
53: CodespaceUserSecretsWrite,
54: EmailRead,
55: EmailWrite,
56: FollowersRead,
57: FollowersWrite,
58: GpgKeysRead,
59: GpgKeysWrite,
60: GistsRead,
61: GistsWrite,
62: GitKeysRead,
63: GitKeysWrite,
64: LimitsRead,
65: LimitsWrite,
66: PlanRead,
67: PlanWrite,
68: PrivateInvitesRead,
69: PrivateInvitesWrite,
70: ProfileRead,
71: ProfileWrite,
72: SigningKeysRead,
73: SigningKeysWrite,
74: StarringRead,
75: StarringWrite,
76: WatchingRead,
77: WatchingWrite,
1: ActionsRead,
2: ActionsWrite,
3: AdministrationRead,
4: AdministrationWrite,
5: CodeScanningAlertsRead,
6: CodeScanningAlertsWrite,
7: CodespacesRead,
8: CodespacesWrite,
9: CodespacesLifecycleRead,
10: CodespacesLifecycleWrite,
11: CodespacesMetadataRead,
12: CodespacesMetadataWrite,
13: CodespacesSecretsRead,
14: CodespacesSecretsWrite,
15: CommitStatusesRead,
16: CommitStatusesWrite,
17: ContentsRead,
18: ContentsWrite,
19: CustomPropertiesRead,
20: CustomPropertiesWrite,
21: DependabotAlertsRead,
22: DependabotAlertsWrite,
23: DependabotSecretsRead,
24: DependabotSecretsWrite,
25: DeploymentsRead,
26: DeploymentsWrite,
27: EnvironmentsRead,
28: EnvironmentsWrite,
29: IssuesRead,
30: IssuesWrite,
31: MergeQueuesRead,
32: MergeQueuesWrite,
33: MetadataRead,
34: MetadataWrite,
35: PagesRead,
36: PagesWrite,
37: PullRequestsRead,
38: PullRequestsWrite,
39: RepoSecurityRead,
40: RepoSecurityWrite,
41: SecretScanningRead,
42: SecretScanningWrite,
43: SecretsRead,
44: SecretsWrite,
45: VariablesRead,
46: VariablesWrite,
47: WebhooksRead,
48: WebhooksWrite,
49: WorkflowsRead,
50: WorkflowsWrite,
51: BlockUserRead,
52: BlockUserWrite,
53: CodespaceUserSecretsRead,
54: CodespaceUserSecretsWrite,
55: EmailRead,
56: EmailWrite,
57: FollowersRead,
58: FollowersWrite,
59: GpgKeysRead,
60: GpgKeysWrite,
61: GistsRead,
62: GistsWrite,
63: GitKeysRead,
64: GitKeysWrite,
65: LimitsRead,
66: LimitsWrite,
67: PlanRead,
68: PlanWrite,
69: PrivateInvitesRead,
70: PrivateInvitesWrite,
71: ProfileRead,
72: ProfileWrite,
73: SigningKeysRead,
74: SigningKeysWrite,
75: StarringRead,
76: StarringWrite,
77: WatchingRead,
78: WatchingWrite,
}
)


@ -6,7 +6,7 @@ import "errors"
type Permission int
const (
NoAccess Permission = iota
Invalid Permission = iota
ModelsRead Permission = iota
ModelCapabilitiesWrite Permission = iota
AssistantsRead Permission = iota
@ -47,29 +47,29 @@ var (
}
PermissionIDs = map[Permission]int{
ModelsRead: 0,
ModelCapabilitiesWrite: 1,
AssistantsRead: 2,
AssistantsWrite: 3,
ThreadsRead: 4,
ThreadsWrite: 5,
FineTuningRead: 6,
FineTuningWrite: 7,
FilesRead: 8,
FilesWrite: 9,
ModelsRead: 1,
ModelCapabilitiesWrite: 2,
AssistantsRead: 3,
AssistantsWrite: 4,
ThreadsRead: 5,
ThreadsWrite: 6,
FineTuningRead: 7,
FineTuningWrite: 8,
FilesRead: 9,
FilesWrite: 10,
}
IdToPermission = map[int]Permission{
0: ModelsRead,
1: ModelCapabilitiesWrite,
2: AssistantsRead,
3: AssistantsWrite,
4: ThreadsRead,
5: ThreadsWrite,
6: FineTuningRead,
7: FineTuningWrite,
8: FilesRead,
9: FilesWrite,
1: ModelsRead,
2: ModelCapabilitiesWrite,
3: AssistantsRead,
4: AssistantsWrite,
5: ThreadsRead,
6: ThreadsWrite,
7: FineTuningRead,
8: FineTuningWrite,
9: FilesRead,
10: FilesWrite,
}
)


@ -6,7 +6,7 @@ import "errors"
type Permission int
const (
NoAccess Permission = iota
Invalid Permission = iota
AccountManagementRead Permission = iota
AccountManagementWrite Permission = iota
SubaccountConfigurationRead Permission = iota
@ -65,41 +65,41 @@ var (
}
PermissionIDs = map[Permission]int{
AccountManagementRead: 0,
AccountManagementWrite: 1,
SubaccountConfigurationRead: 2,
SubaccountConfigurationWrite: 3,
KeyManagementRead: 4,
KeyManagementWrite: 5,
ServiceVerificationRead: 6,
ServiceVerificationWrite: 7,
SmsRead: 8,
SmsWrite: 9,
VoiceRead: 10,
VoiceWrite: 11,
MessagingRead: 12,
MessagingWrite: 13,
CallManagementRead: 14,
CallManagementWrite: 15,
AccountManagementRead: 1,
AccountManagementWrite: 2,
SubaccountConfigurationRead: 3,
SubaccountConfigurationWrite: 4,
KeyManagementRead: 5,
KeyManagementWrite: 6,
ServiceVerificationRead: 7,
ServiceVerificationWrite: 8,
SmsRead: 9,
SmsWrite: 10,
VoiceRead: 11,
VoiceWrite: 12,
MessagingRead: 13,
MessagingWrite: 14,
CallManagementRead: 15,
CallManagementWrite: 16,
}
IdToPermission = map[int]Permission{
0: AccountManagementRead,
1: AccountManagementWrite,
2: SubaccountConfigurationRead,
3: SubaccountConfigurationWrite,
4: KeyManagementRead,
5: KeyManagementWrite,
6: ServiceVerificationRead,
7: ServiceVerificationWrite,
8: SmsRead,
9: SmsWrite,
10: VoiceRead,
11: VoiceWrite,
12: MessagingRead,
13: MessagingWrite,
14: CallManagementRead,
15: CallManagementWrite,
1: AccountManagementRead,
2: AccountManagementWrite,
3: SubaccountConfigurationRead,
4: SubaccountConfigurationWrite,
5: KeyManagementRead,
6: KeyManagementWrite,
7: ServiceVerificationRead,
8: ServiceVerificationWrite,
9: SmsRead,
10: SmsWrite,
11: VoiceRead,
12: VoiceWrite,
13: MessagingRead,
14: MessagingWrite,
15: CallManagementRead,
16: CallManagementWrite,
}
)


@ -25,7 +25,7 @@ import "errors"
type Permission int
const (
NoAccess Permission = iota
Invalid Permission = iota
{{- range $index, $permission := .Permissions }}
{{ ToCamelCase $permission }} Permission = iota
{{- end }}
@ -46,13 +46,13 @@ var (
PermissionIDs = map[Permission]int{
{{- range $index, $permission := .Permissions }}
{{ ToCamelCase $permission }}: {{ $index }},
{{ ToCamelCase $permission }}: {{ inc $index }},
{{- end }}
}
IdToPermission = map[int]Permission{
{{- range $index, $permission := .Permissions }}
{{ $index }}: {{ ToCamelCase $permission }},
{{ inc $index }}: {{ ToCamelCase $permission }},
{{- end }}
}
)
@ -123,6 +123,7 @@ func main() {
// Parse the template
tmpl, err := template.New("permissions").Funcs(template.FuncMap{
"ToCamelCase": ToCamelCase,
"inc": func(i int) int { return i + 1 },
}).Parse(templateText)
if err != nil {
log.Fatalf("Failed to parse template: %v", err)
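Review bot: The move to 1-based IDs in the `PermissionIDs` and `IdToPermission` template blocks is not explained in the template, so a later editor of the generator has no hint that 0 is deliberately left unmapped for `Invalid`. I would add a comment above `PermissionIDs` in the template text: `// IDs start at 1; 0 is reserved for Invalid, the zero value of Permission.` Every generated ID also moves up by one. If any consumer persists or exchanges these integers (none is visible in this diff), values written by an older build would resolve to the neighbouring permission and a token's access could be reported incorrectly, so that is worth confirming before merge. The body of `main` continues outside the hunk.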