From efc122aa05c782dc04be5fbe0ab2a57e2c34db79 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Tue, 3 Sep 2024 08:55:41 +0200
Subject: [PATCH 1/5] fix(telegram_bot_token): Regex must match just bot tokens
---
 detect_secrets/plugins/telegram_token.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detect_secrets/plugins/telegram_token.py b/detect_secrets/plugins/telegram_token.py
index 1054c64b..32869aba 100644
--- a/detect_secrets/plugins/telegram_token.py
+++ b/detect_secrets/plugins/telegram_token.py
@@ -15,7 +15,7 @@ class TelegramBotTokenDetector(RegexBasedDetector):
 denylist = [
 # refs https://core.telegram.org/bots/api#authorizing-your-bot
- re.compile(r'\d{8,10}:[0-9A-Za-z_-]{35}'),
+ re.compile(r'^\d{8,10}:[0-9A-Za-z_-]{35}$'),
 ]
 def verify(self, secret: str) -> VerifiedResult: # pragma: no cover
From 5bafc1d347da8a258b0c1fe958329333ccd5349c Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Tue, 3 Sep 2024 08:58:22 +0200
Subject: [PATCH 2/5] test(telegram_bot_token): AWS ARN should not match
---
 tests/plugins/telegram_token_test.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tests/plugins/telegram_token_test.py b/tests/plugins/telegram_token_test.py
index 74af380f..d9dfc0e1 100644
--- a/tests/plugins/telegram_token_test.py
+++ b/tests/plugins/telegram_token_test.py
@@ -13,6 +13,7 @@ class TestTelegramTokenDetector:
 ('7213808860:AAH1bjqpKKW3maRSPAxzIU-0v6xNuq2-NjM', True),
 ('foo:AAH1bjqpKKW3maRSPAxzIU-0v6xNuq2-NjM', False),
 ('foo', False),
+ ('arn:aws:sns:aaa:111122223333:aaaaaaaaaaaaaaaaaaassssssddddddddddddd', False)
 ],
 )
 def test_analyze(self, payload, should_flag):
From 41f774616d3b0a736561fecb6dad830130b8ffd7 Mon Sep 17 00:00:00 2001
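Review bot: The `^`/`$` anchors make the denylist match only when the entire scanned string is the token, so a source line such as `TELEGRAM_TOKEN = '110201543:AAHdqTcvCH1vGWJxfSe1ofSAs0K5PALDsaw'` is presumably no longer flagged if RegexBasedDetector hands the plugin one file line at a time; the test cases added in patches 2–4 only pass bare payloads and therefore cannot catch that regression. Lookarounds reject the `bot` prefix and the ARN digit run without requiring a whole-line match: `re.compile(r'(?<![\w-])\d{8,10}:[0-9A-Za-z_-]{35}(?![\w-])'),`. Patch 3's message also notes that `bot` precedes the token when the API is called, so a token leaked inside a request URL would go unreported once the prefix is excluded; if that form should still be detected, an optional `(?:bot)?` before a capture group around the token keeps the reported secret free of the prefix. TelegramBotTokenDetector starts before and continues after the hunk.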
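Review bot: Every payload in this parametrization, including the new ARN case, is a bare string, so test_analyze never exercises a token embedded in a longer line, which is the shape the detector normally sees; add a case such as `('TELEGRAM_TOKEN = "110201543:AAHdqTcvCH1vGWJxfSe1ofSAs0K5PALDsaw"', True),` next to the ARN entry so the anchored regex from patch 1 is checked against it. test_analyze's body continues outside the hunk.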
From: Pepe Fagoaga
Date: Tue, 3 Sep 2024 09:09:41 +0200
Subject: [PATCH 3/5] fix(telegram_bot_token): `bot` should not be in the token
`bot` is only used while verifying the token, as per https://core.telegram.org/bots/api#authorizing-your-bot
---
 tests/plugins/telegram_token_test.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/plugins/telegram_token_test.py b/tests/plugins/telegram_token_test.py
index d9dfc0e1..d3abea1f 100644
--- a/tests/plugins/telegram_token_test.py
+++ b/tests/plugins/telegram_token_test.py
@@ -8,7 +8,7 @@ class TestTelegramTokenDetector:
 @pytest.mark.parametrize(
 'payload, should_flag',
 [
- ('bot110201543:AAHdqTcvCH1vGWJxfSe1ofSAs0K5PALDsaw', True),
+ ('110201543:AAHdqTcvCH1vGWJxfSe1ofSAs0K5PALDsaw', True),
 ('110201543:AAHdqTcvCH1vGWJxfSe1ofSAs0K5PALDsaw', True),
 ('7213808860:AAH1bjqpKKW3maRSPAxzIU-0v6xNuq2-NjM', True),
 ('foo:AAH1bjqpKKW3maRSPAxzIU-0v6xNuq2-NjM', False),
From 2cc49a53a41ce691cd9fe27b7f33907a5af0ed34 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Tue, 3 Sep 2024 09:31:46 +0200
Subject: [PATCH 4/5] fix(test): something with `^bot` should not match
---
 tests/plugins/telegram_token_test.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/plugins/telegram_token_test.py b/tests/plugins/telegram_token_test.py
index d3abea1f..3c62e8da 100644
--- a/tests/plugins/telegram_token_test.py
+++ b/tests/plugins/telegram_token_test.py
@@ -8,7 +8,7 @@ class TestTelegramTokenDetector:
 @pytest.mark.parametrize(
 'payload, should_flag',
 [
- ('110201543:AAHdqTcvCH1vGWJxfSe1ofSAs0K5PALDsaw', True),
+ ('bot110201543:AAHdqTcvCH1vGWJxfSe1ofSAs0K5PALDsaw', False),
 ('110201543:AAHdqTcvCH1vGWJxfSe1ofSAs0K5PALDsaw', True),
 ('7213808860:AAH1bjqpKKW3maRSPAxzIU-0v6xNuq2-NjM', True),
 ('foo:AAH1bjqpKKW3maRSPAxzIU-0v6xNuq2-NjM', False),
From fe737076babb391261741db2c84f805d1389aa56 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Fri, 13 Sep 2024 09:39:46 +0200
Subject: [PATCH 5/5] fix: format trailing comma
---
 tests/plugins/telegram_token_test.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/plugins/telegram_token_test.py b/tests/plugins/telegram_token_test.py
index 3c62e8da..a1df2d90 100644
--- a/tests/plugins/telegram_token_test.py
+++ b/tests/plugins/telegram_token_test.py
@@ -13,7 +13,7 @@ class TestTelegramTokenDetector:
 ('7213808860:AAH1bjqpKKW3maRSPAxzIU-0v6xNuq2-NjM', True),
 ('foo:AAH1bjqpKKW3maRSPAxzIU-0v6xNuq2-NjM', False),
 ('foo', False),
- ('arn:aws:sns:aaa:111122223333:aaaaaaaaaaaaaaaaaaassssssddddddddddddd', False)
+ ('arn:aws:sns:aaa:111122223333:aaaaaaaaaaaaaaaaaaassssssddddddddddddd', False),
 ],
 )
 def test_analyze(self, payload, should_flag):