-
Notifications
You must be signed in to change notification settings - Fork 480
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(telegram_bot_token): Regex must match just bot tokens #878
Conversation
Pinning @lorenzodb1 @KevinHock @domanchi to see if this can get a review soon. Thanks in advance!! |
@@ -15,7 +15,7 @@ class TelegramBotTokenDetector(RegexBasedDetector): | |||
|
|||
denylist = [ | |||
# refs https://core.telegram.org/bots/api#authorizing-your-bot | |||
re.compile(r'\d{8,10}:[0-9A-Za-z_-]{35}'), | |||
re.compile(r'^\d{8,10}:[0-9A-Za-z_-]{35}$'), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reading the Telegram docs, I found that
The token looks something like 123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11
which I assume means there's a specific format in terms of which characters will be upper case and which will be lower case. If that's correct, would you mind making the regex more accurate?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello @lorenzodb1 I'm not sure if that's accurate since they also states this in their documentation
The token is a string, like 110201543:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw, which is required to authorize the bot and send requests to the Bot API. Keep your token secure and store it safely, it can be used by anyone to control your bot.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The regex configured is the same as Trufflehog's https://github.com/trufflesecurity/trufflehog/blob/57802abf5276961426482ace808057016c714958/pkg/detectors/telegrambottoken/telegrambottoken.go#L27
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for your contribution!
Hello @lorenzodb1 is there any ETA to have this included in a new release? Is something we do really need and we are trying not to vendor/fork the repository. Thank you! |
@lorenzodb1 @KevinHock @domanchi Any updates for a new release? Thanks! |
@jfagoagas we're planning to make a release soon. Either @jpdakran or myself will make one. Thank you for your patience. |
This PR fixes a bug with the TelegramBotToken since some AWS ARNs were matched against it due to the regex configured in the
deny_list
.The following AWS ARN
arn:aws:sns:aaa:111122223333:aaaaaaaaaaaaaaaaaaassssssdddddddddddd
matches against the TelegramBotToken when theverify
option is not enabled, but it should not be needed to be verified since it is not.This match because the regex is not enough restrictive from the beginning and the end.
What is the new behaviour (if this is a feature change)?
Add the start-of-line
^
and end-of-line$
character to reduce false positives.Does this PR introduce a breaking change?
No.