From 53364d58752cbeb331aa54616f603c57515b22a1 Mon Sep 17 00:00:00 2001 From: bryce case jr Date: Wed, 13 Nov 2019 16:05:31 -0800 Subject: [PATCH 1/5] feature changes --- README.md | 7 +++++++ config.py | 6 +++++- config.toml | 4 ++-- notifiers/slack.py | 5 +++++ processor.py | 6 +++++- 5 files changed, 24 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 09341cc..1400531 100644 --- a/README.md +++ b/README.md @@ -91,6 +91,13 @@ To configure Slack/Teams notifications, create the following configuration optio webhook_url='your_webhook_url' ``` +You may supply the webhook URL via the environment variable `SLACK_WEBHOOK_URL`, and setting the requisite value in `config.toml` to `env`. + +Setting Up the Webhook +---------------------- + +You may choose to pass the Github webhook secret and host via the environment variables `GITHUB_WEBHOOK_SECRET` and `GITHUB_WEBHOOK_HOST`, and setting the corresponding values in `config.toml` to `env`. + Usage ===== diff --git a/config.py b/config.py index 3e63b76..adb8338 100644 --- a/config.py +++ b/config.py @@ -25,7 +25,11 @@ def load_file(self, filepath): self.access_token = environ.get('GITHUB_WATCHER_TOKEN') self.webhook = self._config['webhook'] - + if self.webhook['secret'] == 'env': + self.webhook['secret'] = environ.get('GITHUB_WEBHOOK_SECRET') + if self.webhook['host'] == 'env': + self.webhook['host'] = environ.get('GITHUB_WEBHOOK_HOST') + for detector in self._config['detectors']: if detector not in AvailableDetectors: logging.error( diff --git a/config.toml b/config.toml index 7d9f267..bb54bf9 100644 --- a/config.toml +++ b/config.toml @@ -13,10 +13,10 @@ access_token='env' repos = [] [webhook] - secret="" + secret="env" host="0.0.0.0" [notifiers.console] [notifiers.slack_webhook] - webhook_url='' + webhook_url='env' diff --git a/notifiers/slack.py b/notifiers/slack.py index c94cb78..76fe5b3 100644 --- a/notifiers/slack.py +++ b/notifiers/slack.py 
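Review bot: In the config.py hunk, `environ.get('GITHUB_WEBHOOK_SECRET')` returns None when the variable is unset, so `self.webhook['secret']` silently becomes None instead of failing at load time; the same applies to the `GITHUB_WEBHOOK_HOST` line below it and to `SLACK_WEBHOOK_URL` in the notifiers/slack.py hunk of this patch. A webhook secret that is presumably used to authenticate incoming deliveries should abort loading when absent rather than surface later as a None comparison, e.g. `self.webhook['secret'] = environ['GITHUB_WEBHOOK_SECRET']` (KeyError) or an explicit `raise ValueError('GITHUB_WEBHOOK_SECRET is not set')`. The existing `GITHUB_WATCHER_TOKEN` line two lines above has the same shape, so the pattern is inherited, not introduced here. load_file starts outside the hunk.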
@@ -1,3 +1,5 @@ +from os import environ + from notifiers.notifier import Notifier from notifiers import Registry import requests @@ -11,6 +13,9 @@ def __init__(self, config): self._webhook_url = config['webhook_url'] + if self._webhook_url == 'env': + self._webhook_url = environ.get('SLACK_WEBHOOK_URL') + def process(self, findings, detector_name): """Send a list of findings via Slack incoming webhook.""" requests.post(self._webhook_url, json={"text": "{} found the following:".format(detector_name)}) diff --git a/processor.py b/processor.py index 0dfa5a1..5abf77e 100644 --- a/processor.py +++ b/processor.py @@ -2,6 +2,8 @@ import tempfile import subprocess +from config import Config + class EventProcessor: def __init__(self): self.client = None @@ -32,7 +34,9 @@ def _clone_and_establish_baseline(self, event): logging.info( 'Cloning repository {} into {}'. format(repo_full_name, repo_dir.name)) - subprocess.run(["git", "clone", repo_url, repo_dir.name], stdout=subprocess.PIPE, stderr=subprocess.PIPE) + if Config.access_token: + repo_url_with_token = repo_url.replace("https://", "https://git:" + Config.access_token + "@") + subprocess.run(["git", "clone", repo_url_with_token, repo_dir.name], stdout=subprocess.PIPE, stderr=subprocess.PIPE) self.repo_cache[repo_url] = repo_dir # we haven't cloned this repository yet, so we don't have a baseline logging.info( From 844266287e0492a36ca7a6a24fcfb58071ade681 Mon Sep 17 00:00:00 2001 From: bryce case jr Date: Wed, 13 Nov 2019 16:43:26 -0800 Subject: [PATCH 2/5] kill conditional, sanitize token --- processor.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/processor.py b/processor.py index 5abf77e..068d9c6 100644 --- a/processor.py +++ b/processor.py @@ -1,6 +1,7 @@ import logging import tempfile import subprocess +import re from config import Config 
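Review bot: In the processor.py clone hunk, embedding the token in the remote URL means git persists it as the origin URL in the clone's `.git/config` under `repo_dir` and may echo it in its own error output, so the credential outlives the `subprocess.run` call; supplying it out of band (a credential helper or `GIT_ASKPASS`) and keeping `repo_url` as the remote avoids that. `Config.access_token` is also read as a class attribute here, while the config.py hunk assigns it as the instance attribute `self.access_token` in load_file, so unless Config declares a class-level default not visible in this patch this lookup raises AttributeError. If `subprocess.run` sits under the new `if Config.access_token:` (indentation is not recoverable here), repositories are no longer cloned at all when no token is configured, yet `self.repo_cache[repo_url] = repo_dir` still records the empty directory as a baseline. _clone_and_establish_baseline starts and ends outside the hunk.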
@@ -34,8 +35,7 @@ def _clone_and_establish_baseline(self, event): logging.info( 'Cloning repository {} into {}'. format(repo_full_name, repo_dir.name)) - if Config.access_token: - repo_url_with_token = repo_url.replace("https://", "https://git:" + Config.access_token + "@") + repo_url_with_token = repo_url.replace("https://", "https://git:" + re.sub('[^0-9a-zA-Z]+', '', Config.access_token) + "@") subprocess.run(["git", "clone", repo_url_with_token, repo_dir.name], stdout=subprocess.PIPE, stderr=subprocess.PIPE) self.repo_cache[repo_url] = repo_dir # we haven't cloned this repository yet, so we don't have a baseline From 454d15e59d9dba11cd6462afd190b34df1be30e4 Mon Sep 17 00:00:00 2001 From: bryce case jr Date: Wed, 13 Nov 2019 17:04:51 -0800 Subject: [PATCH 3/5] reset config for README.md guideline --- config.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config.toml b/config.toml index bb54bf9..7d9f267 100644 --- a/config.toml +++ b/config.toml @@ -13,10 +13,10 @@ access_token='env' repos = [] [webhook] - secret="env" + secret="" host="0.0.0.0" [notifiers.console] [notifiers.slack_webhook] - webhook_url='env' + webhook_url='' From 4a891d383b51f51e487fca1649a596173cbd9836 Mon Sep 17 00:00:00 2001 From: bryce case jr Date: Wed, 13 Nov 2019 17:20:00 -0800 Subject: [PATCH 4/5] added backwards compatibility for config --- README.md | 6 +++--- config.py | 6 +++--- config.toml | 2 +- notifiers/slack.py | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 1400531..7aae8ba 100644 --- a/README.md +++ b/README.md 
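Review bot: `re.sub('[^0-9a-zA-Z]+', '', Config.access_token)` alters the credential rather than escaping it: the GitHub token formats introduced after this code was written carry an underscore in their prefix (`ghp_…`, `github_pat_…`), which this strips, yielding a value that can no longer authenticate. If the aim is to keep the token from breaking the URL, percent-encode it instead, `urllib.parse.quote(Config.access_token, safe='')`; if the aim is to prevent argument injection, the list form of `subprocess.run` without a shell already passes it verbatim. Dropping the `if Config.access_token:` guard also means an unset `GITHUB_WATCHER_TOKEN` (`environ.get` returns None) now raises TypeError inside `re.sub` instead of skipping authentication. _clone_and_establish_baseline starts and ends outside the hunk.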
@@ -55,7 +55,7 @@ Configuration is done through `config.toml`. In this file, you set your `access_ Setting Up the Access Token --------------------------- -You may wish to avoid having the access token in a file. Instead, you can set this value to `env`, and put the access token in the `GITHUB_WATCHER_TOKEN` environment variable. +You may wish to avoid having the access token in a file. Instead, you can set this value to `env` (or leave it blank), and put the access token in the `GITHUB_WATCHER_TOKEN` environment variable. Setting Up the Monitors ----------------------- @@ -91,12 +91,12 @@ To configure Slack/Teams notifications, create the following configuration optio webhook_url='your_webhook_url' ``` -You may supply the webhook URL via the environment variable `SLACK_WEBHOOK_URL`, and setting the requisite value in `config.toml` to `env`. +You may supply the webhook URL via the environment variable `SLACK_WEBHOOK_URL`, and setting the requisite value in `config.toml` to `env` or leaving it blank. Setting Up the Webhook ---------------------- -You may choose to pass the Github webhook secret and host via the environment variables `GITHUB_WEBHOOK_SECRET` and `GITHUB_WEBHOOK_HOST`, and setting the corresponding values in `config.toml` to `env`. +You may choose to pass the Github webhook secret and host via the environment variables `GITHUB_WEBHOOK_SECRET` and `GITHUB_WEBHOOK_HOST`, and setting the corresponding values in `config.toml` to `env` or leaving them blank. Usage ===== diff --git a/config.py b/config.py index adb8338..314fbd0 100644 --- a/config.py +++ b/config.py 
@@ -21,13 +21,13 @@ def load_file(self, filepath): self._config = toml.load(filepath) self.access_token = self._config['auth']['access_token'] - if self.access_token == 'env': + if self.access_token == 'env' or environ.get('GITHUB_WATCHER_TOKEN') != '': self.access_token = environ.get('GITHUB_WATCHER_TOKEN') self.webhook = self._config['webhook'] - if self.webhook['secret'] == 'env': + if self.webhook['secret'] == 'env' or environ.get('GITHUB_WEBHOOK_SECRET') != '': self.webhook['secret'] = environ.get('GITHUB_WEBHOOK_SECRET') - if self.webhook['host'] == 'env': + if self.webhook['host'] == 'env' or environ.get('GITHUB_WEBHOOK_HOST') != '': self.webhook['host'] = environ.get('GITHUB_WEBHOOK_HOST') for detector in self._config['detectors']: diff --git a/config.toml b/config.toml index 7d9f267..a9fc178 100644 --- a/config.toml +++ b/config.toml @@ -5,7 +5,7 @@ detectors = [ ] [auth] -access_token='env' +access_token='' [monitors] organizations = [] diff --git a/notifiers/slack.py b/notifiers/slack.py index 76fe5b3..236475e 100644 --- a/notifiers/slack.py +++ b/notifiers/slack.py @@ -13,7 +13,7 @@ def __init__(self, config): self._webhook_url = config['webhook_url'] - if self._webhook_url == 'env': + if self._webhook_url == 'env' or environ.get('SLACK_WEBHOOK_URL') != '': self._webhook_url = environ.get('SLACK_WEBHOOK_URL') def process(self, findings, detector_name): From 017b3f4379c8d70af60ce36da1dfcb2f817eaf09 Mon Sep 17 00:00:00 2001 
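Review bot: `environ.get('GITHUB_WATCHER_TOKEN') != ''` is True when the variable is unset, because `get` returns None rather than '', so each of the three new conditions in the config.py hunk takes the environment branch whenever the variable is absent and overwrites a value that was set in config.toml with None; the notifiers/slack.py hunk in this patch has the same inverted test for `SLACK_WEBHOOK_URL`. The "leave it blank" behaviour described in the README hunk is a test on the configured value, not on the environment, e.g. `if self.access_token in ('env', ''): self.access_token = environ.get('GITHUB_WATCHER_TOKEN')`, with the same form for `secret` and `host`. load_file starts outside the hunk.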
From: ytcracker Date: Wed, 9 Nov 2022 17:08:17 -0700 Subject: [PATCH 5/5] update inline token syntax MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://github.blog/2012-09-21-easier-builds-and-deployments-using-git-over-https-and-oauth/ ``` If you’re cloning inside a script and need to avoid the prompts, you can add the token to the clone URL: git clone https://@github.com/owner/repo.git or git clone https://:x-oauth-basic@github.com/owner/repo.git ``` --- processor.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/processor.py b/processor.py index 068d9c6..41fdca9 100644 --- a/processor.py +++ b/processor.py @@ -35,7 +35,7 @@ def _clone_and_establish_baseline(self, event): logging.info( 'Cloning repository {} into {}'. format(repo_full_name, repo_dir.name)) - repo_url_with_token = repo_url.replace("https://", "https://git:" + re.sub('[^0-9a-zA-Z]+', '', Config.access_token) + "@") + repo_url_with_token = repo_url.replace("https://", "https://" + re.sub('[^0-9a-zA-Z]+', '', Config.access_token) + "@") subprocess.run(["git", "clone", repo_url_with_token, repo_dir.name], stdout=subprocess.PIPE, stderr=subprocess.PIPE) self.repo_cache[repo_url] = repo_dir # we haven't cloned this repository yet, so we don't have a baseline
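Review bot: The `subprocess.run` on the line after the changed one still ignores git's exit status, so a clone that fails (for instance because the rewritten URL was rejected) leaves an empty `repo_dir` that the next line caches in `self.repo_cache[repo_url]` as an established baseline. Capture the result, `result = subprocess.run([...], stdout=subprocess.PIPE, stderr=subprocess.PIPE)` followed by `if result.returncode != 0: raise RuntimeError('git clone of {} failed'.format(repo_full_name))`, and avoid `check=True` here since its CalledProcessError message embeds the full argv, which now contains the token. `repo_url.replace('https://', ...)` is also a silent no-op for any non-https `repo_url`, in which case the clone runs unauthenticated without any indication. _clone_and_establish_baseline starts and ends outside the hunk.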