Giter VIP home page Giter VIP logo

Comments (3)

chtzvt avatar chtzvt commented on May 25, 2024

The following modifications to internal/clients/github/client.go cause Legitify to accept fine-grained PATs:

var githubTokenPattern = regexp.MustCompile("^ghp_[a-zA-Z0-9]{36}$|^github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}$")

func (c *Client) validateToken(token string) error {
	if token == "" {
		return fmt.Errorf("missing token")
	} else if !githubTokenPattern.MatchString(token) {
		return fmt.Errorf("GitHub token seems invalid (expected pattern: '%v')", githubTokenPattern)
	}

	return nil
}

Analysis runs fine until we hit a panic on github.com/Legit-Labs/legitify/cmd/progressbar.(*progressBar).handleTimedBarCreation with the message, panic: *mpb.Progress instance can't be reused after it's done!.

 ___      _______  _______  ___   _______  ___   _______  __   __
|   |    |       ||       ||   | |       ||   | |       ||  | |  |
|   |    |    ___||    ___||   | |_     _||   | |    ___||  |_|  |
|   |    |   |___ |   | __ |   |   |   |  |   | |   |___ |       |
|   |___ |    ___||   ||  ||   |   |   |  |   | |    ___||_     _|
|       ||   |___ |   |_| ||   |   |   |  |   | |   |      |   |
|_______||_______||_______||___|   |___|  |___| |___|      |___|
By Legit Security

Using Github Cloud
Note: to get the OpenSSF scorecard results for the organization repositories use the --scorecard option

metadata         6 / 6 [==============================================================] 100 %
organization     1 / 1 [==============================================================] 100 %
actions          0 / 1 [--------------------------------------------------------------] 0 %
repository   121 / 121 [==============================================================] 100 %
panic: *mpb.Progress instance can't be reused after it's done!

goroutine 30 [running]:
github.com/vbauerster/mpb/v8.(*Progress).AddFiller(0x140000ac730, 0x3b, {0x1055bcf60?, 0x1400039eea0?}, {0x140002328e8, 0x1, 0x1})
        /Users/charlton/.go/pkg/mod/github.com/vbauerster/mpb/[email protected]/progress.go:154 +0x1dc
github.com/vbauerster/mpb/v8.(*Progress).New(0x8?, 0x1400007a900?, {0x12def8008?, 0x14000199000?}, {0x140002328e8, 0x1, 0x1})
        /Users/charlton/.go/pkg/mod/github.com/vbauerster/mpb/[email protected]/progress.go:125 +0x60
github.com/vbauerster/mpb/v8.(*Progress).AddBar(0x14000bd04e0?, 0x104fa3661?, {0x140002328e8, 0x1, 0x1})
        /Users/charlton/.go/pkg/mod/github.com/vbauerster/mpb/[email protected]/progress.go:115 +0x118
github.com/Legit-Labs/legitify/cmd/progressbar.(*progressBar).handleTimedBarCreation(0x140000bb7d0, {{0x104fb5d5a, 0x14}, {0xc10ccd44d4e6bd10, 0x1f0ecb3cae, 0x105f85a40}})
        /Users/charlton/Developer/legitify/cmd/progressbar/progressbar.go:190 +0x36c
github.com/Legit-Labs/legitify/cmd/progressbar.(*progressBar).Run.func1()
        /Users/charlton/Developer/legitify/cmd/progressbar/progressbar.go:86 +0x1d8
created by github.com/Legit-Labs/legitify/cmd/progressbar.(*progressBar).Run
        /Users/charlton/Developer/legitify/cmd/progressbar/progressbar.go:72 +0x94
exit status 2

from legitify.

chtzvt avatar chtzvt commented on May 25, 2024

Note that the above results occur for an organization-scoped PAT that is still pending approval. Even so, it shouldn't cause a panic.

I am still waiting on approval for my test PAT, and will update this issue with those results.

Update: Even with an active approved PAT and patching handleTimedBarCreation to avoid the panic, it looks like there are some underlying issues authenticating requests to the API.

Legitify's error log states that certain permission scopes (such as repo and read:repo_hook) are missing, despite these being present on the active issued token.

Skipping policy: missing_default_branch_protection_deletion, missing scope: repo
Skipping policy: missing_default_branch_protection_force_push, missing scope: repo
Skipping policy: non_linear_history, missing scope: repo
Skipping policy: repository_has_too_many_admins, missing scope: read:org
Skipping policy: repository_webhook_doesnt_require_ssl, missing scope: read:repo_hook
Skipping policy: repository_webhook_no_secret, missing scope: read:repo_hook
Skipping policy: requires_status_checks, missing scope: repo
Skipping policy: code_review_by_two_members_not_required, missing scope: repo
Skipping policy: no_conversation_resolution, missing scope: repo
Skipping policy: no_signed_commits, missing scope: repo
Skipping policy: review_dismissal_allowed, missing scope: repo
Skipping policy: scorecard_score_too_low, missing prerequisite: scorecard_enabled
Skipping policy: code_review_not_limited_to_code_owners, missing scope: repo
Skipping policy: dismisses_stale_reviews, missing scope: repo
Skipping policy: pushes_are_not_restricted, missing scope: repo
Skipping policy: repository_not_maintained, missing scope: repo
Skipping policy: requires_branches_up_to_date_before_merge, missing scope: repo
Skipping policy: token_default_permissions_is_read_write, missing scope: admin:org
Skipping policy: actions_can_approve_pull_requests, missing scope: admin:org
Skipping policy: code_review_not_required, missing scope: repo
Skipping policy: forking_allowed_for_repository, missing scope: read:org
Skipping policy: ghas_dependency_review_not_enabled, missing scope: repo
Skipping policy: missing_default_branch_protection, missing scope: repo

Token Permissions

Organization Permissions

  • Read access to custom repository roles, members, organization actions variables, organization administration, organization announcement banners, organization codespaces, organization codespaces secrets, organization codespaces settings, organization dependabot secrets, organization events, organization hooks, organization plan, organization projects, organization secrets, organization self hosted runners, organization user blocking, and team discussions

Repository Permissions

  • Read access to Dependabot alerts, actions, actions variables, administration, code, codespaces, codespaces lifecycle admin, codespaces metadata, commit statuses, dependabot secrets, deployments, discussions, environments, issues, merge queues, metadata, pages, pull requests, repository advisories, repository hooks, secret scanning alerts, secrets, and security events

The token has access to all repositories owned by the organization.

Update: Looks like the issue is related to the fact that the X-OAuth-Scopes/X-Accepted-OAuth-Scopes headers returned when using classic PATs, but it doesn't look like they're returned with fine-grained ones in my testing (and thus, Legitify can't map out the scopes). I'm looking into available methods to introspect a fine-grained PAT permissions.

Update: Inquired about this with GitHub.

Q

Hey folks! Is there an easy way to retrieve OAuth scopes from the GraphQL API when using fine-grained PATs?
I'm familiar with the X-OAuth-Scopes/X-Accepted-OAuth-Scopes headers returned when using classic PATs, but it doesn't look like they're returned with fine-grained ones in my testing. Is there another method I could use to introspect the token's permissions?

A

Unfortunately not at this time [...] Right now you'll need to be an org admin and call the APIs to review token permissions. The missing link currently is that if you just have a raw token, you can't see what it does using the API as you won't know the ID of the token.

from legitify.

noamd-legit avatar noamd-legit commented on May 25, 2024

Hi @chtzvt, Thanks for doing this research!

Since fine-grained tokens don't support the headers you mentioned and non-repository API's It's not trivial to support them now.
A solution you can try is to support them only for the repository namespace and turn off scope checks (skippers.go).

We'll support fine-grained tokens when they are more mature.

I am closing the issue for now

from legitify.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.