Update the GitHub Action that generates the Docker image; add rules for Diffbot, ai21 and baseten; fix the supabase rule; add 'alg' to the JWT validation output

This commit is contained in:
Mick Grove 2025-07-18 15:26:18 -07:00
commit 8b2c79e70f
8 changed files with 140 additions and 8 deletions


@ -1,8 +1,8 @@
# .github/workflows/release-docker.yml
name: Publish Docker image
on:
push:
tags: ["v*.*.*"] # every semantic-version tag
release:
types: [published]
permissions:
contents: read
packages: write
@ -18,7 +18,13 @@ jobs:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Prepare release tag
id: tag
run: |
TAG=${RELEASE_TAG#v}
echo "tag=$TAG" >>"$GITHUB_OUTPUT"
env:
RELEASE_TAG: ${{ github.event.release.tag_name }}
- uses: docker/build-push-action@v5
with:
context: .
@ -27,4 +33,4 @@ jobs:
push: true
tags: |
ghcr.io/mongodb/kingfisher:latest
ghcr.io/mongodb/kingfisher:${{ github.ref_name }}
ghcr.io/mongodb/kingfisher:${{ steps.tag.outputs.tag }}
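Review bot: The new `Prepare release tag` step reads `github.event.release.tag_name`, which is empty for the `push` trigger on `v*.*.*` tags declared at the top of this workflow, so a plain tag push yields `TAG=` and an image tag of `ghcr.io/mongodb/kingfisher:` — and the `${{ github.ref_name }}` tag that previously covered that path is removed in the same hunk. Fall back to the ref when there is no release payload: `RELEASE_TAG: ${{ github.event.release.tag_name || github.ref_name }}`. Passing the value via `env` instead of interpolating `${{ }}` into `run:` is the right shape and should stay. The first hunk shows no visible change in this view, so it was not reviewed.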


@ -2,6 +2,11 @@
All notable changes to this project will be documented in this file.
## [1.23.0]
- Updating GitHub Action to generate Docker image
- Added rules for Diffbot, ai21, baseten
- Fixed supabase rule
## [1.22.0]
- Added rules for Google Gemini AI, Cohere, Stability.ai, Replicate, Runway, Clarifai
- Upgraded dependencies


@ -10,7 +10,7 @@ publish = false
[package]
name = "kingfisher"
version = "1.22.0"
version = "1.23.0"
edition.workspace = true
rust-version.workspace = true
license.workspace = true

44
data/rules/ai21.yml Normal file

@ -0,0 +1,44 @@
rules:
- name: AI21 Studio API Key
id: kingfisher.ai21studio.1
pattern: |
(?xi)
\b
ai21
(?:.|[\n\r]){0,32}?
\b
(
[0-9a-f]{8}
-
[0-9a-f]{4}
-
[0-9a-f]{4}
-
[0-9a-f]{4}
-
[0-9a-f]{12}
)
\b
min_entropy: 3.2
confidence: medium
examples:
- ai21 = 90cd6930-a9ae-4f15-8da0-dc1bbcd814b9
- 'ai21_key: befa7ec1-1129-4713-8e92-bb53d1a4f632'
- ai21_token = ec2e14e9-0309-459b-ba76-1e59e1f42b87
references:
- https://docs.ai21.com/reference/authentication
- https://docs.ai21.com/reference/manage-library-ref/list-library-files
validation:
type: Http
content:
request:
method: GET
url: https://api.ai21.com/studio/v1/library/files
headers:
Authorization: Bearer {{ TOKEN }}
Accept: application/json
response_matcher:
- report_response: true
- type: StatusMatch
status: [200]
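Review bot: The ai21 validator accepts any HTTP 200 from `/studio/v1/library/files`, while the baseten and diffbot rules added in the same commit also require `JsonValid` and a `WordMatch`; a 200 with a non-JSON body from an intercepting proxy or captive portal would be reported as a live key here. Add `- type: JsonValid` under `response_matcher` for consistency, and a `WordMatch` on a field the documented list-files response always carries if one is known. Whether the endpoint returns 200 with an empty list for a key that owns no library files is not visible here and is worth confirming, since the rule has no other signal.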

42
data/rules/baseten.yml Normal file

@ -0,0 +1,42 @@
rules:
- name: Baseten API Key
id: kingfisher.baseten.1
pattern: |
(?x)
\b
(
[A-Za-z0-9]{8}
\.
[A-Za-z0-9]{32}
)
\b
min_entropy: 3.4
confidence: medium
examples:
- WSsDXzCD.uOcxAp7k82IvCKyY36TnpVbP4ZszP1qw
- crXCQC3W.CgCGGY1b9IfJan5TppW0Z07C9oMN2DmR
- h2wFkhFC.3WFVwVcxGFr4Qup0gyhvIuONwQxEpL0A
- XqbIpj04.x73j1zLUOEgGIKROqVbxsmggPdL8JvAY
references:
- https://docs.baseten.co/examples/vllm
- https://docs.baseten.co/reference/management-api/api-keys/lists-the-users-api-keys
- https://docs.baseten.co/reference/training-api/overview#authentication
- https://docs.baseten.co/reference/management-api/api-keys/creates-an-api-key
validation:
type: Http
content:
request:
method: GET
url: https://api.baseten.co/v1/api_keys
headers:
Authorization: Api-Key {{ TOKEN }}
response_matcher:
- report_response: true
- type: StatusMatch
status: [200]
- type: JsonValid
- type: WordMatch
match_all_words: true
words:
- '"name"'
- '"type"'
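Review bot: Unlike the ai21 and diffbot rules in this commit, the baseten `pattern:` is not anchored to a keyword: any `8.32` alphanumeric token with entropy at or above 3.4 is a candidate, so unrelated strings (content hashes, other vendors' tokens) become validation requests carrying that value in the `Api-Key` header to `api.baseten.co`. If Baseten keys usually sit near a `baseten` identifier, add the same `baseten(?:.|[\n\r]){0,32}?` context prefix the sibling rules use; if the format alone must carry the rule, record that trade-off in a comment next to `pattern:` so the extra validation traffic is a known cost rather than a surprise. `confidence: medium` seems appropriate for an unanchored shape.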

35
data/rules/diffbot.yml Normal file

@ -0,0 +1,35 @@
rules:
- name: Diffbot API Key
id: kingfisher.diffbot.1
pattern: |
(?xi)
\b
diffbot
(?:.|[\n\r]){0,32}?
\b
(
[0-9a-z]{32}
)
\b
min_entropy: 3.0
examples:
- diffbot_key = a7424adbafc4624e61482d0f60e43016
references:
- https://docs.diffbot.com/reference/account
validation:
type: Http
content:
request:
method: GET
url: >-
https://api.diffbot.com/v4/account?token={{ TOKEN }}
response_matcher:
- report_response: true
- type: StatusMatch
status: [200]
- type: JsonValid
- type: WordMatch
match_all_words: true
words:
- '"name"'
- '"email"'
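Review bot: The diffbot rule omits `confidence:` while ai21 and baseten in the same commit set `confidence: medium`; if the loader defaults it, that should be deliberate rather than an omission — add `confidence: medium` after `min_entropy: 3.0` for consistency. The validator also puts the key in the query string (`?token={{ TOKEN }}`), which tends to end up in proxy and server access logs; if the account endpoint accepts the token in a header per the linked reference, prefer that, otherwise a short comment noting that the endpoint requires a query parameter would help the next reader. Under `(?i)` the class `[0-9a-z]{32}` also admits uppercase, which is fine if Diffbot tokens are hex but worth knowing.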


@ -4,9 +4,8 @@ rules:
pattern: |
(?xi)
\b
sbp_
(
[a-z0-9_-]{40}
sbp_[a-z0-9_-]{40}
)
\b
min_entropy: 3.5
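Review bot: The capture now ends with `[a-z0-9_-]{40}` followed by `\b`; because `-` is not a word character, a key whose 40th character is `-` and which is followed by whitespace or end of line has no word boundary there and will not match (the class and trailing `\b` predate this commit, but the commit rewrites the line). If Supabase `sbp_` tokens can contain `-`, replace the trailing `\b` with an explicit delimiter check the engine supports, such as `(?![a-z0-9_-])` where lookahead is available; if the tokens are hex-only in practice, narrowing the class to `[a-f0-9]{40}` removes the issue and reduces false positives. The rule's `name` and `id` are above the hunk.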


@ -75,6 +75,7 @@ pub async fn validate_jwt(token: &str) -> Result<(bool, String)> {
if let Some(iss) = claims.iss.clone() {
// parse header now (kid, alg)
let header = decode_header(token).map_err(|e| anyhow!("decode header: {e}"))?;
let alg = header.alg;
// build discovery URL and fetch it (redirects disabled)
let config_url = format!("{}/.well-known/openid-configuration", iss.trim_end_matches('/'));
@ -161,7 +162,7 @@ pub async fn validate_jwt(token: &str) -> Result<(bool, String)> {
return Ok((
true,
format!("JWT valid (iss: {issuer}, aud: {:?})", extract_aud_strings(&claims)),
format!("JWT valid (alg: {:?}, iss: {issuer}, aud: {:?})", alg, extract_aud_strings(&claims)),
));
}
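Review bot: `alg` is taken from the unverified JWT header at `let alg = header.alg;` and then only echoed into the success string; the code that chooses the verification algorithm lies between the two hunks, outside this view, so it is not visible whether the allowed-algorithm set comes from the discovered JWK or from `header.alg`. A comment on the new line, `// alg is report-only; the verification algorithm set must come from the matched JWK, not from the unverified header`, would pin that contract, and if the `Validation` is currently seeded from `header.alg` it should be tightened to the key's declared algorithm. `{:?}` on `alg` prints the enum's Debug name, which is adequate for a report string. `validate_jwt` starts and ends outside both hunks.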