performance improvements and rule improvements

2026-04-17 16:03:43 -07:00 · 2026-04-17 16:03:43 -07:00 · f17fa2a5fb
commit f17fa2a5fb
parent 74cad26aed
2 changed files with 57 additions and 7 deletions
--- a/crates/kingfisher-rules/data/rules/calcom.yml
+++ b/crates/kingfisher-rules/data/rules/calcom.yml
@ -5,7 +5,7 @@ rules:
      (?x)
      \b
      (
-        cal(?:_live)?_[A-Za-z0-9]{24,44}
+        cal(?:_live)?_[A-Za-z0-9]{32}
      )
      \b
    pattern_requirements:
@ -13,8 +13,7 @@ rules:
    min_entropy: 3.0
    confidence: medium
    examples:
-      - 'CAL_API_KEY=cal_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6'
-      - 'CAL_API_KEY=cal_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6'
+      - 'CAL_API_KEY=cal_live_f1ec52a0b268e00fe30b63e96115c8df'
      - 'Authorization: Bearer cal_live_xK8m2LpQr5nW0vYz3cJ7aB4dE6fG8h'
    references:
      - https://cal.com/docs/api-reference/v2/introduction
--- a/crates/kingfisher-rules/data/rules/canva.yml
+++ b/crates/kingfisher-rules/data/rules/canva.yml
@ -1,11 +1,38 @@
 rules:
+  - name: Canva Connect API Client ID
+    id: kingfisher.canva.2
+    pattern: |
+      (?xi)
+      \b
+      (?:canva|CANVA_CLIENT_ID)
+      (?:.|[\n\r]){0,32}?
+      (?:client[_\s-]*id|app[_\s-]*id)
+      (?:.|[\n\r]){0,16}?
+      \b
+      (
+        OC-[A-Za-z0-9_-]{8,32}
+      )
+      \b
+    pattern_requirements:
+      min_digits: 1
+      min_uppercase: 2
+      min_lowercase: 2
+    min_entropy: 2.5
+    confidence: medium
+    visible: false
+    examples:
+      - 'canva client id: OC-AZ2dqZiY_lec'
+      - 'CANVA_CLIENT_ID=OC-FAB12-AbCdEf'
+    references:
+      - https://www.canva.dev/docs/connect/authentication/
+
  - name: Canva Connect API Client Secret
    id: kingfisher.canva.1
    pattern: |
      (?x)
      \b
      (
-        cnvca[a-zA-Z0-9_-]{20,80}
+        cnvca[a-zA-Z0-9_-]{51}
      )
      \b
    pattern_requirements:
@ -14,10 +41,34 @@ rules:
    confidence: medium
    categories: [api, key]
    examples:
-      - 'CANVA_CLIENT_SECRET=cnvcaAbCdEfGhIjKlMnOpQrStUvWxYz123456'
+      - 'CANVA_CLIENT_SECRET=cnvcav3RRFkl36rsXClN3-Dsygjl_oGT1-xMhXV70oxnGi6s811bfada'
+    depends_on_rule:
+      - rule_id: kingfisher.canva.2
+        variable: CLIENT_ID
    references:
      - https://www.canva.dev/docs/connect/authentication/
+      - https://www.canva.dev/docs/connect/api-reference/authentication/generate-access-token/
      - https://www.canva.dev/docs/connect/guidelines/security/
-    # No standalone validation is added: Canva Connect client secrets are used
-    # in OAuth flows that require the matching client_id and PKCE flow state.
+    validation:
+      type: Http
+      content:
+        request:
+          method: POST
+          url: https://api.canva.com/rest/v1/oauth/token
+          headers:
+            Content-Type: application/x-www-form-urlencoded
+            Accept: application/json
+          body: "grant_type=authorization_code&client_id={{ CLIENT_ID | url_encode }}&client_secret={{ TOKEN | url_encode }}&code_verifier=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~abcdefgh&code=invalid"
+          response_matcher:
+            - report_response: true
+            - type: StatusMatch
+              status: [400]
+            - type: JsonValid
+            - type: WordMatch
+              words:
+                - '"invalid_grant"'
+            - type: WordMatch
+              words:
+                - '"invalid_client"'
+              negative: true
    # No programmatic client-secret revocation endpoint is documented.