kingfisher/crates/kingfisher-rules/data/rules/canva.yml

rules:
  - name: Canva Connect API Client ID
    id: kingfisher.canva.2
    pattern: |
      (?x)
      \b
      (?i:canva|CANVA_CLIENT_ID)
      (?:.|[\n\r]){0,32}?
      (?i:client[_\s-]*id|app[_\s-]*id)
      (?:.|[\n\r]){0,16}?
      \b
      (
        OC-[A-Za-z0-9_-]{8,16}
      )
      \b
    pattern_requirements:
      min_digits: 1
      min_uppercase: 2
      min_lowercase: 2
    min_entropy: 2.5
    confidence: medium
    visible: false
    examples:
      - 'canva client id: OC-AZ2dqZiY_lec'
      - 'CANVA_CLIENT_ID=OC-FAB12-AbCdEf'
    references:
      - https://www.canva.dev/docs/connect/authentication/

  - name: Canva Connect API Client Secret
    id: kingfisher.canva.1
    pattern: |
      (?x)
      \b
      (
        cnvca[a-zA-Z0-9_-]{51}
      )
      \b
    pattern_requirements:
      min_digits: 2
    min_entropy: 3.5
    confidence: medium
    categories: [api, key]
    examples:
      - 'CANVA_CLIENT_SECRET=cnvcav3RRFkl36rsXClN3-Dsygjl_oGT1-xMhXV70oxnGi6s811bfada'
    depends_on_rule:
      - rule_id: kingfisher.canva.2
        variable: CLIENT_ID
    references:
      - https://www.canva.dev/docs/connect/authentication/
      - https://www.canva.dev/docs/connect/api-reference/authentication/generate-access-token/
      - https://www.canva.dev/docs/connect/guidelines/security/
    validation:
      type: Http
      content:
        request:
          method: POST
          url: https://api.canva.com/rest/v1/oauth/token
          headers:
            Content-Type: application/x-www-form-urlencoded
            Accept: application/json
          body: "grant_type=authorization_code&client_id={{ CLIENT_ID | url_encode }}&client_secret={{ TOKEN | url_encode }}&code_verifier=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~abcdefgh&code=invalid"
          response_matcher:
            - report_response: true
            - type: StatusMatch
              status: [400]
            - type: JsonValid
            - type: WordMatch
              words:
                - '"invalid_grant"'
            - type: WordMatch
              words:
                - '"invalid_client"'
              negative: true
    # No programmatic client-secret revocation endpoint is documented.