forked from mirrors/kingfisher
231 lines
8.5 KiB
YAML
231 lines
8.5 KiB
YAML
rules:
|
|
- name: Google Client ID
|
|
id: kingfisher.google.1
|
|
pattern: '(?i)\b([0-9]+-[a-z0-9_]{32})\.apps\.googleusercontent\.com'
|
|
min_entropy: 3.3
|
|
confidence: medium
|
|
visible: false
|
|
examples:
|
|
- " 'clientID' : '231545488769-4d1mcev9vifvlncrern52id2pqqf5u5l.apps.googleusercontent.com',"
|
|
- " //$google_client_id = '244082345999-o6m8f1pmb1e76tjfj9v7b96j31e53ps5.apps.googleusercontent.com';"
|
|
- " GOOGLE_OAUTH2_CLIENT_ID = '607830223128-4qgthc7ofdqce232dk690t5jgkm1ce33.apps.googleusercontent.com'"
|
|
- ' $cordovaOauth.google("653512027492-5u9blotr1521fa0lo1172nhv4pmqgttq.apps.googleusercontent.com", ["email"]).then(function(result) {'
|
|
|
|
- name: Google OAuth Client Secret
|
|
id: kingfisher.google.2
|
|
pattern: |
|
|
(?xi)
|
|
(GOCSPX-[A-Z0-9_-]{28})
|
|
(?:[^A-Z0-9_-] | $)
|
|
pattern_requirements:
|
|
min_digits: 2
|
|
min_entropy: 3.3
|
|
confidence: medium
|
|
examples:
|
|
- 'const CLIENTSECRET = "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"'
|
|
depends_on_rule:
|
|
- rule_id: "kingfisher.google.1"
|
|
variable: GOOGLE_CLIENT_ID
|
|
validation:
|
|
type: Http
|
|
content:
|
|
request:
|
|
method: POST
|
|
url: https://oauth2.googleapis.com/token
|
|
headers:
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Accept: application/json
|
|
body: >
|
|
code=invalid_code&client_id={{ GOOGLE_CLIENT_ID | url_encode }}&client_secret={{ TOKEN | url_encode }}&redirect_uri={{ "https://example.com/oauth/callback" | url_encode }}&grant_type=authorization_code
|
|
response_matcher:
|
|
- report_response: true
|
|
- type: StatusMatch
|
|
status: [400]
|
|
- type: WordMatch
|
|
match_all_words: false
|
|
words:
|
|
- invalid_grant
|
|
- Malformed auth code
|
|
- Bad Request
|
|
# Only mark as active when Google acknowledges the credentials
|
|
# and rejects the (intentionally invalid) authorization code.
|
|
- type: WordMatch
|
|
words:
|
|
- invalid_client
|
|
- unauthorized_client
|
|
- unsupported_grant_type
|
|
- invalid_request
|
|
negative: true
|
|
# Revocation not added: Google's OAuth revocation endpoint revokes tokens,
|
|
# not client secrets.
|
|
references:
|
|
- https://developers.google.com/identity/protocols/oauth2/web-server
|
|
|
|
- name: Google OAuth Client Secret
|
|
id: kingfisher.google.3
|
|
pattern: (?i)(?:client[_\-. ]?secret)(?:.|[\n\r]){0,20}?[=:][ \t]*['"]?([A-Z0-9_-]{24})['"]?(?:[^A-Z0-9_-]|$)
|
|
pattern_requirements:
|
|
min_digits: 1
|
|
min_uppercase: 3
|
|
min_lowercase: 3
|
|
min_entropy: 3.3
|
|
confidence: medium
|
|
examples:
|
|
- " //$google_client_secret = 'fnhqAakzWrX-mtFQ4PRdMoy0';"
|
|
- " 'clientSecret' : 'Ufvuj-d6alhwGKvvLh_8Nq0K'"
|
|
depends_on_rule:
|
|
- rule_id: "kingfisher.google.1"
|
|
variable: GOOGLE_CLIENT_ID
|
|
validation:
|
|
type: Http
|
|
content:
|
|
request:
|
|
method: POST
|
|
url: https://oauth2.googleapis.com/token
|
|
headers:
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Accept: application/json
|
|
body: >
|
|
code=invalid_code&client_id={{ GOOGLE_CLIENT_ID | url_encode }}&client_secret={{ TOKEN | url_encode }}&redirect_uri={{ "https://example.com/oauth/callback" | url_encode }}&grant_type=authorization_code
|
|
response_matcher:
|
|
- report_response: true
|
|
- type: StatusMatch
|
|
status: [400]
|
|
- type: WordMatch
|
|
match_all_words: false
|
|
words:
|
|
- invalid_grant
|
|
- Malformed auth code
|
|
- Bad Request
|
|
# Only mark as active when Google acknowledges the credentials
|
|
# and rejects the (intentionally invalid) authorization code.
|
|
- type: WordMatch
|
|
words:
|
|
- invalid_client
|
|
- unauthorized_client
|
|
- unsupported_grant_type
|
|
- invalid_request
|
|
negative: true
|
|
# Revocation not added: Google's OAuth revocation endpoint revokes tokens,
|
|
# not client secrets.
|
|
references:
|
|
- https://developers.google.com/identity/protocols/oauth2/web-server
|
|
|
|
- name: Google OAuth Access Token
|
|
id: kingfisher.google.4
|
|
pattern: |
|
|
(?xi)
|
|
(ya29\.[0-9A-Z_-]{20,1024})
|
|
(?: [^0-9A-Z_-])
|
|
pattern_requirements:
|
|
min_digits: 2
|
|
min_entropy: 3.3
|
|
confidence: medium
|
|
examples:
|
|
- |
|
|
const setupCredentials = () => {
|
|
const { encryptedData, iv } = encrypt({
|
|
expiry_date: 1642441058842,
|
|
access_token:
|
|
'ya29.A0ARrdaM--PV_87ebjywDJpXKb77NBFJl16meVUapYdfNv6W6ZzCu947fNaPaRjbDbOIIcp6f49cMaX5ndK9TAFnKwlVqz3nrK9nLKqgyDIhYsIq47smcAIZkK56SWPx3X3DwAFqRu2UPojpd2upWwo-3uJrod',
|
|
// This token is linked to a test Google account (typebot.test.user@gmail.com)
|
|
refresh_token:
|
|
'1//039xWRt8YaYa3CgYIARAAGAMSNwF-L9Iru9FyuTrDSa7lkSceggPho83kJt2J29Ga91EhT1C6XV1vmo6bQS9puL_R2t8FIwR3gek',
|
|
})
|
|
- |
|
|
-- Clear login if it's a new connection.
|
|
--propertyTable.access_token = 'ya29.Ci_UA7aEsvT6-oVI8f96kvB6i8oO13WgdZUviLaCVtpEPYZqhQcQycR-u2X9xtmYGA'
|
|
validation:
|
|
type: Http
|
|
content:
|
|
request:
|
|
method: GET
|
|
url: https://www.googleapis.com/oauth2/v3/tokeninfo?access_token={{ TOKEN | url_encode }}
|
|
headers:
|
|
Accept: application/json
|
|
response_matcher:
|
|
- report_response: true
|
|
- type: StatusMatch
|
|
status: [200]
|
|
- type: JsonValid
|
|
- type: WordMatch
|
|
match_all_words: true
|
|
words:
|
|
- '"aud"'
|
|
- '"expires_in"'
|
|
revocation:
|
|
type: Http
|
|
content:
|
|
request:
|
|
method: POST
|
|
url: https://oauth2.googleapis.com/revoke
|
|
headers:
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Accept: application/json
|
|
body: token={{ TOKEN | url_encode }}
|
|
response_matcher:
|
|
- report_response: true
|
|
- type: StatusMatch
|
|
status: [200]
|
|
references:
|
|
- https://developers.google.com/identity/openid-connect/openid-connect
|
|
- https://developers.google.com/data-portability/user-guide/quickstart
|
|
- https://developers.google.com/identity/protocols/oauth2/web-server
|
|
|
|
- name: Google OAuth Credentials
|
|
id: kingfisher.google.6
|
|
pattern: (?is)([0-9]+-[a-z0-9_]{32}\.apps\.googleusercontent\.com)(?:.|[\n\r]){0,120}?(?:GOCSPX-[A-Z0-9_-]{28}|(?:client[_\-. ]?secret)(?:.|[\n\r]){0,20}?[=:][ \t]*['"]?([A-Z0-9_-]{24})['"]?)(?:[^A-Z0-9_-]|$)
|
|
pattern_requirements:
|
|
min_digits: 2
|
|
min_entropy: 3.3
|
|
confidence: medium
|
|
examples:
|
|
- |
|
|
const CLIENT_ID = '204945162815-59422evifqzluuklf_09qff9pk6ehd4r.apps.googleusercontent.com';
|
|
const CLIENT_SECRET = 'P5C9REQW_6NT5NMQO8FP75VO';
|
|
- |
|
|
public static GAPIS_CREDENTIALS = {
|
|
// 1. Generate credentials: https://console.cloud.google.com/apis/
|
|
// 2. Create OAuth page and set spreadsheets and drive.metadata.readonly scopes
|
|
client_id: '024565785402-92sn01z4gfwbv4zfu79ttqg2j7uphacz.apps.googleusercontent.com',
|
|
client_secret: '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',
|
|
redirect_uri: `http://localhost:${Config.OAUTH_HTTP_PORT}/oauth2callback`
|
|
};
|
|
- name: Google Gemini API Key
|
|
id: kingfisher.google.7
|
|
pattern: |
|
|
(?xi)
|
|
\b
|
|
(
|
|
AIzaSy
|
|
[A-Za-z0-9_-]{33}
|
|
)
|
|
pattern_requirements:
|
|
min_digits: 2
|
|
min_uppercase: 1
|
|
min_lowercase: 1
|
|
min_entropy: 3.5
|
|
confidence: medium
|
|
examples:
|
|
- AIzaSyByz6BGQf8QtcQLml8spbyy8x5_327PTow
|
|
- AIzaSyDhISgbccTi6mfp2GOSmTtqdU__IdevJes
|
|
- AIzaSyA_uW1h2CF4ak3vHr7si_RFD_yWxM4tMAM
|
|
references:
|
|
- https://ai.google.dev/docs/gemini_api_overview
|
|
validation:
|
|
type: Http
|
|
content:
|
|
request:
|
|
method: GET
|
|
url: https://generativelanguage.googleapis.com/v1/models
|
|
headers:
|
|
X-goog-api-key: '{{ TOKEN }}'
|
|
response_matcher:
|
|
- report_response: true
|
|
- type: StatusMatch
|
|
status: [200]
|
|
- type: WordMatch
|
|
match_all_words: true
|
|
words:
|
|
- '"models"'
|
|
- '"name"'
|