forked from mirrors/kingfisher
50 lines
1.5 KiB
YAML
50 lines
1.5 KiB
YAML
rules:
|
|
- name: Gitea Access Token
|
|
id: kingfisher.gitea.1
|
|
pattern: |
|
|
(?xi)
|
|
\b
|
|
(?:gitea)
|
|
(?:.|[\n\r]){0,16}?
|
|
(?:token|key|secret|pat|access[_-]?token|api[_-]?key)\b
|
|
(?:.|[\n\r]){0,32}?
|
|
\b
|
|
(
|
|
[a-f0-9]{40}
|
|
)
|
|
\b
|
|
pattern_requirements:
|
|
min_digits: 4
|
|
min_entropy: 3.0
|
|
confidence: medium
|
|
examples:
|
|
- GITEA_TOKEN=5aab40e433037523cc70af7d3894a0fa8b4338b0
|
|
- "gitea_access_token: 4c1cc89e363477a554b0eb629d3bc50bc810dfa2"
|
|
- GITEA_KEY=def2fac70d12fd8ec8046ce554577298dbd99414
|
|
- |
|
|
[gitea]
|
|
token = 8b40bcd90946073dfa9df0f0cb999b21da6a372d
|
|
references:
|
|
- https://docs.gitea.com/development/api-usage
|
|
# NOTE: Gitea's token management API (/api/v1/user/tokens) requires
|
|
# Basic Auth (username/password). Self-revocation using only the token
|
|
# is not supported by the Gitea API.
|
|
validation:
|
|
type: Http
|
|
content:
|
|
request:
|
|
method: GET
|
|
url: https://gitea.com/api/v1/user
|
|
headers:
|
|
Authorization: token {{ TOKEN }}
|
|
Accept: application/json
|
|
response_matcher:
|
|
- report_response: true
|
|
# 200 = token has read:user scope; 403 = valid token with limited scopes
|
|
# (Gitea returns 401 for truly invalid/expired tokens)
|
|
- type: StatusMatch
|
|
status: [200, 403]
|
|
- type: WordMatch
|
|
words:
|
|
- '"login"'
|
|
- 'token does not have'
|