rules:
- name: LarkSuite Tenant Access Token
  id: kingfisher.lark.1
  # Extended-mode, case-insensitive regex: a "lark"/"larksuite" keyword, then a
  # credential keyword within 64 characters, then (within 32 characters) a
  # word-bounded "t-" token of 14-50 [A-Z0-9_.] characters, which is the capture.
  pattern: |
    (?xi)
    (?:lark|larksuite)
    (?:.|[\n\r]){0,64}?
    (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN|ACCESS_KEY)
    (?:.|[\n\r]){0,32}?
    \b
    (
    t-[A-Z0-9_.]{14,50}
    )
    \b
  min_entropy: 3.2
  confidence: medium
  examples:
    - 'larksuite_tenant_access_token="t-AbCdEfGhIjKlMnOpQrStUvWxYz_1234"'
  references:
    - 'https://open.larksuite.com/document/home/introduction-to-scope-and-authorization/access-credentials'
    - 'https://open.larksuite.com/document/uAjLw4CM/ukTMukTMukTM/reference/im-v1/chat/list'
    - 'https://open.larksuite.com/document/faq/trouble-shooting/how-to-fix-the-99991672-error'
    - 'https://open.larksuite.com/document/ukTMukTMukTM/ugjM14COyUjL4ITN'
  validation:
    type: Http
    content:
      request:
        method: GET
        # Read-only, page_size=1 listing call: enough to learn whether the API
        # accepts the bearer token without touching tenant data.
        url: 'https://open.larksuite.com/open-apis/im/v1/chats?page_size=1'
        headers:
          Accept: application/json
          Authorization: 'Bearer {{ TOKEN }}'
      response_matcher:
        - report_response: true
        # Both the success status and the 400 that carries a JSON error body
        # are accepted here; the WordMatch below decides between them.
        - type: StatusMatch
          status:
            - 200
            - 400
        - type: JsonValid
        # Treat the token as live when the body reports success (code 0) or
        # "No permission" (code 99991672): the latter means the API recognized
        # the token but it lacks the required scope. Any other error code
        # (e.g. an invalid/expired token) is not listed, so it is not a match.
        - type: WordMatch
          match_all_words: false
          words:
            - "\"code\":0"
            - "\"code\": 0"
            - "\"code\":99991672"
            - "\"code\": 99991672"
- name: LarkSuite User Access Token
  id: kingfisher.lark.2
  # Same shape as the tenant-token rule, but the capture is a word-bounded "u-"
  # token of 14-50 [A-Z0-9_.] characters, preceded by a "lark"/"larksuite"
  # keyword (<=64 chars before) and a credential keyword (<=32 chars before).
  pattern: |
    (?xi)
    (?:lark|larksuite)
    (?:.|[\n\r]){0,64}?
    (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN|ACCESS_KEY)
    (?:.|[\n\r]){0,32}?
    \b
    (
    u-[A-Z0-9_.]{14,50}
    )
    \b
  min_entropy: 3.2
  confidence: medium
  examples:
    - 'larksuite_user_access_token="u-ZyXwVuTsRqPoNmLkJiHgFeDcBa_5678"'
  references:
    - 'https://open.larksuite.com/document/home/introduction-to-scope-and-authorization/access-credentials'
    - 'https://open.larksuite.com/document/uAjLw4CM/ukTMukTMukTM/reference/im-v1/chat/list'
    - 'https://open.larksuite.com/document/faq/trouble-shooting/how-to-fix-the-99991672-error'
    - 'https://open.larksuite.com/document/ukTMukTMukTM/ugjM14COyUjL4ITN'
  validation:
    type: Http
    content:
      request:
        method: GET
        # Read-only listing call with page_size=1, used only to see whether the
        # bearer token is accepted.
        url: 'https://open.larksuite.com/open-apis/im/v1/chats?page_size=1'
        headers:
          Accept: application/json
          Authorization: 'Bearer {{ TOKEN }}'
      response_matcher:
        - report_response: true
        # 400 is accepted alongside 200 because the error body still carries
        # the JSON "code" field that the WordMatch below inspects.
        - type: StatusMatch
          status:
            - 200
            - 400
        - type: JsonValid
        # A user token counts as verified on success (code 0) or on
        # "No permission" (code 99991672), since the latter means the token was
        # recognized but is missing a scope. Invalid-token codes are not listed,
        # so they do not verify.
        - type: WordMatch
          match_all_words: false
          words:
            - "\"code\":0"
            - "\"code\": 0"
            - "\"code\":99991672"
            - "\"code\": 99991672"
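- name: LarkSuite App Access Token
  id: kingfisher.lark.3
  # Extended-mode, case-insensitive regex: a "lark"/"larksuite" keyword, a
  # credential keyword within 64 characters, then (within 32 characters) a
  # word-bounded "a-" token of exactly 30-35 [A-Z0-9_.] characters (the capture).
  pattern: |
    (?xi)
    (?:lark|larksuite)
    (?:.|[\n\r]){0,64}?
    (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN|ACCESS_KEY)
    (?:.|[\n\r]){0,32}?
    \b
    (
    a-[A-Z0-9_.]{30,35}
    )
    \b
  min_entropy: 3.2
  confidence: medium
  examples:
    - 'larksuite_app_access_token="a-QwBsTyUiOpBsDfGhJnLxYcVbN_9012"'
  references:
    - 'https://open.larksuite.com/document/home/introduction-to-scope-and-authorization/access-credentials'
    - 'https://open.larksuite.com/document/server-docs/getting-started/api-access-token/auth-v3/tenant_access_token'
    - 'https://open.larksuite.com/document/server-docs/getting-started/api-access-token/auth-v3/app_access_token'
  validation:
    type: Http
    content:
      request:
        method: POST
        # This endpoint authenticates the app_access_token itself; no tenant_key
        # is involved, so it is usable for an app-level credential check.
        url: 'https://open.larksuite.com/open-apis/authen/v1/oidc/refresh_access_token'
        headers:
          Accept: application/json
          Content-Type: application/x-www-form-urlencoded
          Authorization: 'Bearer {{ TOKEN }}'
        # A deliberately bogus refresh_token is sent so nothing is ever issued.
        # If the app_access_token is valid the API rejects the refresh token
        # with some code other than 20014 ("invalid app_access_token").
        # ">-" (strip) rather than ">" (clip): a clipped block scalar ends with
        # "\n", which would otherwise be appended to the form-encoded body.
        body: >-
          grant_type=refresh_token&refresh_token=kingfisher_invalid_refresh_token
      response_matcher:
        - report_response: true
        # The API answers 200 even for application-level errors, so only the
        # JSON "code" distinguishes a valid token from an invalid one.
        - type: StatusMatch
          status:
            - 200
        - type: JsonValid
        # Negative match: the token is verified only when the body does NOT
        # report an invalid-app-token code. Lark uses 20014 for that, and
        # sometimes 99991664.
        - type: WordMatch
          negative: true
          match_all_words: false
          words:
            - "\"code\":20014"
            - "\"code\": 20014"
            - "\"code\":99991664"
            - "\"code\": 99991664"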