forked from mirrors/kingfisher
68 lines
No EOL
2.1 KiB
YAML
68 lines
No EOL
2.1 KiB
YAML
rules:
|
|
- name: PyPI Upload Token
|
|
id: kingfisher.pypi.1
|
|
pattern: |
|
|
(?x)
|
|
(
|
|
pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_-]{50,}
|
|
)
|
|
\b
|
|
pattern_requirements:
|
|
min_digits: 2
|
|
min_entropy: 3.3
|
|
confidence: medium
|
|
examples:
|
|
- '# password = pypi-AgEIcHlwaS5vcmcABCD1234efgh5678ijklmnopqrst9098UVWXYZabcd1234EFGHIJKL'
|
|
validation:
|
|
type: Http
|
|
content:
|
|
request:
|
|
method: POST
|
|
url: https://upload.pypi.org/legacy/
|
|
response_is_html: true
|
|
response_matcher:
|
|
- report_response: true
|
|
- type: WordMatch
|
|
words:
|
|
- "isn't allowed to upload to project"
|
|
headers:
|
|
Authorization: 'Basic {{ "__token__:" | append: TOKEN | b64enc }}'
|
|
multipart:
|
|
parts:
|
|
- name: name
|
|
type: text
|
|
content: "my-package"
|
|
- name: version
|
|
type: text
|
|
content: "0.0.1"
|
|
- name: filetype
|
|
type: text
|
|
content: "sdist"
|
|
- name: metadata_version
|
|
type: text
|
|
content: "2.1"
|
|
- name: summary
|
|
type: text
|
|
content: "A simple example package"
|
|
- name: home_page
|
|
type: text
|
|
content: "https://github.com/yourusername/my_package"
|
|
- name: sha256_digest
|
|
type: text
|
|
content: "0447379dd46c4ca8b8992bda56d07b358d015efb9300e6e16f224f4536e71d64"
|
|
- name: md5_digest
|
|
type: text
|
|
content: "9b4036ab91a71124ab9f1d32a518e2bb"
|
|
- name: :action
|
|
type: text
|
|
content: "file_upload"
|
|
- name: protocol_version
|
|
type: text
|
|
content: "1"
|
|
- name: content
|
|
type: file
|
|
content: "path/to/my_package-0.0.1.tar.gz"
|
|
content_type: "application/octet-stream"
|
|
references:
|
|
- https://pypi.org/help/#apitoken
|
|
- https://warehouse.pypa.io/api-reference/ |