// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package gcpoauth2client

import (
	"regexp"

	"github.com/google/osv-scalibr/veles"
	"github.com/google/osv-scalibr/veles/secrets/common/pair"
)

const (
	// maxIDLength bounds the length of a client ID candidate.
	// No length is documented; observed examples are ~75 characters,
	// so 200 is a generous upper bound.
	maxIDLength = 200

	// maxSecretLength bounds the length of a client secret candidate.
	// No length is documented; observed examples are ~35 characters,
	// so 100 is a generous upper bound.
	maxSecretLength = 100

	// maxDistance is the furthest apart (in bytes) a client ID and a client
	// secret may sit and still be considered for pairing. Files that carry
	// credentials are not expected to be larger than 10 KiB.
	maxDistance = 10 << 10 // 10 KiB
)

var (
	// clientIDRe matches GCP OAuth2 client IDs.
	//
	// Google does not document the exact format, but the official examples
	// end in .apps.googleusercontent.com:
	//   - https://developers.google.com/identity/protocols/oauth2/web-server
	//
	// Other references describe the same shape:
	//   - https://gofastmcp.com/integrations/google
	//   - https://web.archive.org/web/20250418010928/https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/google_oauth2_keys
	clientIDRe = regexp.MustCompile(`[0-9]{10,15}-[a-zA-Z0-9]+\.apps\.googleusercontent\.com`)

	// clientSecretRe matches GCP OAuth2 client secrets.
	//
	// The format is not documented either, but most references agree that
	// secrets carry a "GOCSPX-" prefix. Anchoring on that prefix keeps the
	// false-positive rate low.
	// References:
	//   - https://gofastmcp.com/integrations/google
	//   - https://web.archive.org/web/20250418010928/https://docs.gitguardian.com/secrets-detection/secrets-detection-engine/detectors/specifics/google_oauth2_keys
	clientSecretRe = regexp.MustCompile(`\bGOCSPX-[a-zA-Z0-9_-]{28}`)
)

// NewDetector returns a detector that matches GCP OAuth2 client credentials.
//
// Client IDs and client secrets are located independently by the two regular
// expressions above; which ID is joined with which secret, and how
// maxDistance is applied, is decided by pair.Detector. Every reported pair is
// converted into a Credentials secret.
func NewDetector() veles.Detector {
	// The pairing window must fit the longer of the two element kinds. This is
	// kept an untyped constant so it adopts whatever integer type the field has.
	const elementLimit = max(maxIDLength, maxSecretLength)

	// toCredentials turns a matched (ID, secret) pair into the reported secret.
	// The second result is always true: pairing itself is the only filter.
	toCredentials := func(p pair.Pair) (veles.Secret, bool) {
		id := string(p.A.Value)
		secret := string(p.B.Value)
		return Credentials{ID: id, Secret: secret}, true
	}

	return &pair.Detector{
		MaxElementLen: elementLimit,
		MaxDistance:   maxDistance,
		FindA:         pair.FindAllMatches(clientIDRe),
		FindB:         pair.FindAllMatches(clientSecretRe),
		FromPair:      toCredentials,
	}
}