Add support to Gitlab v1 for older self hosted versions#4881
Open
jamesgol wants to merge 1 commit intotrufflesecurity:mainfrom
Open
Add support to Gitlab v1 for older self hosted versions#4881jamesgol wants to merge 1 commit intotrufflesecurity:mainfrom
jamesgol wants to merge 1 commit intotrufflesecurity:mainfrom
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description:
Fixes the GitLab v1 detector not matching personal access tokens that use the dotted format (
{base}.{version}.{checksum}) without aglpat-prefix. This format is generated by older self-hosted GitLab instances that adopted the new token structure before adding the prefix.Problem: The three GitLab detectors have a gap:
glpat-prefixTokens in the dotted format without
glpat-fall through all three.Fix: Added a second regex pattern (
keyPatDotted) to the v1 detector that matches the dotted token format without requiringglpat-. The existingglpat-skip logic ensures no overlap with v2/v3. Matches from both patterns are deduplicated before processing.Tests: Added two test cases to
TestGitLab_Pattern:glpat-prefix is matchedglpat-prefix is still ignored (handled by v2/v3)Closes #4880
Checklist:
make test-community)?make lintthis requires golangci-lint)?Note
Medium Risk
Expands GitLab token detection via a new regex and match-deduping, which could slightly increase false positives/scan volume if the dotted pattern is overly permissive.
Overview
Extends the GitLab v1 detector to also match dotted-format PATs (
{base}.{version}.{checksum}) that lack theglpat-prefix (seen in older self-hosted GitLab), while continuing to ignoreglpat-tokens handled by v2/v3.Updates
FromDatato aggregate matches from both the legacy short-token regex and the new dotted regex, deduplicating tokens before entropy checking and result generation, and adds test coverage for both dotted-token scenarios (match withoutglpat-, ignore withglpat-).Reviewed by Cursor Bugbot for commit e8a70ce. Bugbot is set up for automated code reviews on this repo. Configure here.