e0f267f7bf
- GitHubActionsSource: searches GitHub code search for workflow files with provider keywords (token-gated) - TravisCISource: queries Travis CI v3 API for public build logs (credentialless) - CircleCISource: queries CircleCI v2 pipeline API for build pipelines (token-gated) - JenkinsSource: queries open Jenkins /api/json for job build consoles (credentialless) - GitLabCISource: queries GitLab projects API for CI-enabled projects (token-gated) - RegisterAll extended to 45 sources (40 Phase 10-13 + 5 Phase 14) - Integration test updated with fixtures for all 5 new sources - cmd/recon.go wires CIRCLECI_TOKEN env var
99 lines
2.3 KiB
Go
99 lines
2.3 KiB
Go
package sources
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/salvacybersec/keyhunter/pkg/providers"
|
|
"github.com/salvacybersec/keyhunter/pkg/recon"
|
|
)
|
|
|
|
const gitlabCIFixtureJSON = `[
|
|
{
|
|
"id": 100,
|
|
"path_with_namespace": "alice/project",
|
|
"web_url": "https://gitlab.com/alice/project"
|
|
},
|
|
{
|
|
"id": 200,
|
|
"path_with_namespace": "bob/app",
|
|
"web_url": ""
|
|
}
|
|
]`
|
|
|
|
func TestGitLabCI_Sweep_ExtractsFindings(t *testing.T) {
|
|
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path != "/api/v4/projects" {
|
|
t.Errorf("unexpected path: %s", r.URL.Path)
|
|
}
|
|
if r.Header.Get("PRIVATE-TOKEN") == "" {
|
|
t.Error("missing PRIVATE-TOKEN header")
|
|
}
|
|
w.Header().Set("Content-Type", "application/json")
|
|
_, _ = w.Write([]byte(gitlabCIFixtureJSON))
|
|
}))
|
|
defer srv.Close()
|
|
|
|
src := &GitLabCISource{
|
|
Token: "glpat-test",
|
|
BaseURL: srv.URL,
|
|
Registry: providers.NewRegistryFromProviders([]providers.Provider{
|
|
{Name: "openai", Keywords: []string{"sk-proj-"}},
|
|
}),
|
|
Limiters: recon.NewLimiterRegistry(),
|
|
Client: NewClient(),
|
|
}
|
|
|
|
out := make(chan recon.Finding, 16)
|
|
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
|
defer cancel()
|
|
|
|
if err := src.Sweep(ctx, "", out); err != nil {
|
|
t.Fatalf("Sweep err: %v", err)
|
|
}
|
|
close(out)
|
|
|
|
var findings []recon.Finding
|
|
for f := range out {
|
|
findings = append(findings, f)
|
|
}
|
|
if len(findings) != 2 {
|
|
t.Fatalf("expected 2 findings, got %d", len(findings))
|
|
}
|
|
if findings[0].Source != "https://gitlab.com/alice/project/-/pipelines" {
|
|
t.Errorf("unexpected source[0]: %s", findings[0].Source)
|
|
}
|
|
for _, f := range findings {
|
|
if f.SourceType != "recon:gitlab_ci" {
|
|
t.Errorf("unexpected SourceType: %s", f.SourceType)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestGitLabCI_EnabledOnlyWithToken(t *testing.T) {
|
|
s := &GitLabCISource{}
|
|
if s.Enabled(recon.Config{}) {
|
|
t.Fatal("expected Enabled=false without token")
|
|
}
|
|
s.Token = "test"
|
|
if !s.Enabled(recon.Config{}) {
|
|
t.Fatal("expected Enabled=true with token")
|
|
}
|
|
}
|
|
|
|
func TestGitLabCI_NameAndRate(t *testing.T) {
|
|
s := &GitLabCISource{}
|
|
if s.Name() != "gitlab_ci" {
|
|
t.Errorf("unexpected name: %s", s.Name())
|
|
}
|
|
if s.Burst() != 2 {
|
|
t.Errorf("burst: %d", s.Burst())
|
|
}
|
|
if s.RespectsRobots() {
|
|
t.Error("expected RespectsRobots=false")
|
|
}
|
|
}
|