slack.py
"""
This plugin searches for Slack tokens
"""
import re
import requests
from .base import RegexBasedDetector
from detect_secrets.core.constants import VerifiedResult
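class SlackDetector(RegexBasedDetector):
    """Scans for Slack API tokens and Slack incoming-webhook URLs.

    ``denylist`` holds the two patterns that flag a candidate secret;
    ``verify`` then asks Slack whether a flagged candidate is live.
    """

    secret_type = 'Slack Token'

    denylist = (
        # Slack Token
        re.compile(r'xox(?:a|b|p|o|s|r)-(?:\d+-)+[a-z0-9]+', flags=re.IGNORECASE),
        # Slack Webhooks
        # The dots in the host name are escaped so that only the literal
        # host hooks.slack.com matches; an unescaped '.' would also accept
        # look-alike strings such as "hooks-slack-com".
        re.compile(
            r"""
            https://hooks\.slack\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+
            """,
            flags=re.IGNORECASE | re.VERBOSE,
        ),
    )

    def verify(self, token, *args, **kwargs):  # pragma: no cover
        """Check a candidate secret against Slack and report whether it is live.

        Verification sends the candidate over the network: a webhook URL is
        POSTed to directly, any other value is submitted to Slack's
        ``auth.test`` endpoint. Do not log ``token`` or the raw responses.

        :param token: the matched string, either a webhook URL or an API token.
        :returns: ``VerifiedResult.VERIFIED_TRUE`` if Slack accepts the
            candidate, ``VerifiedResult.VERIFIED_FALSE`` if it rejects it, and
            ``VerifiedResult.UNVERIFIED`` if the ``auth.test`` reply cannot be
            interpreted (not JSON, or no ``ok`` field).
        :raises requests.exceptions.RequestException: on connection errors or
            when the timeout expires. NOTE(review): the caller is not visible
            here; confirm it handles this exception.
        """
        # Without a timeout, requests waits indefinitely and one stalled
        # connection would hang the whole scan.
        timeout_seconds = 10

        # The webhook pattern is case-insensitive, so the dispatch must be
        # too; otherwise an upper-cased webhook URL would be submitted to
        # auth.test as if it were an API token. The prefix includes the '/'
        # after the host, which pins the request to hooks.slack.com.
        if token.lower().startswith('https://hooks.slack.com/services/t'):
            # Empty text: presumably chosen so that a live webhook rejects
            # the payload instead of posting a message to the channel.
            response = requests.post(
                token,
                json={
                    'text': '',
                },
                timeout=timeout_seconds,
            )
            # Only these two error strings are treated as proof that the
            # webhook exists; any other reply counts as not valid.
            valid = response.text in (
                'missing_text_or_fallback_or_attachments',
                'no_text',
            )
        else:
            response = requests.post(
                'https://slack.com/api/auth.test',
                data={
                    'token': token,
                },
                timeout=timeout_seconds,
            )
            try:
                payload = response.json()
            except ValueError:
                # A non-JSON reply says nothing about the token, so it must
                # not be reported as a confirmed-dead secret.
                return VerifiedResult.UNVERIFIED
            if not isinstance(payload, dict) or 'ok' not in payload:
                return VerifiedResult.UNVERIFIED
            valid = payload['ok']

        return (
            VerifiedResult.VERIFIED_TRUE
            if valid
            else VerifiedResult.VERIFIED_FALSE
        )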