

Fix header check in secret scanning (#17275)
* add test-case for camel-cased header names

* case-insensitive header checks for _detect_origin
ewdurbin authored Dec 12, 2024
1 parent e6bdf57 commit 87e5366
Showing 2 changed files with 18 additions and 2 deletions.
18 changes: 17 additions & 1 deletion tests/unit/integration/secrets/test_views.py
Expand Up @@ -15,6 +15,8 @@
import pretend
import pytest

from webob.headers import EnvironHeaders

from warehouse.integrations.secrets import config, utils, views


Expand All @@ -34,6 +36,18 @@ class TestDiscloseToken:
"https://api.github.com/meta/public_keys/token_scanning",
"token",
),
(
config._github_origin,
{ # Test for case-insensitivity on header names
"GitHub-Public-Key-Identifier": "foo",
"GitHub-Public-Key-Signature": "bar",
},
{
"github.token": "token",
},
"https://api.github.com/meta/public_keys/token_scanning",
"token",
),
(
config._depsdev_origin,
{
Expand All @@ -57,7 +71,9 @@ def test_disclose_token(
api_url,
api_token,
):
pyramid_request.headers = headers
pyramid_request.headers = EnvironHeaders({})
for k, v in headers.items():
pyramid_request.headers[k] = v
pyramid_request.body = "[1, 2, 3]"
pyramid_request.json_body = [1, 2, 3]
pyramid_request.registry.settings = settings
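Review bot: The loop that copies `headers` into `EnvironHeaders({})` at the end of the hunk should say why the dict is no longer assigned directly, because that indirection is the only thing that makes the new "GitHub-Public-Key-*" parametrized case exercise anything. Suggest a comment above the loop: `# Copy into EnvironHeaders (presumably what the app sees at runtime) so header lookups are case-insensitive as in production; assigning the plain dict would hide the case bug this test covers.` Without it, a future cleanup that reverts to `pyramid_request.headers = headers` would quietly make the camel-cased case pass against a plain dict while testing nothing. The enclosing `test_disclose_token` starts before the hunk's first shown line.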
2 changes: 1 addition & 1 deletion warehouse/integrations/secrets/views.py
Expand Up @@ -21,7 +21,7 @@

def _detect_origin(request):
for origin in config.origins:
if origin.headers.issubset(request.headers.keys()):
if all([k in request.headers for k in origin.headers]):
return origin


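Review bot: The new condition in `_detect_origin` materializes a list inside `all()` even though a generator short-circuits on the first missing header and reads the same: `if all(k in request.headers for k in origin.headers):`. The fix also relies on `request.headers` being a case-insensitive mapping (the companion test imports WebOb's `EnvironHeaders` for exactly this), which is worth stating at the `if` so the old `.keys()` form is not reintroduced: `# request.headers is case-insensitive (WebOb), so "GitHub-..." and "Github-..." both match; .keys() would not.` Note that origin selection here is presence-only and the function falls through to an implicit `None` when no origin matches; how the caller handles `None` is outside this view.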
