Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add verifiability for Slack webhooks #232

Closed
KevinHock opened this issue Aug 23, 2019 · 4 comments · Fixed by #233
Closed

Add verifiability for Slack webhooks #232

KevinHock opened this issue Aug 23, 2019 · 4 comments · Fixed by #233
Labels
good first issue The issue can be tackled by someone who has little to no knowledge about the project.

Comments

@KevinHock
Copy link
Collaborator

As @dgzlopes helpfully linked to, https://github.com/streaak/keyhacks#slack-webhook shows how we can add this.

See #194 for an example of how we do this in detect-secrets, e.g. we already have validation for Slack tokens

detect-secrets/detect_secrets/plugins/slack.py

Lines 30 to 39 in cba0446

def verify(self, token, **kwargs): # pragma: no cover
response = requests.post(
'https://slack.com/api/auth.test',
data={
'token': token,
},
).json()
return VerifiedResult.VERIFIED_TRUE if response['ok'] \
else VerifiedResult.VERIFIED_FALSE

The parent issue (#153) is still opened but figured I'd make this as a good first issue.
@KevinHock KevinHock added enhancement good first issue The issue can be tackled by someone who has little to no knowledge about the project. labels Aug 23, 2019
@Patil2099
Copy link
Contributor

@KevinHock Can I work on this?

@KevinHock
Copy link
Collaborator Author

Sure thing @Patil2099 :)

Let me know if you have any questions.

@Patil2099
Copy link
Contributor

@KevinHock Can you help me a little bit? I might be able to do it for mailchimp and stripe also.
Thanks!

@KevinHock
Copy link
Collaborator Author

KevinHock commented Aug 28, 2019
edited
Loading

Sure @Patil2099 , for this you would change the verify function of slack.py to something like

    def verify(self, token, **kwargs):  # pragma: no cover
        if token.startswith('https://hooks.slack.com/services/T'):
            # From https://github.com/streaak/keyhacks#slack-webhook
            response = requests.post(
                token,
                json={
                    'text': '',
                },
            )
            valid = response.text == "missing_text_or_fallback_or_attachments"
        else:
            response = requests.post(
                'https://slack.com/api/auth.test',
                data={
                    'token': token,
                },
            ).json()
            valid = response['ok']

        return (
            VerifiedResult.VERIFIED_TRUE
            if valid
            else VerifiedResult.VERIFIED_FALSE
        )

where the missing_text_or_fallback_or_attachments part is from the advice given here https://github.com/streaak/keyhacks#slack-webhook.

Afterwards you can make sure the tests still pass with make test (or Travis will run tests on your PR anyways).

@Patil2099 Patil2099 mentioned this issue Aug 28, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue The issue can be tackled by someone who has little to no knowledge about the project.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Added Verifiability Slack Patil2099/detect-secrets
2 participants
@KevinHock @Patil2099