
Commit 8329e67

authored
More disclosure metrics (#17471)
* Add some more metrics around token disclosures * Minor refactor * Fix docs: there is no trailing slash
1 parent e8a0cda commit 8329e67


2 files changed

+9
-7
lines changed


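--- a/docs/user/api/secrets.md
+++ b/docs/user/api/secrets.md
@@ -85,7 +85,7 @@ disclosure.
 
 ### Reporting a secret
 
-Route: `POST /_/secrets/disclose-token/`
+Route: `POST /_/secrets/disclose-token`
 
 Accepts a report of one or more arbitrary API tokens, with details on where it
 was located. The message body is a JSON array that contains one or more
@@ -101,7 +101,7 @@ Additional fields may be provide but will be ignored.
 Example request:
 
 ```http
-POST /_/secrets/disclose-token/ HTTP/1.1
+POST /_/secrets/disclose-token HTTP/1.1
 Host: pypi.org
 Some-Public-Key-Identifier: ...
 Some-Public-Key-Signature: ...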
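--- a/warehouse/integrations/secrets/views.py
+++ b/warehouse/integrations/secrets/views.py
@@ -40,8 +40,11 @@ def _detect_origin(request):
     has_translations=False,
 )
 def disclose_token(request):
+    metrics = request.find_service(IMetricsService, context=None)
+
     # If integrator headers are missing, response will be a 404
     if not (origin := _detect_origin(request)):
+        metrics.increment("warehouse.token_leak.invalid_origin")
         return HTTPNotFound()
 
     # Disclosers calls this API view when they have identified a string matching
@@ -52,12 +55,8 @@ def disclose_token(request):
 
     # The documentation for this process is at
     # https://developer.github.com/partnerships/token-scanning/
-
-    body = request.body
-
     key_id = request.headers.get(origin.key_id_header)
     signature = request.headers.get(origin.signature_header)
-    metrics = request.find_service(IMetricsService, context=None)
 
     verifier = utils.GenericTokenScanningPayloadVerifier(
         session=request.http,
@@ -67,7 +66,10 @@ def disclose_token(request):
         api_token=request.registry.settings.get(origin.api_token),
     )
 
-    if not verifier.verify(payload=body, key_id=key_id, signature=signature):
+    if not verifier.verify(payload=request.body, key_id=key_id, signature=signature):
+        metrics.increment(
+            f"warehouse.token_leak.{origin.metric_name}.error.payload.verify_error"
+        )
         return HTTPBadRequest()
 
     try: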