From f939572a438918e63809db145ac0df0c4b56b91c Mon Sep 17 00:00:00 2001
From: Miccah
Date: Fri, 2 Aug 2024 14:22:22 -0700
Subject: [PATCH] [analyze] Fix off-by-one error in generated data structures (#3162)
* [analyze] Fix off-by-one error in generated data structures
* Generate data structures
* Fix finegrained checks
---
 .../github/classic/classic_permissions.go | 194 +++++------
 .../github/finegrained/finegrained.go | 266 +++++++--------
 .../finegrained/finegrained_permissions.go | 314 +++++++++---------
 pkg/analyzer/analyzers/openai/permissions.go | 42 +--
 pkg/analyzer/analyzers/twilio/permissions.go | 66 ++--
 .../generate_permissions.go | 7 +-
 6 files changed, 445 insertions(+), 444 deletions(-)
diff --git a/pkg/analyzer/analyzers/github/classic/classic_permissions.go b/pkg/analyzer/analyzers/github/classic/classic_permissions.go
index 9e6322925115..230e2fbba13c 100644
--- a/pkg/analyzer/analyzers/github/classic/classic_permissions.go
+++ b/pkg/analyzer/analyzers/github/classic/classic_permissions.go
@@ -6,7 +6,7 @@ import "errors"
 type Permission int
 const (
- NoAccess Permission = iota
+ Invalid Permission = iota
 Repo Permission = iota
 RepoStatus Permission = iota
 RepoDeployment Permission = iota
@@ -161,105 +161,105 @@ var ( } PermissionIDs = map[Permission]int{ - Repo: 0, - RepoStatus: 1, - RepoDeployment: 2, - PublicRepo: 3, - RepoInvite: 4, - SecurityEvents: 5, - Workflow: 6, - WritePackages: 7, - ReadPackages: 8, - DeletePackages: 9, - AdminOrg: 10, - WriteOrg: 11, - ReadOrg: 12, - ManageRunnersOrg: 13, - AdminPublicKey: 14, - WritePublicKey: 15, - ReadPublicKey: 16, - AdminRepoHook: 17, - WriteRepoHook: 18, - ReadRepoHook: 19, - AdminOrgHook: 20, - Gist: 21, - Notifications: 22, - User: 23, - ReadUser: 24, - UserEmail: 25, - UserFollow: 26, - DeleteRepo: 27, - WriteDiscussion: 28, - ReadDiscussion: 29, - AdminEnterprise: 30, - ManageRunnersEnterprise: 31, - ManageBillingEnterprise: 32, - ReadEnterprise: 33, - AuditLog: 34, - ReadAuditLog: 35, - Codespace: 36, - CodespaceSecrets: 37, - Copilot: 38, - ManageBillingCopilot: 39, - Project: 40, - ReadProject: 41, - AdminGpgKey: 42, - WriteGpgKey: 43, - ReadGpgKey: 44, - AdminSshSigningKey: 45, - WriteSshSigningKey: 46, - ReadSshSigningKey: 47, + Repo: 1, + RepoStatus: 2, + RepoDeployment: 3, + PublicRepo: 4, + RepoInvite: 5, + SecurityEvents: 6, + Workflow: 7, + WritePackages: 8, + ReadPackages: 9, + DeletePackages: 10, + AdminOrg: 11, + WriteOrg: 12, + ReadOrg: 13, + ManageRunnersOrg: 14, + AdminPublicKey: 15, + WritePublicKey: 16, + ReadPublicKey: 17, + AdminRepoHook: 18, + WriteRepoHook: 19, + ReadRepoHook: 20, + AdminOrgHook: 21, + Gist: 22, + Notifications: 23, + User: 24, + ReadUser: 25, + UserEmail: 26, + UserFollow: 27, + DeleteRepo: 28, + WriteDiscussion: 29, + ReadDiscussion: 30, + AdminEnterprise: 31, + ManageRunnersEnterprise: 32, + ManageBillingEnterprise: 33, + ReadEnterprise: 34, + AuditLog: 35, + ReadAuditLog: 36, + Codespace: 37, + CodespaceSecrets: 38, + Copilot: 39, + ManageBillingCopilot: 40, + Project: 41, + ReadProject: 42, + AdminGpgKey: 43, + WriteGpgKey: 44, + ReadGpgKey: 45, + AdminSshSigningKey: 46, + WriteSshSigningKey: 47, + ReadSshSigningKey: 48, } IdToPermission = 
map[int]Permission{ - 0: Repo, - 1: RepoStatus, - 2: RepoDeployment, - 3: PublicRepo, - 4: RepoInvite, - 5: SecurityEvents, - 6: Workflow, - 7: WritePackages, - 8: ReadPackages, - 9: DeletePackages, - 10: AdminOrg, - 11: WriteOrg, - 12: ReadOrg, - 13: ManageRunnersOrg, - 14: AdminPublicKey, - 15: WritePublicKey, - 16: ReadPublicKey, - 17: AdminRepoHook, - 18: WriteRepoHook, - 19: ReadRepoHook, - 20: AdminOrgHook, - 21: Gist, - 22: Notifications, - 23: User, - 24: ReadUser, - 25: UserEmail, - 26: UserFollow, - 27: DeleteRepo, - 28: WriteDiscussion, - 29: ReadDiscussion, - 30: AdminEnterprise, - 31: ManageRunnersEnterprise, - 32: ManageBillingEnterprise, - 33: ReadEnterprise, - 34: AuditLog, - 35: ReadAuditLog, - 36: Codespace, - 37: CodespaceSecrets, - 38: Copilot, - 39: ManageBillingCopilot, - 40: Project, - 41: ReadProject, - 42: AdminGpgKey, - 43: WriteGpgKey, - 44: ReadGpgKey, - 45: AdminSshSigningKey, - 46: WriteSshSigningKey, - 47: ReadSshSigningKey, + 1: Repo, + 2: RepoStatus, + 3: RepoDeployment, + 4: PublicRepo, + 5: RepoInvite, + 6: SecurityEvents, + 7: Workflow, + 8: WritePackages, + 9: ReadPackages, + 10: DeletePackages, + 11: AdminOrg, + 12: WriteOrg, + 13: ReadOrg, + 14: ManageRunnersOrg, + 15: AdminPublicKey, + 16: WritePublicKey, + 17: ReadPublicKey, + 18: AdminRepoHook, + 19: WriteRepoHook, + 20: ReadRepoHook, + 21: AdminOrgHook, + 22: Gist, + 23: Notifications, + 24: User, + 25: ReadUser, + 26: UserEmail, + 27: UserFollow, + 28: DeleteRepo, + 29: WriteDiscussion, + 30: ReadDiscussion, + 31: AdminEnterprise, + 32: ManageRunnersEnterprise, + 33: ManageBillingEnterprise, + 34: ReadEnterprise, + 35: AuditLog, + 36: ReadAuditLog, + 37: Codespace, + 38: CodespaceSecrets, + 39: Copilot, + 40: ManageBillingCopilot, + 41: Project, + 42: ReadProject, + 43: AdminGpgKey, + 44: WriteGpgKey, + 45: ReadGpgKey, + 46: AdminSshSigningKey, + 47: WriteSshSigningKey, + 48: ReadSshSigningKey, } ) 
diff --git a/pkg/analyzer/analyzers/github/finegrained/finegrained.go b/pkg/analyzer/analyzers/github/finegrained/finegrained.go
index c5f93b25deec..c663a0c7aa2e 100644
--- a/pkg/analyzer/analyzers/github/finegrained/finegrained.go
+++ b/pkg/analyzer/analyzers/github/finegrained/finegrained.go
@@ -28,7 +28,7 @@ const (
 RANDOM_INTEGER = 4294967289
 )
-var ErrNoAccess = errors.New("no access")
+var ErrInvalid = errors.New("invalid")
 var repoPermFuncMap = []func(client *gh.Client, repo *gh.Repository, access string) (Permission, error){
 getActionsPermission,
@@ -108,12 +108,12 @@ func permissionFormatter(key, val any) (string, string) {
 }
 func notImplementedRepoPerm(client *gh.Client, repo *gh.Repository, currentAccess string) (Permission, error) {
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 }
 // notImplementedAcctPerm is a placeholder function that returns a "NOT_IMPLEMENTED" status when a GitHub account permission is not yet implemented.
 func notImplementedAcctPerm(client *gh.Client, user *gh.User) (Permission, error) {
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 }
 func getMetadataPermission(client *gh.Client, repo *gh.Repository, currentAccess string) (Permission, error) {
@@ -122,9 +122,9 @@ func getMetadataPermission(client *gh.Client, repo *gh.Repository, currentAccess
 _, resp, err := client.Repositories.ListCollaborators(context.Background(), *repo.Owner.Login, *repo.Name, nil)
 if err != nil {
 if resp.StatusCode == 403 {
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 }
- return NoAccess, err
+ return Invalid, err
 }
 // If no error, then we have read access
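Review bot: notImplementedRepoPerm and notImplementedAcctPerm now return the same `Invalid, ErrInvalid` pair that getMetadataPermission returns for an HTTP 403, so a caller checking `errors.Is(err, ErrInvalid)` cannot tell a permission the analyzer does not probe yet from one the token genuinely lacks, and an unimplemented check is reported exactly like no access. A dedicated sentinel such as `var ErrNotImplemented = errors.New("not implemented")` returned from both placeholders would keep the two cases distinguishable in the analyzer's output. The doc comment on notImplementedAcctPerm still speaks of a "NOT_IMPLEMENTED" status, which no longer matches the code; suggest `// notImplementedAcctPerm is a placeholder for account permissions whose probe is not implemented yet; it reports Invalid so the permission is treated as absent.`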
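Review bot: `if resp.StatusCode == 403` inside the `if err != nil` branch of getMetadataPermission dereferences resp without a nil check; go-github returns a nil *Response together with the error for transport-level failures (connection errors, timeouts, cancelled context), so a network problem while probing becomes a panic rather than an `Invalid, err` result. A guard such as `if resp == nil { return Invalid, err }` before the status comparison keeps the analyzer running and reports the failure. The same unguarded `switch resp.StatusCode` directly after an API or `client.Do` call appears in every getXxxPermission hunk that follows, from getActionsPermission through getSigningKeysPermission; the tail of this function lies outside the hunk.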
@@ -138,11 +138,11 @@ func getActionsPermission(client *gh.Client, repo *gh.Repository, currentAccess
 _, resp, err := client.Actions.ListArtifacts(context.Background(), *repo.Owner.Login, *repo.Name, nil)
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Very, very low.
@@ -158,12 +158,12 @@ func getActionsPermission(client *gh.Client, repo *gh.Repository, currentAccess
 log.Fatal("This shouldn't print. We are enabling a workflow based on a random string " + RANDOM_STRING + ", which most likely doesn't exist.")
 return ActionsWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 } else {
 // Will only land here if already tested one public repo and got a 403.
 if currentAccess == "UNKNOWN" {
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 }
 // Risk: Very, very low.
 // -> Unless the user has a workflow file named (see RANDOM_STRING above), this will always return 404 for users with READ_WRITE permissions.
@@ -171,14 +171,14 @@ func getActionsPermission(client *gh.Client, repo *gh.Repository, currentAccess
 resp, err := client.Actions.CreateWorkflowDispatchEventByFileName(context.Background(), *repo.Owner.Login, *repo.Name, RANDOM_STRING, gh.CreateWorkflowDispatchEventRequest{})
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 404:
 return ActionsWrite, nil
 case 200:
 log.Fatal("This shouldn't print. We are enabling a workflow based on a random string " + RANDOM_STRING + ", which most likely doesn't exist.")
 return ActionsWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
 }
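Review bot: In the `case 200:` branch of the workflow-dispatch probe, `log.Fatal(...)` terminates the whole analyzer process on an unexpected success, and the `return ActionsWrite, nil` after it is unreachable. For a library-style check it is more robust to surface this as an error the caller can report next to the other results, e.g. `return Invalid, errors.New("unexpected 200 dispatching workflow " + RANDOM_STRING)`, so one surprising API response does not discard everything already learned about the token. The same `log.Fatal` followed by an unreachable return recurs in the 200 branches of the remaining repository and account probes in this file (contents, dependabot, deployments, environments, issues, pages, pull requests, security advisories, secrets, variables, webhooks, block user, codespaces user, email, GPG keys, gists, git keys, limits, profile, signing keys).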
@@ -191,18 +191,18 @@ func getAdministrationPermission(client *gh.Client, repo *gh.Repository, current
 _, resp, err := client.Repositories.GetActionsPermissions(context.Background(), *repo.Owner.Login, *repo.Name)
 switch resp.StatusCode {
 case 403, 404:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Extremely Low
 // -> GET request to /repos/{owner}/{repo}/rulesets/rule-suites
 req, err := client.NewRequest("GET", "https://api.github.com/repos/"+*repo.Owner.Login+"/"+*repo.Name+"/rulesets/rule-suites", nil)
 if err != nil {
- return NoAccess, err
+ return Invalid, err
 }
 resp, err = client.Do(context.Background(), req, nil)
 switch resp.StatusCode {
@@ -211,7 +211,7 @@ func getAdministrationPermission(client *gh.Client, repo *gh.Repository, current
 case 200:
 return AdministrationWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -220,7 +220,7 @@ func getCodeScanningAlertsPermission(client *gh.Client, repo *gh.Repository, cur
 // -> GET request to /repos/{owner}/{repo}/code-scanning/alerts
 _, resp, err := client.CodeScanning.ListAlertsForRepo(context.Background(), *repo.Owner.Login, *repo.Name, nil)
 if err != nil {
- return NoAccess, err
+ return Invalid, err
 }
 defer resp.Body.Close()
@@ -231,18 +231,18 @@ func getCodeScanningAlertsPermission(client *gh.Client, repo *gh.Repository, cur
 body := string(bodyBytes)
 if strings.Contains(body, "Code scanning is not enabled for this repository") {
- return NoAccess, errors.New("code scanning is not enabled")
+ return Invalid, errors.New("code scanning is not enabled")
 }
 switch {
 case resp.StatusCode == 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case resp.StatusCode == 404:
 break
 case resp.StatusCode >= 200 && resp.StatusCode <= 299:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Very Low
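Review bot: `client.NewRequest("GET", "https://api.github.com/repos/"+...+"/rulesets/rule-suites", nil)` hard-codes the public API host, so if this client is ever constructed with a non-default BaseURL (an enterprise or proxied endpoint) the probe ignores it and sends the token to api.github.com instead of the configured host. go-github resolves relative paths against the client's BaseURL, so `client.NewRequest("GET", "repos/"+*repo.Owner.Login+"/"+*repo.Name+"/rulesets/rule-suites", nil)` keeps this request on the same host as the SDK calls around it. The same absolute-URL pattern appears in the codespaces permissions_check and machines, pages deployments cancel, security-advisories, interaction-limits and social_accounts requests in the later hunks.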
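Review bot: getCodeScanningAlertsPermission returns `Invalid, err` as soon as `err != nil`, and go-github's CheckResponse yields a non-nil error for every non-2xx status, so the later `case resp.StatusCode == 403: return Invalid, ErrInvalid` and the "Code scanning is not enabled for this repository" body check are only reached on successful responses where they do not apply (and the body has most likely already been consumed by the SDK decode). A 403 from this endpoint therefore surfaces as the raw API error rather than ErrInvalid, unlike the sibling probes. Either drop the early return and let the switch classify the status (guarding `resp == nil` first), or map it inside the `if err != nil` block: `if resp != nil && resp.StatusCode == 403 { return Invalid, ErrInvalid }`. The function begins before hunk @@ -220 and continues past hunk @@ -231.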
@@ -258,7 +258,7 @@ func getCodeScanningAlertsPermission(client *gh.Client, repo *gh.Repository, cur
 log.Fatal("This should never happen. We are updating an alert with nil which should be an invalid request.")
 return CodeScanningAlertsWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -268,18 +268,18 @@ func getCodespacesPermission(client *gh.Client, repo *gh.Repository, currentAcce
 _, resp, err := client.Codespaces.ListInRepo(context.Background(), *repo.Owner.Login, *repo.Name, nil)
 switch resp.StatusCode {
 case 403, 404:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Extremely Low
 // GET request to /repos/{owner}/{repo}/codespaces/permissions_check
 req, err := client.NewRequest("GET", "https://api.github.com/repos/"+*repo.Owner.Login+"/"+*repo.Name+"/codespaces/permissions_check", nil)
 if err != nil {
- return NoAccess, err
+ return Invalid, err
 }
 resp, err = client.Do(context.Background(), req, nil)
 switch resp.StatusCode {
@@ -290,7 +290,7 @@ func getCodespacesPermission(client *gh.Client, repo *gh.Repository, currentAcce
 case 200:
 return CodespacesWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -299,16 +299,16 @@ func getCodespacesMetadataPermission(client *gh.Client, repo *gh.Repository, cur
 // GET request to /repos/{owner}/{repo}/codespaces/machines
 req, err := client.NewRequest("GET", "https://api.github.com/repos/"+*repo.Owner.Login+"/"+*repo.Name+"/codespaces/machines", nil)
 if err != nil {
- return NoAccess, err
+ return Invalid, err
 }
 resp, err := client.Do(context.Background(), req, nil)
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 return CodespacesMetadataRead, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -318,13 +318,13 @@ func getCodespacesSecretsPermission(client *gh.Client, repo *gh.Repository, curr
 _, resp, err := client.Codespaces.GetRepoSecret(context.Background(), *repo.Owner.Login, *repo.Name, RANDOM_STRING)
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 404:
 return CodespacesSecretsWrite, nil
 case 200:
 return CodespacesSecretsWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -339,11 +339,11 @@ func getCommitStatusesPermission(client *gh.Client, repo *gh.Repository, current
 _, resp, err := client.Repositories.ListStatuses(context.Background(), *repo.Owner.Login, *repo.Name, RANDOM_STRING, nil)
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 404:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // At this point we have read access
@@ -357,12 +357,12 @@ func getCommitStatusesPermission(client *gh.Client, repo *gh.Repository, current
 case 422:
 return CommitStatusesWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 } else {
 // Will only land here if already tested one public repo and got a 403.
 if currentAccess == "UNKNOWN" {
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 }
 // Risk: Extremely Low
 // -> We're POSTing a commit status to a commit that cannot exist. This should always return 422 if valid access.
@@ -371,11 +371,11 @@ func getCommitStatusesPermission(client *gh.Client, repo *gh.Repository, current
 switch resp.StatusCode {
 case 403:
 // All we know is we don't have READ_WRITE
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 422:
 return CommitStatusesWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
 }
@@ -391,13 +391,13 @@ func getContentsPermission(client *gh.Client, repo *gh.Repository, currentAccess
 _, resp, err := client.Repositories.ListCommits(context.Background(), *repo.Owner.Login, *repo.Name, &gh.CommitsListOptions{})
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 case 409:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // At this point we have read access
@@ -414,12 +414,12 @@ func getContentsPermission(client *gh.Client, repo *gh.Repository, currentAccess
 case 400, 422:
 return ContentsWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 } else {
 // Will only land here if already tested one public repo and got a 403.
 if currentAccess == "UNKNOWN" {
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 }
 // Risk: Low-Medium
 // -> We're creating a file with an invalid payload. Worst case is a file with a random string and no content is created. But this should never happen.
@@ -427,14 +427,14 @@ func getContentsPermission(client *gh.Client, repo *gh.Repository, currentAccess
 _, resp, err := client.Repositories.CreateFile(context.Background(), *repo.Owner.Login, *repo.Name, RANDOM_STRING, &gh.RepositoryContentFileOptions{})
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 log.Fatal("This should never happen. We are creating a file with an invalid payload.")
 return ContentsWrite, nil
 case 400, 422:
 return ContentsWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
 }
@@ -454,13 +454,13 @@ func getDependabotAlertsPermission(client *gh.Client, repo *gh.Repository, curre
 body := string(bodyBytes)
 if strings.Contains(body, "Dependabot alerts are disabled for this repository.") {
- return NoAccess, errors.New("dependabot alerts are disabled")
+ return Invalid, errors.New("dependabot alerts are disabled")
 }
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // PATCH /repos/{owner}/{repo}/dependabot/alerts/{alert_number}
@@ -474,7 +474,7 @@ func getDependabotAlertsPermission(client *gh.Client, repo *gh.Repository, curre
 log.Fatal("This should never happen. We are updating an alert with nil which should be an invalid request.")
 return DependabotAlertsWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -484,11 +484,11 @@ func getDependabotSecretsPermission(client *gh.Client, repo *gh.Repository, curr
 _, resp, err := client.Dependabot.ListRepoSecrets(context.Background(), *repo.Owner.Login, *repo.Name, &gh.ListOptions{})
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Very Low
@@ -504,7 +504,7 @@ func getDependabotSecretsPermission(client *gh.Client, repo *gh.Repository, curr
 log.Fatal("This should never happen. We are creating a secret with an invalid payload.")
 return DependabotSecretsWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -514,11 +514,11 @@ func getDeploymentsPermission(client *gh.Client, repo *gh.Repository, currentAcc
 _, resp, err := client.Repositories.ListDeployments(context.Background(), *repo.Owner.Login, *repo.Name, &gh.DeploymentsListOptions{})
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Very Low
@@ -534,7 +534,7 @@ func getDeploymentsPermission(client *gh.Client, repo *gh.Repository, currentAcc
 log.Fatal("This should never happen. We are creating a deployment with an invalid payload.")
 return DeploymentsWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -543,11 +543,11 @@ func getEnvironmentsPermission(client *gh.Client, repo *gh.Repository, currentAc
 // GET /repos/{owner}/{repo}/environments
 envResp, resp, _ := client.Repositories.ListEnvironments(context.Background(), *repo.Owner.Login, *repo.Name, &gh.EnvironmentListOptions{})
 if resp.StatusCode != 200 {
- return NoAccess, errors.New("unknown status code")
+ return Invalid, errors.New("unknown status code")
 }
 // If no environments exist, then we return UNKNOWN
 if len(envResp.Environments) == 0 {
- return NoAccess, errors.New("no environments found")
+ return Invalid, errors.New("no environments found")
 }
 // Risk: Extremely Low
@@ -555,11 +555,11 @@ func getEnvironmentsPermission(client *gh.Client, repo *gh.Repository, currentAc
 _, resp, err := client.Actions.ListEnvVariables(context.Background(), *repo.Owner.Login, *repo.Name, *envResp.Environments[0].Name, &gh.ListOptions{})
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Very Low
@@ -575,7 +575,7 @@ func getEnvironmentsPermission(client *gh.Client, repo *gh.Repository, currentAc
 log.Fatal("This should never happen. We are updating an environment variable with an invalid payload.")
 return EnvironmentsWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
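Review bot: `envResp, resp, _ := client.Repositories.ListEnvironments(...)` discards the error and then treats every non-200 status as `errors.New("unknown status code")`, so a 403 from this endpoint is never mapped to ErrInvalid the way the sibling probes do, and a transport failure (nil resp) panics on `resp.StatusCode`. Suggest keeping the error and classifying 403 before the catch-all: `envResp, resp, err := client.Repositories.ListEnvironments(...)`, then `if resp == nil { return Invalid, err }` and `if resp.StatusCode == 403 { return Invalid, ErrInvalid }`. The comment "If no environments exist, then we return UNKNOWN" above the empty check also no longer matches the `Invalid` value and error being returned.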
@@ -588,11 +588,11 @@ func getIssuesPermission(client *gh.Client, repo *gh.Repository, currentAccess s
 _, resp, err := client.Issues.ListByRepo(context.Background(), *repo.Owner.Login, *repo.Name, &gh.IssueListByRepoOptions{})
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200, 301:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Very Low
@@ -608,12 +608,12 @@ func getIssuesPermission(client *gh.Client, repo *gh.Repository, currentAccess s
 log.Fatal("This should never happen. We are editing a label with an invalid payload.")
 return IssuesWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 } else {
 // Will only land here if already tested one public repo and got a 403.
 if currentAccess == "UNKNOWN" {
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 }
 // Risk: Very Low
 // -> We're editing an issue label that does not exist. Even if we did, the name would be (see RANDOM_STRING above).
@@ -621,14 +621,14 @@ func getIssuesPermission(client *gh.Client, repo *gh.Repository, currentAccess s
 _, resp, err := client.Issues.EditLabel(context.Background(), *repo.Owner.Login, *repo.Name, RANDOM_STRING, &gh.Label{})
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 404:
 return IssuesWrite, nil
 case 200:
 log.Fatal("This should never happen. We are editing a label with an invalid payload.")
 return IssuesWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
 }
@@ -640,11 +640,11 @@ func getPagesPermission(client *gh.Client, repo *gh.Repository, currentAccess st
 _, resp, err := client.Repositories.GetPagesInfo(context.Background(), *repo.Owner.Login, *repo.Name)
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200, 404:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Very Low
@@ -652,7 +652,7 @@ func getPagesPermission(client *gh.Client, repo *gh.Repository, currentAccess st
 // POST /repos/{owner}/{repo}/pages/deployments/{deployment_id}/cancel
 req, err := client.NewRequest("POST", "https://api.github.com/repos/"+*repo.Owner.Login+"/"+*repo.Name+"/pages/deployments/"+RANDOM_STRING+"/cancel", nil)
 if err != nil {
- return NoAccess, err
+ return Invalid, err
 }
 resp, err = client.Do(context.Background(), req, nil)
 switch resp.StatusCode {
@@ -664,31 +664,31 @@ func getPagesPermission(client *gh.Client, repo *gh.Repository, currentAccess st
 log.Fatal("This should never happen. We are cancelling a deployment with an invalid ID.")
 return PagesWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 } else {
 // Will only land here if already tested one public repo and got a 403.
 if currentAccess == "UNKNOWN" {
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 }
 // Risk: Very Low
 // -> We're cancelling a GitHub Pages deployment that does not exist (see RANDOM_STRING above).
 // POST /repos/{owner}/{repo}/pages/deployments/{deployment_id}/cancel
 req, err := client.NewRequest("POST", "https://api.github.com/repos/"+*repo.Owner.Login+"/"+*repo.Name+"/pages/deployments/"+RANDOM_STRING+"/cancel", nil)
 if err != nil {
- return NoAccess, err
+ return Invalid, err
 }
 resp, err := client.Do(context.Background(), req, nil)
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 404:
 return PagesWrite, nil
 case 200:
 log.Fatal("This should never happen. We are cancelling a deployment with an invalid ID.")
 return PagesWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
 }
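Review bot: The else branch of getPagesPermission repeats the probe from the if branch almost verbatim — the same `client.NewRequest("POST", ".../pages/deployments/"+RANDOM_STRING+"/cancel", nil)`, the same `client.Do`, and the same 403/404/200 handling — with only the `currentAccess == "UNKNOWN"` guard differing. Extracting the request-and-classify step into a small helper returning `(Permission, error)` and calling it from both branches would remove the duplication and stop the two copies drifting apart. The same two-copy structure is visible in the commit statuses, contents, issues, pull requests and security advisories hunks. The if branch's switch head lies outside this hunk.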
@@ -700,11 +700,11 @@ func getPullRequestsPermission(client *gh.Client, repo *gh.Repository, currentAc
 _, resp, err := client.PullRequests.List(context.Background(), *repo.Owner.Login, *repo.Name, &gh.PullRequestListOptions{})
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Very Low
@@ -720,12 +720,12 @@ func getPullRequestsPermission(client *gh.Client, repo *gh.Repository, currentAc
 log.Fatal("This should never happen. We are creating a pull request with an invalid payload.")
 return PullRequestsWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 } else {
 // Will only land here if already tested one public repo and got a 403.
 if currentAccess == "UNKNOWN" {
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 }
 // Risk: Very Low
 // -> We're creating a pull request with an invalid payload.
@@ -733,14 +733,14 @@ func getPullRequestsPermission(client *gh.Client, repo *gh.Repository, currentAc
 _, resp, err := client.PullRequests.Create(context.Background(), *repo.Owner.Login, *repo.Name, &gh.NewPullRequest{})
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 422:
 return PullRequestsWrite, nil
 case 200:
 log.Fatal("This should never happen. We are creating a pull request with an invalid payload.")
 return PullRequestsWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
 }
@@ -753,11 +753,11 @@ func getRepoSecurityPermission(client *gh.Client, repo *gh.Repository, currentAc
 _, resp, err := client.SecurityAdvisories.ListRepositorySecurityAdvisories(context.Background(), *repo.Owner.Login, *repo.Name, nil)
 switch resp.StatusCode {
 case 403, 404:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Very Low
@@ -765,7 +765,7 @@ func getRepoSecurityPermission(client *gh.Client, repo *gh.Repository, currentAc
 // POST /repos/{owner}/{repo}/security-advisories
 req, err := client.NewRequest("POST", "https://api.github.com/repos/"+*repo.Owner.Login+"/"+*repo.Name+"/security-advisories", nil)
 if err != nil {
- return NoAccess, err
+ return Invalid, err
 }
 resp, err = client.Do(context.Background(), req, nil)
 switch resp.StatusCode {
@@ -777,31 +777,31 @@ func getRepoSecurityPermission(client *gh.Client, repo *gh.Repository, currentAc
 log.Fatal("This should never happen. We are creating a security advisory with an invalid payload.")
 return RepoSecurityWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 } else {
 // Will only land here if already tested one public repo and got a 403.
 if currentAccess == "UNKNOWN" {
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 }
 // Risk: Very Low
 // -> We're creating a security advisory with an invalid payload.
 // POST /repos/{owner}/{repo}/security-advisories
 req, err := client.NewRequest("POST", "https://api.github.com/repos/"+*repo.Owner.Login+"/"+*repo.Name+"/security-advisories", nil)
 if err != nil {
- return NoAccess, err
+ return Invalid, err
 }
 resp, err := client.Do(context.Background(), req, nil)
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 422:
 return RepoSecurityWrite, nil
 case 200:
 log.Fatal("This should never happen. We are creating a security advisory with an invalid payload.")
 return RepoSecurityWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
 }
@@ -812,11 +812,11 @@ func getSecretScanningPermission(client *gh.Client, repo *gh.Repository, current
 _, resp, err := client.SecretScanning.ListAlertsForRepo(context.Background(), *repo.Owner.Login, *repo.Name, nil)
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200, 404:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Very Low
@@ -832,7 +832,7 @@ func getSecretScanningPermission(client *gh.Client, repo *gh.Repository, current
 log.Fatal("This should never happen. We are updating a secret scanning alert that doesn't exist.")
 return SecretScanningWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -842,11 +842,11 @@ func getSecretsPermission(client *gh.Client, repo *gh.Repository, currentAccess
 _, resp, err := client.Actions.ListRepoSecrets(context.Background(), *repo.Owner.Login, *repo.Name, &gh.ListOptions{})
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Very Low
@@ -862,7 +862,7 @@ func getSecretsPermission(client *gh.Client, repo *gh.Repository, currentAccess
 log.Fatal("This should never happen. We are creating a secret with an invalid payload.")
 return SecretsWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -872,11 +872,11 @@ func getVariablesPermission(client *gh.Client, repo *gh.Repository, currentAcces
 _, resp, err := client.Actions.ListRepoVariables(context.Background(), *repo.Owner.Login, *repo.Name, &gh.ListOptions{})
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Very Low
@@ -892,7 +892,7 @@ func getVariablesPermission(client *gh.Client, repo *gh.Repository, currentAcces
 log.Fatal("This should never happen. We are patching a variable with an invalid payload and no name.")
 return VariablesWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -902,11 +902,11 @@ func getWebhooksPermission(client *gh.Client, repo *gh.Repository, currentAccess
 _, resp, err := client.Repositories.ListHooks(context.Background(), *repo.Owner.Login, *repo.Name, &gh.ListOptions{})
 switch resp.StatusCode {
 case 403, 404:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Very Low
@@ -922,7 +922,7 @@ func getWebhooksPermission(client *gh.Client, repo *gh.Repository, currentAccess
 log.Fatal("This should never happen. We are updating a webhook with an invalid payload.")
 return WebhooksWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -938,7 +938,7 @@ func analyzeRepositoryPermissions(client *gh.Client, repos []*gh.Repository) ([]
 if err != nil {
 return nil, err
 }
- if access != NoAccess {
+ if access != Invalid {
 perms = append(perms, access)
 }
 }
@@ -952,11 +952,11 @@ func getBlockUserPermission(client *gh.Client, user *gh.User) (Permission, error
 _, resp, err := client.Users.ListBlockedUsers(context.Background(), nil)
 switch resp.StatusCode {
 case 403, 404:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Extremely Low
@@ -972,7 +972,7 @@ func getBlockUserPermission(client *gh.Client, user *gh.User) (Permission, error
 log.Fatal("This should never happen. We are blocking a user that doesn't exist.")
 return BlockUserWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -982,11 +982,11 @@ func getCodespacesUserPermission(client *gh.Client, user *gh.User) (Permission,
 _, resp, err := client.Codespaces.ListUserSecrets(context.Background(), nil)
 switch resp.StatusCode {
 case 403, 404:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Low
@@ -1002,7 +1002,7 @@ func getCodespacesUserPermission(client *gh.Client, user *gh.User) (Permission,
 log.Fatal("This should never happen. We are creating a user secret with an invalid payload.")
 return CodespaceUserSecretsWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -1012,11 +1012,11 @@ func getEmailPermission(client *gh.Client, user *gh.User) (Permission, error) {
 _, resp, err := client.Users.ListEmails(context.Background(), nil)
 switch resp.StatusCode {
 case 403, 404:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Low
@@ -1031,7 +1031,7 @@ func getEmailPermission(client *gh.Client, user *gh.User) (Permission, error) {
 log.Fatal("This should never happen. We are setting email visibility with an invalid payload.")
 return EmailWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -1041,11 +1041,11 @@ func getFollowersPermission(client *gh.Client, user *gh.User) (Permission, error
 _, resp, err := client.Users.ListFollowers(context.Background(), "", nil)
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Low - Medium
@@ -1060,7 +1060,7 @@ func getFollowersPermission(client *gh.Client, user *gh.User) (Permission, error
 case 204:
 return FollowersWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -1070,11 +1070,11 @@ func getGPGKeysPermission(client *gh.Client, user *gh.User) (Permission, error)
 _, resp, err := client.Users.ListGPGKeys(context.Background(), "", nil)
 switch resp.StatusCode {
 case 403, 404:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Low - Medium
@@ -1090,7 +1090,7 @@ func getGPGKeysPermission(client *gh.Client, user *gh.User) (Permission, error)
 log.Fatal("This should never happen. We are creating a GPG key with an invalid payload.")
 return GpgKeysWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -1101,14 +1101,14 @@ func getGistsPermission(client *gh.Client, user *gh.User) (Permission, error) {
 _, resp, err := client.Gists.Create(context.Background(), &gh.Gist{})
 switch resp.StatusCode {
 case 403, 404:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 422:
 return GistsWrite, nil
 case 200, 201, 204:
 log.Fatal("This should never happen. We are creating a Gist with an invalid payload.")
 return GistsWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -1118,11 +1118,11 @@ func getGitKeysPermission(client *gh.Client, user *gh.User) (Permission, error)
 _, resp, err := client.Users.ListKeys(context.Background(), "", nil)
 switch resp.StatusCode {
 case 403, 404:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }
 // Risk: Low - Medium
@@ -1138,7 +1138,7 @@ func getGitKeysPermission(client *gh.Client, user *gh.User) (Permission, error)
 log.Fatal("This should never happen. We are creating a key with an invalid payload.")
 return GitKeysWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }
@@ -1147,16 +1147,16 @@ func getLimitsPermission(client *gh.Client, user *gh.User) (Permission, error) {
 // GET request to /user/interaction-limits
 req, err := client.NewRequest("GET", "https://api.github.com/user/interaction-limits", nil)
 if err != nil {
- return NoAccess, err
+ return Invalid, err
 }
 resp, err := client.Do(context.Background(), req, nil)
 switch resp.StatusCode {
 case 403:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200, 204:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }

 // Risk: Low
@@ -1164,7 +1164,7 @@ func getLimitsPermission(client *gh.Client, user *gh.User) (Permission, error) {
 // Payload is invalid, so it shouldn't actually post.
 req, err = client.NewRequest("PUT", "https://api.github.com/user/interaction-limits", nil)
 if err != nil {
- return NoAccess, err
+ return Invalid, err
 }
 resp, err = client.Do(context.Background(), req, nil)
 switch resp.StatusCode {
@@ -1176,7 +1176,7 @@ func getLimitsPermission(client *gh.Client, user *gh.User) (Permission, error) {
 log.Fatal("This should never happen. We are setting interaction limits with an invalid payload.")
 return LimitsWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }

@@ -1186,11 +1186,11 @@ func getPlanPermission(client *gh.Client, user *gh.User) (Permission, error) {
 _, resp, err := client.Billing.GetActionsBillingUser(context.Background(), *user.Login)
 switch resp.StatusCode {
 case 403, 404:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 return PlanRead, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }

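Review bot: In the `-1147` hunk `resp, err := client.Do(...)` is followed directly by `switch resp.StatusCode`; `Do` hands back a nil response on connection or context errors, so for those failures the new `return Invalid, err` default branch is unreachable and the function panics instead — insert `if resp == nil { return Invalid, err }` after each `Do` call (the `-1164` hunk repeats the pattern for the PUT). `getPlanPermission` in the `-1186` hunk also dereferences `*user.Login` with no nil check; whether the caller can supply a `User` without `Login` populated is not visible here, but if it can, that is a second crash path worth guarding. The `NewRequest` error returns in the `-1147` and `-1164` hunks are fine as they are. The enclosing functions start outside these hunks.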
@@ -1200,19 +1200,19 @@ func getProfilePermission(client *gh.Client, user *gh.User) (Permission, error)
 // Payload is invalid, so it shouldn't actually patch.
 req, err := client.NewRequest("POST", "https://api.github.com/user/social_accounts", nil)
 if err != nil {
- return NoAccess, err
+ return Invalid, err
 }
 resp, err := client.Do(context.Background(), req, nil)
 switch resp.StatusCode {
 case 403, 404:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 422:
 return ProfileWrite, nil
 case 200, 201, 204:
 log.Fatal("This should never happen. We are creating a social account with an invalid payload.")
 return ProfileWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }

@@ -1222,11 +1222,11 @@ func getSigningKeysPermission(client *gh.Client, user *gh.User) (Permission, err
 _, resp, err := client.Users.ListSSHSigningKeys(context.Background(), "", nil)
 switch resp.StatusCode {
 case 403, 404:
- return NoAccess, ErrNoAccess
+ return Invalid, ErrInvalid
 case 200:
 break
 default:
- return NoAccess, err
+ return Invalid, err
 }

 // Risk: Low - Medium
@@ -1242,7 +1242,7 @@ func getSigningKeysPermission(client *gh.Client, user *gh.User) (Permission, err
 log.Fatal("This should never happen. We are creating a SSH key with an invalid payload.")
 return SigningKeysWrite, nil
 default:
- return NoAccess, err
+ return Invalid, err
 }
 }

@@ -1288,7 +1288,7 @@ func AnalyzeFineGrainedToken(client *gh.Client, meta *common.TokenMetadata, shal
 if err != nil {
 return nil, err
 }
- if perm != NoAccess {
+ if perm != Invalid {
 accessibleRepos = append(accessibleRepos, repo)
 }
 }
@@ -1363,12 +1363,12 @@ func printFineGrainedPermissions(accessMap map[string]Permission, showAll bool,
 for _, key := range keys {
 value := accessMap[key]
- if value == NoAccess {
+ if value == Invalid {
 // don't change permissionCount
 } else {
 permissionCount++
 }
- if !showAll && value == NoAccess {
+ if !showAll && value == Invalid {
 continue
 } else {
 k, v := permissionFormatter(key, value)
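Review bot: The `-1363` hunk in `printFineGrainedPermissions` keeps an empty `if value == Invalid { // don't change permissionCount } else { permissionCount++ }` branch and an `else` after `continue`; the same logic reads more directly as `if value != Invalid { permissionCount++ }` followed by `if !showAll && value == Invalid { continue }` with the `permissionFormatter` call dedented below it. Both this comparison and `perm != Invalid` in the `-1288` hunk now rely on `Invalid` being the zero value of `Permission`, so a key that is absent from `accessMap` reads as inaccessible too — a one-line comment where the map is declared, `// Invalid (the zero value) marks a resource the token could not access.`, would make that intentional rather than accidental. Both enclosing functions start and end outside these hunks.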
diff --git a/pkg/analyzer/analyzers/github/finegrained/finegrained_permissions.go b/pkg/analyzer/analyzers/github/finegrained/finegrained_permissions.go index f7b45d7af9e6..07ff6126a25a 100644 --- a/pkg/analyzer/analyzers/github/finegrained/finegrained_permissions.go +++ b/pkg/analyzer/analyzers/github/finegrained/finegrained_permissions.go @@ -6,7 +6,7 @@ import "errors" type Permission int const ( - NoAccess Permission = iota + Invalid Permission = iota ActionsRead Permission = iota ActionsWrite Permission = iota AdministrationRead Permission = iota 
@@ -251,165 +251,165 @@ var ( } PermissionIDs = map[Permission]int{ - ActionsRead: 0, - ActionsWrite: 1, - AdministrationRead: 2, - AdministrationWrite: 3, - CodeScanningAlertsRead: 4, - CodeScanningAlertsWrite: 5, - CodespacesRead: 6, - CodespacesWrite: 7, - CodespacesLifecycleRead: 8, - CodespacesLifecycleWrite: 9, - CodespacesMetadataRead: 10, - CodespacesMetadataWrite: 11, - CodespacesSecretsRead: 12, - CodespacesSecretsWrite: 13, - CommitStatusesRead: 14, - CommitStatusesWrite: 15, - ContentsRead: 16, - ContentsWrite: 17, - CustomPropertiesRead: 18, - CustomPropertiesWrite: 19, - DependabotAlertsRead: 20, - DependabotAlertsWrite: 21, - DependabotSecretsRead: 22, - DependabotSecretsWrite: 23, - DeploymentsRead: 24, - DeploymentsWrite: 25, - EnvironmentsRead: 26, - EnvironmentsWrite: 27, - IssuesRead: 28, - IssuesWrite: 29, - MergeQueuesRead: 30, - MergeQueuesWrite: 31, - MetadataRead: 32, - MetadataWrite: 33, - PagesRead: 34, - PagesWrite: 35, - PullRequestsRead: 36, - PullRequestsWrite: 37, - RepoSecurityRead: 38, - RepoSecurityWrite: 39, - SecretScanningRead: 40, - SecretScanningWrite: 41, - SecretsRead: 42, - SecretsWrite: 43, - VariablesRead: 44, - VariablesWrite: 45, - WebhooksRead: 46, - WebhooksWrite: 47, - WorkflowsRead: 48, - WorkflowsWrite: 49, - BlockUserRead: 50, - BlockUserWrite: 51, - CodespaceUserSecretsRead: 52, - CodespaceUserSecretsWrite: 53, - EmailRead: 54, - EmailWrite: 55, - FollowersRead: 56, - FollowersWrite: 57, - GpgKeysRead: 58, - GpgKeysWrite: 59, - GistsRead: 60, - GistsWrite: 61, - GitKeysRead: 62, - GitKeysWrite: 63, - LimitsRead: 64, - LimitsWrite: 65, - PlanRead: 66, - PlanWrite: 67, - PrivateInvitesRead: 68, - PrivateInvitesWrite: 69, - ProfileRead: 70, - ProfileWrite: 71, - SigningKeysRead: 72, - SigningKeysWrite: 73, - StarringRead: 74, - StarringWrite: 75, - WatchingRead: 76, - WatchingWrite: 77, + ActionsRead: 1, + ActionsWrite: 2, + AdministrationRead: 3, + AdministrationWrite: 4, + CodeScanningAlertsRead: 5, + 
CodeScanningAlertsWrite: 6, + CodespacesRead: 7, + CodespacesWrite: 8, + CodespacesLifecycleRead: 9, + CodespacesLifecycleWrite: 10, + CodespacesMetadataRead: 11, + CodespacesMetadataWrite: 12, + CodespacesSecretsRead: 13, + CodespacesSecretsWrite: 14, + CommitStatusesRead: 15, + CommitStatusesWrite: 16, + ContentsRead: 17, + ContentsWrite: 18, + CustomPropertiesRead: 19, + CustomPropertiesWrite: 20, + DependabotAlertsRead: 21, + DependabotAlertsWrite: 22, + DependabotSecretsRead: 23, + DependabotSecretsWrite: 24, + DeploymentsRead: 25, + DeploymentsWrite: 26, + EnvironmentsRead: 27, + EnvironmentsWrite: 28, + IssuesRead: 29, + IssuesWrite: 30, + MergeQueuesRead: 31, + MergeQueuesWrite: 32, + MetadataRead: 33, + MetadataWrite: 34, + PagesRead: 35, + PagesWrite: 36, + PullRequestsRead: 37, + PullRequestsWrite: 38, + RepoSecurityRead: 39, + RepoSecurityWrite: 40, + SecretScanningRead: 41, + SecretScanningWrite: 42, + SecretsRead: 43, + SecretsWrite: 44, + VariablesRead: 45, + VariablesWrite: 46, + WebhooksRead: 47, + WebhooksWrite: 48, + WorkflowsRead: 49, + WorkflowsWrite: 50, + BlockUserRead: 51, + BlockUserWrite: 52, + CodespaceUserSecretsRead: 53, + CodespaceUserSecretsWrite: 54, + EmailRead: 55, + EmailWrite: 56, + FollowersRead: 57, + FollowersWrite: 58, + GpgKeysRead: 59, + GpgKeysWrite: 60, + GistsRead: 61, + GistsWrite: 62, + GitKeysRead: 63, + GitKeysWrite: 64, + LimitsRead: 65, + LimitsWrite: 66, + PlanRead: 67, + PlanWrite: 68, + PrivateInvitesRead: 69, + PrivateInvitesWrite: 70, + ProfileRead: 71, + ProfileWrite: 72, + SigningKeysRead: 73, + SigningKeysWrite: 74, + StarringRead: 75, + StarringWrite: 76, + WatchingRead: 77, + WatchingWrite: 78, } IdToPermission = map[int]Permission{ - 0: ActionsRead, - 1: ActionsWrite, - 2: AdministrationRead, - 3: AdministrationWrite, - 4: CodeScanningAlertsRead, - 5: CodeScanningAlertsWrite, - 6: CodespacesRead, - 7: CodespacesWrite, - 8: CodespacesLifecycleRead, - 9: CodespacesLifecycleWrite, - 10: 
CodespacesMetadataRead, - 11: CodespacesMetadataWrite, - 12: CodespacesSecretsRead, - 13: CodespacesSecretsWrite, - 14: CommitStatusesRead, - 15: CommitStatusesWrite, - 16: ContentsRead, - 17: ContentsWrite, - 18: CustomPropertiesRead, - 19: CustomPropertiesWrite, - 20: DependabotAlertsRead, - 21: DependabotAlertsWrite, - 22: DependabotSecretsRead, - 23: DependabotSecretsWrite, - 24: DeploymentsRead, - 25: DeploymentsWrite, - 26: EnvironmentsRead, - 27: EnvironmentsWrite, - 28: IssuesRead, - 29: IssuesWrite, - 30: MergeQueuesRead, - 31: MergeQueuesWrite, - 32: MetadataRead, - 33: MetadataWrite, - 34: PagesRead, - 35: PagesWrite, - 36: PullRequestsRead, - 37: PullRequestsWrite, - 38: RepoSecurityRead, - 39: RepoSecurityWrite, - 40: SecretScanningRead, - 41: SecretScanningWrite, - 42: SecretsRead, - 43: SecretsWrite, - 44: VariablesRead, - 45: VariablesWrite, - 46: WebhooksRead, - 47: WebhooksWrite, - 48: WorkflowsRead, - 49: WorkflowsWrite, - 50: BlockUserRead, - 51: BlockUserWrite, - 52: CodespaceUserSecretsRead, - 53: CodespaceUserSecretsWrite, - 54: EmailRead, - 55: EmailWrite, - 56: FollowersRead, - 57: FollowersWrite, - 58: GpgKeysRead, - 59: GpgKeysWrite, - 60: GistsRead, - 61: GistsWrite, - 62: GitKeysRead, - 63: GitKeysWrite, - 64: LimitsRead, - 65: LimitsWrite, - 66: PlanRead, - 67: PlanWrite, - 68: PrivateInvitesRead, - 69: PrivateInvitesWrite, - 70: ProfileRead, - 71: ProfileWrite, - 72: SigningKeysRead, - 73: SigningKeysWrite, - 74: StarringRead, - 75: StarringWrite, - 76: WatchingRead, - 77: WatchingWrite, + 1: ActionsRead, + 2: ActionsWrite, + 3: AdministrationRead, + 4: AdministrationWrite, + 5: CodeScanningAlertsRead, + 6: CodeScanningAlertsWrite, + 7: CodespacesRead, + 8: CodespacesWrite, + 9: CodespacesLifecycleRead, + 10: CodespacesLifecycleWrite, + 11: CodespacesMetadataRead, + 12: CodespacesMetadataWrite, + 13: CodespacesSecretsRead, + 14: CodespacesSecretsWrite, + 15: CommitStatusesRead, + 16: CommitStatusesWrite, + 17: ContentsRead, + 18: 
ContentsWrite, + 19: CustomPropertiesRead, + 20: CustomPropertiesWrite, + 21: DependabotAlertsRead, + 22: DependabotAlertsWrite, + 23: DependabotSecretsRead, + 24: DependabotSecretsWrite, + 25: DeploymentsRead, + 26: DeploymentsWrite, + 27: EnvironmentsRead, + 28: EnvironmentsWrite, + 29: IssuesRead, + 30: IssuesWrite, + 31: MergeQueuesRead, + 32: MergeQueuesWrite, + 33: MetadataRead, + 34: MetadataWrite, + 35: PagesRead, + 36: PagesWrite, + 37: PullRequestsRead, + 38: PullRequestsWrite, + 39: RepoSecurityRead, + 40: RepoSecurityWrite, + 41: SecretScanningRead, + 42: SecretScanningWrite, + 43: SecretsRead, + 44: SecretsWrite, + 45: VariablesRead, + 46: VariablesWrite, + 47: WebhooksRead, + 48: WebhooksWrite, + 49: WorkflowsRead, + 50: WorkflowsWrite, + 51: BlockUserRead, + 52: BlockUserWrite, + 53: CodespaceUserSecretsRead, + 54: CodespaceUserSecretsWrite, + 55: EmailRead, + 56: EmailWrite, + 57: FollowersRead, + 58: FollowersWrite, + 59: GpgKeysRead, + 60: GpgKeysWrite, + 61: GistsRead, + 62: GistsWrite, + 63: GitKeysRead, + 64: GitKeysWrite, + 65: LimitsRead, + 66: LimitsWrite, + 67: PlanRead, + 68: PlanWrite, + 69: PrivateInvitesRead, + 70: PrivateInvitesWrite, + 71: ProfileRead, + 72: ProfileWrite, + 73: SigningKeysRead, + 74: SigningKeysWrite, + 75: StarringRead, + 76: StarringWrite, + 77: WatchingRead, + 78: WatchingWrite, } ) diff --git a/pkg/analyzer/analyzers/openai/permissions.go b/pkg/analyzer/analyzers/openai/permissions.go index 2eebd7e7dce3..d26d557c9d57 100644 --- a/pkg/analyzer/analyzers/openai/permissions.go +++ b/pkg/analyzer/analyzers/openai/permissions.go @@ -6,7 +6,7 @@ import "errors" type Permission int const ( - NoAccess Permission = iota + Invalid Permission = iota ModelsRead Permission = iota ModelCapabilitiesWrite Permission = iota AssistantsRead Permission = iota 
@@ -47,29 +47,29 @@ var ( } PermissionIDs = map[Permission]int{ - ModelsRead: 0, - ModelCapabilitiesWrite: 1, - AssistantsRead: 2, - AssistantsWrite: 3, - ThreadsRead: 4, - ThreadsWrite: 5, - FineTuningRead: 6, - FineTuningWrite: 7, - FilesRead: 8, - FilesWrite: 9, + ModelsRead: 1, + ModelCapabilitiesWrite: 2, + AssistantsRead: 3, + AssistantsWrite: 4, + ThreadsRead: 5, + ThreadsWrite: 6, + FineTuningRead: 7, + FineTuningWrite: 8, + FilesRead: 9, + FilesWrite: 10, } IdToPermission = map[int]Permission{ - 0: ModelsRead, - 1: ModelCapabilitiesWrite, - 2: AssistantsRead, - 3: AssistantsWrite, - 4: ThreadsRead, - 5: ThreadsWrite, - 6: FineTuningRead, - 7: FineTuningWrite, - 8: FilesRead, - 9: FilesWrite, + 1: ModelsRead, + 2: ModelCapabilitiesWrite, + 3: AssistantsRead, + 4: AssistantsWrite, + 5: ThreadsRead, + 6: ThreadsWrite, + 7: FineTuningRead, + 8: FineTuningWrite, + 9: FilesRead, + 10: FilesWrite, } ) diff --git a/pkg/analyzer/analyzers/twilio/permissions.go b/pkg/analyzer/analyzers/twilio/permissions.go index 8985ecdd0ae8..601ca9b0c3ce 100644 --- a/pkg/analyzer/analyzers/twilio/permissions.go +++ b/pkg/analyzer/analyzers/twilio/permissions.go @@ -6,7 +6,7 @@ import "errors" type Permission int const ( - NoAccess Permission = iota + Invalid Permission = iota AccountManagementRead Permission = iota AccountManagementWrite Permission = iota SubaccountConfigurationRead Permission = iota 
@@ -65,41 +65,41 @@ var ( } PermissionIDs = map[Permission]int{ - AccountManagementRead: 0, - AccountManagementWrite: 1, - SubaccountConfigurationRead: 2, - SubaccountConfigurationWrite: 3, - KeyManagementRead: 4, - KeyManagementWrite: 5, - ServiceVerificationRead: 6, - ServiceVerificationWrite: 7, - SmsRead: 8, - SmsWrite: 9, - VoiceRead: 10, - VoiceWrite: 11, - MessagingRead: 12, - MessagingWrite: 13, - CallManagementRead: 14, - CallManagementWrite: 15, + AccountManagementRead: 1, + AccountManagementWrite: 2, + SubaccountConfigurationRead: 3, + SubaccountConfigurationWrite: 4, + KeyManagementRead: 5, + KeyManagementWrite: 6, + ServiceVerificationRead: 7, + ServiceVerificationWrite: 8, + SmsRead: 9, + SmsWrite: 10, + VoiceRead: 11, + VoiceWrite: 12, + MessagingRead: 13, + MessagingWrite: 14, + CallManagementRead: 15, + CallManagementWrite: 16, } IdToPermission = map[int]Permission{ - 0: AccountManagementRead, - 1: AccountManagementWrite, - 2: SubaccountConfigurationRead, - 3: SubaccountConfigurationWrite, - 4: KeyManagementRead, - 5: KeyManagementWrite, - 6: ServiceVerificationRead, - 7: ServiceVerificationWrite, - 8: SmsRead, - 9: SmsWrite, - 10: VoiceRead, - 11: VoiceWrite, - 12: MessagingRead, - 13: MessagingWrite, - 14: CallManagementRead, - 15: CallManagementWrite, + 1: AccountManagementRead, + 2: AccountManagementWrite, + 3: SubaccountConfigurationRead, + 4: SubaccountConfigurationWrite, + 5: KeyManagementRead, + 6: KeyManagementWrite, + 7: ServiceVerificationRead, + 8: ServiceVerificationWrite, + 9: SmsRead, + 10: SmsWrite, + 11: VoiceRead, + 12: VoiceWrite, + 13: MessagingRead, + 14: MessagingWrite, + 15: CallManagementRead, + 16: CallManagementWrite, } ) diff --git a/pkg/analyzer/generate_permissions/generate_permissions.go b/pkg/analyzer/generate_permissions/generate_permissions.go index 3d579aef895a..870cb0673e02 100644 --- a/pkg/analyzer/generate_permissions/generate_permissions.go +++ b/pkg/analyzer/generate_permissions/generate_permissions.go 
@@ -25,7 +25,7 @@ import "errors"
 type Permission int

 const (
- NoAccess Permission = iota
+ Invalid Permission = iota
 {{- range $index, $permission := .Permissions }}
 {{ ToCamelCase $permission }} Permission = iota
 {{- end }}
@@ -46,13 +46,13 @@ var (
 PermissionIDs = map[Permission]int{
 {{- range $index, $permission := .Permissions }}
- {{ ToCamelCase $permission }}: {{ $index }},
+ {{ ToCamelCase $permission }}: {{ inc $index }},
 {{- end }}
 }

 IdToPermission = map[int]Permission{
 {{- range $index, $permission := .Permissions }}
- {{ $index }}: {{ ToCamelCase $permission }},
+ {{ inc $index }}: {{ ToCamelCase $permission }},
 {{- end }}
 }
 )
@@ -123,6 +123,7 @@ func main() {
 // Parse the template
 tmpl, err := template.New("permissions").Funcs(template.FuncMap{
 "ToCamelCase": ToCamelCase,
+ "inc": func(i int) int { return i + 1 },
 }).Parse(templateText)
 if err != nil {
 log.Fatalf("Failed to parse template: %v", err)
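Review bot: The `-46` hunk fixes the off-by-one by hand-incrementing the template index, which leaves the two lookup tables free to drift from the iota block again the next time a constant is inserted or reordered; generating the numeric value from the constant itself removes the `inc` helper and turns any future duplicate into a compile error: `{{ ToCamelCase $permission }}: int({{ ToCamelCase $permission }}),` and `int({{ ToCamelCase $permission }}): {{ ToCamelCase $permission }},`. In the `-25` hunk the template also repeats `Permission = iota` on every generated line; after the first entry a bare `{{ ToCamelCase $permission }}` continues the sequence and is the idiomatic form. A comment above the const block, `// Invalid is the zero value; real permissions start at 1 so a missing map entry never aliases one.`, would record the invariant this patch restores, since the generated files carry no explanation of it.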