
Commit c2ed6b3

author
Dan Gardner
committed
Use a single query to revoke and return the token when responding to an alert from GitHub and add test for false positive feedback.
1 parent 43f7796 commit c2ed6b3


2 files changed

+13
-7
lines changed


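--- a/src/controllers/github/secret_scanning.rs
+++ b/src/controllers/github/secret_scanning.rs
@@ -156,14 +156,13 @@ fn alert_revoke_token(
 alert: &GitHubSecretAlert,
 ) -> Result<(), Box<dyn AppError>> {
 let conn = req.db_write()?;
+
 // not using ApiToken::find_by_api_token in order to preserve last_used_at
-let token = api_tokens::table
+// the token field has a uniqueness constraint so get_result() should be safe to use
+let token: ApiToken = diesel::update(api_tokens::table)
 .filter(api_tokens::token.eq(alert.token.as_bytes()))
-.first::<ApiToken>(&*conn)?;
-
-diesel::update(&token)
 .set(api_tokens::revoked.eq(true))
-.execute(&*conn)?;
+.get_result::<ApiToken>(&*conn)?;
 
 // send email notification to the token owner
 let user = User::find(&conn, token.user_id)?;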
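Review bot: When no row matches the alert token, the `get_result` call on the rewritten update (new line 165) fails with diesel's `NotFound`, which `?` turns into this function's error rather than the false-positive feedback the unknown-token test expects; the old `.first()` path behaved the same way, so the caller presumably maps that variant, but it is not visible in the hunk and a comment such as `// NotFound here means the token is unknown; the caller reports it as a false positive` would record the contract next to the query. The update is also unconditional on `revoked`, so a repeated alert for an already-revoked token re-runs the email notification below; adding `.filter(api_tokens::revoked.eq(false))` would change what `NotFound` means, so any dedup belongs in the caller, not here. alert_revoke_token starts before the hunk and continues past it.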

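--- a/src/tests/github_secret_scanning.rs
+++ b/src/tests/github_secret_scanning.rs
@@ -46,7 +46,7 @@ fn github_secret_alert_revokes_token() {
 assert_eq!(response.status(), StatusCode::OK);
 
 // Ensure feedback is a true positive
-let feedback: Vec<GitHubSecretAlertFeedback> = response.good();
+let feedback = response.good();
 assert_eq!(feedback.len(), 1);
 assert_eq!(feedback[0].token_raw, "some_token");
 assert_eq!(feedback[0].token_type, "some_type");
@@ -88,9 +88,16 @@ fn github_secret_alert_for_unknown_token() {
 request.with_body(GITHUB_ALERT);
 request.header("GITHUB-PUBLIC-KEY-IDENTIFIER", GITHUB_PUBLIC_KEY_IDENTIFIER);
 request.header("GITHUB-PUBLIC-KEY-SIGNATURE", GITHUB_PUBLIC_KEY_SIGNATURE);
-let response = anon.run::<()>(request);
+let response = anon.run::<Vec<GitHubSecretAlertFeedback>>(request);
 assert_eq!(response.status(), StatusCode::OK);
 
+// Ensure feedback is a false positive
+let feedback = response.good();
+assert_eq!(feedback.len(), 1);
+assert_eq!(feedback[0].token_raw, "some_token");
+assert_eq!(feedback[0].token_type, "some_type");
+assert_eq!(feedback[0].label, "false_positive");
+
 // Ensure that the token was not revoked
 app.db(|conn| {
 let tokens: Vec<ApiToken> = assert_ok!(ApiToken::belonging_to(user.as_model())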
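Review bot: The feedback assertions added at new lines 95–99 of github_secret_alert_for_unknown_token repeat the ones in github_secret_alert_revokes_token (lines 49–52 of the first hunk, plus whatever label check follows outside it) with only the expected label differing; a helper such as `fn assert_single_feedback(feedback: &[GitHubSecretAlertFeedback], label: &str)` holding the length, `token_raw`, `token_type` and `label` checks would keep the two tests in step when the fixture alert changes. The first hunk drops the explicit `Vec<GitHubSecretAlertFeedback>` annotation on `feedback`, presumably relying on the turbofish on `anon.run` as the second hunk now does, which makes the two tests consistent. github_secret_alert_for_unknown_token continues past the hunk.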
