From baddead5fa62cd008fd0d7eddee63af59cc0d42d Mon Sep 17 00:00:00 2001 From: Security & Stuff <74931194+SecurityAndStuff@users.noreply.github.com> Date: Fri, 24 Mar 2023 06:55:05 +0000 Subject: [PATCH 1/2] add authorization check Signed-off-by: Security & Stuff <74931194+SecurityAndStuff@users.noreply.github.com> --- src/ghas_cli/utils/network.py | 32 ++++++++++++++++++++++- src/ghas_cli/utils/repositories.py | 42 ++++++++++++++---------------- 2 files changed, 51 insertions(+), 23 deletions(-) diff --git a/src/ghas_cli/utils/network.py b/src/ghas_cli/utils/network.py index fd14037..c25c652 100644 --- a/src/ghas_cli/utils/network.py +++ b/src/ghas_cli/utils/network.py @@ -4,7 +4,7 @@ from typing import Any, Dict from datetime import datetime import time - +import requests # If the rate-limit is reached, sleep X seconds SLEEP_1_MINUTE = 60 @@ -42,3 +42,33 @@ def check_rate_limit(response: Any) -> bool: time.sleep(SLEEP_BETWEEN_REQUESTS) return False + +def check_unauthorized(response: Any): + if response.status_code == 401: + print(response.json()["message"]) + return False + return True + +def check_response(response: any): + check_rate_limit(response) + check_unauthorized(response) + +def get(*args, **kwargs): + response = requests.get(*args, **kwargs) + check_response(response) + return response + +def post(*args, **kwargs): + response = requests.post(*args, **kwargs) + check_response(response) + return response + +def put(*args, **kwargs): + response = requests.put(*args, **kwargs) + check_response(response) + return response + +def patch(*args, **kwargs): + response = requests.patch(*args, **kwargs) + check_response(response) + return response diff --git a/src/ghas_cli/utils/repositories.py b/src/ghas_cli/utils/repositories.py index 691b5a0..68bb47e 100644 --- a/src/ghas_cli/utils/repositories.py +++ b/src/ghas_cli/utils/repositories.py 
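Review bot: In the `@@ -42,3 +42,33 @@` hunk, `check_response` discards the booleans returned by `check_rate_limit` and `check_unauthorized`, and the `get`/`post`/`put`/`patch` wrappers return the response either way, so the 401 handling this commit adds only prints a message and no call site can act on it; having `check_response` return `not check_rate_limit(response) and check_unauthorized(response)` (on the reading that `check_rate_limit` returns True when throttled, as the `break` removed from get_org_repositories suggests) lets callers stop instead of continuing with a rejected token. `check_unauthorized` also reads `response.json()["message"]` unguarded, which raises on a 401 whose body is not JSON or lacks that key and turns an authorization failure into a stack trace. The annotation `response: any` on `check_response` names the builtin function rather than `typing.Any`, which the file already imports. None of the wrappers set a timeout and the call sites in repositories.py pass only url/params/headers/json, so a stalled connection hangs the CLI; `kwargs.setdefault("timeout", <new module constant>)` in each wrapper would bound it.
```python
def check_unauthorized(response: Any) -> bool:
    """Return False (after printing the server's message) when the response is a 401."""
    if response.status_code != 401:
        return True
    try:
        message = response.json().get("message", response.reason)
    except ValueError:  # body is not JSON; fall back to the HTTP reason phrase
        message = response.reason
    print(message)
    return False

def check_response(response: Any) -> bool:
    """Return True when the response was neither rate-limited nor unauthorized."""
    # check_rate_limit has already slept by the time it reports a throttle
    return not check_rate_limit(response) and check_unauthorized(response)

# … unchanged: get/post/put/patch wrappers …
```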
@@ -164,17 +164,15 @@ def get_org_repositories( "per_page": 100, "page": page, } - repos = requests.get( + repos = network.get( url=f"https://api.github.com/orgs/{organization}/repos", params=params, headers=headers, ) - if network.check_rate_limit(repos): - break if repos.status_code != 200: break - + if [] == repos.json(): break @@ -225,7 +223,7 @@ def get_default_branch_last_updated( """ headers = network.get_github_headers(token) - branch_res = requests.get( + branch_res = network.get( url=f"https://api.github.com/repos/{organization}/{repository_name}/branches/{default_branch}", headers=headers, ) @@ -245,7 +243,7 @@ def archive(organization: str, token: str, repository: str) -> bool: payload = {"archived": True} - status = requests.patch( + status = network.patch( url=f"https://api.github.com/repos/{organization}/{repository}", headers=headers, json=payload, @@ -263,7 +261,7 @@ def check_dependabot_alerts_enabled( headers = network.get_github_headers(token) - status = requests.get( + status = network.get( url=f"https://api.github.com/orgs/{organization}/repos/vulnerability-alerts", headers=headers, ) @@ -286,7 +284,7 @@ def enable_secret_scanner(organization: str, token: str, repository: str) -> boo } } - status = requests.patch( + status = network.patch( url=f"https://api.github.com/repos/{organization}/{repository}", headers=headers, json=payload, @@ -313,7 +311,7 @@ def enable_secret_scanner_push_protection( } } - status = requests.patch( + status = network.patch( url=f"https://api.github.com/repos/{organization}/{repository}", headers=headers, json=payload, 
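Review bot: Dropping `if network.check_rate_limit(repos): break` leaves the pagination loop in get_org_repositories stopping on `repos.status_code != 200` alone, so a throttled or 401 response that `network.get` has already reported ends the listing silently with whatever pages were collected, and the caller cannot tell a partial result from a complete one. The function starts before this hunk, so I cannot see whether a partial list is flagged on return; if it is not, a comment at the `break` such as `# network.get already slept on a rate limit; any non-200 (incl. 401) ends pagination early` would at least make the new stop condition explicit. The same reliance on status_code alone applies to the other hunks in this file that swap `requests.*` for `network.*`.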
@@ -328,12 +326,12 @@ def enable_secret_scanner_push_protection( def enable_dependabot(organization: str, token: str, repository: str) -> bool: headers = network.get_github_headers(token) - status_alerts = requests.put( + status_alerts = network.put( url=f"https://api.github.com/repos/{organization}/{repository}/vulnerability-alerts", headers=headers, ) - status_fixes = requests.put( + status_fixes = network.put( url=f"https://api.github.com/repos/{organization}/{repository}/automated-security-fixes", headers=headers, ) @@ -348,7 +346,7 @@ def get_default_branch(organization: str, token: str, repository: str) -> str: """Get the default branch slug for a repository""" headers = network.get_github_headers(token) - repo = requests.get( + repo = network.get( url=f"https://api.github.com/repos/{organization}/{repository}", headers=headers, ) @@ -375,7 +373,7 @@ def get_languages( aliased_interpreted_languages = {"typescript": "javascript"} headers = network.get_github_headers(token) - languages = requests.get( + languages = network.get( url=f"https://api.github.com/repos/{organization}/{repository}/languages", headers=headers, ) @@ -460,7 +458,7 @@ def create_codeql_pr( return False # Create a branch - branch_resp = requests.get( + branch_resp = network.get( url=f"https://api.github.com/repos/{organization}/{repository}/git/refs/heads", headers=headers, ) @@ -481,7 +479,7 @@ def create_codeql_pr( "sha": sha1, } - branch_resp = requests.post( + branch_resp = network.post( url=f"https://api.github.com/repos/{organization}/{repository}/git/refs", headers=headers, json=payload, @@ -505,7 +503,7 @@ def create_codeql_pr( "branch": target_branch, } - commit_resp = requests.put( + commit_resp = network.put( url=f"https://api.github.com/repos/{organization}/{repository}/contents/.github/workflows/codeql-analysis-{lang}.yml", headers=headers, json=payload, 
@@ -522,7 +520,7 @@ def create_codeql_pr( "branch": target_branch, } - commit_resp = requests.put( + commit_resp = network.put( url=f"https://api.github.com/repos/{organization}/{repository}/contents/.github/codeql/codeql-config-{lang}.yml", headers=headers, json=payload, @@ -541,7 +539,7 @@ def create_codeql_pr( # Retry if rate-limited i = 0 while i < network.RETRIES: - pr_resp = requests.post( + pr_resp = network.post( url=f"https://api.github.com/repos/{organization}/{repository}/pulls", headers=headers, json=payload, @@ -589,7 +587,7 @@ def create_dependency_enforcement_pr( return False # Create a branch - branch_resp = requests.get( + branch_resp = network.get( url=f"https://api.github.com/repos/{organization}/{repository}/git/refs/heads", headers=headers, ) @@ -610,7 +608,7 @@ def create_dependency_enforcement_pr( "sha": sha1, } - branch_resp = requests.post( + branch_resp = network.post( url=f"https://api.github.com/repos/{organization}/{repository}/git/refs", headers=headers, json=payload, @@ -627,7 +625,7 @@ def create_dependency_enforcement_pr( "branch": target_branch, } - commit_resp = requests.put( + commit_resp = network.put( url=f"https://api.github.com/repos/{organization}/{repository}/contents/.github/workflows/dependency_enforcement.yml", headers=headers, json=payload, @@ -646,7 +644,7 @@ def create_dependency_enforcement_pr( # Retry if rate-limited i = 0 while i < network.RETRIES: - pr_resp = requests.post( + pr_resp = network.post( url=f"https://api.github.com/repos/{organization}/{repository}/pulls", headers=headers, json=payload, From ecbb5ce51a73243c63a7e33f4e37e8666cca51be Mon Sep 17 00:00:00 2001 From: Security & Stuff <74931194+SecurityAndStuff@users.noreply.github.com> Date: Fri, 24 Mar 2023 07:23:58 +0000 Subject: [PATCH 2/2] version Signed-off-by: Security & Stuff <74931194+SecurityAndStuff@users.noreply.github.com> --- src/cli.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
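Review bot: In the `# Retry if rate-limited` loops of create_codeql_pr (hunk `@@ -541,7 +539,7 @@`) and create_dependency_enforcement_pr (hunk `@@ -646,7 +644,7 @@`), `network.post` now runs `check_rate_limit` itself, which sleeps before returning; if the loop body below the hunk still calls `network.check_rate_limit(pr_resp)` to decide on the retry, a throttled attempt sleeps twice and the loop duplicates what the wrapper already does. The loop bodies are outside the hunks, so this is inferred from the pre-existing call pattern; either drop the in-loop check or key the loop off the wrapper's result, and record the decision in the comment, e.g. `# network.post already sleeps on a rate limit; this loop only re-issues the request`.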
diff --git a/src/cli.py b/src/cli.py index e20a8e7..5529b8e 100644 --- a/src/cli.py +++ b/src/cli.py @@ -3,7 +3,7 @@ __author__ = "jboursier" __copyright__ = "Copyright 2023, Malwarebytes" -__version__ = "1.4.1" +__version__ = "1.4.2" __maintainer__ = "jboursier" __email__ = "jboursier@malwarebytes.com" __status__ = "Production"