zendesk_apps_support 4.15.1 → 4.16.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: ad968be91116842bcb5d7d3415db37800e4818f2
-  data.tar.gz: dd9ecfdd060c47577a2836ef012b87aa4f6f6599
+SHA256:
+  metadata.gz: 7629b25072aa14d2fc633c4061efe052835f0893e221c131881124ecf1bb9989
+  data.tar.gz: 31827636b35c8b029e80e96cf7511b17f25b64319ba26725bc57fee0c38abda8
 SHA512:
-  metadata.gz: 6e4e50e7bc73b37b85c1620ec92fab05f34f0ce7b3def94d9752f608c58b41f2d665b504c369f36e110a531df8dfe471a6611d1b839ec36832ff80b0ad624abe
-  data.tar.gz: bc03e6fb2a6cd7d8c1ef16d4c342abc2267783bc7e9ab2472cfa77a6185d11e75d575fa9d89dd79f42fa3ef30a98515d76a56212a2dd4b0d9cb852107e3cc3a8
+  metadata.gz: c84e515174af4129cd536c670279113588893de7f684523edd35521dac6fa0f1d1c33e1b7648239e56e88ef697899f11bb87c64f250c960a1dd4296709e35752
+  data.tar.gz: 1279372798bf6ba5a1672408046d308ae7feaf00d99cfdddb96122ce1ad4be3780e2c49223be5311146426ed4e5549c1647c8503401659b001f648a3946a8196

data/config/locales/en.yml

@@ -6,6 +6,7 @@ en:
       admin:
         error:
           app_build:
+            listing_comma: ", "
             jshint:
               one: 'JSHint error in %{file}: %{errors}'
               other: 'JSHint errors in %{file}: %{errors}'
@@ -52,6 +53,9 @@ en:
             invalid_requirements_types:
               one: 'requirements.json contains an invalid type: %{invalid_types}'
               other: 'requirements.json contains invalid types: %{invalid_types}'
+            unsupported_mime_type_detected:
+              one: 'Unsupported MIME type detected in %{file_names}'
+              other: 'Unsupported MIME types detected in %{file_names}'
             multiple_channel_integrations: Specifying multiple channel integrations
               in requirements.json is not supported.
             invalid_cr_schema_keys:
@@ -80,10 +84,16 @@ en:
             blank_location_uri: "%{location} location does not specify a URI."
             invalid_location_uri: "%{uri} is either an invalid location URI, refers
               to a missing asset, or does not use HTTPS."
+            signed_setting_uri: The url (%{uri}) cannot use a setting because it is
+              a signed url.
             name_as_parameter_name: Can't call a parameter 'name'
             invalid_hidden_parameter:
               one: "%{invalid_params} is set to hidden and cannot be required."
               other: "%{invalid_params} are set to hidden and cannot be required."
+            blocked_request: Possible request to a %{type} ip %{uri} in %{file}.
+            blocked_request_private: private
+            blocked_request_loopback: loopback
+            blocked_request_link_local: link-local
             invalid_version: "%{target_version} is not a valid framework version.
               Available versions are: %{available_versions}."
             old_version: Iframe Only apps must target framework versions 2.0 or greater.
@@ -128,3 +138,12 @@ en:
               and may not display as intended.
             bitmap_in_svg: "%{svg} contains an embedded bitmap and cannot be used
               as an app icon. It has been replaced with a default placeholder icon."
+            generic_secrets:
+              one: Possible secrets found in %{files}. Consider reviewing the contents
+                of this file before submitting your app.
+              other: Possible secrets found in %{files}. Consider reviewing the contents
+                of these files before submitting your app.
+            insecure_http_request: Possible insecure HTTP request to %{uri} in %{file}.
+              Consider instead using the HTTPS protocol.
+            application_secret: Possible %{secret_type} found in %{file}. Consider
+              reviewing the contents of this file before submitting your app.

data/config/locales/translations/zendesk_apps_support.yml

@@ -7,6 +7,10 @@ packages:
   - apps_support
 
 parts:
+  - translation:
+      key: "txt.apps.admin.error.app_build.listing_comma"
+      title: "Punctuation for separating lists of items in a sentence"
+      value: ", "
   - translation:
       key: "txt.apps.admin.error.app_build.jshint.one"
       title: "App builder job: JSHint error message"
@@ -115,6 +119,16 @@ parts:
       key: "txt.apps.admin.error.app_build.invalid_requirements_types.other"
       title: "App builder job: requirements file contains invalid types error"
       value: "requirements.json contains invalid types: %{invalid_types}"
+  - translation:
+      key: "txt.apps.admin.error.app_build.unsupported_mime_type_detected.one"
+      title: "App builder job: directory contains unsupported mime type. MIME is an abbreviation for Multipurpose Internet Mail Extensions. https://en.wikipedia.org/wiki/MIME"
+      value: "Unsupported MIME type detected in %{file_names}."
+      screenshot: "https://drive.google.com/open?id=13sG5kRWrcVPZiFzDLYo-WavY4WbsHdvX"
+  - translation:
+      key: "txt.apps.admin.error.app_build.unsupported_mime_type_detected.other"
+      title: "App builder job: directory contains unsupported mime type. MIME is an abbreviation for Multipurpose Internet Mail Extensions. https://en.wikipedia.org/wiki/MIME"
+      value: "Unsupported MIME types detected in %{file_names}."
+      screenshot: "https://drive.google.com/open?id=1Ht4Nq4ZcQ0DMfcm6JphF66QI3e1FT8Wn"
   - translation:
       key: "txt.apps.admin.error.app_build.multiple_channel_integrations"
       title: "App builder job: requirements file contains multiple channel integrations, leave requirements.json as is (file name)"
@@ -219,6 +233,43 @@ parts:
       key: "txt.apps.admin.warning.app_build.bitmap_in_svg"
       title: "App builder job: warning that svg contains an embedded bitmap image and cannot be used"
       value: "%{svg} contains an embedded bitmap and cannot be used as an app icon. It has been replaced with a default placeholder icon."
+  - translation:
+      key: "txt.apps.admin.warning.app_build.generic_secrets.one"
+      title: "App builder job: warning for generic secrets found in app text files. %{files} will be replaced with one file name"
+      value: "Possible secrets found in %{files}. Consider reviewing the contents of this file before submitting your app."
+      screenshot: "https://drive.google.com/file/d/179IMwzJvXD1m5u-0K499Ul3-qRBXAxnT"
+  - translation:
+      key: "txt.apps.admin.warning.app_build.generic_secrets.other"
+      title: "App builder job: warning for generic secrets found in app text files. %{files} will be replaced with multiple file names"
+      value: "Possible secrets found in %{files}. Consider reviewing the contents of these files before submitting your app."
+      screenshot: "https://drive.google.com/file/d/179IMwzJvXD1m5u-0K499Ul3-qRBXAxnT"
+  - translation:
+      key: "txt.apps.admin.warning.app_build.insecure_http_request"
+      title: "App builder job: warning on detecting an insecure http request call in app source files"
+      value: "Possible insecure HTTP request to %{uri} in %{file}. Consider instead using the HTTPS protocol."
+      screenshot: "https://drive.google.com/file/d/1V-lXrVoAXAZEtBoekq7XLyetomUZRqY-"
+  - translation:
+      key: "txt.apps.admin.error.app_build.blocked_request"
+      title: "App builder job: error on detecting a forbidden http request call in app source files"
+      value: "Possible request to a %{type} ip %{uri} in %{file}."
+      screenshot: "https://drive.google.com/file/d/1hiTwbQi5aj6PnEtfuA7QTALs6AryDmj_"
+  - translation:
+      key: "txt.apps.admin.error.app_build.blocked_request_private"
+      title: "App builder job: forbidden http request call ip type: private. See https://en.wikipedia.org/wiki/Private_network"
+      value: "private"
+  - translation:
+      key: "txt.apps.admin.error.app_build.blocked_request_loopback"
+      title: "App builder job: forbidden http request call ip type: loopback. See https://en.wikipedia.org/wiki/Loopback"
+      value: "loopback"
+  - translation:
+      key: "txt.apps.admin.error.app_build.blocked_request_link_local"
+      title: "App builder job: forbidden http request call ip type: link-local. See https://en.wikipedia.org/wiki/Link-local_address"
+      value: "link-local"
+  - translation:
+      key: "txt.apps.admin.warning.app_build.application_secret"
+      title: "App builder job: warning for secrets found in app text files"
+      value: "Possible %{secret_type} found in %{file}. Consider reviewing the contents of this file before submitting your app."
+      screenshot: "https://drive.google.com/file/d/1LoN9-IlRbiz6uv1-CQ933mh-WY8XY5o2"
   - translation:
       key: "txt.apps.admin.error.app_build.invalid_version"
       title: "App builder job: invalid framework version"

data/lib/zendesk_apps_support.rb

@@ -21,6 +21,7 @@ module ZendeskAppsSupport
     autoload :ValidationError,       'zendesk_apps_support/validations/validation_error'
     autoload :Manifest,              'zendesk_apps_support/validations/manifest'
     autoload :Marketplace,           'zendesk_apps_support/validations/marketplace'
+    autoload :Secrets,               'zendesk_apps_support/validations/secrets'
     autoload :Source,                'zendesk_apps_support/validations/source'
     autoload :Templates,             'zendesk_apps_support/validations/templates'
     autoload :Translations,          'zendesk_apps_support/validations/translations'

data/lib/zendesk_apps_support/package.rb

@@ -31,6 +31,7 @@ module ZendeskAppsSupport
     def validate(marketplace: true, skip_marketplace_translations: false)
       errors = []
       errors << Validations::Manifest.call(self)
+
       if has_valid_manifest?(errors)
         errors << Validations::Marketplace.call(self) if marketplace
         errors << Validations::Source.call(self)
@@ -46,6 +47,9 @@ module ZendeskAppsSupport
       errors << Validations::Banner.call(self) if has_banner?
       errors << Validations::Svg.call(self) if has_svgs?
 
+      # warning only validators
+      Validations::Secrets.call(self)
+
       errors.flatten.compact
     end
 
@@ -84,8 +88,12 @@ module ZendeskAppsSupport
       files
     end
 
+    def text_files
+      @text_files ||= files.select { |f| f =~ %r{.*(html?|xml|js|json?)$} }
+    end
+
     def js_files
-      @js_files ||= files.select { |f| f.to_s == 'app.js' || (f.to_s.start_with?('lib/') && f.to_s.end_with?('.js')) }
+      @js_files ||= files.select { |f| f =~ %r{^(app|lib\/.*)\.js$} }
     end
 
     def lib_files

data/lib/zendesk_apps_support/validations/secrets.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module ZendeskAppsSupport
+  module Validations
+    module Secrets
+      SECRET_KEYWORDS = %w[
+        pass password secret secretToken secret_token auth_key
+        authKey auth_pass authPass auth_user AuthUser username api_key
+      ].freeze
+
+      APPLICATION_SECRETS = {
+        # rubocop:disable Metrics/LineLength
+        'Slack Token' => /(xox[p|b|o|a]-*.[a-z0-9])/,
+        'RSA Private Key' => /-----BEGIN RSA PRIVATE KEY-----/,
+        'SSH Private Key (OpenSSH)' => /-----BEGIN OPENSSH PRIVATE KEY-----/,
+        'SSH Private Key (DSA)' => /-----BEGIN DSA PRIVATE KEY-----/,
+        'SSH Private Key (EC)' => /-----BEGIN EC PRIVATE KEY-----/,
+        'PGP Private Key Block' => /-----BEGIN PGP PRIVATE KEY BLOCK-----/,
+        'Facebook OAuth Token' => /([f|F][a|A][c|C][e|E][b|B][o|O][o|O][k|K]( [|:\"=-]|[:\"=-|]).*.[0-9a-f]{24,36})/,
+        'Twitter OAuth Token' => /([t|T][w|W][i|I][t|T][t|T][e|E][r|R]( [:\"=-]|[:\"=-]).*.[0-9a-zA-Z]{30,45})/,
+        'Github Token' => /([g|G][i|I][t|T][h|H][u|U][b|B]( [:\"=-]|[:\"=-]).*.[0-9a-zA-Z]{30,45})/,
+        'Google OAuth Token' => /([c|C][l|L][i|I][e|E][n|N][t|T][\-_][s|S][e|E][c|C][r|R][e|E][t|T]( [:\"=-]|[:\"=-]).*[a-zA-Z0-9\-_]{16,32})/,
+        'AWS Access Key ID' => /(AKIA[0-9A-Z]{8,24})/,
+        'AWS Secret Access Key' => /([a|A][w|W][s|S][_-][s|S][e|E][c|C][r|R][e|E][t|T][_-][a|A][c|C][c|C][e|E][s|S][s|S][_-][k|K][e|E][y|Y].*.[0-9a-zA-Z]{24,48})/,
+        'Heroku API Key' => /([h|H][e|E][r|R][o|O][k|K][u|U].*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{6,18})/,
+        'Quickpay Secret' => /(quickpay_secret:.*.[0-9a-zA-Z]{24,72})/,
+        'Doorman Secret' => /([d|D][o|O][o|O][r|R][m|M][a|A][n|N][-_][s|S][e|E][c|C][r|R][e|E][t|T].*.[0-9a-f]{16,132})/,
+        'Shared Session Secret' => /(shared_session_secret.*.[0-9a-f]{4,132})/,
+        'Permanent Cookie Secret' => /(permanent_cookie_secret.*.[0-9a-f]{120,156})/,
+        'Scarlett AWS Secret Key' => /([sS][cC][aA][rR][lL][eE][tT][tT][_-][aA][wW][sS][_-][sS][eE][cC][rR][eE][tT][_-][kK][eE][yY].*.[0-9a-zA-Z+.]{35,45})/,
+        'Braintree Key' => /(braintree_key.*.[0-9a-zA-Z]{16,36})/,
+        'Ticket Validation Key' => /(ticket_validation_key.*.[0-9a-zA-Z]{15,25})/,
+        'App Key' => /([aA][pP][pP][-_][kK][eE][yY]( [:\"=-]|[:\"=-]).*.[0-9a-zA-Z+_.-]{4,156})/,
+        'App Secret' => /([aA][pP][pP][-_][sS][eE][cC][rR][eE][tT]( [:\"=-]|[:\"=-]).*.[0-9a-zA-Z+_.-]{4,156})/,
+        'Consumer Key' => /([cC][oO][nN][sS][uU][mM][eE][rR][-_][kK][eE][yY]( [:\"=-]|[:\"=-]).*.[0-9a-zA-Z+_.-]{4,156})/,
+        'Consumer Secret' => /([cC][oO][nN][sS][uU][mM][eE][rR][-_][sS][eE][cC][rR][eE][tT]( [:\"=-]|[:\"=-]).*.[0-9a-zA-Z+_.-]{4,156})/,
+        'Generic Secret' => /(?m)^([sS][eE][cC][rR][eE][tT]( [:\"=-]|[:\"=-]).*.[0-9a-zA-Z+_.-]{4,156})/,
+        'Master Key' => /([mM][aA][sS][tT][eE][rR][-_][kK][eE][yY]( [:\"=-]|[:\"=-]).*.[0-9a-zA-Z+_.-]{4,156})/,
+        'Master Secret' => /([mM][aA][sS][tT][eE][rR][-_][sS][eE][cC][rR][eE][tT]( [:\"=-]|[:\"=-]).*.[0-9a-zA-Z+_.-]{4,156})/,
+        'Token Key' => /([tT][oO][kK][eE][nN][-_][kK][eE][yY]( [:\"=-]|[:\"=-]).*.[0-9a-zA-Z+_.-]{4,156})/,
+        'Token Secret' => /([tT][oO][kK][eE][nN][-_][sS][eE][cC][rR][eE][tT]( [:\"=-]|[:\"=-]).*.[0-9a-zA-Z+_.-]{4,156})/,
+        'Zendesk Zopim Mobile SSO Key' => /(zendesk_zopim_mobile_sso_key.*.[0-9a-f]{58,68})/,
+        'Help Center Private Key' => /([pP][rR][iI][vV][aA][tT][eE][-_][kK][eE][yY]( [:\"=-]|[:\"=-]).*.[0-9a-zA-Z+_.-]{4,156})/,
+        'X-Outbound-Key' => /([xX][-][oO][uU][tT][bB][oO][uU][nN][dD][-][kK][eE][yY][:\" \t=-].*.[0-9a-z-]{32,36})/,
+        'Attachment Token Key' => /(attachment_token_key.*.[0-9a-f]{24,72})/,
+        'Password' => /([pP][aA][sS][sS][wW][oO][rR][dD].*.[0-9a-zA-Z+_.-]{4,156})/,
+        'Token' => /([tT][oO][kK][eE][nN]( [:\"=-]|[:\"=-]).*.[0-9a-zA-Z+_.-]{4,156})/
+        # rubocop:enable Metrics/LineLength
+      }.freeze
+
+      class << self
+        def call(package)
+          compromised_files = package.text_files.map do |file|
+            contents = file.read
+
+            APPLICATION_SECRETS.each do |secret_type, regex_str|
+              next unless contents =~ Regexp.new(regex_str)
+              package.warnings << I18n.t('txt.apps.admin.warning.app_build.application_secret',
+                                         file: file.relative_path,
+                                         secret_type: secret_type)
+            end
+
+            file.relative_path if contents =~ Regexp.union(SECRET_KEYWORDS)
+          end.compact
+
+          return unless compromised_files.any?
+          package.warnings << I18n.t('txt.apps.admin.warning.app_build.generic_secrets',
+                                     files: compromised_files.join(
+                                       I18n.t('txt.apps.admin.error.app_build.listing_comma')
+                                     ),
+                                     count: compromised_files.count)
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: zendesk_apps_support
 version: !ruby/object:Gem::Version
-  version: 4.15.1
+  version: 4.16.0
 platform: ruby
 authors:
 - James A. Rosen
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-05-03 00:00:00.000000000 Z
+date: 2019-06-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: i18n
@@ -262,6 +262,7 @@ files:
 - lib/zendesk_apps_support/validations/manifest.rb
 - lib/zendesk_apps_support/validations/marketplace.rb
 - lib/zendesk_apps_support/validations/requirements.rb
+- lib/zendesk_apps_support/validations/secrets.rb
 - lib/zendesk_apps_support/validations/source.rb
 - lib/zendesk_apps_support/validations/stylesheets.rb
 - lib/zendesk_apps_support/validations/svg.rb
@@ -288,7 +289,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 1.3.6
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.14
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: Support to help you develop Zendesk Apps.