[INS-246] Add Google Cloud API key detector #4649
Conversation
proto/detectors.proto
Outdated
| PhraseAccessToken = 1037; | ||
| Photoroom = 1038; | ||
| JWT = 1039; | ||
| GoogleGemini = 1040; |
There was a problem hiding this comment.
GoogleGemini is already quite specific, but are there different types of credentials available for Gemini (for example, API keys vs tokens)? If so, we might consider using a more explicit detector type like GoogleGeminiApiKey or GoogleGeminiToken instead of the generic GoogleGemini. Just a suggestion, not a blocker at all.
There was a problem hiding this comment.
Thanks for this. Yes, Google Gemini does have other ways of authenticating. I'll make the change.
| _, _ = io.Copy(io.Discard, res.Body) | ||
| }() | ||
|
|
||
| switch res.StatusCode { |
There was a problem hiding this comment.
It's common to receive a 403 response in a few situations:
- the key is not scoped to Gemini, but still valid for other google services
- the key is "restricted" either via IP address, referer, etc.
Might make sense add a case for 403s just so it's not throwing an error, when those cases are normal.
There was a problem hiding this comment.
Thanks for this!
You are very much right. I just confirmed this by generating a Google Cloud API Key. I also realized it's not just about adding this case. Getting a 403 means that the key is live, it just does not have the Generative Language API scope enabled.
Now I'm wondering if it makes sense to create a GoogleGeminiAPIKey detector, or simply a GoogleAPIKey detector. What do you think?
There was a problem hiding this comment.
I recommend keeping the original intent here and authoring a detector for only Gemini. If any other Google API services surface that are similarly risky, we can adapt then.
There was a problem hiding this comment.
I agree with the approach of authoring a detector only for Gemini. My only concern here is that for 403 we'll mark the credential as inactive/rotated, but that's misleading, because the credential will be live, just not scoped to Gemini.
There was a problem hiding this comment.
I would endorse that we mark an API key "LIVE" if we're certain that a 403 Forbidden response implies the key is valid and capable of accessing Google services beyond just Gemini.
There was a problem hiding this comment.
Agreed.
I've gone ahead and made the changes to make this a GoogleCloudAPIKey detector. @joeleonjr let me know if you have concerns and we can discuss.
mustansir14
changed the title
pkg/detectors/googlecloudapikey/googlecloudapikey_integration_test.go
Outdated
Show resolved
Hide resolved
5 participants
Description:
This PR closes #4623 by introducing the Google Cloud API Key detector.
While the issue specifically mentions Gemini, we found that Gemini Keys are basically Google Cloud API Keys with the Generative AI permission enabled. This means that we need a general detector for all Google Cloud API Keys, as the regex of the key is same.
All Google Cloud API Keys follow a strict pattern: A prefix
AIzafollowed by35characters.Regex for the detector:
\b(AIza[A-Za-z0-9_-]{35})\bI have verified this by generating 5-10 keys, and this is also confirmed here.
For verification, we're using Gemini's
GET /v1/modelsendpoint. This is a safe endpoint that only lists the available models, which means no costs will be incurred. For non-gemini keys, this endpoint will return403, which indicates that the key is active, just not scoped to Gemini.Added unit and integration tests as well.
Checklist:
make test-community)?make lintthis requires golangci-lint)?