PRP: Secret extractor for Packagist Secrets

[shipsteady]

Secret name: Packagist Composer Credentials (packagist_uut_), Packagist API Keys (packagist_ack_), and Packagist API Secrets (packagist_acs_)

• Risk in exposing the secret:
  Unauthorized access to Packagist credentials can allow attackers to authenticate to Private Packagist, download private PHP packages, modify dependency sources, or obtain sensitive code. Exposed API keys or secrets may also provide the ability to interact with authenticated Packagist API endpoints, potentially enabling metadata manipulation or unauthorized read/write operations.

• Validation method, if any:

  • Tokens can be verified by making a harmless authenticated request to Packagist—for example, querying the /packages.json endpoint.
  • When detecting credentials inside auth.json, validation can ensure the hostname matches repo.packagist.com and that the associated fields follow the expected structure, even if no live verification is performed.

• Resources:

  • https://packagist.com/docs#authentication
  • https://getcomposer.org/doc/articles/authentication-for-private-packages.md
  • https://packagist.com/docs/api/api-authentication#accessing-api-endpoints-without-generating-a-signature

1. Packagist API Key

packagist_ack_[0-9a-f]{40,120}

2. Packagist API Secret

packagist_acs_[0-9a-f]{40,200}

3. Packagist auth.json extractor

Composer stores credentials in $COMPOSER_HOME/auth.json, so an extractor can detect them directly from that structure. Example:

{
    "http-basic": {
        "repo.packagist.com": {
            "username": "<username>",
            "password": "packagist_uut_<>"
        }
    }
}

Would this be considered a separate PRP? Could you clarify how rewards apply in cases like this?

Thanks.

[github-actions]

Welcome to the OSV-SCALIBR patch reward program!
Your issue has been added to our triage queue and will reviewed
shortly. The panel usually takes a decision once per week, so it
can take up to a week before you hear back from us.
Please, do not start the work until the panel has reached a
decision. Although we always welcome contributions, unapproved
work is not eligible for a reward.
~The OSV-SCALIBR PRP team

[github-actions]

Congratulations, your request has been approved! 🎉
This means that you can start working on this contribution.
❗ Please take a moment to fill the participation form
If you are unsure where to start, we have compiled a set of
useful guides in our documentation:

• Writing a new vulnerability detector plugin
• Writing a new inventory extraction plugin
• Main directory for secret detectors - More detailed docs will be available soon!
• General style guide

~The OSV-SCALIBR PRP team

[shipsteady]

@erikvarga, could you please take a look at this behavior? The user is commenting on all open issues and submitting multiple pull requests, which appears to be spam.

[erikvarga]

Hi, I'd like to work on this issue. I will implement a detector for Packagist API Keys (packagist_ack_), Secret Keys (packagist_acs_), and User Update Tokens (packagist_uut_), including validation.

@Ashutosh0x ,
You're commenting and opening PRs for PRP requests that others are already working on. As per the rules of the program you'll have to submit your own suggestions that no one else has yet submitted and wait for the panel to approve before creating PRs. I'll remove your existing comments and close the PRs you opened. See the program rules for more details.

[Ashutosh0x]

Hi, I'd like to work on this issue. I will implement a detector for Packagist API Keys (packagist_ack_), Secret Keys (packagist_acs_), and User Update Tokens (packagist_uut_), including validation.

@Ashutosh0x , You're commenting and opening PRs for PRP requests that others are already working on. As per the rules of the program you'll have to submit your own suggestions that no one else has yet submitted and wait for the panel to approve before creating PRs. I'll remove your existing comments and close the PRs you opened. See the program rules for more details.

@erikvarga Please let me know if there’s an approved or unclaimed PRP I can be assigned to

[erikvarga]

@Ashutosh0x There are currently no unclaimed PRP requests. If you'd like to work on a patch, submit your own patch suggestion and the panel will meet once per week to decide on which requests qualify per our acceptance criteria.

[Ashutosh0x]

@Ashutosh0x There are currently no unclaimed PRP requests. If you'd like to work on a patch, submit your own patch suggestion and the panel will meet once per week to decide on which requests qualify per our acceptance criteria.

Thanks for the clarification, @erikvarga. I understand the OSV-SCALIBR Patch Rewards Program rules and the PRP process. I’ll submit a new PRP:Request issue with a detailed patch proposal that meets the acceptance criteria and wait for the panel’s review before opening any PRs.