[INS-246] Add Google Gemini API key detector #4649
Conversation
proto/detectors.proto
Outdated
| PhraseAccessToken = 1037; | ||
| Photoroom = 1038; | ||
| JWT = 1039; | ||
| GoogleGemini = 1040; |
There was a problem hiding this comment.
GoogleGemini is already quite specific, but are there different types of credentials available for Gemini (for example, API keys vs tokens)? If so, we might consider using a more explicit detector type like GoogleGeminiApiKey or GoogleGeminiToken instead of the generic GoogleGemini. Just a suggestion, not a blocker at all.
There was a problem hiding this comment.
Thanks for this. Yes, Google Gemini does have other ways of authenticating. I'll make the change.
| _, _ = io.Copy(io.Discard, res.Body) | ||
| }() | ||
|
|
||
| switch res.StatusCode { |
There was a problem hiding this comment.
It's common to receive a 403 response in a few situations:
- the key is not scoped to Gemini, but still valid for other google services
- the key is "restricted" either via IP address, referer, etc.
Might make sense add a case for 403s just so it's not throwing an error, when those cases are normal.
There was a problem hiding this comment.
Thanks for this!
You are very much right. I just confirmed this by generating a Google Cloud API Key. I also realized it's not just about adding this case. Getting a 403 means that the key is live, it just does not have the Generative Language API scope enabled.
Now I'm wondering if it makes sense to create a GoogleGeminiAPIKey detector, or simply a GoogleAPIKey detector. What do you think?
There was a problem hiding this comment.
I recommend keeping the original intent here and authoring a detector for only Gemini. If any other Google API services surface that are similarly risky, we can adapt then.
There was a problem hiding this comment.
I agree with the approach of authoring a detector only for Gemini. My only concern here is that for 403 we'll mark the credential as inactive/rotated, but that's misleading, because the credential will be live, just not scoped to Gemini.
There was a problem hiding this comment.
I would endorse that we mark an API key "LIVE" if we're certain that a 403 Forbidden response implies the key is valid and capable of accessing Google services beyond just Gemini.
There was a problem hiding this comment.
Agreed.
I've gone ahead and made the changes to make this a GoogleCloudAPIKey detector. @joeleonjr let me know if you have concerns and we can discuss.
There was a problem hiding this comment.
After internal discussion, it has been decided to make this a GoogleGeminiAPIKey detector as originally intended. For other Google Cloud API keys that have gemini disabled, we will mark them as disabled but set "active-google-key": "true" in the ExtraData field.
mustansir14
changed the title
pkg/detectors/googlecloudapikey/googlecloudapikey_integration_test.go
Outdated
Show resolved
Hide resolved
mustansir14
changed the title
5 participants
Description:
This PR closes #4623 by introducing the Google Gemini API Key detector
All Google Gemini API Keys follow a strict pattern: A prefix
AIzaSyfollowed by33characters.Regex for the detector:
\b(AIzaSy[A-Za-z0-9_-]{33})\bI have verified this by generating 5-10 keys.
For verification, we're using Gemini's
GET /v1/modelsendpoint. This is a safe endpoint that only lists the available models, which means no costs will be incurred. For non-gemini keys, this endpoint will return403, which indicates that the key is active, just not scoped to Gemini. In this case, we will mark the key as unverified, but set"active_google_key": "true"in theExtraData, so that the user can distinguish.Added unit and integration tests as well.
Checklist:
make test-community)?make lintthis requires golangci-lint)?