Method: hashes.search

Search for full hashes matching the specified prefixes.

This is a custom method as defined by https://google.aip.dev/136 (the custom method refers to this method having a custom name within Google's general API development nomenclature; it does not refer to using a custom HTTP method).

HTTP request

GET https://safebrowsing.googleapis.com/v5alpha1/hashes:search

The URL uses gRPC Transcoding syntax.

Query parameters

Parameters
hashPrefixes[]

string (bytes format)

Required. The hash prefixes to be looked up. Clients MUST NOT send more than 1000 hash prefixes. However, following the URL processing procedure, clients SHOULD NOT need to send more than 30 hash prefixes.

Currently each hash prefix is required to be exactly 4 bytes long. This MAY be relaxed in the future.

A base64-encoded string.

filter

string

Optional. If the client is interested in filtering, such as only retrieving specific kinds of threats, this can be specified. If omitted, all matching threats are returned. It is highly recommended to omit this to get the most complete protection Safe Browsing can offer.

The filter is specified using Google Common Expression Language, which can be found at https://github.com/google/cel-spec along with general examples. Here are some specific examples that can be used here:

The filter "threatType == ThreatType.SOCIAL_ENGINEERING" requires that the threat type within FullHashDetail be SOCIAL_ENGINEERING. The identifier "threatType" refers to the current threat type. The identifier "ThreatType" refers to the collection of all possible threat types.

The filter "threatType in [ ThreatType.UNWANTED_SOFTWARE, ThreatType.MALWARE ]" requires that the threat type must be either UNWANTED_SOFTWARE or MALWARE.

Request body

The request body must be empty.

Response body

The response returned after searching threat hashes.

If nothing is found, the server will return an OK status (HTTP status code 200) with the fullHashes field empty, rather than returning a NOT_FOUND status (HTTP status code 404).

What's new in V5: There is a separation between FullHash and FullHashDetail. In the case when a hash represents a site having multiple threats (e.g. both MALWARE and SOCIAL_ENGINEERING), the full hash does not need to be sent twice as in V4. Furthermore, the cache duration has been simplified into a single cacheDuration field.

If successful, the response body contains data with the following structure:

JSON representation
{
  "fullHashes": [
    {
      object (FullHash)
    }
  ],
  "cacheDuration": string
}
Fields
fullHashes[]

object (FullHash)

Unordered list. The unordered list of full hashes found.

cacheDuration

string (Duration format)

The client-side cache duration. The client MUST add this duration to the current time to determine the expiration time. The expiration time then applies to every hash prefix queried by the client in the request, regardless of how many full hashes are returned in the response. Even if the server returns no full hashes for a particular hash prefix, this fact MUST also be cached by the client.

If and only if the field fullHashes is empty, the client MAY increase the cacheDuration to determine a new expiration that is later than that specified by the server. In any case, the increased cache duration must not be longer than 24 hours.

Important: the client MUST NOT assume that the server will return the same cache duration for all responses. The server MAY choose different cache durations for different responses depending on the situation.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".
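The caching rules above, sketched as client-side code. This is an added example, not part of the API reference or of any Google client library; the function names, the extend_empty_to setting and the sample response are constructed for illustration.

```python
import base64
import re

MAX_EXTENDED_SECONDS = 24 * 60 * 60  # ceiling for a client-extended duration
_DURATION = re.compile(r"\d+(\.\d{1,9})?s")

def parse_duration(text):
    """Parse a Duration string such as "3.5s" into seconds."""
    if not _DURATION.fullmatch(text):
        raise ValueError(f"not a Duration string: {text!r}")
    return float(text[:-1])

def cache_entries(queried_prefixes, response, now, extend_empty_to=None):
    """Map every queried prefix to (expires_at, matching full hashes).

    queried_prefixes: raw 4-byte prefixes sent in the request.
    response: decoded JSON body of hashes.search.
    extend_empty_to: optional longer lifetime in seconds (hypothetical client
    setting), honoured only when fullHashes is empty and capped at 24 hours.
    """
    duration = parse_duration(response["cacheDuration"])
    full_hashes = [base64.b64decode(h["fullHash"])
                   for h in response.get("fullHashes", [])]
    if not full_hashes and extend_empty_to is not None:
        duration = max(duration, min(extend_empty_to, MAX_EXTENDED_SECONDS))
    expires_at = now + duration  # taken from this response, never a constant
    entries = {}
    for prefix in queried_prefixes:
        # An empty list is a cached negative result; it must be stored too.
        matches = [h for h in full_hashes if h.startswith(prefix)]
        entries[prefix] = (expires_at, matches)
    return entries

# Constructed sample: one full hash behind prefix 01020304, none behind aabbccdd.
SAMPLE_HASH = bytes([1, 2, 3, 4]) + bytes(28)
SAMPLE_RESPONSE = {
    "fullHashes": [{"fullHash": base64.b64encode(SAMPLE_HASH).decode(),
                    "fullHashDetails": [{"threatType": "MALWARE"}]}],
    "cacheDuration": "300s",
}
SAMPLE_ENTRIES = cache_entries([b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd"],
                               SAMPLE_RESPONSE, now=1000.0)
```
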

FullHash

The full hash identified with one or more matches.

JSON representation
{
  "fullHash": string,
  "fullHashDetails": [
    {
      object (FullHashDetail)
    }
  ]
}
Fields
fullHash

string (bytes format)

The matching full hash. This is the SHA256 hash. The length will be exactly 32 bytes.

A base64-encoded string.

fullHashDetails[]

object (FullHashDetail)

Unordered list. A repeated field identifying the details relevant to this full hash.

FullHashDetail

Details about a matching full hash.

An important note about forward compatibility: new threat types and threat attributes may be added by the server at any time; those additions are considered minor version changes. It is Google's policy not to expose minor version numbers in APIs (see https://cloud.google.com/apis/design/versioning for the versioning policy), so clients MUST be prepared to receive FullHashDetail messages containing ThreatType enum values or ThreatAttribute enum values that are considered invalid by the client. Therefore, it is the client's responsibility to check for the validity of all ThreatType and ThreatAttribute enum values; if any value is considered invalid, the client MUST disregard the entire FullHashDetail message.

JSON representation
{
  "threatType": enum (ThreatType),
  "attributes": [
    enum (ThreatAttribute)
  ]
}
Fields
threatType

enum (ThreatType)

The type of threat. This field will never be empty.

attributes[]

enum (ThreatAttribute)

Unordered list. Additional attributes about those full hashes. This may be empty.

ThreatAttribute

Attributes of threats. These attributes may confer additional meaning to a particular threat but will not affect the threat type. For example, an attribute may specify a lower confidence while a different attribute may specify higher confidence. More attributes may be added in the future.

Enums
THREAT_ATTRIBUTE_UNSPECIFIED Unknown attribute. If this is returned by the server, the client shall disregard the enclosing FullHashDetail altogether.
CANARY Indicates that the threatType should not be used for enforcement.
FRAME_ONLY Indicates that the threatType should only be used for enforcement on frames.
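How a client can apply the forward-compatibility rule for FullHashDetail together with the CANARY and FRAME_ONLY attributes. This is an added example, not code from the API reference; the known-value sets (limited to the threat types named on this page), the is_frame parameter and the sample object with its FUTURE_* values are assumptions made for illustration.

```python
# Assumption: this client recognizes only the threat types named on this page.
KNOWN_THREAT_TYPES = {"MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"}
# THREAT_ATTRIBUTE_UNSPECIFIED is deliberately absent, so it is rejected below.
KNOWN_ATTRIBUTES = {"CANARY", "FRAME_ONLY"}

def usable_details(full_hash):
    """Return (threatType, attributes) pairs the client is allowed to use.

    A FullHashDetail with any unrecognized ThreatType or ThreatAttribute
    value is disregarded as a whole, not partially trusted.
    """
    kept = []
    for detail in full_hash.get("fullHashDetails", []):
        attrs = detail.get("attributes", [])  # may be empty or omitted
        if detail.get("threatType") not in KNOWN_THREAT_TYPES:
            continue
        if any(a not in KNOWN_ATTRIBUTES for a in attrs):
            continue
        kept.append((detail["threatType"], frozenset(attrs)))
    return kept

def threats_to_enforce(full_hash, is_frame):
    """Threat types to act on; is_frame says whether the checked load is a frame."""
    enforce = set()
    for threat_type, attrs in usable_details(full_hash):
        if "CANARY" in attrs:
            continue  # not to be used for enforcement
        if "FRAME_ONLY" in attrs and not is_frame:
            continue  # enforcement applies on frames only
        enforce.add(threat_type)
    return enforce

# Constructed sample FullHash object (fullHash value omitted for brevity).
SAMPLE_FULL_HASH = {"fullHashDetails": [
    {"threatType": "MALWARE", "attributes": ["CANARY"]},
    {"threatType": "SOCIAL_ENGINEERING"},
    {"threatType": "UNWANTED_SOFTWARE", "attributes": ["FRAME_ONLY"]},
    {"threatType": "FUTURE_THREAT_TYPE"},
    {"threatType": "SOCIAL_ENGINEERING", "attributes": ["FUTURE_ATTRIBUTE"]},
]}
```
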