From 77e3fbadda172254b9bf22cd1889f945517030f4 Mon Sep 17 00:00:00 2001 From: Mildred Tosoc Date: Wed, 28 Sep 2022 22:11:18 +0800 Subject: [PATCH 1/6] Added digitaloceanv2 detector --- .../digitaloceanv2/digitaloceanv2.go | 74 +++++++++++ .../digitaloceanv2/digitaloceanv2_test.go | 119 ++++++++++++++++++ 2 files changed, 193 insertions(+) create mode 100644 pkg/detectors/digitaloceanv2/digitaloceanv2.go create mode 100644 pkg/detectors/digitaloceanv2/digitaloceanv2_test.go diff --git a/pkg/detectors/digitaloceanv2/digitaloceanv2.go b/pkg/detectors/digitaloceanv2/digitaloceanv2.go new file mode 100644 index 000000000000..014d990031b0 --- /dev/null +++ b/pkg/detectors/digitaloceanv2/digitaloceanv2.go @@ -0,0 +1,74 @@ +package digitaloceanv2 + +import ( + "context" + "fmt" + "net/http" + "regexp" + "strings" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct{} + +// Ensure the Scanner satisfies the interface at compile time. +var _ detectors.Detector = (*Scanner)(nil) + +var ( + client = common.SaneHttpClient() + + // Make sure that your group is surrounded in boundary characters such as below to reduce false positives. + keyPat = regexp.MustCompile(`\b(dop\_v1\_[a-f0-9]{64})\b`) +) + +// Keywords are used for efficiently pre-filtering chunks. +// Use identifiers in the secret preferably, or the provider name. +func (s Scanner) Keywords() []string { + return []string{"dop_v1_"} +} + +// FromData will find and optionally verify DigitalOceanV2 secrets in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + matches := keyPat.FindAllStringSubmatch(dataStr, -1) + + for _, match := range matches { + if len(match) != 2 { + continue + } + resMatch := strings.TrimSpace(match[1]) + + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_DigitalOceanV2, + Raw: []byte(resMatch), + } + + if verify { + req, err := http.NewRequestWithContext(ctx, "GET", "https://api.digitalocean.com/v2/account", nil) + if err != nil { + continue + } + req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", resMatch)) + res, err := client.Do(req) + if err == nil { + defer res.Body.Close() + if res.StatusCode >= 200 && res.StatusCode < 300 { + s1.Verified = true + } else { + // This function will check false positives for common test words, but also it will make sure the key appears 'random' enough to be a real key. + if detectors.IsKnownFalsePositive(resMatch, detectors.DefaultFalsePositives, true) { + continue + } + } + } + } + + results = append(results, s1) + } + + return detectors.CleanResults(results), nil +} diff --git a/pkg/detectors/digitaloceanv2/digitaloceanv2_test.go b/pkg/detectors/digitaloceanv2/digitaloceanv2_test.go new file mode 100644 index 000000000000..6c5556dcfcd0 --- /dev/null +++ b/pkg/detectors/digitaloceanv2/digitaloceanv2_test.go @@ -0,0 +1,119 @@ +//go:build detectors +// +build detectors + +package digitaloceanv2 + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/kylelemons/godebug/pretty" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +func TestDigitalOceanV2_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors4") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + secret := testSecrets.MustGetField("DIGITALOCEANV2") + inactiveSecret := testSecrets.MustGetField("DIGITALOCEANV2_INACTIVE") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a digitaloceanv2 secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_DigitalOceanV2, + Verified: true, + }, + }, + wantErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a digitaloceanv2 secret %s within but not valid", inactiveSecret)), // the secret would satisfy the regex but not pass validation + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_DigitalOceanV2, + Verified: false, + }, + }, + wantErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := Scanner{} + got, err := s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("DigitalOceanV2.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + got[i].Raw = nil + } + if diff := pretty.Compare(got, tt.want); diff != "" { + t.Errorf("DigitalOceanV2.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := Scanner{} + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} From 49acb7370492d1907d1bf79d206c0ba522cc948b Mon Sep 17 00:00:00 2001 From: Dustin Decker Date: Wed, 28 Sep 2022 09:55:54 -0700 Subject: [PATCH 2/6] import detector --- pkg/engine/defaults.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/engine/defaults.go b/pkg/engine/defaults.go index 713d2fe331c9..1e37886ffd8d 100644 --- a/pkg/engine/defaults.go +++ b/pkg/engine/defaults.go @@ -1477,5 +1477,6 @@ func DefaultDetectors() []detectors.Detector { mongodb.Scanner{}, ngc.Scanner{}, gemini.Scanner{}, + digitaloceanv2.Scanner{}, } } From 13e55d259d587df5f9a26e2d2f19c20176c73ce9 Mon Sep 17 00:00:00 2001 From: Mildred Tosoc Date: Sat, 1 Oct 2022 07:19:10 +0800 Subject: [PATCH 3/6] add prefixes and keywords for doo_v1_ and dor_v1_ types --- pkg/detectors/digitaloceanv2/digitaloceanv2.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/detectors/digitaloceanv2/digitaloceanv2.go b/pkg/detectors/digitaloceanv2/digitaloceanv2.go index 014d990031b0..2b4968321898 100644 --- a/pkg/detectors/digitaloceanv2/digitaloceanv2.go +++ b/pkg/detectors/digitaloceanv2/digitaloceanv2.go @@ -21,13 +21,13 @@ var ( client = common.SaneHttpClient() // Make sure that your group is surrounded in boundary characters such as below to reduce false positives. - keyPat = regexp.MustCompile(`\b(dop\_v1\_[a-f0-9]{64})\b`) + keyPat = regexp.MustCompile(`\b(dop\_v1\_[a-f0-9]{64} | doo\_v1\_[a-f0-9]{64} | dor\_v1\_[a-f0-9]{64})\b`) ) // Keywords are used for efficiently pre-filtering chunks. // Use identifiers in the secret preferably, or the provider name. func (s Scanner) Keywords() []string { - return []string{"dop_v1_"} + return []string{"dop_v1_", "doo_v1_", "dor_v1_"} } // FromData will find and optionally verify DigitalOceanV2 secrets in a given set of bytes. From 26353d583c1f34a62b9320cc39a842922e5e60d8 Mon Sep 17 00:00:00 2001 From: Mildred Tosoc Date: Sun, 2 Oct 2022 22:40:26 +0800 Subject: [PATCH 4/6] 1. Modified the regex based on suggestion 2. Support different verifying logic based on the token prefix --- .../digitaloceanv2/digitaloceanv2.go | 40 +++++++++++++++---- 1 file changed, 33 insertions(+), 7 deletions(-) diff --git a/pkg/detectors/digitaloceanv2/digitaloceanv2.go b/pkg/detectors/digitaloceanv2/digitaloceanv2.go index 2b4968321898..c0fa6e4ac998 100644 --- a/pkg/detectors/digitaloceanv2/digitaloceanv2.go +++ b/pkg/detectors/digitaloceanv2/digitaloceanv2.go @@ -3,6 +3,7 @@ package digitaloceanv2 import ( "context" "fmt" + "io" "net/http" "regexp" "strings" @@ -21,7 +22,7 @@ var ( client = common.SaneHttpClient() // Make sure that your group is surrounded in boundary characters such as below to reduce false positives. - keyPat = regexp.MustCompile(`\b(dop\_v1\_[a-f0-9]{64} | doo\_v1\_[a-f0-9]{64} | dor\_v1\_[a-f0-9]{64})\b`) + keyPat = regexp.MustCompile(`\b((?:dop|doo|dor)_v1_[a-f0-9]{64})\b`) ) // Keywords are used for efficiently pre-filtering chunks. @@ -41,6 +42,7 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result continue } resMatch := strings.TrimSpace(match[1]) + println("resmatch: " + resMatch) s1 := detectors.Result{ DetectorType: detectorspb.DetectorType_DigitalOceanV2, @@ -54,15 +56,39 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result } req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", resMatch)) res, err := client.Do(req) + if err == nil { - defer res.Body.Close() - if res.StatusCode >= 200 && res.StatusCode < 300 { - s1.Verified = true - } else { - // This function will check false positives for common test words, but also it will make sure the key appears 'random' enough to be a real key. - if detectors.IsKnownFalsePositive(resMatch, detectors.DefaultFalsePositives, true) { + switch { + case strings.HasPrefix(resMatch, "dor_v1_"): + bodyBytes, err := io.ReadAll(res.Body) + + if err != nil { continue } + + bodyString := string(bodyBytes) + validResponse := strings.Contains(bodyString, `"access_token"`) + defer res.Body.Close() + + if res.StatusCode >= 200 && res.StatusCode < 300 && validResponse { + s1.Verified = true + } else { + // This function will check false positives for common test words, but also it will make sure the key appears 'random' enough to be a real key + if detectors.IsKnownFalsePositive(resMatch, detectors.DefaultFalsePositives, true) { + continue + } + } + case strings.HasPrefix(resMatch, "doo_v1_"), strings.HasPrefix(resMatch, "dop_v1_"): + defer res.Body.Close() + + if res.StatusCode >= 200 && res.StatusCode < 300 { + s1.Verified = true + } else { + // This function will check false positives for common test words, but also it will make sure the key appears 'random' enough to be a real key. + if detectors.IsKnownFalsePositive(resMatch, detectors.DefaultFalsePositives, true) { + continue + } + } } } } From fe137b44e9d0a5664c5223cc201dd98b9d148618 Mon Sep 17 00:00:00 2001 From: Mildred Tosoc Date: Mon, 3 Oct 2022 23:58:44 +0800 Subject: [PATCH 5/6] Modified the verification logic --- .../digitaloceanv2/digitaloceanv2.go | 29 ++++++++++++------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/pkg/detectors/digitaloceanv2/digitaloceanv2.go b/pkg/detectors/digitaloceanv2/digitaloceanv2.go index c0fa6e4ac998..ddf2bc128069 100644 --- a/pkg/detectors/digitaloceanv2/digitaloceanv2.go +++ b/pkg/detectors/digitaloceanv2/digitaloceanv2.go @@ -50,16 +50,15 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result } if verify { - req, err := http.NewRequestWithContext(ctx, "GET", "https://api.digitalocean.com/v2/account", nil) - if err != nil { - continue - } - req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", resMatch)) - res, err := client.Do(req) + switch { + case strings.HasPrefix(resMatch, "dor_v1_"): + req, err := http.NewRequestWithContext(ctx, "GET", "https://cloud.digitalocean.com/v1/oauth/token?grant_type=refresh_token&refresh_token="+resMatch, nil) + if err != nil { + continue + } - if err == nil { - switch { - case strings.HasPrefix(resMatch, "dor_v1_"): + res, err := client.Do(req) + if err == nil { bodyBytes, err := io.ReadAll(res.Body) if err != nil { @@ -78,9 +77,17 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result continue } } - case strings.HasPrefix(resMatch, "doo_v1_"), strings.HasPrefix(resMatch, "dop_v1_"): - defer res.Body.Close() + } + case strings.HasPrefix(resMatch, "doo_v1_"), strings.HasPrefix(resMatch, "dop_v1_"): + req, err := http.NewRequestWithContext(ctx, "GET", "https://api.digitalocean.com/v2/account", nil) + if err != nil { + continue + } + req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", resMatch)) + res, err := client.Do(req) + if err == nil { + defer res.Body.Close() if res.StatusCode >= 200 && res.StatusCode < 300 { s1.Verified = true } else { From 53eb8a087d3ca6f969b78741b9749b9c2ba90e29 Mon Sep 17 00:00:00 2001 From: Mildred Tosoc Date: Tue, 4 Oct 2022 08:10:38 +0800 Subject: [PATCH 6/6] Removed println --- pkg/detectors/digitaloceanv2/digitaloceanv2.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/detectors/digitaloceanv2/digitaloceanv2.go b/pkg/detectors/digitaloceanv2/digitaloceanv2.go index ddf2bc128069..daba6ad9ed41 100644 --- a/pkg/detectors/digitaloceanv2/digitaloceanv2.go +++ b/pkg/detectors/digitaloceanv2/digitaloceanv2.go @@ -42,7 +42,6 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result continue } resMatch := strings.TrimSpace(match[1]) - println("resmatch: " + resMatch) s1 := detectors.Result{ DetectorType: detectorspb.DetectorType_DigitalOceanV2,