diff --git a/pkg/detectors/deno/denodeploy.go b/pkg/detectors/deno/denodeploy.go new file mode 100644 index 000000000000..2137525538a4 --- /dev/null +++ b/pkg/detectors/deno/denodeploy.go @@ -0,0 +1,106 @@ +package denodeploy + +import ( + "context" + "encoding/json" + "fmt" + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" + "io" + "net/http" + "regexp" +) + +type Scanner struct { + client *http.Client +} + +// Ensure the Scanner satisfies the interface at compile time. +var _ detectors.Detector = (*Scanner)(nil) + +var ( + defaultClient = common.SaneHttpClient() + tokenPat = regexp.MustCompile(`\b(dd[pw]_[a-zA-Z0-9]{36})\b`) +) + +// Keywords are used for efficiently pre-filtering chunks. +// Use identifiers in the secret preferably, or the provider name. +func (s Scanner) Keywords() []string { + return []string{"ddp_", "ddw_"} +} + +type userResponse struct { + Login string `json:"login"` +} + +// FromData will find and optionally verify DenoDeploy secrets in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + tokenMatches := tokenPat.FindAllStringSubmatch(dataStr, -1) + + for _, tokenMatch := range tokenMatches { + token := tokenMatch[1] + + s1 := detectors.Result{ + DetectorType: s.Type(), + Raw: []byte(token), + } + + if verify { + client := s.client + if client == nil { + client = defaultClient + } + + req, err := http.NewRequestWithContext(ctx, "GET", "https://api.deno.com/user", nil) + req.Header.Set("Authorization", "Bearer "+token) + if err != nil { + continue + } + + res, err := client.Do(req) + if err == nil { + defer res.Body.Close() + if res.StatusCode == 200 { + s1.Verified = true + + body, err := io.ReadAll(res.Body) + if err != nil { + s1.VerificationError = err + } else { + var user userResponse + if err := json.Unmarshal(body, &user); err != nil { + fmt.Printf("Unmarshal error: %v\n", err) + s1.VerificationError = err + } else { + s1.ExtraData = map[string]string{ + "login": user.Login, + } + } + } + } else if res.StatusCode == 401 { + // The secret is determinately not verified (nothing to do) + } else { + s1.VerificationError = fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) + } + } else { + s1.VerificationError = err + } + } + + // This function will check false positives for common test words, but also it will make sure the key appears 'random' enough to be a real key. + if !s1.Verified && detectors.IsKnownFalsePositive(token, detectors.DefaultFalsePositives, true) { + continue + } + + results = append(results, s1) + } + + return results, nil +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_DenoDeploy +} diff --git a/pkg/detectors/deno/denodeploy_test.go b/pkg/detectors/deno/denodeploy_test.go new file mode 100644 index 000000000000..ba8197bb887c --- /dev/null +++ b/pkg/detectors/deno/denodeploy_test.go @@ -0,0 +1,255 @@ +//go:build detectors +// +build detectors + +package denodeploy + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +func TestDenoDeploy_Pattern(t *testing.T) { + tests := []struct { + name string + data string + shouldMatch bool + match string + }{ + // True positives + { + name: `valid_deployctl`, + data: ` "tasks": { + "d": "deployctl deploy --prod --import-map=import_map.json --project=o88 main.ts --token ddp_eg5DjUmbR5lHZ3LiN9MajMk2tA1GxL2NRdvc", + "start": "deno run -A --unstable --watch=static/,routes/ dev.ts" + },`, + shouldMatch: true, + match: `ddp_eg5DjUmbR5lHZ3LiN9MajMk2tA1GxL2NRdvc`, + }, + { + name: `valid_dotenv`, + data: `DENO_KV_ACCESS_TOKEN=ddp_hn029Cl2dIN4Jb0BF0L1V9opokoPVC30ddGk`, + shouldMatch: true, + match: `ddp_hn029Cl2dIN4Jb0BF0L1V9opokoPVC30ddGk`, + }, + { + name: `valid_dotfile`, + data: `# deno +export DENO_INSTALL="/home/khushal/.deno" +export PATH="$DENO_INSTALL/bin:$PATH" +export DENO_DEPLOY_TOKEN="ddp_QLbDfRlMKpXSf3oCz20Hp8wVVxThDwlwhFbV""`, + shouldMatch: true, + match: `ddp_QLbDfRlMKpXSf3oCz20Hp8wVVxThDwlwhFbV`, + }, + { + name: `valid_webtoken`, + data: ` // headers: { Authorization: 'Bearer ddw_ebahKKeZqiZVXOad7KJRHskLeP79Lf0OJXlj' }`, + shouldMatch: true, + match: `ddw_ebahKKeZqiZVXOad7KJRHskLeP79Lf0OJXlj`, + }, + + // False positives + { + name: `invalid_token1`, + data: ` "summoner2Id": 4, + "summonerId": "oljqJ1Ddp_LJm5s6ONPAJXIl97Bi6pcKMywYLG496a58rA", + "summonerLevel": 146,`, + shouldMatch: false, + }, + { + name: `invalid_token2`, + data: ` "image_thumbnail_url": "https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQFq6zzTXpXtRDdP_JbNkS58loAyCvhhZ1WWONaUkJoWbHsgwIJBw",`, + shouldMatch: false, + }, + { + name: `invalid_token3`, + data: `matplotlib/backends/_macosx.cpython-37m-darwin.so,sha256=DDw_KRE5yTUEY5iDBwBW7KvDcTkDmrIu0N18i8I3FvA,90140`, + shouldMatch: false, + }, + } + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + s := Scanner{} + + results, err := s.FromData(context.Background(), false, []byte(test.data)) + if err != nil { + t.Errorf("DenoDeploy.FromData() error = %v", err) + return + } + + if test.shouldMatch { + if len(results) == 0 { + t.Errorf("%s: did not receive a match for '%v' when one was expected", test.name, test.data) + return + } + expected := test.data + if test.match != "" { + expected = test.match + } + result := results[0] + resultData := string(result.Raw) + if resultData != expected { + t.Errorf("%s: did not receive expected match.\n\texpected: '%s'\n\t actual: '%s'", test.name, expected, resultData) + return + } + } else { + if len(results) > 0 { + t.Errorf("%s: received a match for '%v' when one wasn't wanted", test.name, test.data) + return + } + } + }) + } +} + +func TestDenoDeploy_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors5") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + secret := testSecrets.MustGetField("DENODEPLOY") + inactiveSecret := testSecrets.MustGetField("DENODEPLOY_INACTIVE") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + wantVerificationErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a denodeploy secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_DenoDeploy, + Verified: true, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a denodeploy secret %s within but not valid", inactiveSecret)), // the secret would satisfy the regex but not pass validation + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_DenoDeploy, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, would be verified if not for timeout", + s: Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a denodeploy secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_DenoDeploy, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + { + name: "found, verified but unexpected api surface", + s: Scanner{client: common.ConstantResponseHttpClient(404, "")}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a denodeploy secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_DenoDeploy, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("Denodeploy.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + if (got[i].VerificationError != nil) != tt.wantVerificationErr { + t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError) + } + } + ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "VerificationError", "ExtraData") + if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" { + t.Errorf("Denodeploy.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := Scanner{} + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + b.ResetTimer() + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} diff --git a/pkg/engine/defaults.go b/pkg/engine/defaults.go index a42f792b060d..751893264271 100644 --- a/pkg/engine/defaults.go +++ b/pkg/engine/defaults.go @@ -188,6 +188,7 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/deepgram" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/delighted" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/demio" + denodeploy "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/deno" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/deputy" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/detectify" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/detectlanguage" @@ -1562,6 +1563,7 @@ func DefaultDetectors() []detectors.Detector { betterstack.Scanner{}, coinbase_waas.Scanner{}, lemonsqueezy.Scanner{}, + denodeploy.Scanner{}, budibase.Scanner{}, } diff --git a/pkg/pb/detectorspb/detectors.pb.go b/pkg/pb/detectorspb/detectors.pb.go index 9f34c8601616..e22641efd1d0 100644 --- a/pkg/pb/detectorspb/detectors.pb.go +++ b/pkg/pb/detectorspb/detectors.pb.go @@ -1031,6 +1031,7 @@ const ( DetectorType_CoinbaseWaaS DetectorType = 951 DetectorType_LemonSqueezy DetectorType = 952 DetectorType_Budibase DetectorType = 953 + DetectorType_DenoDeploy DetectorType = 954 ) // Enum value maps for DetectorType. @@ -1986,6 +1987,7 @@ var ( 951: "CoinbaseWaaS", 952: "LemonSqueezy", 953: "Budibase", + 954: "DenoDeploy", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -2938,6 +2940,7 @@ var ( "CoinbaseWaaS": 951, "LemonSqueezy": 952, "Budibase": 953, + "DenoDeploy": 954, } ) @@ -3316,7 +3319,7 @@ var file_detectors_proto_rawDesc = []byte{ 0x44, 0x65, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x50, 0x4c, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x42, 0x41, 0x53, 0x45, 0x36, 0x34, 0x10, 0x02, 0x12, - 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x2a, 0xe0, 0x77, 0x0a, 0x0c, 0x44, + 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x2a, 0xf1, 0x77, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, @@ -4274,12 +4277,13 @@ var file_detectors_proto_rawDesc = []byte{ 0x61, 0x62, 0x61, 0x73, 0x65, 0x10, 0xb6, 0x07, 0x12, 0x11, 0x0a, 0x0c, 0x43, 0x6f, 0x69, 0x6e, 0x62, 0x61, 0x73, 0x65, 0x57, 0x61, 0x61, 0x53, 0x10, 0xb7, 0x07, 0x12, 0x11, 0x0a, 0x0c, 0x4c, 0x65, 0x6d, 0x6f, 0x6e, 0x53, 0x71, 0x75, 0x65, 0x65, 0x7a, 0x79, 0x10, 0xb8, 0x07, 0x12, 0x0d, - 0x0a, 0x08, 0x42, 0x75, 0x64, 0x69, 0x62, 0x61, 0x73, 0x65, 0x10, 0xb9, 0x07, 0x42, 0x3d, 0x5a, - 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, - 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, - 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, - 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x0a, 0x08, 0x42, 0x75, 0x64, 0x69, 0x62, 0x61, 0x73, 0x65, 0x10, 0xb9, 0x07, 0x12, 0x0f, 0x0a, + 0x0a, 0x44, 0x65, 0x6e, 0x6f, 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x10, 0xba, 0x07, 0x42, 0x3d, + 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, + 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, + 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, + 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/proto/detectors.proto b/proto/detectors.proto index f9830a2be006..293abb89e884 100644 --- a/proto/detectors.proto +++ b/proto/detectors.proto @@ -962,6 +962,7 @@ enum DetectorType { CoinbaseWaaS = 951; LemonSqueezy = 952; Budibase = 953; + DenoDeploy = 954; } message Result {