diff --git a/pkg/detectors/azurebatch/azurebatch.go b/pkg/detectors/azurebatch/azurebatch.go
index 5297ae69397b..927052ae8abb 100644
--- a/pkg/detectors/azurebatch/azurebatch.go
+++ b/pkg/detectors/azurebatch/azurebatch.go
@@ -6,11 +6,12 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
-	regexp "github.com/wasilibs/go-re2"
 	"net/http"
 	"strings"
 	"time"
 
+	regexp "github.com/wasilibs/go-re2"
+
 	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
@@ -54,8 +55,8 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 		s1 := detectors.Result{
 			DetectorType: detectorspb.DetectorType_AzureBatch,
 			Raw:          []byte(endpoint),
-			Redacted:     endpoint,
 			RawV2:        []byte(endpoint + accountKey),
+			Redacted:     endpoint,
 		}
 
 		if verify {
diff --git a/pkg/detectors/azurecontainerregistry/azurecontainerregistry.go b/pkg/detectors/azurecontainerregistry/azurecontainerregistry.go
index ae831c7f1f24..78ee6f66e44c 100644
--- a/pkg/detectors/azurecontainerregistry/azurecontainerregistry.go
+++ b/pkg/detectors/azurecontainerregistry/azurecontainerregistry.go
@@ -4,9 +4,10 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
-	regexp "github.com/wasilibs/go-re2"
 	"net/http"
 
+	regexp "github.com/wasilibs/go-re2"
+
 	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
@@ -49,8 +50,8 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 		s1 := detectors.Result{
 			DetectorType: detectorspb.DetectorType_AzureContainerRegistry,
 			Raw:          []byte(endpoint),
-			Redacted:     endpoint,
 			RawV2:        []byte(endpoint + password),
+			Redacted:     endpoint,
 		}
 
 		if verify {
diff --git a/pkg/detectors/azuredevopspersonalaccesstoken/azuredevopspersonalaccesstoken.go b/pkg/detectors/azuredevopspersonalaccesstoken/azuredevopspersonalaccesstoken.go
index 05d33403c052..c1a50ae76922 100644
--- a/pkg/detectors/azuredevopspersonalaccesstoken/azuredevopspersonalaccesstoken.go
+++ b/pkg/detectors/azuredevopspersonalaccesstoken/azuredevopspersonalaccesstoken.go
@@ -52,7 +52,8 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 
 			s1 := detectors.Result{
 				DetectorType: detectorspb.DetectorType_AzureDevopsPersonalAccessToken,
-				Raw:          []byte(resMatch + resOrgMatch),
+				Raw:          []byte(resMatch),
+				RawV2:        []byte(resMatch + resOrgMatch),
 			}
 
 			if verify {
diff --git a/pkg/detectors/azurefunctionkey/azurefunctionkey.go b/pkg/detectors/azurefunctionkey/azurefunctionkey.go
index 4a43965fd02f..1f6f235192a0 100644
--- a/pkg/detectors/azurefunctionkey/azurefunctionkey.go
+++ b/pkg/detectors/azurefunctionkey/azurefunctionkey.go
@@ -44,7 +44,8 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 			resUrl := strings.TrimSpace(urlMatch[0])
 			s1 := detectors.Result{
 				DetectorType: detectorspb.DetectorType_AzureFunctionKey,
-				Raw:          []byte(resMatch + resUrl),
+				Raw:          []byte(resMatch),
+				RawV2:        []byte(resMatch + resUrl),
 			}
 
 			if verify {
diff --git a/pkg/detectors/azuresearchadminkey/azuresearchadminkey.go b/pkg/detectors/azuresearchadminkey/azuresearchadminkey.go
new file mode 100644
index 000000000000..d821ab8449c8
--- /dev/null
+++ b/pkg/detectors/azuresearchadminkey/azuresearchadminkey.go
@@ -0,0 +1,117 @@
+package azuresearchadminkey
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+
+	regexp "github.com/wasilibs/go-re2"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
+)
+
+// Scanner detects Azure Search admin keys; a nil client falls back to defaultClient.
+type Scanner struct {
+	client *http.Client
+}
+
+// Ensure the Scanner satisfies the interface at compile time.
+var _ detectors.Detector = (*Scanner)(nil)
+
+var (
+	defaultClient = common.SaneHttpClient()
+	// Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
+	keyPat     = regexp.MustCompile(detectors.PrefixRegex([]string{"azure"}) + `\b([0-9a-zA-Z]{52})\b`)
+	servicePat = regexp.MustCompile(detectors.PrefixRegex([]string{"azure"}) + `\b([0-9a-zA-Z]{7,40})\b`)
+)
+
+// Keywords are used for efficiently pre-filtering chunks.
+// Use identifiers in the secret preferably, or the provider name.
+func (s Scanner) Keywords() []string {
+	return []string{"azure"}
+}
+
+// FromData will find and optionally verify AzureSearchAdminKey secrets in a given set of bytes.
+// Every key candidate is paired with every service-name candidate found in the same data.
+func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
+	dataStr := string(data)
+
+	matches := keyPat.FindAllStringSubmatch(dataStr, -1)
+	serviceMatches := servicePat.FindAllStringSubmatch(dataStr, -1)
+
+	for _, match := range matches {
+		if len(match) != 2 {
+			continue
+		}
+		resMatch := strings.TrimSpace(match[1])
+		for _, serviceMatch := range serviceMatches {
+			if len(serviceMatch) != 2 {
+				continue
+			}
+			resServiceMatch := strings.TrimSpace(serviceMatch[1])
+
+			s1 := detectors.Result{
+				DetectorType: detectorspb.DetectorType_AzureSearchAdminKey,
+				Raw:          []byte(resMatch),
+				RawV2:        []byte(resMatch + resServiceMatch),
+			}
+
+			if verify {
+				client := s.client
+				if client == nil {
+					client = defaultClient
+				}
+
+				isVerified, verificationErr := verifyMatch(ctx, client, resServiceMatch, resMatch)
+				s1.Verified = isVerified
+				if verificationErr != nil {
+					s1.SetVerificationError(verificationErr, resMatch)
+				}
+			}
+
+			// This function will check false positives for common test words, but also it will make sure the key appears 'random' enough to be a real key.
+			if !s1.Verified && detectors.IsKnownFalsePositive(resMatch, detectors.DefaultFalsePositives, true) {
+				continue
+			}
+
+			results = append(results, s1)
+		}
+	}
+
+	return results, nil
+}
+
+// verifyMatch reports whether key is accepted by the Azure Search service named service.
+// It is a separate function so that the deferred Body.Close runs after each request
+// instead of accumulating for every key/service pair until FromData returns.
+func verifyMatch(ctx context.Context, client *http.Client, service, key string) (bool, error) {
+	req, err := http.NewRequestWithContext(ctx, "GET", "https://"+service+".search.windows.net/servicestats?api-version=2023-10-01-Preview", nil)
+	if err != nil {
+		return false, err
+	}
+	req.Header.Add("api-key", key)
+
+	res, err := client.Do(req)
+	if err != nil {
+		return false, err
+	}
+	defer res.Body.Close()
+
+	switch {
+	case res.StatusCode >= 200 && res.StatusCode < 300:
+		return true, nil
+	case res.StatusCode == 401 || res.StatusCode == 403:
+		// The secret is determinately not verified (nothing to do)
+		return false, nil
+	default:
+		return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode)
+	}
+}
+
+// Type returns the detector type reported for results produced by this Scanner.
+func (s Scanner) Type() detectorspb.DetectorType {
+	return detectorspb.DetectorType_AzureSearchAdminKey
+}
diff --git a/pkg/detectors/azuresearchadminkey/azuresearchadminkey_test.go b/pkg/detectors/azuresearchadminkey/azuresearchadminkey_test.go
new file mode 100644
index 000000000000..e6b2a4d7c1d5
--- /dev/null
+++ b/pkg/detectors/azuresearchadminkey/azuresearchadminkey_test.go
@@ -0,0 +1,163 @@
+//go:build detectors
+// +build detectors
+
+package azuresearchadminkey
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
+)
+
+func TestAzuresearchadminkey_FromChunk(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+	defer cancel()
+	testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors5")
+	if err != nil {
+		t.Fatalf("could not get test secrets from GCP: %s", err)
+	}
+	secret := testSecrets.MustGetField("AZURE_SEARCH_ADMIN_KEY")
+	inactiveSecret := testSecrets.MustGetField("AZURE_SEARCH_ADMIN_KEY_INACTIVE")
+	service := testSecrets.MustGetField("AZURE_SEARCH_ADMIN_KEY_SERVICE")
+
+	type args struct {
+		ctx    context.Context
+		data   []byte
+		verify bool
+	}
+	tests := []struct {
+		name                string
+		s                   Scanner
+		args                args
+		want                []detectors.Result
+		wantErr             bool
+		wantVerificationErr bool
+	}{
+		{
+			name: "found, verified",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("You can find a azure secret %s and azure service %s within", secret, service)),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_AzureSearchAdminKey,
+					Verified:     true,
+				},
+			},
+			wantErr:             false,
+			wantVerificationErr: false,
+		},
+		{
+			name: "found, unverified",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("You can find a azure secret %s and azure service %s within but not valid", inactiveSecret, service)), // the secret would satisfy the regex but not pass validation
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_AzureSearchAdminKey,
+					Verified:     false,
+				},
+			},
+			wantErr:             false,
+			wantVerificationErr: false,
+		},
+		{
+			name: "not found",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte("You cannot find the secret within"),
+				verify: true,
+			},
+			want:                nil,
+			wantErr:             false,
+			wantVerificationErr: false,
+		},
+		{
+			name: "found, would be verified if not for timeout",
+			s:    Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("You can find a azure secret %s and azure service %s within", secret, service)),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_AzureSearchAdminKey,
+					Verified:     false,
+				},
+			},
+			wantErr:             false,
+			wantVerificationErr: true,
+		},
+		{
+			name: "found, verified but unexpected api surface",
+			s:    Scanner{client: common.ConstantResponseHttpClient(404, "")},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("You can find a azure secret %s and azure service %s within", secret, service)),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detectorspb.DetectorType_AzureSearchAdminKey,
+					Verified:     false,
+				},
+			},
+			wantErr:             false,
+			wantVerificationErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Azuresearchadminkey.FromData() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			for i := range got {
+				if len(got[i].Raw) == 0 {
+					t.Fatalf("no raw secret present: \n %+v", got[i])
+				}
+				if (got[i].VerificationError() != nil) != tt.wantVerificationErr {
+					t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError())
+				}
+			}
+			ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "RawV2", "verificationError")
+			if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" {
+				t.Errorf("Azuresearchadminkey.FromData() %s diff: (-got +want)\n%s", tt.name, diff)
+			}
+		})
+	}
+}
+
+func BenchmarkFromData(benchmark *testing.B) {
+	ctx := context.Background()
+	s := Scanner{}
+	for name, data := range detectors.MustGetBenchmarkData() {
+		benchmark.Run(name, func(b *testing.B) {
+			b.ResetTimer()
+			for n := 0; n < b.N; n++ {
+				_, err := s.FromData(ctx, false, data)
+				if err != nil {
+					b.Fatal(err)
+				}
+			}
+		})
+	}
+}
diff --git a/pkg/detectors/falsepositives.go b/pkg/detectors/falsepositives.go
index 0d4b313675ea..948ad12d95bf 100644
--- a/pkg/detectors/falsepositives.go
+++ b/pkg/detectors/falsepositives.go
@@ -107,7 +107,7 @@ func StringShannonEntropy(input string) float64 {
 func FilterResultsWithEntropy(results []Result, entropy float64) []Result {
 	var filteredResults []Result
 	for _, result := range results {
-		if !result.Verified && result.VerificationError() == nil {
+		if !result.Verified {
 			if result.RawV2 != nil {
 				if StringShannonEntropy(string(result.RawV2)) >= entropy {
 					filteredResults = append(filteredResults, result)
diff --git a/pkg/engine/defaults.go b/pkg/engine/defaults.go
index 07848edb36d0..ff2305ce1fc6 100644
--- a/pkg/engine/defaults.go
+++ b/pkg/engine/defaults.go
@@ -67,6 +67,7 @@ import (
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/azurecontainerregistry"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/azuredevopspersonalaccesstoken"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/azurefunctionkey"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/azuresearchadminkey"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/azurestorage"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/bannerbear"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/baremetrics"
@@ -801,9 +802,6 @@ func DefaultDetectors() []detectors.Detector {
 		&alibaba.Scanner{},
 		aws.New(),
 		awssessionkey.New(),
-		&azure.Scanner{},
-		&azurecontainerregistry.Scanner{},
-		&azurebatch.Scanner{},
 		&slack.Scanner{}, // has 4 secret types
 		&gitlab.Scanner{},
 		&gitlabv2.Scanner{},
@@ -1604,12 +1602,16 @@ func DefaultDetectors() []detectors.Detector {
 		rabbitmq.Scanner{},
 		planetscale.Scanner{},
 		portainertoken.Scanner{},
-		azurestorage.Scanner{},
 		planetscaledb.Scanner{},
+		azure.Scanner{},
+		azurestorage.Scanner{},
+		azurecontainerregistry.Scanner{},
+		azurebatch.Scanner{},
+		azurefunctionkey.Scanner{},
+		azuredevopspersonalaccesstoken.Scanner{},
+		azuresearchadminkey.Scanner{},
 		jiratoken_v2.Scanner{},
-		&azurefunctionkey.Scanner{},
 		&googleoauth2.Scanner{},
-		&azuredevopspersonalaccesstoken.Scanner{},
 	}
 
 }