Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Github Oauth2 verification #1584

Merged
merged 6 commits into from
Aug 2, 2023
Merged

Github Oauth2 verification #1584

Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
642b597
Github Oauth2 verification
bill-rich Jul 31, 2023
d2d80d4
Use prefix and include RawV2
bill-rich Aug 1, 2023
68dad1d
Make gh_oauth2 a new detector
bill-rich Aug 1, 2023
ce8c921
Remove unused struct
bill-rich Aug 1, 2023
bdec501
Remove versioner
bill-rich Aug 1, 2023
b9fbe35
Remove unused code
bill-rich Aug 2, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 47 additions & 3 deletions pkg/detectors/github/github.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,12 @@ import (
"fmt"
"net/http"
"regexp"
"strings"

"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
"golang.org/x/oauth2/clientcredentials"
"golang.org/x/oauth2/github"

"github.com/trufflesecurity/trufflehog/v3/pkg/common"
)
Expand All @@ -31,8 +34,13 @@ var (
// https://github.blog/changelog/2022-10-18-introducing-fine-grained-personal-access-tokens/
keyPat = regexp.MustCompile(`\b((?:ghp|gho|ghu|ghs|ghr|github_pat)_[a-zA-Z0-9_]{36,255})\b`)

// TODO: Oauth2 client_id and client_secret
// https://developer.github.com/v3/#oauth2-keysecret
// Oauth2 client ID and secret
oauth2ClientIDPat = regexp.MustCompile(`\b([a-f0-9]{20})\b`)
oauth2ClientSecretPat = regexp.MustCompile(`\b([a-f0-9]{40})\b`)
)

const (
githubBadVerificationCodeError = "bad_verification_code"
)

// TODO: Add secret context?? Information about access, ownership etc
Expand All @@ -48,13 +56,49 @@ type userRes struct {
// Keywords are used for efficiently pre-filtering chunks.
// Use identifiers in the secret preferably, or the provider name.
func (s Scanner) Keywords() []string {
return []string{"ghp_", "gho_", "ghu_", "ghs_", "ghr_", "github_pat_"}
return []string{"ghp_", "gho_", "ghu_", "ghs_", "ghr_", "github_pat_", "github"}
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

github matches means a lot of matches. Something like github_client would cut that down, but could miss creds. I erred on the side of not missing anything, but looking for other opinions.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm with you, I think erring on the side of not missing anything makes sense. And to clarify a little bit here, the github keyword would be associated with oauth creds right? Would it make sense to use detectors.PrefixRegex for the oauth regexes?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call. Switched.

}

// FromData will find and optionally verify GitHub secrets in a given set of bytes.
func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
dataStr := string(data)

// Oauth2 client ID and secret
oauth2ClientIDMatches := oauth2ClientIDPat.FindAllStringSubmatch(dataStr, -1)
oauth2ClientSecretMatches := oauth2ClientSecretPat.FindAllStringSubmatch(dataStr, -1)

for _, idMatch := range oauth2ClientIDMatches {
if len(idMatch) != 2 {
continue
}
for _, secretMatch := range oauth2ClientSecretMatches {
if len(secretMatch) != 2 {
continue
}

s1 := detectors.Result{
DetectorType: detectorspb.DetectorType_Github,
Raw: []byte(idMatch[1]),
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If my understanding is correct, we should also have a RawV2: []byte(idMatch[i] + secretMatch[1]).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#1584 (comment)


config := &clientcredentials.Config{
ClientID: idMatch[1],
ClientSecret: secretMatch[1],
TokenURL: github.Endpoint.TokenURL,
}
_, err := config.Token(ctx)
if err != nil && strings.Contains(err.Error(), githubBadVerificationCodeError) {
s1.Verified = true
}

if !s1.Verified && detectors.IsKnownFalsePositive(string(s1.Raw), detectors.DefaultFalsePositives, true) {
continue
}

results = append(results, s1)
}
}

matches := keyPat.FindAllStringSubmatch(dataStr, -1)

for _, match := range matches {
Expand Down
Loading