extract AWS account number from ID without verification #2091

Merged
merged 6 commits into from
Nov 16, 2023
Merged
39 changes: 39 additions & 0 deletions pkg/detectors/aws/aws.go
Expand Up @@ -4,6 +4,8 @@ import (
"context"
"crypto/hmac"
"crypto/sha256"
"encoding/base32"
"encoding/binary"
"encoding/hex"
"encoding/json"
"fmt"
Expand Down Expand Up @@ -101,6 +103,34 @@ func GetHMAC(key []byte, data []byte) []byte {
return hasher.Sum(nil)
}

func GetAccountNumFromAWSID(AWSID string) (string, error) {
// Function to get the account number from an AWS ID (no verification required)
// Source: https://medium.com/@TalBeerySec/a-short-note-on-aws-key-id-f88cc4317489
if len(AWSID) < 4 {
return "", fmt.Errorf("AWSID is too short")
}
trimmed_AWSID := AWSID[4:]
x, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(strings.ToUpper(trimmed_AWSID))
if err != nil {
return "", err
}

if len(x) < 6 {
return "", fmt.Errorf("Decoded AWSID is too short")
}
y := x[0:6]

var z uint64 = binary.BigEndian.Uint64(append(make([]byte, 8-len(y)), y...))
maskBytes, err := hex.DecodeString("7fffffffff80")
if err != nil {
return "", err
}

var mask uint64 = binary.BigEndian.Uint64(append(make([]byte, 8-len(maskBytes)), maskBytes...))
account_num := (z & mask) >> 7
return fmt.Sprintf("%012d", account_num), nil
}

// FromData will find and optionally verify AWS secrets in a given set of bytes.
func (s scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
dataStr := string(data)
Expand Down Expand Up @@ -136,9 +166,18 @@ func (s scanner) FromData(ctx context.Context, verify bool, data []byte) (result
},
}

account, err := GetAccountNumFromAWSID(resIDMatch)
if err == nil {
s1.ExtraData["account"] = account
}

if verify {
verified, extraData, verificationErr := s.verifyMatch(ctx, resIDMatch, resSecretMatch, true)
s1.Verified = verified
//It'd be good to log when calculated account value does not match
//the account value from verification. Should only be edge cases at most.
//if extraData["account"] != s1.ExtraData["account"] && extraData["account"] != "" {//log here}

//Append the extraData to the existing ExtraData map.
// This will overwrite with the new verified values.
for k, v := range extraData {
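Review bot: `hex.DecodeString("7fffffffff80")` in GetAccountNumFromAWSID turns a compile-time constant into a runtime call with an error branch that can never fire; declaring `const accountMask uint64 = 0x7fffffffff80` lets the tail of the function collapse to `id := binary.BigEndian.Uint64(append(make([]byte, 2), x[:6]...))` and `return fmt.Sprintf("%012d", (id&accountMask)>>7), nil`. The explanatory comment and source link sit inside the body; as a Go doc comment above the signature (`// GetAccountNumFromAWSID derives the 12-digit account ID embedded in an AWS access key ID; the value is computed locally and is not verified against AWS.`) it would also tell consumers of FromData's results that ExtraData["account"] is derived rather than confirmed whenever verify is false or verification does not overwrite it. `trimmed_AWSID` and `account_num` should be MixedCaps (`trimmedID`, `accountNum`), and the error strings should start lowercase (`"aws id is too short"`, `"decoded aws id is too short"`). In the FromData hunk, `account, err := GetAccountNumFromAWSID(resIDMatch)` drops a non-nil error silently and, since it appears to run inside a loop body, declares a new `err` that shadows FromData's named return; `if account, err := GetAccountNumFromAWSID(resIDMatch); err == nil { s1.ExtraData["account"] = account }` keeps both names scoped to the check. Both hunks' enclosing bodies continue outside the section.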
10 changes: 9 additions & 1 deletion pkg/detectors/aws/aws_test.go
Expand Up @@ -84,7 +84,10 @@ func TestAWS_FromChunk(t *testing.T) {
DetectorType: detectorspb.DetectorType_AWS,
Verified: false,
Redacted: "AKIASP2TPHJSQH3FJRUX",
ExtraData: map[string]string{"resource_type": "Access key"},
ExtraData: map[string]string{
"resource_type": "Access key",
"account": "171436882533",
},
},
},
wantErr: false,
Expand Down Expand Up @@ -115,6 +118,7 @@ func TestAWS_FromChunk(t *testing.T) {
Redacted: "AKIASP2TPHJSQH3FJXYZ",
ExtraData: map[string]string{
"resource_type": "Access key",
"account": "171436882533",
},
},
{
Expand Down Expand Up @@ -187,6 +191,7 @@ func TestAWS_FromChunk(t *testing.T) {
Redacted: "AKIASP2TPHJSQH3FJRUX",
ExtraData: map[string]string{
"resource_type": "Access key",
"account": "171436882533",
},
},
},
Expand Down Expand Up @@ -221,6 +226,7 @@ func TestAWS_FromChunk(t *testing.T) {
Redacted: "AKIASP2TPHJSQH3FJRUX",
ExtraData: map[string]string{
"resource_type": "Access key",
"account": "171436882533",
},
},
},
Expand All @@ -242,6 +248,7 @@ func TestAWS_FromChunk(t *testing.T) {
Redacted: "AKIASP2TPHJSQH3FJRUX",
ExtraData: map[string]string{
"resource_type": "Access key",
"account": "171436882533",
},
},
},
Expand All @@ -263,6 +270,7 @@ func TestAWS_FromChunk(t *testing.T) {
Redacted: "AKIASP2TPHJSQH3FJRUX",
ExtraData: map[string]string{
"resource_type": "Access key",
"account": "171436882533",
},
},
},
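Review bot: The new `"account": "171436882533"` expectations only exercise GetAccountNumFromAWSID's happy path through FromData; neither error branch in the new function (an ID shorter than four characters, or a suffix that fails base32 decoding) is covered anywhere in this file. A small table test calling `GetAccountNumFromAWSID` directly would pin them, e.g. `"AKIASP2TPHJSQH3FJRUX"` expecting `"171436882533"`, `"AKI"` expecting an error, and a constructed ID whose suffix contains `0` or `1` (characters outside the standard base32 alphabet) expecting an error. The enclosing TestAWS_FromChunk table starts and ends outside the visible hunks.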