diff --git a/pkg/detectors/railwayapp/railwayapp.go b/pkg/detectors/railwayapp/railwayapp.go new file mode 100644 index 000000000000..0408103c8ada --- /dev/null +++ b/pkg/detectors/railwayapp/railwayapp.go @@ -0,0 +1,172 @@ +package railwayapp + +import ( + "bytes" + "context" + "encoding/json" + "fmt" + "io" + "net/http" + "strings" + + regexp "github.com/wasilibs/go-re2" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct { + client *http.Client +} + +// graphQLResponse will handle the response from railway API +type graphQLResponse struct { + Data interface{} `json:"data"` + Errors []interface{} `json:"errors"` +} + +// Ensure the Scanner satisfies the interface at compile time. +var _ detectors.Detector = (*Scanner)(nil) + +var ( + defaultClient = common.SaneHttpClient() + + apiToken = regexp.MustCompile(detectors.PrefixRegex([]string{"railway"}) + + `\b([a-f0-9]{8}(?:-[a-f0-9]{4}){3}-[a-f0-9]{12})\b`) +) + +func (s Scanner) getClient() *http.Client { + if s.client != nil { + return s.client + } + + return defaultClient +} + +// Keywords are used for efficiently pre-filtering chunks. +// Use identifiers in the secret preferably, or the provider name. +func (s Scanner) Keywords() []string { + return []string{"railway"} +} + +func (s Scanner) Description() string { + return "Railway is a deployment platform designed to streamline the software development life-cycle, starting with instant deployments and effortless scale, extending to CI/CD integrations and built-in observability." +} + +// FromData will find and optionally verify SaladCloud API Key secrets in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + // uniqueMatches will hold unique match values and ensure we only process unique matches found in the data string + var uniqueMatches = make(map[string]bool) + + for _, match := range apiToken.FindAllStringSubmatch(dataStr, -1) { + if len(match) != 2 { + continue + } + + uniqueMatches[strings.TrimSpace(match[1])] = true + } + + for match := range uniqueMatches { + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_RailwayApp, + Raw: []byte(match), + ExtraData: map[string]string{ + "rotation_guide": "https://howtorotate.com/docs/tutorials/railwayapp/", + }, + } + + if verify { + client := s.getClient() + isVerified, verificationErr := verifyRailwayApp(ctx, client, match) + s1.Verified = isVerified + s1.SetVerificationError(verificationErr) + } + + results = append(results, s1) + } + + return results, nil +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_RailwayApp +} + +/* +verifyRailwayApp verifies if the passed matched api key for railwayapp is active or not. +docs: https://docs.railway.app/reference/public-api +*/ +func verifyRailwayApp(ctx context.Context, client *http.Client, match string) (bool, error) { + jsonPayload, err := getJSONPayload() + if err != nil { + return false, err + } + + req, err := http.NewRequestWithContext(ctx, "POST", "https://backboard.railway.app/graphql/v2", bytes.NewBuffer(jsonPayload)) + if err != nil { + return false, err + } + + // set the required headers + req.Header.Set("Content-Type", "application/json") + req.Header.Set("Authorization", "Bearer "+match) + + resp, err := client.Do(req) + if err != nil { + return false, err + } + defer resp.Body.Close() + + /* + GraphQL queries return response with 200 OK status code even for errors + Sources: + https://www.apollographql.com/docs/react/data/error-handling/#graphql-errors + https://github.com/rmosolgo/graphql-ruby/issues/1130 + https://inigo.io/blog/graphql_error_handling + */ + if resp.StatusCode != http.StatusOK { + return false, fmt.Errorf("railway app verification failed with status code %d", resp.StatusCode) + } + + // if rate limit is reached, return verification as false with no error + if resp.Header.Get("x-ratelimit-remaining") == "0" { + return false, nil + } + + // read the response body + body, err := io.ReadAll(resp.Body) + if err != nil { + return false, err + } + + // parse the response body into a structured format + var graphqlResponse graphQLResponse + if err = json.Unmarshal(body, &graphqlResponse); err != nil { + return false, err + } + + // if any errors exist in response, return verification as false + if len(graphqlResponse.Errors) > 0 { + return false, nil + } + + return true, nil +} + +// getJSONPayload return the graphQL query as a JSON +func getJSONPayload() ([]byte, error) { + payload := map[string]string{ + "query": `query me {me {email}}`, + } + + // convert the payload to JSON + jsonPayload, err := json.Marshal(payload) + if err != nil { + return nil, fmt.Errorf("error marshalling JSON: %w", err) + } + + return jsonPayload, nil +} diff --git a/pkg/detectors/railwayapp/railwayapp_test.go b/pkg/detectors/railwayapp/railwayapp_test.go new file mode 100644 index 000000000000..1bdc9a756257 --- /dev/null +++ b/pkg/detectors/railwayapp/railwayapp_test.go @@ -0,0 +1,247 @@ +//go:build detectors +// +build detectors + +package railwayapp + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +func TestRailwayApp_Pattern(t *testing.T) { + d := Scanner{} + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + tests := []struct { + name string + input string + want []string + }{ + { + name: "typical pattern - with keyword railwayapp", + input: "railwayapp token = 'a52a85d1-33c4-4808-8fa0-c375f3c6013a'", + want: []string{"a52a85d1-33c4-4808-8fa0-c375f3c6013a"}, + }, + { + name: "typical pattern - with keyword railway", + input: "railway = 'a52a85d1-33c4-4808-8fa0-c375f3c6013a'", + want: []string{"a52a85d1-33c4-4808-8fa0-c375f3c6013a"}, + }, + { + name: "typical pattern - ignore duplicate", + input: "railwayapp token = 'a52a85d1-33c4-4808-8fa0-c375f3c6013a | a52a85d1-33c4-4808-8fa0-c375f3c6013a'", + want: []string{"a52a85d1-33c4-4808-8fa0-c375f3c6013a"}, + }, + { + name: "invalid pattern", + input: "railway = 'a52e95g1-33c4-4808-8fa0-b375f3c6013a'", + want: []string{}, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 { + t.Errorf("keywords '%v' not matched by: %s", d.Keywords(), test.input) + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + if err != nil { + t.Errorf("error = %v", err) + return + } + + if len(results) != len(test.want) { + if len(results) == 0 { + t.Errorf("did not receive result") + } else { + t.Errorf("expected %d results, only received %d", len(test.want), len(results)) + } + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} + +func TestRailwayApp_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors5") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + secret := testSecrets.MustGetField("RAILWAYAPP") + inactiveSecret := testSecrets.MustGetField("RAILWAYAPP_INACTIVE") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + wantVerificationErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: ctx, + data: []byte(fmt.Sprintf("You can find a railwayapp secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_RailwayApp, + Verified: true, + ExtraData: map[string]string{ + "rotation_guide": "https://howtorotate.com/docs/tutorials/railwayapp/", + }, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: ctx, + data: []byte(fmt.Sprintf("You can find a railwayapp secret %s within but not valid", inactiveSecret)), // the secret would satisfy the regex but not pass validation + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_RailwayApp, + Verified: false, + ExtraData: map[string]string{ + "rotation_guide": "https://howtorotate.com/docs/tutorials/railwayapp/", + }, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, would be verified if not for timeout", + s: Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a railwayapp secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_RailwayApp, + Verified: false, + ExtraData: map[string]string{ + "rotation_guide": "https://howtorotate.com/docs/tutorials/railwayapp/", + }, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + { + name: "found, verified but unexpected api surface", + s: Scanner{client: common.ConstantResponseHttpClient(500, "")}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a railwayapp secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_RailwayApp, + Verified: false, + ExtraData: map[string]string{ + "rotation_guide": "https://howtorotate.com/docs/tutorials/railwayapp/", + }, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("RailwayApp.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + if (got[i].VerificationError() != nil) != tt.wantVerificationErr { + t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError()) + } + } + ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "verificationError") + if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" { + t.Errorf("RailwayApp.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := Scanner{} + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + b.ResetTimer() + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} diff --git a/pkg/engine/defaults.go b/pkg/engine/defaults.go index 9e77803b125d..e592e206b783 100644 --- a/pkg/engine/defaults.go +++ b/pkg/engine/defaults.go @@ -556,6 +556,7 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/qualaroo" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/qubole" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rabbitmq" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/railwayapp" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/ramp" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rapidapi" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/rawg" @@ -1632,6 +1633,7 @@ func DefaultDetectors() []detectors.Detector { netsuite.Scanner{}, robinhoodcrypto.Scanner{}, nvapi.Scanner{}, + railwayapp.Scanner{}, } } diff --git a/pkg/pb/detectorspb/detectors.pb.go b/pkg/pb/detectorspb/detectors.pb.go index 319e394cb9b2..c5263a63fd38 100644 --- a/pkg/pb/detectorspb/detectors.pb.go +++ b/pkg/pb/detectorspb/detectors.pb.go @@ -1100,6 +1100,7 @@ const ( DetectorType_RobinhoodCrypto DetectorType = 996 DetectorType_NVAPI DetectorType = 997 DetectorType_PyPI DetectorType = 998 + DetectorType_RailwayApp DetectorType = 999 ) // Enum value maps for DetectorType. @@ -2100,6 +2101,7 @@ var ( 996: "RobinhoodCrypto", 997: "NVAPI", 998: "PyPI", + 999: "RailwayApp", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -3097,6 +3099,7 @@ var ( "RobinhoodCrypto": 996, "NVAPI": 997, "PyPI": 998, + "RailwayApp": 999, } ) @@ -3550,7 +3553,7 @@ var file_detectors_proto_rawDesc = []byte{ 0x4c, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x42, 0x41, 0x53, 0x45, 0x36, 0x34, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x12, 0x13, 0x0a, 0x0f, 0x45, 0x53, 0x43, 0x41, 0x50, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x49, 0x43, 0x4f, 0x44, 0x45, - 0x10, 0x04, 0x2a, 0xc5, 0x7f, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, + 0x10, 0x04, 0x2a, 0xd6, 0x7f, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10, 0x03, 0x12, 0x0a, @@ -4570,12 +4573,13 @@ var file_detectors_proto_rawDesc = []byte{ 0x0a, 0x08, 0x4e, 0x65, 0x74, 0x73, 0x75, 0x69, 0x74, 0x65, 0x10, 0xe3, 0x07, 0x12, 0x14, 0x0a, 0x0f, 0x52, 0x6f, 0x62, 0x69, 0x6e, 0x68, 0x6f, 0x6f, 0x64, 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x10, 0xe4, 0x07, 0x12, 0x0a, 0x0a, 0x05, 0x4e, 0x56, 0x41, 0x50, 0x49, 0x10, 0xe5, 0x07, 0x12, - 0x09, 0x0a, 0x04, 0x50, 0x79, 0x50, 0x49, 0x10, 0xe6, 0x07, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, - 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, - 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, - 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, - 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x33, + 0x09, 0x0a, 0x04, 0x50, 0x79, 0x50, 0x49, 0x10, 0xe6, 0x07, 0x12, 0x0f, 0x0a, 0x0a, 0x52, 0x61, + 0x69, 0x6c, 0x77, 0x61, 0x79, 0x41, 0x70, 0x70, 0x10, 0xe7, 0x07, 0x42, 0x3d, 0x5a, 0x3b, 0x67, + 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, + 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, + 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, + 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, } var ( diff --git a/proto/detectors.proto b/proto/detectors.proto index 5f2817004a90..65bc6189337c 100644 --- a/proto/detectors.proto +++ b/proto/detectors.proto @@ -715,7 +715,7 @@ enum DetectorType { Goshippo = 703; Sigopt = 704; Sugester = 705; - Viewneo = 706; + Viewneo = 706; BoostNote = 707; CaptainData = 708; Checkvist = 709; @@ -1008,6 +1008,7 @@ enum DetectorType { RobinhoodCrypto = 996; NVAPI = 997; PyPI = 998; + RailwayApp = 999; } message Result {