Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix/saucelabs detector #3696

Merged
merged 4 commits into from
Dec 2, 2024
Merged

Fix/saucelabs detector #3696

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b17fb06
fixed and updated saucelabs detector
kashifkhan0771 Nov 29, 2024
78c25ce
added flags for integration test case
kashifkhan0771 Nov 29, 2024
8f1d8e4
Merge branch 'main' into fix/saucelabs-detector
kashifkhan0771 Dec 2, 2024
b08237f
added detection for base url
kashifkhan0771 Dec 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
84 changes: 49 additions & 35 deletions pkg/detectors/saucelabs/saucelabs.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,18 +2,18 @@ package saucelabs

import (
"context"
b64 "encoding/base64"
"fmt"
regexp "github.com/wasilibs/go-re2"
"io"
"net/http"
"strings"

regexp "github.com/wasilibs/go-re2"

"github.com/trufflesecurity/trufflehog/v3/pkg/common"
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
)

type Scanner struct{
type Scanner struct {
detectors.DefaultMultiPartCredentialProvider
}

Expand All @@ -24,8 +24,9 @@ var (
client = common.SaneHttpClient()

// Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
idPat = regexp.MustCompile(`\b(oauth\-[a-z0-9]{8,}\-[a-z0-9]{5})\b`)
keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"saucelabs"}) + `\b([a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12})\b`)
// as per signup page username can be between 2 to 70 characters and must only contain letters, numbers, or characters (_-.)
usernamePat = regexp.MustCompile(detectors.PrefixRegex([]string{"saucelabs", "username"}) + `\b([a-zA-Z0-9_\.-]{2,70})\b`)
zricethezav marked this conversation as resolved.
Show resolved Hide resolved
keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"saucelabs"}) + `\b([a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12})\b`)
)

// Keywords are used for efficiently pre-filtering chunks.
Expand All @@ -38,47 +39,33 @@ func (s Scanner) Keywords() []string {
func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
dataStr := string(data)

idMatches := idPat.FindAllStringSubmatch(dataStr, -1)
keyMatches := keyPat.FindAllStringSubmatch(dataStr, -1)

for _, match := range idMatches {
if len(match) != 2 {
continue
}
uniqueUserNameMatches, uniqueKeyMatches := make(map[string]struct{}), make(map[string]struct{})

idMatch := strings.TrimSpace(match[1])

for _, secret := range keyMatches {
if len(secret) != 2 {
continue
}
for _, match := range usernamePat.FindAllStringSubmatch(dataStr, -1) {
uniqueUserNameMatches[match[1]] = struct{}{}
}

keyMatch := strings.TrimSpace(secret[1])
for _, match := range keyPat.FindAllStringSubmatch(dataStr, -1) {
uniqueKeyMatches[match[1]] = struct{}{}
}

for userName := range uniqueUserNameMatches {
for key := range uniqueKeyMatches {
s1 := detectors.Result{
DetectorType: detectorspb.DetectorType_SauceLabs,
Raw: []byte(idMatch),
Raw: []byte(userName),
RawV2: []byte(userName + key),
}

if verify {
data := fmt.Sprintf("%s:%s", idMatch, keyMatch)
encoded := b64.StdEncoding.EncodeToString([]byte(data))
req, err := http.NewRequestWithContext(ctx, "GET", "https://api.eu-central-1.saucelabs.com/team-management/v1/teams", nil)
if err != nil {
continue
}
req.Header.Add("Authorization", fmt.Sprintf("Basic %s", encoded))
res, err := client.Do(req)
if err == nil {
defer res.Body.Close()
if res.StatusCode >= 200 && res.StatusCode < 300 {
s1.Verified = true
}
}
isVerified, verificationErr := verifySauceLabKey(ctx, client, userName, key)
s1.Verified = isVerified
s1.SetVerificationError(verificationErr, key)
}

results = append(results, s1)
}

}

return results, nil
Expand All @@ -91,3 +78,30 @@ func (s Scanner) Type() detectorspb.DetectorType {
func (s Scanner) Description() string {
return "A service for cross browser testing, API keys can create and access tests from potentially sensitive internal websites"
}

func verifySauceLabKey(ctx context.Context, client *http.Client, userName, key string) (bool, error) {
req, err := http.NewRequestWithContext(ctx, "GET", "https://api.eu-central-1.saucelabs.com/team-management/v1/teams", nil)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about us-west and us-east?

Copy link
Contributor Author

@kashifkhan0771 kashifkhan0771 Dec 2, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about that and the solution I have on my mind is to search for base URL in chunk, if found use that else used a fixed one. What do you think? Earlier we were only using one.
Also during testing I noticed that if we hit a URL which we do not have access to with valid token it gives us 403 and if token is incorrect we get 401.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rgmz can you check now? If current approach looks ok to you.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's probably fine. I did something similar here.

In theory, I think you're supposed to use CloudProvider / EndpointCustomizer / EndpointSetter; I have no clue how tf to actually use them.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that is to provide users the functionality to pass their own custom endpoints for the application/software vs using the default cloud endpoint. Here we have only three fix endpoints to choose from. Correct me @mcastorina If I am wrong about the usage of EndpointCustomizer.

if err != nil {
return false, err
}

req.SetBasicAuth(userName, key)
resp, err := client.Do(req)
if err != nil {
return false, err
}

defer func() {
_, _ = io.Copy(io.Discard, resp.Body)
_ = resp.Body.Close()
}()

switch resp.StatusCode {
case http.StatusOK, http.StatusForbidden:
return true, nil
case http.StatusUnauthorized:
return false, nil
default:
return false, fmt.Errorf("unexpected status code %v", resp.StatusCode)
}
}
25 changes: 22 additions & 3 deletions pkg/detectors/saucelabs/saucelabs_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,9 @@ import (
"time"

"github.com/kylelemons/godebug/pretty"
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"

"github.com/trufflesecurity/trufflehog/v3/pkg/common"
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
)

Expand Down Expand Up @@ -44,13 +44,19 @@ func TestSauceLabs_FromChunk(t *testing.T) {
s: Scanner{},
args: args{
ctx: context.Background(),
data: []byte(fmt.Sprintf("You can find a saucelabs secret %s within saucelabs id %s but verified", secret, id)),
data: []byte(createFakeString(id, secret)),
verify: true,
},
want: []detectors.Result{
{
DetectorType: detectorspb.DetectorType_SauceLabs,
Verified: true,
RawV2: []byte(id + secret),
},
{
DetectorType: detectorspb.DetectorType_SauceLabs,
Verified: false,
RawV2: []byte(secret + secret),
},
},
wantErr: false,
Expand All @@ -60,13 +66,19 @@ func TestSauceLabs_FromChunk(t *testing.T) {
s: Scanner{},
args: args{
ctx: context.Background(),
data: []byte(fmt.Sprintf("You can find a saucelabs secret %s within saucelabs id %s but not valid", inactiveSecret, id)), // the secret would satisfy the regex but not pass validation
data: []byte(fmt.Sprintf("username: %s\n saucelabskey: %s", id, inactiveSecret)), // the secret would satisfy the regex but not pass validation
verify: true,
},
want: []detectors.Result{
{
DetectorType: detectorspb.DetectorType_SauceLabs,
Verified: false,
RawV2: []byte(id + inactiveSecret),
},
{
DetectorType: detectorspb.DetectorType_SauceLabs,
Verified: false,
RawV2: []byte(inactiveSecret + inactiveSecret),
},
},
wantErr: false,
Expand Down Expand Up @@ -119,3 +131,10 @@ func BenchmarkFromData(benchmark *testing.B) {
})
}
}

func createFakeString(username, key string) string {
return `
username: ` + username + `
saucelabskey: ` + key + `
`
}
Loading