trufflesecurity · zricethezav · Dec 2, 2024 · Nov 29, 2024 · Nov 29, 2024 · Dec 2, 2024
@@ -2,18 +2,18 @@ package saucelabs
 
 import (
 	"context"
-	b64 "encoding/base64"
 	"fmt"
-	regexp "github.com/wasilibs/go-re2"
+	"io"
 	"net/http"
-	"strings"
+
+	regexp "github.com/wasilibs/go-re2"
 
 	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
 )
 
-type Scanner struct{
+type Scanner struct {
 	detectors.DefaultMultiPartCredentialProvider
 }
 
@@ -24,8 +24,12 @@ var (
 	client = common.SaneHttpClient()
 
 	// Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
-	idPat  = regexp.MustCompile(`\b(oauth\-[a-z0-9]{8,}\-[a-z0-9]{5})\b`)
-	keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"saucelabs"}) + `\b([a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12})\b`)
+	// as per signup page username can be between 2 to 70 characters and must only contain letters, numbers, or characters (_-.)
+	usernamePat = regexp.MustCompile(detectors.PrefixRegex([]string{"saucelabs", "username"}) + `\b([a-zA-Z0-9_\.-]{2,70})`)
+	keyPat      = regexp.MustCompile(detectors.PrefixRegex([]string{"saucelabs"}) + `\b([a-z0-9]{8}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{4}\-[a-z0-9]{12})\b`)
+	baseUrlPat  = regexp.MustCompile(`\b(api\.(?:us|eu)-(?:west|east|central)-[0-9].saucelabs\.com)\b`)
+
+	fixedBaseURL = "api.us-west-1.saucelabs.com"
 )
 
 // Keywords are used for efficiently pre-filtering chunks.
@@ -38,47 +42,48 @@ func (s Scanner) Keywords() []string {
 func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
 	dataStr := string(data)
 
-	idMatches := idPat.FindAllStringSubmatch(dataStr, -1)
-	keyMatches := keyPat.FindAllStringSubmatch(dataStr, -1)
-
-	for _, match := range idMatches {
-		if len(match) != 2 {
-			continue
-		}
+	uniqueUserNameMatches, uniqueKeyMatches, uniqueBaseURLMatches := make(map[string]struct{}), make(map[string]struct{}), make(map[string]struct{})
 
-		idMatch := strings.TrimSpace(match[1])
+	for _, match := range usernamePat.FindAllStringSubmatch(dataStr, -1) {
+		uniqueUserNameMatches[match[1]] = struct{}{}
+	}
 
-		for _, secret := range keyMatches {
-			if len(secret) != 2 {
-				continue
-			}
+	for _, match := range keyPat.FindAllStringSubmatch(dataStr, -1) {
+		uniqueKeyMatches[match[1]] = struct{}{}
+	}
 
-			keyMatch := strings.TrimSpace(secret[1])
+	for _, match := range baseUrlPat.FindAllStringSubmatch(dataStr, -1) {
+		uniqueBaseURLMatches[match[1]] = struct{}{}
+	}
 
-			s1 := detectors.Result{
-				DetectorType: detectorspb.DetectorType_SauceLabs,
-				Raw:          []byte(idMatch),
-			}
+	// if no domain is found, add a fixed domain to try against
+	if len(uniqueBaseURLMatches) == 0 {
+		uniqueBaseURLMatches[fixedBaseURL] = struct{}{}
+	}
 
-			if verify {
-				data := fmt.Sprintf("%s:%s", idMatch, keyMatch)
-				encoded := b64.StdEncoding.EncodeToString([]byte(data))
-				req, err := http.NewRequestWithContext(ctx, "GET", "https://api.eu-central-1.saucelabs.com/team-management/v1/teams", nil)
-				if err != nil {
-					continue
+	for userName := range uniqueUserNameMatches {
+		for key := range uniqueKeyMatches {
+			for baseURL := range uniqueBaseURLMatches {
+				s1 := detectors.Result{
+					DetectorType: detectorspb.DetectorType_SauceLabs,
+					Raw:          []byte(userName),
+					RawV2:        []byte(userName + key),
+					ExtraData: map[string]string{
+						// add base url in extradata to know which base url was used for verification
+						"Base URL": baseURL,
+					},
 				}
-				req.Header.Add("Authorization", fmt.Sprintf("Basic %s", encoded))
-				res, err := client.Do(req)
-				if err == nil {
-					defer res.Body.Close()
-					if res.StatusCode >= 200 && res.StatusCode < 300 {
-						s1.Verified = true
-					}
+
+				if verify {
+					isVerified, verificationErr := verifySauceLabKey(ctx, client, userName, key, baseURL)
+					s1.Verified = isVerified
+					s1.SetVerificationError(verificationErr, key)
 				}
-			}
 
-			results = append(results, s1)
+				results = append(results, s1)
+			}
 		}
+
 	}
 
 	return results, nil
@@ -91,3 +96,32 @@ func (s Scanner) Type() detectorspb.DetectorType {
 func (s Scanner) Description() string {
 	return "A service for cross browser testing, API keys can create and access tests from potentially sensitive internal websites"
 }
+
+func verifySauceLabKey(ctx context.Context, client *http.Client, userName, key, baseURL string) (bool, error) {
+	apiURL := fmt.Sprintf("https://%s/team-management/v1/teams", baseURL)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, apiURL, nil)
+	if err != nil {
+		return false, err
+	}
+
+	req.SetBasicAuth(userName, key)
+	resp, err := client.Do(req)
+	if err != nil {
+		return false, err
+	}
+
+	defer func() {
+		_, _ = io.Copy(io.Discard, resp.Body)
+		_ = resp.Body.Close()
+	}()
+
+	switch resp.StatusCode {
+	case http.StatusOK, http.StatusForbidden:
+		return true, nil
+	case http.StatusUnauthorized:
+		return false, nil
+	default:
+		return false, fmt.Errorf("unexpected status code %v", resp.StatusCode)
+	}
+}
@@ -10,9 +10,9 @@ import (
 	"time"
 
 	"github.com/kylelemons/godebug/pretty"
-	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
 
 	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
 )
 
@@ -44,13 +44,19 @@ func TestSauceLabs_FromChunk(t *testing.T) {
 			s:    Scanner{},
 			args: args{
 				ctx:    context.Background(),
-				data:   []byte(fmt.Sprintf("You can find a saucelabs secret %s within saucelabs id %s but verified", secret, id)),
+				data:   []byte(createFakeString(id, secret)),
 				verify: true,
 			},
 			want: []detectors.Result{
 				{
 					DetectorType: detectorspb.DetectorType_SauceLabs,
 					Verified:     true,
+					RawV2:        []byte(id + secret),
+				},
+				{
+					DetectorType: detectorspb.DetectorType_SauceLabs,
+					Verified:     false,
+					RawV2:        []byte(secret + secret),
 				},
 			},
 			wantErr: false,
@@ -60,13 +66,19 @@ func TestSauceLabs_FromChunk(t *testing.T) {
 			s:    Scanner{},
 			args: args{
 				ctx:    context.Background(),
-				data:   []byte(fmt.Sprintf("You can find a saucelabs secret %s within saucelabs id %s but not valid", inactiveSecret, id)), // the secret would satisfy the regex but not pass validation
+				data:   []byte(fmt.Sprintf("username: %s\n saucelabskey: %s", id, inactiveSecret)), // the secret would satisfy the regex but not pass validation
 				verify: true,
 			},
 			want: []detectors.Result{
 				{
 					DetectorType: detectorspb.DetectorType_SauceLabs,
 					Verified:     false,
+					RawV2:        []byte(id + inactiveSecret),
+				},
+				{
+					DetectorType: detectorspb.DetectorType_SauceLabs,
+					Verified:     false,
+					RawV2:        []byte(inactiveSecret + inactiveSecret),
 				},
 			},
 			wantErr: false,
@@ -119,3 +131,10 @@ func BenchmarkFromData(benchmark *testing.B) {
 		})
 	}
 }
+
+func createFakeString(username, key string) string {
+	return `
+	username: ` + username + `
+	saucelabskey: ` + key + `
+	`
+}