Extend algoliaadminkey with additional checks

trufflesecurity · Oct 21, 2024 · 4dc3365 · 4dc3365
1 parent 86d2c6d
commit 4dc3365
Show file tree

Hide file tree

Showing 2 changed files with 78 additions and 15 deletions.
diff --git a/pkg/detectors/algoliaadminkey/algoliaadminkey.go b/pkg/detectors/algoliaadminkey/algoliaadminkey.go
@@ -2,6 +2,8 @@ package algoliaadminkey
 
 import (
 	"context"
+	"fmt"
+	"encoding/json"
 	regexp "github.com/wasilibs/go-re2"
 	"net/http"
 	"strings"
@@ -22,14 +24,14 @@ var (
 	client = common.SaneHttpClient()
 
 	// Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
-	keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"algolia"}) + `\b([a-zA-Z0-9]{32})\b`)
-	idPat  = regexp.MustCompile(detectors.PrefixRegex([]string{"algolia"}) + `\b([A-Z0-9]{10})\b`)
+	keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"algolia", "docsearch", "apiKey"}) + `\b([a-zA-Z0-9]{32})\b`)
+	idPat  = regexp.MustCompile(detectors.PrefixRegex([]string{"algolia", "docsearch", "appId"}) + `\b([A-Z0-9]{10})\b`)
 )
 
 // Keywords are used for efficiently pre-filtering chunks.
 // Use identifiers in the secret preferably, or the provider name.
 func (s Scanner) Keywords() []string {
-	return []string{"algolia"}
+	return []string{"algolia", "docsearch"}
 }
 
 // FromData will find and optionally verify AlgoliaAdminKey secrets in a given set of bytes.
@@ -57,19 +59,16 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 			}
 
 			if verify {
-				req, err := http.NewRequestWithContext(ctx, "GET", "https://"+resIdMatch+"-dsn.algolia.net/1/keys", nil)
-				if err != nil {
-					continue
-				}
-				req.Header.Add("X-Algolia-Application-Id", resIdMatch)
-				req.Header.Add("X-Algolia-API-Key", resMatch)
-				res, err := client.Do(req)
-				if err == nil {
-					defer res.Body.Close()
-					if res.StatusCode >= 200 && res.StatusCode < 300 {
-						s1.Verified = true
-					}
+				// Verify if the key is a valid Algolia Admin Key.
+				isVerified, verificationErr := verifyAlgoliaKey(ctx, resIdMatch, resMatch)
+
+				// Verify if the key has sensitive permissions, even if it's not an Admin Key.
+				if !isVerified {
+					isVerified, verificationErr = verifyAlgoliaKeyACL(ctx, resIdMatch, resMatch)
 				}
+
+				s1.SetVerificationError(verificationErr, resMatch)
+				s1.Verified = isVerified
 			}
 
 			results = append(results, s1)
@@ -78,6 +77,68 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 	return results, nil
 }
 
+func verifyAlgoliaKey(ctx context.Context, appId, apiKey string) (bool, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://"+appId+"-dsn.algolia.net/1/keys", nil)
+	if err != nil {
+		return false, err
+	}
+
+	req.Header.Add("X-Algolia-Application-Id", appId)
+	req.Header.Add("X-Algolia-API-Key", apiKey)
+
+	res, err := client.Do(req)
+	if err != nil {
+		return false, err
+	}
+	defer res.Body.Close()
+
+	if res.StatusCode == 403 {
+		return false, nil
+	} else if res.StatusCode < 200 || res.StatusCode > 299 {
+		return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode)
+	}
+
+	return true, nil
+}
+
+func verifyAlgoliaKeyACL(ctx context.Context, appId, apiKey string) (bool, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://"+appId+".algolia.net/1/keys/"+apiKey, nil)
+	if err != nil {
+		return false, err
+	}
+
+	req.Header.Add("X-Algolia-Application-Id", appId)
+	req.Header.Add("X-Algolia-API-Key", apiKey)
+
+	res, err := client.Do(req)
+	if err != nil {
+		return false, err
+	}
+	defer res.Body.Close()
+
+	if res.StatusCode == 403 {
+		return false, nil
+	} else if res.StatusCode < 200 || res.StatusCode > 299 {
+		return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode)
+	}
+
+	var jsonResponse struct {
+		ACL []string `json:"acl"`
+	}
+
+	if err := json.NewDecoder(res.Body).Decode(&jsonResponse); err != nil {
+		return false, err
+	}
+
+	for _, acl := range jsonResponse.ACL {
+		if acl != "search" && acl != "listIndexes" && acl != "settings" {
+			return true, nil // Other permissions are sensitive.
+		}
+	}
+
+	return false, nil
+}
+
 func (s Scanner) Type() detectorspb.DetectorType {
 	return detectorspb.DetectorType_AlgoliaAdminKey
 }

diff --git a/pkg/detectors/algoliaadminkey/algoliaadminkey_integration_test.go b/pkg/detectors/algoliaadminkey/algoliaadminkey_integration_test.go
@@ -51,6 +51,7 @@ func TestAlgoliaAdminKey_FromChunk(t *testing.T) {
 				{
 					DetectorType: detectorspb.DetectorType_AlgoliaAdminKey,
 					Verified:     true,
+					RawV2:        []byte(fmt.Sprintf("%s%s", secret, id)),
 				},
 			},
 			wantErr: false,
@@ -67,6 +68,7 @@ func TestAlgoliaAdminKey_FromChunk(t *testing.T) {
 				{
 					DetectorType: detectorspb.DetectorType_AlgoliaAdminKey,
 					Verified:     false,
+					RawV2:        []byte(fmt.Sprintf("%s%s", inactiveSecret, id)),
 				},
 			},
 			wantErr: false,