fix: corrected verification endpoint & validation logic for bombbomb #3462
Conversation
sahil9001
changed the title
pkg/detectors/bombbomb/bombbomb.go
Outdated
| @@ -20,7 +21,7 @@ var ( | |||
| client = common.SaneHttpClient() | |||
|
|
|||
| // Make sure that your group is surrounded in boundary characters such as below to reduce false positives. | |||
| keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"bombbomb"}) + `\b([a-zA-Z0-9-._]{704})\b`) | |||
| keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"bombbomb"}) + `\b(eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,})\b`) | |||
There was a problem hiding this comment.
Have you had a chance to generate an API key from the BombBomb portal? I'm not entirely sure if I might have made a mistake, but when I copy the API key from the BombBomb integrations page, it doesn't seem to match the regex.
There was a problem hiding this comment.
Yes, that is because it is not the integrations API Key, the endpoint corresponds to user information, for that you can get token by Network Tab on Chrome
There was a problem hiding this comment.
I am not exactly sure about this. I'll let someone else review and comment here.
There was a problem hiding this comment.
Well you can try this though, go to this website : https://developer.bombbomb.com/api#
and then click on authenticate button, it will give you an API token to test
There was a problem hiding this comment.
@kashifkhan0771 can you check and reply here?
There was a problem hiding this comment.
I'll check today @sahil9001
pkg/detectors/bombbomb/bombbomb.go
Outdated
| @@ -20,7 +21,7 @@ var ( | |||
| client = common.SaneHttpClient() | |||
|
|
|||
| // Make sure that your group is surrounded in boundary characters such as below to reduce false positives. | |||
| keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"bombbomb"}) + `\b([a-zA-Z0-9-._]{704})\b`) | |||
| keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"bombbomb"}) + `\b(eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,})\b`) | |||
There was a problem hiding this comment.
The generated secrets are JWTs, and I recommend using a standard JWT regex pattern: \b[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\b. Additionally, I suggest adding this pattern to the common patterns here so that it can be utilized by other detectors that look for JWT secrets.
@zricethezav @mcastorina @abmussani thoughts on adding JWT in common patterns? ^
There was a problem hiding this comment.
Done, please check @kashifkhan0771
Signed-off-by: Sahil Silare <[email protected]>
| @@ -8,6 +8,7 @@ import ( | |||
| ) | |||
|
|
|||
| const EmailPattern = `\b(?:[a-z0-9!#$%&'*+/=?^_\x60{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_\x60{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])\b` | |||
| const JWTPattern = `\b[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\b` | |||
There was a problem hiding this comment.
@sahil9001 this is too loose. Take a look at this for a reference https://github.com/gitleaks/gitleaks/blob/43fae355e6fe4d99d2a7b240a224b85e2903aeb4/config/gitleaks.toml#L2311 or even
trufflehog/pkg/detectors/formio/formio.go
Line 23 in 6a367ab
There was a problem hiding this comment.
No, it changes with each refresh, apparently there is a jti field which changes each time which eventually changes the first part each time as well.
Description:
Fixes #3461 , tests:
Checklist:
make test-community)?make lintthis requires golangci-lint)?