fix: fixed verifcation pattern logic for bulksms
#3478
@@ -2,18 +2,18 @@ package bulksms | |
|
||
import ( | ||
"context" | ||
b64 "encoding/base64" | ||
"fmt" | ||
regexp "github.com/wasilibs/go-re2" | ||
"io" | ||
"net/http" | ||
"strings" | ||
|
||
regexp "github.com/wasilibs/go-re2" | ||
|
||
"github.com/trufflesecurity/trufflehog/v3/pkg/common" | ||
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors" | ||
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" | ||
) | ||
|
||
type Scanner struct{ | ||
type Scanner struct { | ||
detectors.DefaultMultiPartCredentialProvider | ||
} | ||
|
||
|
@@ -24,12 +24,11 @@ var ( | |
client = common.SaneHttpClient() | ||
|
||
// Make sure that your group is surrounded in boundary characters such as below to reduce false positives | ||
keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"bulksms"}) + `\b([a-fA-Z0-9*]{29})\b`) | ||
keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"bulksms"}) + `\b([a-zA-Z0-9!@#$%^&*()]{29})\b`) | ||
idPat = regexp.MustCompile(detectors.PrefixRegex([]string{"bulksms"}) + `\b([A-F0-9-]{37})\b`) | ||
) | ||
|
||
// Keywords are used for efficiently pre-filtering chunks. | ||
// Use identifiers in the secret preferably, or the provider name. | ||
func (s Scanner) Keywords() []string { | ||
return []string{"bulksms"} | ||
} | ||
|
@@ -38,46 +37,66 @@ func (s Scanner) Keywords() []string { | |
func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { | ||
dataStr := string(data) | ||
|
||
matches := keyPat.FindAllStringSubmatch(dataStr, -1) | ||
idMatches := idPat.FindAllStringSubmatch(dataStr, -1) | ||
keyMatches := keyPat.FindAllStringSubmatch(dataStr, -1) | ||
|
||
verifiedKeys := make(map[string]bool) | ||
verifiedIDs := make(map[string]bool) | ||
|
||
for _, match := range matches { | ||
if len(match) != 2 { | ||
for _, idMatch := range idMatches { | ||
if len(idMatch) != 2 { | ||
continue | ||
} | ||
resMatch := strings.TrimSpace(match[1]) | ||
for _, idmatch := range idMatches { | ||
if len(match) != 2 { | ||
resIDMatch := strings.TrimSpace(idMatch[1]) | ||
|
||
if verifiedIDs[resIDMatch] { | ||
continue | ||
} | ||
|
||
for _, keyMatch := range keyMatches { | ||
if len(keyMatch) != 2 { | ||
continue | ||
} | ||
resKeyMatch := strings.TrimSpace(keyMatch[1]) | ||
|
||
if verifiedKeys[resKeyMatch] { | ||
continue | ||
} | ||
resIdMatch := strings.TrimSpace(idmatch[1]) | ||
|
||
s1 := detectors.Result{ | ||
DetectorType: detectorspb.DetectorType_Bulksms, | ||
Raw: []byte(resMatch), | ||
RawV2: []byte(resMatch + resIdMatch), | ||
Raw: []byte(resKeyMatch), | ||
RawV2: []byte(resKeyMatch + resIDMatch), | ||
} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Few suggestions:
Suggested Code: (This is a suggestion code, you can run it locally and verify and make changes if required)
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks @kashifkhan0771 , this method is better, I agree. I have made the changes and tested it too, please check. |
||
|
||
if verify { | ||
data := fmt.Sprintf("%s:%s", resIdMatch, resMatch) | ||
sEnc := b64.StdEncoding.EncodeToString([]byte(data)) | ||
req, err := http.NewRequestWithContext(ctx, "GET", "https://api.bulksms.com/v1/messages", nil) | ||
if err != nil { | ||
continue | ||
} | ||
req.Header.Add("Authorization", fmt.Sprintf("Basic %s", sEnc)) | ||
req.SetBasicAuth(resIDMatch, resKeyMatch) | ||
res, err := client.Do(req) | ||
if err == nil { | ||
defer res.Body.Close() | ||
if res.StatusCode >= 200 && res.StatusCode < 300 { | ||
defer func() { | ||
_, _ = io.Copy(io.Discard, res.Body) | ||
_ = res.Body.Close() | ||
}() | ||
|
||
if res.StatusCode == http.StatusOK { | ||
s1.Verified = true | ||
// Mark both ID and key as verified | ||
verifiedIDs[resIDMatch] = true | ||
verifiedKeys[resKeyMatch] = true | ||
results = append(results, s1) | ||
break | ||
} | ||
} else { | ||
s1.SetVerificationError(err, resKeyMatch) | ||
} | ||
} | ||
|
||
results = append(results, s1) | ||
} | ||
|
||
} | ||
} | ||
|
||
return results, nil | ||
|
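Review bot: The `defer func() { … res.Body.Close() }()` added at the top of the `if err == nil` branch runs inside the nested ID×key loop, so every response body stays open until FromData returns instead of being released after its own iteration; with several candidate IDs and keys in one chunk that is one unclosed body and one held connection per verification request. Draining and closing the body right after the status code has been read (shown below) releases each connection before the next request is made; a small helper that performs one request and owns the defer would achieve the same. In the same file section, keyPat in the earlier hunk ends in `\b`, which after a trailing non-word symbol such as `*` or `#` only matches when a word character follows, and `_` (which the review thread reports seeing in live tokens) is not in the character class, so the pattern is worth checking against real samples. FromData's closing brace lies outside the hunk.
```go
				res, err := client.Do(req)
				if err != nil {
					s1.SetVerificationError(err, resKeyMatch)
				} else {
					verified := res.StatusCode == http.StatusOK
					// Drain and close now rather than via defer: this runs inside
					// the ID×key loop, so a deferred close would hold every
					// response body open until FromData returns.
					_, _ = io.Copy(io.Discard, res.Body)
					_ = res.Body.Close()
					if verified {
						s1.Verified = true
						// Mark both ID and key as verified
						verifiedIDs[resIDMatch] = true
						verifiedKeys[resKeyMatch] = true
						results = append(results, s1)
						break
					}
				}
			}
			// … unchanged: unverified append and return …
```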
I generated over 10 tokens, and it appears the new regex is correct. So far, I’ve only received tokens containing the special characters `!_*#`, though I believe other special characters are possible.

Potential Improvements for the Detector:
Thanks for the review @kashifkhan0771 , I have addressed the changes