fix(maxmind): prevent npd panic (#2948)

This commit is contained in:
Richard Gomez 2024-06-11 08:27:42 -04:00 committed by GitHub
parent ca67a8aa83
commit 6b52d5ad40
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 130 additions and 28 deletions

View file

@ -3,6 +3,7 @@ package maxmindlicense
import (
"context"
"fmt"
"io"
"net/http"
"net/url"
"strings"
@ -14,21 +15,22 @@ import (
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
)
type Scanner struct{}
type Scanner struct {
client *http.Client
}
// Ensure the Scanner satisfies the interface at compile time.
var _ detectors.Detector = (*Scanner)(nil)
var (
client = common.SaneHttpClient()
keyPat = regexp.MustCompile(`\b([0-9A-Za-z]{6}_[0-9A-Za-z]{29}_mmk)\b`)
defaultClient = common.SaneHttpClient()
keyPat = regexp.MustCompile(`\b([a-zA-Z0-9]{6}_[a-zA-Z0-9]{29}_mmk)\b`)
)
// Keywords are used for efficiently pre-filtering chunks.
// Use identifiers in the secret preferably, or the provider name.
func (s Scanner) Keywords() []string {
return []string{"maxmind", "geoip"}
return []string{"_mmk"}
}
func (Scanner) Version() int { return 2 }
@ -37,14 +39,15 @@ func (Scanner) Version() int { return 2 }
func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
dataStr := string(data)
keyMatches := keyPat.FindAllStringSubmatch(dataStr, -1)
for _, keyMatch := range keyMatches {
keyRes := keyMatch[1]
uniqueMatches := make(map[string]struct{})
for _, key := range keyPat.FindAllStringSubmatch(dataStr, -1) {
uniqueMatches[key[1]] = struct{}{}
}
for key := range uniqueMatches {
r := detectors.Result{
DetectorType: detectorspb.DetectorType_MaxMindLicense,
Raw: []byte(keyRes),
Raw: []byte(key),
ExtraData: map[string]string{
"rotation_guide": "https://howtorotate.com/docs/tutorials/maxmind/",
"version": fmt.Sprintf("%d", s.Version()),
@ -52,26 +55,14 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
}
if verify {
data := url.Values{}
data.Add("license_key", keyRes)
req, err := http.NewRequestWithContext(
ctx, "POST", "https://secret-scanning.maxmind.com/secrets/validate-license-key",
strings.NewReader(data.Encode()))
if err != nil {
r.SetVerificationError(err)
results = append(results, r)
continue
client := s.client
if client == nil {
client = defaultClient
}
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
res, err := client.Do(req)
if err != nil {
r.SetVerificationError(err)
}
defer res.Body.Close()
if err == nil && res.StatusCode >= 200 && res.StatusCode < 300 {
r.Verified = true
}
verified, vErr := s.verify(ctx, client, key)
r.Verified = verified
r.SetVerificationError(vErr, key)
}
results = append(results, r)
@ -80,6 +71,38 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
return results, nil
}
func (s Scanner) verify(ctx context.Context, client *http.Client, key string) (bool, error) {
data := url.Values{}
data.Add("license_key", key)
// https://dev.maxmind.com/license-key-validation-api
req, err := http.NewRequestWithContext(
ctx, http.MethodPost, "https://secret-scanning.maxmind.com/secrets/validate-license-key",
strings.NewReader(data.Encode()))
if err != nil {
return false, err
}
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
res, err := client.Do(req)
if err != nil {
return false, err
}
defer func() {
_, _ = io.Copy(io.Discard, res.Body)
_ = res.Body.Close()
}()
switch res.StatusCode {
case http.StatusNoContent:
return true, nil
case http.StatusUnauthorized:
return false, nil
default:
return false, fmt.Errorf("unexpected status code: %d", res.StatusCode)
}
}
func (s Scanner) Type() detectorspb.DetectorType {
return detectorspb.DetectorType_MaxMindLicense
}

View file

@ -9,13 +9,92 @@ import (
"testing"
"time"
"github.com/google/go-cmp/cmp"
"github.com/kylelemons/godebug/pretty"
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
"github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick"
"github.com/trufflesecurity/trufflehog/v3/pkg/common"
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
)
func TestMaxMind_Pattern(t *testing.T) {
d := Scanner{}
ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d})
tests := []struct {
name string
input string
want []string
}{
{
name: "key in URL",
input: `#cd /home/xtreamcodes/iptv_xtream_codes/
#wget "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=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&suffix=tar.gz" -qO /home/xtreamcodes/iptv_xtream_codes/GeoLite2-City.mmdb.tar.gz
#tar -xf /home/xtreamcodes/iptv_xtream_codes/GeoLite2-City.mmdb.tar.gz`,
want: []string{"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"},
},
{
name: "ENV VAR",
input: `BASE_URL=https://plausible.example.com
SECRET_KEY_BASE=GLVzDZW04FzuS1gMcmBRVhwgd4Gu9YmSl/k/TqfTUXti7FLBd7aflXeQDdwCj6Cz
TOTP_VAULT_KEY=dsxvbn3jxDd16az2QpsX5B8O+llxjQ2SJE2i5Bzx38I=
MAXMIND_LICENSE_KEY=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
MAXMIND_EDITION=GeoLite2-City
GOOGLE_CLIENT_ID=...`,
want: []string{"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"},
},
{
name: "Random .conf",
input: `# LicenseKey is from your MaxMind account
LicenseKey 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`,
want: []string{"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"},
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input))
if len(matchedDetectors) == 0 {
t.Errorf("keywords '%v' not matched by: %s", d.Keywords(), test.input)
return
}
results, err := d.FromData(context.Background(), false, []byte(test.input))
if err != nil {
t.Errorf("error = %v", err)
return
}
if len(results) != len(test.want) {
if len(results) == 0 {
t.Errorf("did not receive result")
} else {
t.Errorf("expected %d results, only received %d", len(test.want), len(results))
}
return
}
actual := make(map[string]struct{}, len(results))
for _, r := range results {
if len(r.RawV2) > 0 {
actual[string(r.RawV2)] = struct{}{}
} else {
actual[string(r.Raw)] = struct{}{}
}
}
expected := make(map[string]struct{}, len(test.want))
for _, v := range test.want {
expected[v] = struct{}{}
}
if diff := cmp.Diff(expected, actual); diff != "" {
t.Errorf("%s diff: (-want +got)\n%s", test.name, diff)
}
})
}
}
func TestMaxMindLicense(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
defer cancel()