fix(maxmind): prevent npd panic (#2948)

2024-11-10 07:04:24 +00:00 · 2024-06-11 08:27:42 -04:00 · 2024-06-11 08:27:42 -04:00 · 6b52d5ad40
commit 6b52d5ad40
parent ca67a8aa83
2 changed files with 130 additions and 28 deletions
--- a/pkg/detectors/maxmindlicense/v2/maxmindlicense_v2.go
+++ b/pkg/detectors/maxmindlicense/v2/maxmindlicense_v2.go
@ -3,6 +3,7 @@ package maxmindlicense
 import (
 	"context"
 	"fmt"
+	"io"
 	"net/http"
 	"net/url"
 	"strings"
@ -14,21 +15,22 @@ import (
 	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
 )

-type Scanner struct{}
+type Scanner struct {
+	client *http.Client
+}

 // Ensure the Scanner satisfies the interface at compile time.
 var _ detectors.Detector = (*Scanner)(nil)

 var (
-	client = common.SaneHttpClient()
-
-	keyPat = regexp.MustCompile(`\b([0-9A-Za-z]{6}_[0-9A-Za-z]{29}_mmk)\b`)
+	defaultClient = common.SaneHttpClient()
+	keyPat        = regexp.MustCompile(`\b([a-zA-Z0-9]{6}_[a-zA-Z0-9]{29}_mmk)\b`)
 )

 // Keywords are used for efficiently pre-filtering chunks.
 // Use identifiers in the secret preferably, or the provider name.
 func (s Scanner) Keywords() []string {
-	return []string{"maxmind", "geoip"}
+	return []string{"_mmk"}
 }

 func (Scanner) Version() int { return 2 }
@ -37,14 +39,15 @@ func (Scanner) Version() int { return 2 }
 func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
 	dataStr := string(data)

-	keyMatches := keyPat.FindAllStringSubmatch(dataStr, -1)
-
-	for _, keyMatch := range keyMatches {
-		keyRes := keyMatch[1]
+	uniqueMatches := make(map[string]struct{})
+	for _, key := range keyPat.FindAllStringSubmatch(dataStr, -1) {
+		uniqueMatches[key[1]] = struct{}{}
+	}

+	for key := range uniqueMatches {
 		r := detectors.Result{
 			DetectorType: detectorspb.DetectorType_MaxMindLicense,
-			Raw:          []byte(keyRes),
+			Raw:          []byte(key),
 			ExtraData: map[string]string{
 				"rotation_guide": "https://howtorotate.com/docs/tutorials/maxmind/",
 				"version":        fmt.Sprintf("%d", s.Version()),
@ -52,26 +55,14 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 		}

 		if verify {
-			data := url.Values{}
-			data.Add("license_key", keyRes)
-			req, err := http.NewRequestWithContext(
-				ctx, "POST", "https://secret-scanning.maxmind.com/secrets/validate-license-key",
-				strings.NewReader(data.Encode()))
-			if err != nil {
-				r.SetVerificationError(err)
-				results = append(results, r)
-				continue
+			client := s.client
+			if client == nil {
+				client = defaultClient
 			}
-			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

-			res, err := client.Do(req)
-			if err != nil {
-				r.SetVerificationError(err)
-			}
-			defer res.Body.Close()
-			if err == nil && res.StatusCode >= 200 && res.StatusCode < 300 {
-				r.Verified = true
-			}
+			verified, vErr := s.verify(ctx, client, key)
+			r.Verified = verified
+			r.SetVerificationError(vErr, key)
 		}

 		results = append(results, r)
@ -80,6 +71,38 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 	return results, nil
 }

+func (s Scanner) verify(ctx context.Context, client *http.Client, key string) (bool, error) {
+	data := url.Values{}
+	data.Add("license_key", key)
+
+	// https://dev.maxmind.com/license-key-validation-api
+	req, err := http.NewRequestWithContext(
+		ctx, http.MethodPost, "https://secret-scanning.maxmind.com/secrets/validate-license-key",
+		strings.NewReader(data.Encode()))
+	if err != nil {
+		return false, err
+	}
+
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	res, err := client.Do(req)
+	if err != nil {
+		return false, err
+	}
+	defer func() {
+		_, _ = io.Copy(io.Discard, res.Body)
+		_ = res.Body.Close()
+	}()
+
+	switch res.StatusCode {
+	case http.StatusNoContent:
+		return true, nil
+	case http.StatusUnauthorized:
+		return false, nil
+	default:
+		return false, fmt.Errorf("unexpected status code: %d", res.StatusCode)
+	}
+}
+
 func (s Scanner) Type() detectorspb.DetectorType {
 	return detectorspb.DetectorType_MaxMindLicense
 }
--- a/pkg/detectors/maxmindlicense/v2/maxmindlicense_v2_test.go
+++ b/pkg/detectors/maxmindlicense/v2/maxmindlicense_v2_test.go
@ -9,13 +9,92 @@ import (
 	"testing"
 	"time"

+	"github.com/google/go-cmp/cmp"
 	"github.com/kylelemons/godebug/pretty"
+
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick"

 	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
 )

+func TestMaxMind_Pattern(t *testing.T) {
+	d := Scanner{}
+	ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d})
+	tests := []struct {
+		name  string
+		input string
+		want  []string
+	}{
+		{
+			name: "key in URL",
+			input: `#cd /home/xtreamcodes/iptv_xtream_codes/
+#wget "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-City&license_key=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&suffix=tar.gz" -qO /home/xtreamcodes/iptv_xtream_codes/GeoLite2-City.mmdb.tar.gz
+#tar -xf /home/xtreamcodes/iptv_xtream_codes/GeoLite2-City.mmdb.tar.gz`,
+			want: []string{"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"},
+		},
+		{
+			name: "ENV VAR",
+			input: `BASE_URL=https://plausible.example.com
+SECRET_KEY_BASE=GLVzDZW04FzuS1gMcmBRVhwgd4Gu9YmSl/k/TqfTUXti7FLBd7aflXeQDdwCj6Cz
+TOTP_VAULT_KEY=dsxvbn3jxDd16az2QpsX5B8O+llxjQ2SJE2i5Bzx38I=
+MAXMIND_LICENSE_KEY=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
+MAXMIND_EDITION=GeoLite2-City
+GOOGLE_CLIENT_ID=...`,
+			want: []string{"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"},
+		},
+		{
+			name: "Random .conf",
+			input: `# LicenseKey is from your MaxMind account
+LicenseKey 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`,
+			want: []string{"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"},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input))
+			if len(matchedDetectors) == 0 {
+				t.Errorf("keywords '%v' not matched by: %s", d.Keywords(), test.input)
+				return
+			}
+
+			results, err := d.FromData(context.Background(), false, []byte(test.input))
+			if err != nil {
+				t.Errorf("error = %v", err)
+				return
+			}
+
+			if len(results) != len(test.want) {
+				if len(results) == 0 {
+					t.Errorf("did not receive result")
+				} else {
+					t.Errorf("expected %d results, only received %d", len(test.want), len(results))
+				}
+				return
+			}
+
+			actual := make(map[string]struct{}, len(results))
+			for _, r := range results {
+				if len(r.RawV2) > 0 {
+					actual[string(r.RawV2)] = struct{}{}
+				} else {
+					actual[string(r.Raw)] = struct{}{}
+				}
+			}
+			expected := make(map[string]struct{}, len(test.want))
+			for _, v := range test.want {
+				expected[v] = struct{}{}
+			}
+
+			if diff := cmp.Diff(expected, actual); diff != "" {
+				t.Errorf("%s diff: (-want +got)\n%s", test.name, diff)
+			}
+		})
+	}
+}
+
 func TestMaxMindLicense(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
 	defer cancel()