diff --git a/pkg/detectors/bitmex/bitmex.go b/pkg/detectors/bitmex/bitmex.go new file mode 100644 index 000000000..647edbfba --- /dev/null +++ b/pkg/detectors/bitmex/bitmex.go @@ -0,0 +1,110 @@ +package bitmex + +import ( + "context" + "crypto/hmac" + "crypto/sha256" + "encoding/hex" + "strconv" + "time" + + // "log" + "regexp" + "strings" + + "net/http" + "net/url" + + "github.com/trufflesecurity/trufflehog/pkg/common" + "github.com/trufflesecurity/trufflehog/pkg/detectors" + "github.com/trufflesecurity/trufflehog/pkg/pb/detectorspb" +) + +type Scanner struct{} + +// Ensure the Scanner satisfies the interface at compile time +var _ detectors.Detector = (*Scanner)(nil) + +var ( + client = common.SaneHttpClient() + + //Make sure that your group is surrounded in boundry characters such as below to reduce false positives + keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"bitmex"}) + `([ \r\n]{1}[0-9a-zA-Z\-\_]{24}[ \r\n]{1})`) + secretPat = regexp.MustCompile(detectors.PrefixRegex([]string{"bitmex"}) + `([ \r\n]{1}[0-9a-zA-Z\-\_]{48}[ \r\n]{1})`) +) + +// Keywords are used for efficiently pre-filtering chunks. +// Use identifiers in the secret preferably, or the provider name. +func (s Scanner) Keywords() []string { + return []string{"bitmex"} +} + +// FromData will find and optionally verify Bitmex secrets in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + matches := keyPat.FindAllStringSubmatch(dataStr, -1) + secretMatches := secretPat.FindAllStringSubmatch(dataStr, -1) + + for _, match := range matches { + if len(match) != 2 { + continue + } + resMatch := strings.TrimSpace(match[1]) + + for _, secretMatch := range secretMatches { + if len(secretMatch) != 2 { + continue + } + resSecretMatch := strings.TrimSpace(secretMatch[1]) + + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_Bitmex, + Raw: []byte(resSecretMatch), + } + + if verify { + + timestamp := strconv.FormatInt(time.Now().Unix()+5, 10) + action := "GET" + path := "/api/v1/user" + payload := url.Values{} + + signature := getBitmexSignature(timestamp, resSecretMatch, action, path, payload.Encode()) + + req, _ := http.NewRequest(action, "https://www.bitmex.com"+path, strings.NewReader(payload.Encode())) + req.Header.Add("api-expires", timestamp) + req.Header.Add("api-key", resMatch) + req.Header.Add("api-signature", signature) + res, err := client.Do(req) + if err == nil { + defer res.Body.Close() + if res.StatusCode >= 200 && res.StatusCode < 300 { + s1.Verified = true + } else { + //This function will check false positives for common test words, but also it will make sure the key appears 'random' enough to be a real key + if detectors.IsKnownFalsePositive(resMatch, detectors.DefaultFalsePositives, true) { + continue + } + + if detectors.IsKnownFalsePositive(resSecretMatch, detectors.DefaultFalsePositives, true) { + continue + } + } + } + } + + results = append(results, s1) + } + } + + return detectors.CleanResults(results), nil +} + +func getBitmexSignature(timeStamp string, secret string, action string, path string, payload string) string { + + mac := hmac.New(sha256.New, []byte(secret)) + mac.Write([]byte(action + path + timeStamp + payload)) + macsum := mac.Sum(nil) + return hex.EncodeToString(macsum) +} diff --git a/pkg/detectors/bitmex/bitmex_test.go b/pkg/detectors/bitmex/bitmex_test.go new file mode 100644 index 000000000..2a5b1f54b --- /dev/null +++ b/pkg/detectors/bitmex/bitmex_test.go @@ -0,0 +1,115 @@ +package bitmex + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/kylelemons/godebug/pretty" + "github.com/trufflesecurity/trufflehog/pkg/detectors" + + "github.com/trufflesecurity/trufflehog/pkg/common" + "github.com/trufflesecurity/trufflehog/pkg/pb/detectorspb" +) + +func TestBitmex_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetScannersTestSecrets(ctx) + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + key := testSecrets.MustGetField("BITMEX_KEY") + inactiveKey := testSecrets.MustGetField("BITMEX_KEY_INACTIVE") + secret := testSecrets.MustGetField("BITMEX") + inactiveSecret := testSecrets.MustGetField("BITMEX_INACTIVE") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a bitmex key %s with bitmex secret %s within", key, secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_Bitmex, + Verified: true, + }, + }, + wantErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a bitmex key %s with bitmex secret %s within but not valid", inactiveKey, inactiveSecret)), // the secret would satisfy the regex but not pass validation + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_Bitmex, + Verified: false, + }, + }, + wantErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := Scanner{} + got, err := s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("Bitmex.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + got[i].Raw = nil + } + if diff := pretty.Compare(got, tt.want); diff != "" { + t.Errorf("Bitmex.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := Scanner{} + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + for n := 0; n < b.N; n++ { + s.FromData(ctx, false, data) + } + }) + } +}