diff --git a/pkg/detectors/planetscale/planetscale.go b/pkg/detectors/planetscale/planetscale.go new file mode 100644 index 000000000..8fe238fe7 --- /dev/null +++ b/pkg/detectors/planetscale/planetscale.go @@ -0,0 +1,88 @@ +package planetscale + +import ( + "context" + "fmt" + "net/http" + "regexp" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct { + client *http.Client +} + +var ( + defaultClient = common.SaneHttpClient() + usernamePat = regexp.MustCompile(`\b[a-z0-9]{12}\b`) + passwordPat = regexp.MustCompile(`\bpscale_tkn_[A-Za-z0-9_]{43}\b`) +) + +// Ensure the Scanner satisfies the interface at compile time. +var _ detectors.Detector = (*Scanner)(nil) + +// Keywords are used for efficiently pre-filtering chunks. +func (s Scanner) Keywords() []string { + return []string{"pscale_tkn_"} +} + +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + usernameMatches := usernamePat.FindAllString(dataStr, -1) + passwordMatches := passwordPat.FindAllString(dataStr, -1) + + for _, username := range usernameMatches { + + for _, password := range passwordMatches { + credentials := fmt.Sprintf("%s:%s", username, password) + + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_PlanetScale, + Raw: []byte(credentials), + } + + if verify { + client := s.client + if client == nil { + client = defaultClient + } + + // Construct HTTP request + req, err := http.NewRequestWithContext(ctx, "GET", "https://api.planetscale.com/v1/organizations", nil) + if err != nil { + continue + } + req.Header.Set("Authorization", credentials) + req.Header.Set("accept", "application/json") + + // Send HTTP request + res, err := client.Do(req) + if err == nil { + defer res.Body.Close() + if res.StatusCode >= 200 && res.StatusCode < 300 { + s1.Verified = true + } else if res.StatusCode == 401 { + // The secret is determinately not verified + s1.Verified = false + } else { + s1.VerificationError = fmt.Errorf("unexpected status code %d", res.StatusCode) + } + } else { + s1.VerificationError = err + } + } + + results = append(results, s1) + } + } + + return results, nil +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_PlanetScale +} diff --git a/pkg/detectors/planetscale/planetscale_test.go b/pkg/detectors/planetscale/planetscale_test.go new file mode 100644 index 000000000..e1dbdf391 --- /dev/null +++ b/pkg/detectors/planetscale/planetscale_test.go @@ -0,0 +1,164 @@ +//go:build detectors +// +build detectors + +package planetscale + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +func TestPlanetscale_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors5") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + secret := testSecrets.MustGetField("PLANET_SCALE_TOKEN") + secretID := testSecrets.MustGetField("PLANET_SCALE_ID") + inactiveSecret := testSecrets.MustGetField("PLANET_SCALE_TOKEN_INACTIVE") + inactiveSecretID := testSecrets.MustGetField("PLANET_SCALE_ID_INACTIVE") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + wantVerificationErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a planetscale secret %s within with id %s", secret, secretID)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_PlanetScale, + Verified: true, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a planetscale secret %s within with id %s but not valid", inactiveSecret, inactiveSecretID)), // the secret would satisfy the regex but not pass validation + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_PlanetScale, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, would be verified if not for timeout", + s: Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a planetscale secret %s within with id %s", secret, secretID)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_PlanetScale, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + { + name: "found, verified but unexpected api surface", + s: Scanner{client: common.ConstantResponseHttpClient(404, "")}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a planetscale secret %s within with id %s", secret, secretID)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_PlanetScale, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("Planetscale.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + if (got[i].VerificationError != nil) != tt.wantVerificationErr { + t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError) + } + } + ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "VerificationError") + if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" { + t.Errorf("Planetscale.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := Scanner{} + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + b.ResetTimer() + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} diff --git a/pkg/detectors/planetscaledb/planetscaledb.go b/pkg/detectors/planetscaledb/planetscaledb.go new file mode 100644 index 000000000..dc1108fb6 --- /dev/null +++ b/pkg/detectors/planetscaledb/planetscaledb.go @@ -0,0 +1,81 @@ +package planetscaledb + +import ( + "context" + "database/sql" + "regexp" + "strings" + + "github.com/go-sql-driver/mysql" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct { + db *sql.DB +} + +// Ensure the Scanner satisfies the interface at compile time. +var _ detectors.Detector = (*Scanner)(nil) + +var ( + usernamePat = regexp.MustCompile(`\b[a-z0-9]{20}\b`) + passwordPat = regexp.MustCompile(`\bpscale_pw_[A-Za-z0-9_]{43}\b`) + hostPat = regexp.MustCompile(`\b(aws|gcp)\.connect\.psdb\.cloud\b`) +) + +// Keywords are used for efficiently pre-filtering chunks. +func (s Scanner) Keywords() []string { + return []string{"pscale_pw_"} +} + +// FromData will find and optionally verify Planetscaledb secrets in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + usernameMatches := usernamePat.FindAllStringSubmatch(dataStr, -1) + passwordMatches := passwordPat.FindAllStringSubmatch(dataStr, -1) + hostMatches := hostPat.FindAllString(dataStr, -1) + + for _, username := range usernameMatches { + for _, password := range passwordMatches { + for _, host := range hostMatches { + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_PlanetScaleDb, + Raw: []byte(strings.Join([]string{host, username[0], password[0]}, "\t")), + } + + if verify { + cfg := mysql.Config{ + User: username[0], + Passwd: password[0], + Net: "tcp", + Addr: host, + TLSConfig: "true", // assuming SSL is required + AllowNativePasswords: true, + } + db, err := sql.Open("mysql", cfg.FormatDSN()) + if err != nil { + s1.VerificationError = err + } else { + err = db.PingContext(ctx) + if err == nil { + s1.Verified = true + } else { + s1.VerificationError = err + } + db.Close() + } + } + + results = append(results, s1) + } + } + } + + return results, nil +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_PlanetScaleDb +} diff --git a/pkg/detectors/planetscaledb/planetscaledb_test.go b/pkg/detectors/planetscaledb/planetscaledb_test.go new file mode 100644 index 000000000..e831a9fb0 --- /dev/null +++ b/pkg/detectors/planetscaledb/planetscaledb_test.go @@ -0,0 +1,129 @@ +//go:build detectors +// +build detectors + +package planetscaledb + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +func TestPlanetscaledb_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors5") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + username := testSecrets.MustGetField("PLANET_SCALEDB_USERNAME") + host := testSecrets.MustGetField("PLANET_SCALEDB_HOST") + password := testSecrets.MustGetField("PLANET_SCALEDB_PASSWORD") + inactivePassword := testSecrets.MustGetField("PLANET_SCALEDB_PASSWORD_INACTIVE") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + wantVerificationErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a planetscaledb secret %s %s %s", username, password, host)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_PlanetScaleDb, + Verified: true, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a planetscaledb secret %s %s %s", username, inactivePassword, host)), + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_PlanetScaleDb, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + wantVerificationErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("Planetscaledb.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + if (got[i].VerificationError != nil) != tt.wantVerificationErr { + t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError) + } + } + ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "VerificationError") + if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" { + t.Errorf("Planetscaledb.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := Scanner{} + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + b.ResetTimer() + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} diff --git a/pkg/pb/detectorspb/detectors.pb.go b/pkg/pb/detectorspb/detectors.pb.go index ec41821f5..10c9c389f 100644 --- a/pkg/pb/detectorspb/detectors.pb.go +++ b/pkg/pb/detectorspb/detectors.pb.go @@ -1003,6 +1003,7 @@ const ( DetectorType_Tailscale DetectorType = 929 DetectorType_Web3Storage DetectorType = 930 DetectorType_AzureStorage DetectorType = 931 + DetectorType_PlanetScaleDb DetectorType = 932 ) // Enum value maps for DetectorType. @@ -1936,6 +1937,7 @@ var ( 929: "Tailscale", 930: "Web3Storage", 931: "AzureStorage", + 932: "PlanetScaleDb", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -2866,6 +2868,7 @@ var ( "Tailscale": 929, "Web3Storage": 930, "AzureStorage": 931, + "PlanetScaleDb": 932, } ) @@ -3244,7 +3247,7 @@ var file_detectors_proto_rawDesc = []byte{ 0x44, 0x65, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x50, 0x4c, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x42, 0x41, 0x53, 0x45, 0x36, 0x34, 0x10, 0x02, 0x12, - 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x2a, 0xd3, 0x74, 0x0a, 0x0c, 0x44, + 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x2a, 0xe7, 0x74, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, @@ -4178,11 +4181,12 @@ var file_detectors_proto_rawDesc = []byte{ 0x61, 0x69, 0x6c, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x10, 0xa1, 0x07, 0x12, 0x10, 0x0a, 0x0b, 0x57, 0x65, 0x62, 0x33, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x10, 0xa2, 0x07, 0x12, 0x11, 0x0a, 0x0c, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x10, 0xa3, 0x07, - 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, - 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, - 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, - 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, - 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x12, 0x12, 0x0a, 0x0d, 0x50, 0x6c, 0x61, 0x6e, 0x65, 0x74, 0x53, 0x63, 0x61, 0x6c, 0x65, 0x44, + 0x62, 0x10, 0xa4, 0x07, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, + 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, + 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/proto/detectors.proto b/proto/detectors.proto index a19603c0d..3be8f02c2 100644 --- a/proto/detectors.proto +++ b/proto/detectors.proto @@ -940,6 +940,7 @@ enum DetectorType { Tailscale = 929; Web3Storage = 930; AzureStorage = 931; + PlanetScaleDb = 932; } message Result {