mirror of
https://github.com/trufflesecurity/trufflehog.git
synced 2024-11-15 01:17:34 +00:00
9d089c2188
* [analyze] Implement Analyzer interface for github * Make github repo and user enumeration configurable * Add AnalysisInfo to github detector * Use AnalyzeAndPrintPermissions from the CLI
250 lines
10 KiB
Go
250 lines
10 KiB
Go
package analyzer
|
|
|
|
import (
|
|
"github.com/alecthomas/kingpin/v2"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/airbrake"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/asana"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/bitbucket"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/github"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/gitlab"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/huggingface"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/mailchimp"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/mailgun"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/mysql"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/openai"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/opsgenie"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/postgres"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/postman"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/sendgrid"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/shopify"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/slack"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/sourcegraph"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/square"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/stripe"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers/twilio"
|
|
"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/config"
|
|
)
|
|
|
|
var (
|
|
// TODO: Add list of supported key types.
|
|
list *kingpin.CmdClause
|
|
showAll *bool
|
|
log *bool
|
|
|
|
githubScan *kingpin.CmdClause
|
|
githubKey *string
|
|
|
|
sendgridScan *kingpin.CmdClause
|
|
sendgridKey *string
|
|
|
|
openAIScan *kingpin.CmdClause
|
|
openaiKey *string
|
|
|
|
postgresScan *kingpin.CmdClause
|
|
postgresConnectionStr *string
|
|
|
|
mysqlScan *kingpin.CmdClause
|
|
mysqlConnectionStr *string
|
|
|
|
// mongodbScan *kingpin.CmdClause
|
|
// mongodbConnectionStr *string
|
|
|
|
slackScan *kingpin.CmdClause
|
|
slackKey *string
|
|
|
|
twilioScan *kingpin.CmdClause
|
|
twilioKey *string
|
|
|
|
airbrakeScan *kingpin.CmdClause
|
|
airbrakeKey *string
|
|
|
|
huggingfaceScan *kingpin.CmdClause
|
|
huggingfaceKey *string
|
|
|
|
stripeScan *kingpin.CmdClause
|
|
stripeKey *string
|
|
|
|
gitlabScan *kingpin.CmdClause
|
|
gitlabKey *string
|
|
|
|
mailchimpScan *kingpin.CmdClause
|
|
mailchimpKey *string
|
|
|
|
// mandrillScan *kingpin.CmdClause
|
|
// mandrillKey *string
|
|
|
|
postmanScan *kingpin.CmdClause
|
|
postmanKey *string
|
|
|
|
bitbucketScan *kingpin.CmdClause
|
|
bitbucketKey *string
|
|
|
|
asanaScan *kingpin.CmdClause
|
|
asanaKey *string
|
|
|
|
mailgunScan *kingpin.CmdClause
|
|
mailgunKey *string
|
|
|
|
squareScan *kingpin.CmdClause
|
|
squareKey *string
|
|
|
|
sourcegraphScan *kingpin.CmdClause
|
|
sourcegraphKey *string
|
|
|
|
shopifyScan *kingpin.CmdClause
|
|
shopifyKey *string
|
|
shopifyStoreURL *string
|
|
|
|
opsgenieScan *kingpin.CmdClause
|
|
opsgenieKey *string
|
|
)
|
|
|
|
func Command(app *kingpin.Application) *kingpin.CmdClause {
|
|
// TODO: Add list of supported key types.
|
|
cli := app.Command("analyze", "Analyze API keys for fine-grained permissions information").Hidden()
|
|
list = cli.Command("list", "List supported API providers")
|
|
showAll = cli.Flag("show-all", "Show all data, including permissions not available to this account + publicly-available data related to this account.").Default("false").Bool()
|
|
log = cli.Flag("log", "Log all HTTP requests sent during analysis to a file").Default("false").Bool()
|
|
|
|
githubScan = cli.Command("github", "Scan a GitHub API key")
|
|
githubKey = githubScan.Arg("key", "GitHub Key.").Required().String()
|
|
|
|
sendgridScan = cli.Command("sendgrid", "Scan a Sendgrid API key")
|
|
sendgridKey = sendgridScan.Arg("key", "Sendgrid Key.").Required().String()
|
|
|
|
openAIScan = cli.Command("openai", "Scan an OpenAI API key")
|
|
openaiKey = openAIScan.Arg("key", "OpenAI Key.").Required().String()
|
|
|
|
postgresScan = cli.Command("postgres", "Scan a Postgres connection string")
|
|
postgresConnectionStr = postgresScan.Arg("connection-string", "Postgres Connection String. As a reference, here's an example: postgresql://[user[:password]@][netloc][:port][/dbname][?param1=value1&...]").Required().String()
|
|
|
|
mysqlScan = cli.Command("mysql", "Scan a MySQL connection string")
|
|
mysqlConnectionStr = mysqlScan.Arg("connection-string", "MySQL Connection String. As a reference, here's an example: mysql://[user[:password]@][netloc][:port][/dbname][?param1=value1&...]").Required().String()
|
|
|
|
// mongodbScan = cli.Command("mongodb", "Scan a MongoDB connection string")
|
|
// mongodbConnectionStr = mongodbScan.Arg("connection-string", "MongoDB Connection String. As a reference, here's an example: mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[defaultauthdb][?options]]").Required().String()
|
|
|
|
slackScan = cli.Command("slack", "Scan a Slack API key")
|
|
slackKey = slackScan.Arg("key", "Slack Key.").Required().String()
|
|
|
|
twilioScan = cli.Command("twilio", "Scan a Twilio API key")
|
|
twilioKey = twilioScan.Arg("key", "Twilio API Key SID & Secret (ex: keySID:keySecret).").Required().String()
|
|
|
|
airbrakeScan = cli.Command("airbrake", "Scan an Airbrake User Key or Token")
|
|
airbrakeKey = airbrakeScan.Arg("key", "Airbrake User Key or Token.").Required().String()
|
|
|
|
huggingfaceScan = cli.Command("huggingface", "Scan a Huggingface API key")
|
|
huggingfaceKey = huggingfaceScan.Arg("key", "Huggingface Key.").Required().String()
|
|
|
|
stripeScan = cli.Command("stripe", "Scan a Stripe API key")
|
|
stripeKey = stripeScan.Arg("key", "Stripe Key.").Required().String()
|
|
|
|
gitlabScan = cli.Command("gitlab", "Scan a GitLab API key")
|
|
gitlabKey = gitlabScan.Arg("key", "GitLab Key.").Required().String()
|
|
|
|
mailchimpScan = cli.Command("mailchimp", "Scan a Mailchimp API key")
|
|
mailchimpKey = mailchimpScan.Arg("key", "Mailchimp Key.").Required().String()
|
|
|
|
// mandrillScan = cli.Command("mandrill", "Scan a Mandrill API key")
|
|
// mandrillKey = mandrillScan.Arg("key", "Mandril Key.").Required().String()
|
|
|
|
postmanScan = cli.Command("postman", "Scan a Postman API key")
|
|
postmanKey = postmanScan.Arg("key", "Postman Key.").Required().String()
|
|
|
|
bitbucketScan = cli.Command("bitbucket", "Scan a Bitbucket Access Token")
|
|
bitbucketKey = bitbucketScan.Arg("key", "Bitbucket Access Token.").Required().String()
|
|
|
|
asanaScan = cli.Command("asana", "Scan an Asana API key")
|
|
asanaKey = asanaScan.Arg("key", "Asana Key.").Required().String()
|
|
|
|
mailgunScan = cli.Command("mailgun", "Scan a Mailgun API key")
|
|
mailgunKey = mailgunScan.Arg("key", "Mailgun Key.").Required().String()
|
|
|
|
squareScan = cli.Command("square", "Scan a Square API key")
|
|
squareKey = squareScan.Arg("key", "Square Key.").Required().String()
|
|
|
|
sourcegraphScan = cli.Command("sourcegraph", "Scan a Sourcegraph Access Token")
|
|
sourcegraphKey = sourcegraphScan.Arg("key", "Sourcegraph Access Token.").Required().String()
|
|
|
|
shopifyScan = cli.Command("shopify", "Scan a Shopify API key")
|
|
shopifyKey = shopifyScan.Arg("key", "Shopify Key.").Required().String()
|
|
shopifyStoreURL = shopifyScan.Arg("store-url", "Shopify Store Domain (ex: 22297c-c6.myshopify.com).").Required().String()
|
|
|
|
opsgenieScan = cli.Command("opsgenie", "Scan an Opsgenie API key")
|
|
opsgenieKey = opsgenieScan.Arg("key", "Opsgenie Key.").Required().String()
|
|
|
|
return cli
|
|
}
|
|
|
|
func Run(cmd string) {
|
|
// Initialize configuration
|
|
cfg := &config.Config{
|
|
LoggingEnabled: *log,
|
|
ShowAll: *showAll,
|
|
}
|
|
switch cmd {
|
|
case list.FullCommand():
|
|
panic("todo")
|
|
case githubScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("github")
|
|
github.AnalyzeAndPrintPermissions(cfg, *githubKey)
|
|
case sendgridScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("sendgrid")
|
|
sendgrid.AnalyzePermissions(cfg, *sendgridKey)
|
|
case openAIScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("openai")
|
|
openai.AnalyzeAndPrintPermissions(cfg, *openaiKey)
|
|
case postgresScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("postgres")
|
|
postgres.AnalyzePermissions(cfg, *postgresConnectionStr)
|
|
case mysqlScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("mysql")
|
|
mysql.AnalyzePermissions(cfg, *mysqlConnectionStr)
|
|
case slackScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("slack")
|
|
slack.AnalyzePermissions(cfg, *slackKey)
|
|
case twilioScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("twilio")
|
|
twilio.AnalyzePermissions(cfg, *twilioKey)
|
|
case airbrakeScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("airbrake")
|
|
airbrake.AnalyzePermissions(cfg, *airbrakeKey)
|
|
case huggingfaceScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("huggingface")
|
|
huggingface.AnalyzePermissions(cfg, *huggingfaceKey)
|
|
case stripeScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("stripe")
|
|
stripe.AnalyzePermissions(cfg, *stripeKey)
|
|
case gitlabScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("gitlab")
|
|
gitlab.AnalyzePermissions(cfg, *gitlabKey)
|
|
case mailchimpScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("mailchimp")
|
|
mailchimp.AnalyzePermissions(cfg, *mailchimpKey)
|
|
case postmanScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("postman")
|
|
postman.AnalyzePermissions(cfg, *postmanKey)
|
|
case bitbucketScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("bitbucket")
|
|
bitbucket.AnalyzePermissions(cfg, *bitbucketKey)
|
|
case asanaScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("asana")
|
|
asana.AnalyzePermissions(cfg, *asanaKey)
|
|
case mailgunScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("mailgun")
|
|
mailgun.AnalyzePermissions(cfg, *mailgunKey)
|
|
case squareScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("square")
|
|
square.AnalyzePermissions(cfg, *squareKey)
|
|
case sourcegraphScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("sourcegraph")
|
|
sourcegraph.AnalyzePermissions(cfg, *sourcegraphKey)
|
|
case shopifyScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("shopify")
|
|
shopify.AnalyzePermissions(cfg, *shopifyKey, *shopifyStoreURL)
|
|
case opsgenieScan.FullCommand():
|
|
cfg.LogFile = analyzers.CreateLogFileName("opsgenie")
|
|
opsgenie.AnalyzePermissions(cfg, *opsgenieKey)
|
|
}
|
|
}
|