diff --git a/pkg/detectors/waveapps/waveapps.go b/pkg/detectors/waveapps/waveapps.go new file mode 100644 index 000000000000..6fa6893cb485 --- /dev/null +++ b/pkg/detectors/waveapps/waveapps.go @@ -0,0 +1,139 @@ +package waveapps + +import ( + "context" + "encoding/json" + "fmt" + "io" + "net/http" + "strings" + + regexp "github.com/wasilibs/go-re2" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +// graphQLResponse represents the response from the Waveapps GraphQL API. +type graphQLResponse struct { + Data struct { + User struct { + ID string `json:"id"` + } `json:"user"` + } `json:"data"` + Errors []interface{} `json:"errors"` +} + +type Scanner struct { + client *http.Client +} + +const waveappsURL = "https://gql.waveapps.com/graphql/public" + +var ( + // Ensure the Scanner satisfies the interface at compile time. + _ detectors.Detector = (*Scanner)(nil) + + defaultClient = common.SaneHttpClient() + + // Wave payment tokens have distinct prefixes: wave_sn_prod_ or wave_ci_prod_ + // These are Waveapps (waveapps.com) API token types, not country codes. + // Ref: https://developer.waveapps.com/hc/en-us/articles/360018856751-Authentication + keyPat = regexp.MustCompile(`\b(wave_(?:sn|ci)_prod_[A-Za-z0-9_-]{30,})\b`) +) + +// Keywords are used for efficiently pre-filtering chunks. +func (s Scanner) Keywords() []string { + return []string{"wave_sn_prod_", "wave_ci_prod_"} +} + +func (s Scanner) getClient() *http.Client { + if s.client != nil { + return s.client + } + return defaultClient +} + +// FromData will find and optionally verify Waveapps secrets in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + matches := keyPat.FindAllStringSubmatch(dataStr, -1) + + for _, match := range matches { + resMatch := strings.TrimSpace(match[1]) + + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_Waveapps, + Raw: []byte(resMatch), + } + + if verify { + client := s.getClient() + isVerified, verificationErr := verifyWaveapps(ctx, client, resMatch) + s1.Verified = isVerified + s1.SetVerificationError(verificationErr, resMatch) + } + + results = append(results, s1) + } + + return results, nil +} + +func verifyWaveapps(ctx context.Context, client *http.Client, token string) (bool, error) { + // Use a simple user query to verify the token is valid. + payload := strings.NewReader(`{"query":"{ user { id } }"}`) + req, err := http.NewRequestWithContext(ctx, http.MethodPost, waveappsURL, payload) + if err != nil { + return false, err + } + req.Header.Set("Authorization", "Bearer "+token) + req.Header.Set("Content-Type", "application/json") + + res, err := client.Do(req) + if err != nil { + return false, err + } + defer func() { + _, _ = io.Copy(io.Discard, res.Body) + res.Body.Close() + }() + + body, err := io.ReadAll(res.Body) + if err != nil { + return false, err + } + + switch res.StatusCode { + case http.StatusOK: + var resp graphQLResponse + if err := json.Unmarshal(body, &resp); err != nil { + return false, err + } + + // If GraphQL returned errors, the token is invalid. + if len(resp.Errors) > 0 { + return false, nil + } + + // A valid token returns a non-empty user ID. + if resp.Data.User.ID != "" { + return true, nil + } + return false, nil + case http.StatusUnauthorized, http.StatusForbidden: + return false, nil + default: + return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) + } +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_Waveapps +} + +func (s Scanner) Description() string { + return "Waveapps is a financial software platform for small businesses. Waveapps API tokens can be used to access payment and invoicing data via their GraphQL API." +} diff --git a/pkg/detectors/waveapps/waveapps_integration_test.go b/pkg/detectors/waveapps/waveapps_integration_test.go new file mode 100644 index 000000000000..7c46e7231b92 --- /dev/null +++ b/pkg/detectors/waveapps/waveapps_integration_test.go @@ -0,0 +1,161 @@ +//go:build detectors +// +build detectors + +package waveapps + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +func TestWaveapps_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors5") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + secret := testSecrets.MustGetField("WAVEAPPS") + inactiveSecret := testSecrets.MustGetField("WAVEAPPS_INACTIVE") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + wantVerificationErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: ctx, + data: []byte(fmt.Sprintf("You can find a waveapps secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_Waveapps, + Verified: true, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: ctx, + data: []byte(fmt.Sprintf("You can find a waveapps secret %s within but not valid", inactiveSecret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_Waveapps, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, would be verified if not for timeout", + s: Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a waveapps secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_Waveapps, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + { + name: "found, verified but unexpected api surface", + s: Scanner{client: common.ConstantResponseHttpClient(500, "")}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a waveapps secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_Waveapps, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("Waveapps.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + if (got[i].VerificationError() != nil) != tt.wantVerificationErr { + t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError()) + } + } + ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "verificationError") + if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" { + t.Errorf("Waveapps.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := Scanner{} + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + b.ResetTimer() + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} diff --git a/pkg/detectors/waveapps/waveapps_test.go b/pkg/detectors/waveapps/waveapps_test.go new file mode 100644 index 000000000000..50e3a3078450 --- /dev/null +++ b/pkg/detectors/waveapps/waveapps_test.go @@ -0,0 +1,104 @@ +package waveapps + +import ( + "context" + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/require" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" +) + +func TestWaveapps_Pattern(t *testing.T) { + d := Scanner{} + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + + tests := []struct { + name string + input string + want []string + }{ + { + name: "valid pattern - sn token", + input: ` + [INFO] Wave payment configuration + WAVE_SN_PAYMENT_TOKEN=wave_sn_prod_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6 + [INFO] Processing payments + `, + want: []string{"wave_sn_prod_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"}, + }, + { + name: "valid pattern - ci token", + input: ` + [DEBUG] Using CI payment token + WAVE_CI_PAYMENT_TOKEN=wave_ci_prod_x9y8w7v6u5t4s3r2q1p0o9n8m7l6k5j4 + [INFO] Token loaded + `, + want: []string{"wave_ci_prod_x9y8w7v6u5t4s3r2q1p0o9n8m7l6k5j4"}, + }, + { + name: "valid pattern - in config file", + input: ` + payment: + provider: waveapps + token: wave_sn_prod_abc123def456ghi789jkl012mno345pq + `, + want: []string{"wave_sn_prod_abc123def456ghi789jkl012mno345pq"}, + }, + { + name: "invalid pattern - too short", + input: ` + WAVE_TOKEN=wave_sn_prod_tooshort + `, + want: nil, + }, + { + name: "invalid pattern - wrong prefix", + input: ` + TOKEN=wave_xx_prod_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6 + `, + want: nil, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 { + if len(test.want) == 0 { + return + } + t.Errorf("test %q failed: expected keywords %v to be found in the input", test.name, d.Keywords()) + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + require.NoError(t, err) + + if len(results) != len(test.want) { + t.Errorf("mismatch in result count: expected %d, got %d", len(test.want), len(results)) + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} diff --git a/pkg/engine/defaults/defaults.go b/pkg/engine/defaults/defaults.go index fee8a40f19e9..653bd64179ac 100644 --- a/pkg/engine/defaults/defaults.go +++ b/pkg/engine/defaults/defaults.go @@ -818,6 +818,7 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/vultrapikey" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/vyte" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/walkscore" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/waveapps" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/weatherbit" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/weatherstack" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/web3storage" @@ -1706,6 +1707,7 @@ func buildDetectorList() []detectors.Detector { &vultrapikey.Scanner{}, &vyte.Scanner{}, &walkscore.Scanner{}, + &waveapps.Scanner{}, &weatherbit.Scanner{}, &weatherstack.Scanner{}, &web3storage.Scanner{}, diff --git a/pkg/pb/detectorspb/detectors.pb.go b/pkg/pb/detectorspb/detectors.pb.go index 601a7fd26e40..83474d10e9a0 100644 --- a/pkg/pb/detectorspb/detectors.pb.go +++ b/pkg/pb/detectorspb/detectors.pb.go @@ -1149,6 +1149,7 @@ const ( DetectorType_OpenAIAdmin DetectorType = 1040 DetectorType_GoogleGeminiAPIKey DetectorType = 1041 DetectorType_ArtifactoryReferenceToken DetectorType = 1042 + DetectorType_Waveapps DetectorType = 1043 ) // Enum value maps for DetectorType. @@ -2193,6 +2194,7 @@ var ( 1040: "OpenAIAdmin", 1041: "GoogleGeminiAPIKey", 1042: "ArtifactoryReferenceToken", + 1043: "Waveapps", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -3234,6 +3236,7 @@ var ( "OpenAIAdmin": 1040, "GoogleGeminiAPIKey": 1041, "ArtifactoryReferenceToken": 1042, + "Waveapps": 1043, } ) @@ -3687,7 +3690,7 @@ var file_detectors_proto_rawDesc = []byte{ 0x4c, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x42, 0x41, 0x53, 0x45, 0x36, 0x34, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x12, 0x13, 0x0a, 0x0f, 0x45, 0x53, 0x43, 0x41, 0x50, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x49, 0x43, 0x4f, 0x44, 0x45, - 0x10, 0x04, 0x2a, 0x90, 0x87, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x10, 0x04, 0x2a, 0x9f, 0x87, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10, 0x03, 0x12, @@ -4768,11 +4771,12 @@ var file_detectors_proto_rawDesc = []byte{ 0x12, 0x47, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x47, 0x65, 0x6d, 0x69, 0x6e, 0x69, 0x41, 0x50, 0x49, 0x4b, 0x65, 0x79, 0x10, 0x91, 0x08, 0x12, 0x1e, 0x0a, 0x19, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x54, 0x6f, - 0x6b, 0x65, 0x6e, 0x10, 0x92, 0x08, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, - 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, - 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, - 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x6b, 0x65, 0x6e, 0x10, 0x92, 0x08, 0x12, 0x0d, 0x0a, 0x08, 0x57, 0x61, 0x76, 0x65, 0x61, 0x70, + 0x70, 0x73, 0x10, 0x93, 0x08, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, + 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, + 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, + 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/proto/detectors.proto b/proto/detectors.proto index e85ef9ac92bf..bb188bf6a5b4 100644 --- a/proto/detectors.proto +++ b/proto/detectors.proto @@ -1052,6 +1052,7 @@ enum DetectorType { OpenAIAdmin = 1040; GoogleGeminiAPIKey = 1041; ArtifactoryReferenceToken = 1042; + Waveapps = 1043; } message Result {