Detector-Competition-Fix: Add Personal Access Tokens (API Tokens Depr… (

#1871) * Detector-Competition-Fix: Add Personal Access Tokens (API Tokens Depreciation) * fix(test): fix test debug msg * remove print
trufflesecurity · Oct 16, 2023 · 072e1f9 · 072e1f9
1 parent 5c721d1
commit 072e1f9
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/pkg/detectors/airtableapikey/airtableapikey.go b/pkg/detectors/airtableapikey/airtableapikey.go
@@ -2,6 +2,7 @@ package airtableapikey
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"net/http"
 	"regexp"
@@ -20,8 +21,9 @@ var _ detectors.Detector = (*Scanner)(nil)
 var (
 	client = common.SaneHttpClient()
 
-	appPat = regexp.MustCompile(`(app[a-zA-Z0-9_-]{14})`) // could be part of url
-	keyPat = regexp.MustCompile(`\b(key[a-zA-Z0-9_-]{14})\b`)
+	appPat      = regexp.MustCompile(`(app[a-zA-Z0-9_-]{14})`) // could be part of url
+	keyPat      = regexp.MustCompile(`\b(key[a-zA-Z0-9_-]{14})\b`)
+	personalPat = regexp.MustCompile(`(\bpat[[:alnum:]]{14}\.[[:alnum:]]{64}\b)`)
 )
 
 // Keywords are used for efficiently pre-filtering chunks.
@@ -30,17 +32,31 @@ func (s Scanner) Keywords() []string {
 	return []string{"airtable"}
 }
 
+type response struct {
+	Error struct {
+		Type    string `json:"type"`
+		Message string `json:"message"`
+	} `json:"error"`
+}
+
 // FromData will find and optionally verify AirtableApiKey secrets in a given set of bytes.
 func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
 	dataStr := string(data)
 
 	appMatches := appPat.FindAllStringSubmatch(dataStr, -1)
 	keyMatches := keyPat.FindAllStringSubmatch(dataStr, -1)
+	personalKeyMatches := personalPat.FindAllStringSubmatch(dataStr, -1)
+
+	if len(keyMatches) == 0 {
+		keyMatches = personalKeyMatches
+
+	}
 
 	for _, keyMatch := range keyMatches {
 		if len(keyMatch) != 2 {
 			continue
 		}
+
 		keyRes := strings.TrimSpace(keyMatch[1])
 
 		for _, appMatch := range appMatches {
@@ -67,6 +83,15 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 					defer res.Body.Close()
 					if res.StatusCode >= 200 && res.StatusCode < 300 {
 						s1.Verified = true
+					} else if res.StatusCode == 403 {
+						var resp response
+						if err = json.NewDecoder(res.Body).Decode(&resp); err == nil {
+							// check if the error is due to invalid permissions or model not found
+							if resp.Error.Type == "INVALID_PERMISSIONS_OR_MODEL_NOT_FOUND" {
+								// The key is verified as it works, but the user must enumerate the tables or permissions for the key.
+								s1.Verified = true
+							}
+						}
 					} else {
 						if detectors.IsKnownFalsePositive(keyRes, detectors.DefaultFalsePositives, true) {
 							continue

diff --git a/pkg/detectors/airtableapikey/airtableapikey_test.go b/pkg/detectors/airtableapikey/airtableapikey_test.go
@@ -9,9 +9,10 @@ import (
 	"testing"
 	"time"
 
-	"github.com/kylelemons/godebug/pretty"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
 
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
 )
@@ -99,8 +100,9 @@ func TestAirtableApiKey_FromChunk(t *testing.T) {
 				}
 				got[i].Raw = nil
 			}
-			if diff := pretty.Compare(got, tt.want); diff != "" {
-				t.Errorf("AirtableApiKey.FromData() %s diff: (-got +want)\n%s", tt.name, diff)
+			ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "RawV2", "VerificationError")
+			if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" {
+				t.Errorf("Airtable.FromData() %s diff: (-got +want)\n%s", tt.name, diff)
 			}
 		})
 	}