From 1b4ca8a0f9dde30820f55d71a905deff578fefed Mon Sep 17 00:00:00 2001 From: Richard Gomez Date: Tue, 18 Jun 2024 09:53:52 -0400 Subject: [PATCH] feat(hubspot): unify v1 and v2 implementation --- .../v1/hubspot_apikey_v1.go} | 14 ++- .../v1/hubspot_apikey_v1_test.go} | 3 +- .../hubspot_apikey/v2/hubspot_apikey_v2.go | 104 ++++++++++++++++++ .../v2/hubspot_apikey_v2_test.go} | 3 +- .../hubspotapikeyv2/hubspotapikeyv2.go | 79 ------------- pkg/engine/defaults.go | 9 +- 6 files changed, 120 insertions(+), 92 deletions(-) rename pkg/detectors/{hubspotapikey/hubspotapikey.go => hubspot_apikey/v1/hubspot_apikey_v1.go} (93%) rename pkg/detectors/{hubspotapikey/hubspotapikey_test.go => hubspot_apikey/v1/hubspot_apikey_v1_test.go} (99%) create mode 100644 pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2.go rename pkg/detectors/{hubspotapikeyv2/hubspotapikeyv2_test.go => hubspot_apikey/v2/hubspot_apikey_v2_test.go} (99%) delete mode 100644 pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go diff --git a/pkg/detectors/hubspotapikey/hubspotapikey.go b/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1.go similarity index 93% rename from pkg/detectors/hubspotapikey/hubspotapikey.go rename to pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1.go index 24f81b55bd8f..91488f3663da 100644 --- a/pkg/detectors/hubspotapikey/hubspotapikey.go +++ b/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1.go @@ -1,4 +1,4 @@ -package hubspotapikey +package v1 import ( "context" @@ -17,11 +17,13 @@ type Scanner struct { client *http.Client } -func (s Scanner) Version() int { return 1 } - // Ensure the Scanner satisfies the interface at compile time. -var _ detectors.Detector = (*Scanner)(nil) -var _ detectors.Versioner = (*Scanner)(nil) +var _ interface { + detectors.Detector + detectors.Versioner +} = (*Scanner)(nil) + +func (s Scanner) Version() int { return 1 } var ( defaultClient = common.SaneHttpClient() @@ -32,7 +34,7 @@ var ( // Keywords are used for efficiently pre-filtering chunks. // Use identifiers in the secret preferably, or the provider name. func (s Scanner) Keywords() []string { - return []string{"hubspot", "hubapi", "hapikey", "hapi_key"} + return []string{"hubapi", "hapikey", "hapi_key", "hubspot"} } // FromData will find and optionally verify HubSpotApiKey secrets in a given set of bytes. diff --git a/pkg/detectors/hubspotapikey/hubspotapikey_test.go b/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1_test.go similarity index 99% rename from pkg/detectors/hubspotapikey/hubspotapikey_test.go rename to pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1_test.go index 8c8a819c498d..613eb2714eab 100644 --- a/pkg/detectors/hubspotapikey/hubspotapikey_test.go +++ b/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1_test.go @@ -1,7 +1,7 @@ //go:build detectors // +build detectors -package hubspotapikey +package v1 import ( "context" @@ -10,6 +10,7 @@ import ( "time" "github.com/kylelemons/godebug/pretty" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" "github.com/trufflesecurity/trufflehog/v3/pkg/common" diff --git a/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2.go b/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2.go new file mode 100644 index 000000000000..d328ca675dfb --- /dev/null +++ b/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2.go @@ -0,0 +1,104 @@ +package v2 + +import ( + "context" + "io" + + // "log" + "fmt" + "net/http" + + regexp "github.com/wasilibs/go-re2" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct { + client *http.Client +} + +func (s Scanner) Version() int { return 2 } + +// Ensure the Scanner satisfies the interface at compile time. +var _ interface { + detectors.Detector + detectors.Versioner +} = (*Scanner)(nil) + +var ( + defaultClient = common.SaneHttpClient() + + keyPat = regexp.MustCompile(`\b(pat-(?:eu|na1)-[A-Za-z0-9]{8}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{12})\b`) +) + +// Keywords are used for efficiently pre-filtering chunks. +// Use identifiers in the secret preferably, or the provider name. +func (s Scanner) Keywords() []string { + return []string{"pat-na1-", "pat-eu1-"} +} + +// FromData will find and optionally verify HubSpotApiKey secrets in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + uniqueMatches := make(map[string]struct{}) + for _, match := range keyPat.FindAllStringSubmatch(dataStr, -1) { + uniqueMatches[match[1]] = struct{}{} + } + + for token := range uniqueMatches { + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_HubSpotApiKey, + Raw: []byte(token), + Redacted: token[8:] + "...", + } + + if verify { + client := s.client + if client == nil { + client = defaultClient + } + + verified, verificationErr := verifyToken(ctx, client, token) + s1.Verified = verified + s1.SetVerificationError(verificationErr) + } + + results = append(results, s1) + } + + return results, nil +} +func verifyToken(ctx context.Context, client *http.Client, token string) (bool, error) { + req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://api.hubapi.com/account-info/v3/api-usage/daily/private-apps", nil) + if err != nil { + return false, err + } + req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token)) + res, err := client.Do(req) + if err != nil { + return false, err + } + defer func() { + _, _ = io.Copy(io.Discard, res.Body) + _ = res.Body.Close() + }() + + switch res.StatusCode { + case http.StatusOK: + return true, nil + case http.StatusUnauthorized: + return false, nil + case http.StatusForbidden: + // The token is valid but lacks permission for the endpoint. + return true, nil + default: + return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) + } +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_HubSpotApiKey +} diff --git a/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2_test.go b/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2_test.go similarity index 99% rename from pkg/detectors/hubspotapikeyv2/hubspotapikeyv2_test.go rename to pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2_test.go index e95cff8093a2..1ef20436d446 100644 --- a/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2_test.go +++ b/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2_test.go @@ -1,7 +1,7 @@ //go:build detectors // +build detectors -package hubspotapikeyv2 +package v2 import ( "context" @@ -10,6 +10,7 @@ import ( "time" "github.com/kylelemons/godebug/pretty" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" "github.com/trufflesecurity/trufflehog/v3/pkg/common" diff --git a/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go b/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go deleted file mode 100644 index d31757e954c2..000000000000 --- a/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go +++ /dev/null @@ -1,79 +0,0 @@ -package hubspotapikeyv2 - -import ( - "context" - // "log" - regexp "github.com/wasilibs/go-re2" - "net/http" - "strings" - "fmt" - - "github.com/trufflesecurity/trufflehog/v3/pkg/common" - "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" - "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" -) - -type Scanner struct{} - -func (s Scanner) Version() int { return 2 } - -// Ensure the Scanner satisfies the interface at compile time. -var _ detectors.Detector = (*Scanner)(nil) -var _ detectors.Versioner = (*Scanner)(nil) - -var ( - client = common.SaneHttpClient() - - keyPat = regexp.MustCompile(`\b(pat-na1-[A-Za-z0-9]{8}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{12})\b`) -) - -// Keywords are used for efficiently pre-filtering chunks. -// Use identifiers in the secret preferably, or the provider name. -func (s Scanner) Keywords() []string { - return []string{"pat-na1-"} -} - -// FromData will find and optionally verify HubSpotApiKey secrets in a given set of bytes. -func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { - dataStr := string(data) - - matches := keyPat.FindAllStringSubmatch(dataStr, -1) - for _, match := range matches { - if len(match) != 2 { - continue - } - resMatch := strings.TrimSpace(match[1]) - - s1 := detectors.Result{ - DetectorType: detectorspb.DetectorType_HubSpotApiKey, - Raw: []byte(resMatch), - } - - if verify { - req, err := http.NewRequestWithContext(ctx, "GET", "https://api.hubapi.com/account-info/v3/api-usage/daily/private-apps", nil) - if err != nil { - continue - } - req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", resMatch)) - res, err := client.Do(req) - if err == nil { - defer res.Body.Close() - if res.StatusCode >= 200 && res.StatusCode < 300 { - s1.Verified = true - } else { - if detectors.IsKnownFalsePositive(resMatch, detectors.DefaultFalsePositives, true) { - continue - } - } - } - } - - results = append(results, s1) - } - - return results, nil -} - -func (s Scanner) Type() detectorspb.DetectorType { - return detectorspb.DetectorType_HubSpotApiKey -} diff --git a/pkg/engine/defaults.go b/pkg/engine/defaults.go index 3552ef7dfad0..9bd4511a4c4f 100644 --- a/pkg/engine/defaults.go +++ b/pkg/engine/defaults.go @@ -330,8 +330,8 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/honeycomb" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/host" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/html2pdf" - "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hubspotapikey" - "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hubspotapikeyv2" + hubspot_apikey_v1 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hubspot_apikey/v1" + hubspot_apikey_v2 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hubspot_apikey/v2" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/huggingface" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/humanity" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hunter" @@ -852,7 +852,7 @@ func DefaultDetectors() []detectors.Detector { &rapidapi.Scanner{}, &discordbottoken.Scanner{}, &netlify.Scanner{}, - &hubspotapikey.Scanner{}, + &hubspot_apikey_v1.Scanner{}, &travisci.Scanner{}, &scalewaykey.Scanner{}, &fastlypersonaltoken.Scanner{}, @@ -1611,8 +1611,7 @@ func DefaultDetectors() []detectors.Detector { groq.Scanner{}, twitterconsumerkey.Scanner{}, eraser.Scanner{}, - jiratoken_v2.Scanner{}, - hubspotapikeyv2.Scanner{}, + &hubspot_apikey_v2.Scanner{}, } }