Use bad json in slackwebhooks #2193

rosecodym · 2023-12-08T21:45:24Z

Description:

We're seeing some misbehavior from the existing SlackWebhook detector. The current implementation relies on undocumented Slack API behavior, and this version relies on defined behavior instead.

HOWEVER I'm still not sure what exactly #1761 was solving, and I don't want to change things until I can make sure that my new solution solves it too. (Also this doesn't build because I need to juggle our test secrets anyway.)

Checklist:

Tests passing (make test-community)?
Lint passing (make lint this requires golangci-lint)?

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [trufflesecurity/trufflehog](https://togithub.com/trufflesecurity/trufflehog) | action | patch | `v3.63.2` -> `v3.63.3` | --- ### Release Notes <details> <summary>trufflesecurity/trufflehog (trufflesecurity/trufflehog)</summary> ### [`v3.63.3`](https://togithub.com/trufflesecurity/trufflehog/releases/tag/v3.63.3) [Compare Source](https://togithub.com/trufflesecurity/trufflehog/compare/v3.63.2...v3.63.3) #### What's Changed - Use forked sevenzip by [@bill-rich](https://togithub.com/bill-rich) in [trufflesecurity/trufflehog#2180 - fixing how to rotate URL by [@dylanTruffle](https://togithub.com/dylanTruffle) in [trufflesecurity/trufflehog#2183 - \[fixup] - Skip trying to determine MIME type for directories by [@ahrav](https://togithub.com/ahrav) in [trufflesecurity/trufflehog#2178 - \[feat] - Remove go-git dependency by [@ahrav](https://togithub.com/ahrav) in [trufflesecurity/trufflehog#2174 - remove unnecessary Git cmd check by [@ahrav](https://togithub.com/ahrav) in [trufflesecurity/trufflehog#2175 - \[chore] - use https for verification endpoints by [@ahrav](https://togithub.com/ahrav) in [trufflesecurity/trufflehog#2185 - allow targets for the source manager by [@ahrav](https://togithub.com/ahrav) in [trufflesecurity/trufflehog#2182 - Deprecate some detectors by [@dustin-decker](https://togithub.com/dustin-decker) in [trufflesecurity/trufflehog#2186 - \[chore] - update regex by [@ahrav](https://togithub.com/ahrav) in [trufflesecurity/trufflehog#2184 - \[chore] - Compile regex once by [@ahrav](https://togithub.com/ahrav) in [trufflesecurity/trufflehog#2176 - Remove Java archives from ignored extensions by [@rosecodym](https://togithub.com/rosecodym) in [trufflesecurity/trufflehog#2188 - \[chore] - Refactor common code into a separate function by [@ahrav](https://togithub.com/ahrav) in [trufflesecurity/trufflehog#2179 - \[feat] - add metrics for gitlab by [@ahrav](https://togithub.com/ahrav) in [trufflesecurity/trufflehog#2190 - \[bug] - move logic to main Chunks method by [@ahrav](https://togithub.com/ahrav) in [trufflesecurity/trufflehog#2194 - \[fixup] - skip files in the archive handler by [@ahrav](https://togithub.com/ahrav) in [trufflesecurity/trufflehog#2195 - Check private keys concurrently by [@rgmz](https://togithub.com/rgmz) in [trufflesecurity/trufflehog#2139 - Propagate TruffleHog context to handlers by [@rgmz](https://togithub.com/rgmz) in [trufflesecurity/trufflehog#2191 - \[bug] - close file after reading by [@ahrav](https://togithub.com/ahrav) in [trufflesecurity/trufflehog#2203 - Use bad json in slackwebhooks by [@rosecodym](https://togithub.com/rosecodym) in [trufflesecurity/trufflehog#2193 - Add disk buffer tempfile cleanup by [@codevbus](https://togithub.com/codevbus) in [trufflesecurity/trufflehog#2130 - \[chore] Remove omitempty tags on JobProgressMetrics and UnitMetrics by [@mcastorina](https://togithub.com/mcastorina) in [trufflesecurity/trufflehog#2204 - Fix azurestorage detector by [@0x1](https://togithub.com/0x1) in [trufflesecurity/trufflehog#2207 - fix and refactor browserstack detector by [@0x1](https://togithub.com/0x1) in [trufflesecurity/trufflehog#2208 - \[chore] Remove unnecessary string conversion in tefter detector by [@mcastorina](https://togithub.com/mcastorina) in [trufflesecurity/trufflehog#2209 - Update metabase verification to check for a valid JSON response by [@mcastorina](https://togithub.com/mcastorina) in [trufflesecurity/trufflehog#2210 **Full Changelog**: trufflesecurity/trufflehog@v3.63.2...v3.63.3 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/matter-labs/vault-auth-tee).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

rosecodym and others added 4 commits December 8, 2023 14:31

add rotation guides to SlackWebhook tests

681e719

begin cleaning up tests

09e0195

have slack webhook detector use malformed json

fb6e8e9

update test secrets

cb7a3a1

ahrav marked this pull request as ready for review December 11, 2023 22:09

ahrav requested a review from a team as a code owner December 11, 2023 22:09

mcastorina approved these changes Dec 11, 2023

View reviewed changes

ahrav merged commit 405f356 into main Dec 11, 2023
9 checks passed

ahrav deleted the use-bad-json-in-slackwebhooks branch December 11, 2023 23:04

ahrav mentioned this pull request Jan 23, 2024

The Slack Webhook verifier returns False even for active secrets. #2177

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use bad json in slackwebhooks #2193

Use bad json in slackwebhooks #2193

rosecodym commented Dec 8, 2023

Use bad json in slackwebhooks #2193

Use bad json in slackwebhooks #2193

Conversation

rosecodym commented Dec 8, 2023

Description:

Checklist: