diff --git a/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1.go b/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1.go new file mode 100644 index 000000000000..91488f3663da --- /dev/null +++ b/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1.go @@ -0,0 +1,103 @@ +package v1 + +import ( + "context" + "fmt" + "io" + "net/http" + // "log" + regexp "github.com/wasilibs/go-re2" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct { + client *http.Client +} + +// Ensure the Scanner satisfies the interface at compile time. +var _ interface { + detectors.Detector + detectors.Versioner +} = (*Scanner)(nil) + +func (s Scanner) Version() int { return 1 } + +var ( + defaultClient = common.SaneHttpClient() + + keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"hubapi", "hapi_?key", "hubspot"}) + `\b([a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12})\b`) +) + +// Keywords are used for efficiently pre-filtering chunks. +// Use identifiers in the secret preferably, or the provider name. +func (s Scanner) Keywords() []string { + return []string{"hubapi", "hapikey", "hapi_key", "hubspot"} +} + +// FromData will find and optionally verify HubSpotApiKey secrets in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + uniqueMatches := make(map[string]struct{}) + for _, match := range keyPat.FindAllStringSubmatch(dataStr, -1) { + uniqueMatches[match[1]] = struct{}{} + } + + for token := range uniqueMatches { + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_HubSpotApiKey, + Raw: []byte(token), + } + + if verify { + client := s.client + if client == nil { + client = defaultClient + } + + verified, verificationErr := verifyToken(ctx, client, token) + s1.Verified = verified + s1.SetVerificationError(verificationErr) + } + + results = append(results, s1) + } + + return results, nil +} + +// See https://legacydocs.hubspot.com/docs/methods/auth/oauth-overview +func verifyToken(ctx context.Context, client *http.Client, token string) (bool, error) { + req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://api.hubapi.com/contacts/v1/lists?hapikey="+token, nil) + if err != nil { + return false, err + } + + res, err := client.Do(req) + if err != nil { + return false, err + } + defer func() { + _, _ = io.Copy(io.Discard, res.Body) + _ = res.Body.Close() + }() + + switch res.StatusCode { + case http.StatusOK: + return true, nil + case http.StatusUnauthorized: + return false, nil + case http.StatusForbidden: + // The token is valid but lacks permission for the endpoint. + return true, nil + default: + return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) + } +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_HubSpotApiKey +} diff --git a/pkg/detectors/hubspotapikey/hubspotapikey_test.go b/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1_integration_test.go similarity index 99% rename from pkg/detectors/hubspotapikey/hubspotapikey_test.go rename to pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1_integration_test.go index 8c8a819c498d..613eb2714eab 100644 --- a/pkg/detectors/hubspotapikey/hubspotapikey_test.go +++ b/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1_integration_test.go @@ -1,7 +1,7 @@ //go:build detectors // +build detectors -package hubspotapikey +package v1 import ( "context" @@ -10,6 +10,7 @@ import ( "time" "github.com/kylelemons/godebug/pretty" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" "github.com/trufflesecurity/trufflehog/v3/pkg/common" diff --git a/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1_test.go b/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1_test.go new file mode 100644 index 000000000000..73379dee639e --- /dev/null +++ b/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1_test.go @@ -0,0 +1,91 @@ +package v1 + +import ( + "context" + "testing" + + "github.com/google/go-cmp/cmp" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" +) + +func TestHubspotV1_Pattern(t *testing.T) { + d := Scanner{} + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + tests := []struct { + name string + input string + want []string + }{ + { + name: "hapikey", + input: `// const hapikey = 'b714cac4-a45c-42af-9905-da4de8838d75'; +const { HAPI_KEY } = process.env; +const hs = new HubSpotAPI({ hapikey: HAPI_KEY });`, + want: []string{"b714cac4-a45c-42af-9905-da4de8838d75"}, + }, + // TODO: Doesn't work because it's more than 40 characters. + // { + // name: "hubapi", + // input: `curl https://api.hubapi.com/contacts/v1/lists/all/contacts/all \ + //--header "Authorization: Bearer b71aa2ed-9c76-417d-bd8e-c5f4980d21ef"`, + // want: []string{"b71aa2ed-9c76-417d-bd8e-c5f4980d21ef"}, + // }, + { + name: "hubspot_1", + input: `const hs = new HubSpotAPI("76a836c8-469d-4426-8a3b-194ca930b7a1"); + +const blogPosts = hs.blog.getPosts({ name: 'Inbound' });`, + want: []string{"76a836c8-469d-4426-8a3b-194ca930b7a1"}, + }, + { + name: "hubspot_2", + input: ` 'hubspot' => [ + // 'api_key' => 'e9ff285d-6b7f-455a-a56d-9ec8c4abbd47', // @ts dev`, + want: []string{"e9ff285d-6b7f-455a-a56d-9ec8c4abbd47"}, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 { + t.Errorf("keywords '%v' not matched by: %s", d.Keywords(), test.input) + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + if err != nil { + t.Errorf("error = %v", err) + return + } + + if len(results) != len(test.want) { + if len(results) == 0 { + t.Errorf("did not receive result") + } else { + t.Errorf("expected %d results, only received %d", len(test.want), len(results)) + } + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} diff --git a/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2.go b/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2.go new file mode 100644 index 000000000000..f1e94e0c853c --- /dev/null +++ b/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2.go @@ -0,0 +1,104 @@ +package v2 + +import ( + "context" + "io" + + // "log" + "fmt" + "net/http" + + regexp "github.com/wasilibs/go-re2" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct { + client *http.Client +} + +func (s Scanner) Version() int { return 2 } + +// Ensure the Scanner satisfies the interface at compile time. +var _ interface { + detectors.Detector + detectors.Versioner +} = (*Scanner)(nil) + +var ( + defaultClient = common.SaneHttpClient() + + keyPat = regexp.MustCompile(`\b(pat-(?:eu|na)1-[A-Za-z0-9]{8}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{12})\b`) +) + +// Keywords are used for efficiently pre-filtering chunks. +// Use identifiers in the secret preferably, or the provider name. +func (s Scanner) Keywords() []string { + return []string{"pat-na1-", "pat-eu1-"} +} + +// FromData will find and optionally verify HubSpotApiKey secrets in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + uniqueMatches := make(map[string]struct{}) + for _, match := range keyPat.FindAllStringSubmatch(dataStr, -1) { + uniqueMatches[match[1]] = struct{}{} + } + + for token := range uniqueMatches { + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_HubSpotApiKey, + Raw: []byte(token), + Redacted: token[8:] + "...", + } + + if verify { + client := s.client + if client == nil { + client = defaultClient + } + + verified, verificationErr := verifyToken(ctx, client, token) + s1.Verified = verified + s1.SetVerificationError(verificationErr) + } + + results = append(results, s1) + } + + return results, nil +} +func verifyToken(ctx context.Context, client *http.Client, token string) (bool, error) { + req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://api.hubapi.com/account-info/v3/api-usage/daily/private-apps", nil) + if err != nil { + return false, err + } + req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token)) + res, err := client.Do(req) + if err != nil { + return false, err + } + defer func() { + _, _ = io.Copy(io.Discard, res.Body) + _ = res.Body.Close() + }() + + switch res.StatusCode { + case http.StatusOK: + return true, nil + case http.StatusUnauthorized: + return false, nil + case http.StatusForbidden: + // The token is valid but lacks permission for the endpoint. + return true, nil + default: + return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) + } +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_HubSpotApiKey +} diff --git a/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2_integration_test.go b/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2_integration_test.go new file mode 100644 index 000000000000..1ef20436d446 --- /dev/null +++ b/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2_integration_test.go @@ -0,0 +1,121 @@ +//go:build detectors +// +build detectors + +package v2 + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/kylelemons/godebug/pretty" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +func TestHubSpotApiKey_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors3") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + secret := testSecrets.MustGetField("HUBSPOTAPIKEY_TOKEN") + inactiveSecret := testSecrets.MustGetField("HUBSPOTAPIKEY_INACTIVE") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a hubspotapikey secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_HubSpotApiKey, + Verified: true, + }, + }, + wantErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a hubspotapikey secret %s within but unverified", inactiveSecret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_HubSpotApiKey, + Verified: false, + }, + }, + wantErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := Scanner{} + got, err := s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("HubSpotApiKey.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + got[i].Raw = nil + } + if diff := pretty.Compare(got, tt.want); diff != "" { + t.Errorf("HubSpotApiKey.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := Scanner{} + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + b.ResetTimer() + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} diff --git a/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2_test.go b/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2_test.go new file mode 100644 index 000000000000..8abdc56a91d1 --- /dev/null +++ b/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2_test.go @@ -0,0 +1,82 @@ +package v2 + +import ( + "context" + "testing" + + "github.com/google/go-cmp/cmp" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" +) + +func TestHubspotV2_Pattern(t *testing.T) { + d := Scanner{} + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + tests := []struct { + name string + input string + want []string + }{ + { + name: "eu key", + input: ` +const private_app_token = 'pat-eu1-1457aed5-04c6-40e2-83ad-a862d3cf19f2'; + +app.get('/homepage', async (req, res) => { + const contactsEndpoint = 'https://api.hubspot.com/crm/v3/objects/contacts';`, + want: []string{"pat-eu1-1457aed5-04c6-40e2-83ad-a862d3cf19f2"}, + }, + { + name: "na key", + input: `hubspot: + api: + url: https://api.hubapi.com + auth-token: pat-na1-ffbb9f50-d96b-4abc-84f1-b986617be1b5 + subscriptions:`, + want: []string{"pat-na1-ffbb9f50-d96b-4abc-84f1-b986617be1b5"}, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 { + t.Errorf("keywords '%v' not matched by: %s", d.Keywords(), test.input) + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + if err != nil { + t.Errorf("error = %v", err) + return + } + + if len(results) != len(test.want) { + if len(results) == 0 { + t.Errorf("did not receive result") + } else { + t.Errorf("expected %d results, only received %d", len(test.want), len(results)) + } + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} diff --git a/pkg/detectors/hubspotapikey/hubspotapikey.go b/pkg/detectors/hubspotapikey/hubspotapikey.go deleted file mode 100644 index e912dea44096..000000000000 --- a/pkg/detectors/hubspotapikey/hubspotapikey.go +++ /dev/null @@ -1,70 +0,0 @@ -package hubspotapikey - -import ( - "context" - // "log" - regexp "github.com/wasilibs/go-re2" - "net/http" - "strings" - - "github.com/trufflesecurity/trufflehog/v3/pkg/common" - "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" - "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" -) - -type Scanner struct{} - -// Ensure the Scanner satisfies the interface at compile time. -var _ detectors.Detector = (*Scanner)(nil) - -var ( - client = common.SaneHttpClient() - - keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"hubspot"}) + `\b([A-Za-z0-9]{8}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{12})\b`) -) - -// Keywords are used for efficiently pre-filtering chunks. -// Use identifiers in the secret preferably, or the provider name. -func (s Scanner) Keywords() []string { - return []string{"hubspot"} -} - -// FromData will find and optionally verify HubSpotApiKey secrets in a given set of bytes. -func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { - dataStr := string(data) - - matches := keyPat.FindAllStringSubmatch(dataStr, -1) - for _, match := range matches { - if len(match) != 2 { - continue - } - resMatch := strings.TrimSpace(match[1]) - - s1 := detectors.Result{ - DetectorType: detectorspb.DetectorType_HubSpotApiKey, - Raw: []byte(resMatch), - } - - if verify { - req, err := http.NewRequestWithContext(ctx, "GET", "https://api.hubapi.com/contacts/v1/lists?hapikey="+resMatch, nil) - if err != nil { - continue - } - res, err := client.Do(req) - if err == nil { - defer res.Body.Close() - if res.StatusCode >= 200 && res.StatusCode < 300 { - s1.Verified = true - } - } - } - - results = append(results, s1) - } - - return results, nil -} - -func (s Scanner) Type() detectorspb.DetectorType { - return detectorspb.DetectorType_HubSpotApiKey -} diff --git a/pkg/engine/defaults.go b/pkg/engine/defaults.go index cc9fd589ffd0..ef766ddabb93 100644 --- a/pkg/engine/defaults.go +++ b/pkg/engine/defaults.go @@ -331,7 +331,8 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/honeycomb" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/host" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/html2pdf" - "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hubspotapikey" + hubspot_apikey_v1 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hubspot_apikey/v1" + hubspot_apikey_v2 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hubspot_apikey/v2" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/huggingface" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/humanity" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hunter" @@ -854,7 +855,7 @@ func DefaultDetectors() []detectors.Detector { &rapidapi.Scanner{}, &discordbottoken.Scanner{}, &netlify.Scanner{}, - &hubspotapikey.Scanner{}, + &hubspot_apikey_v1.Scanner{}, &travisci.Scanner{}, &scalewaykey.Scanner{}, &fastlypersonaltoken.Scanner{}, @@ -1616,6 +1617,7 @@ func DefaultDetectors() []detectors.Detector { larksuite.Scanner{}, larksuiteapikey.Scanner{}, endorlabs.Scanner{}, + &hubspot_apikey_v2.Scanner{}, } }