From 367bc021c70e29b1d55988529848dc7bbe02deef Mon Sep 17 00:00:00 2001
From: ankushgoel27
Date: Sat, 3 Feb 2024 16:56:47 +0530
Subject: [PATCH 1/4] added hubspotv2 scanner
---
.../hubspotapikeyv2/hubspotapikeyv2.go | 73 +++++++++++
.../hubspotapikeyv2/hubspotapikeyv2_test.go | 120 ++++++++++++++++++
pkg/engine/defaults.go | 2 +
3 files changed, 195 insertions(+)
create mode 100644 pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go
create mode 100644 pkg/detectors/hubspotapikeyv2/hubspotapikeyv2_test.go
diff --git a/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go b/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go
new file mode 100644
index 000000000000..1596227f5131
--- /dev/null
+++ b/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go
@@ -0,0 +1,73 @@
+package hubspotapikeyv2
+
+import (
+ "context"
+ // "log"
+ "fmt"
+ "net/http"
+ "strings"
+
+ regexp "github.com/wasilibs/go-re2"
+
+ "github.com/trufflesecurity/trufflehog/v3/pkg/common"
+ "github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+ "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
+)
+
+type Scanner struct{}
+
+// Ensure the Scanner satisfies the interface at compile time.
+var _ detectors.Detector = (*Scanner)(nil)
+
+var (
+ client = common.SaneHttpClient()
+
+ keyPat = regexp.MustCompile(`\b(pat-na1-[A-Za-z0-9]{8}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{12})\b`)
+)
+
+// Keywords are used for efficiently pre-filtering chunks.
+// Use identifiers in the secret preferably, or the provider name.
+func (s Scanner) Keywords() []string {
+ return []string{"pat-na1-"}
+}
+
+// FromData will find and optionally verify HubSpotApiKey secrets in a given set of bytes.
+func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
+ dataStr := string(data)
+
+ matches := keyPat.FindAllStringSubmatch(dataStr, -1)
+ for _, match := range matches {
+ if len(match) != 2 {
+ continue
+ }
+ resMatch := strings.TrimSpace(match[1])
+
+ s1 := detectors.Result{
+ DetectorType: detectorspb.DetectorType_HubSpotApiKey,
+ Raw: []byte(resMatch),
+ }
+
+ if verify {
+ req, err := http.NewRequestWithContext(ctx, "GET", "https://api.hubapi.com/account-info/v3/api-usage/daily/private-apps", nil)
+ if err != nil {
+ continue
+ }
+ req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", resMatch))
+ res, err := client.Do(req)
+ if err == nil {
+ defer res.Body.Close()
+ if res.StatusCode >= 200 && res.StatusCode < 300 {
+ s1.Verified = true
+ }
+ }
+ }
+
+ results = append(results, s1)
+ }
+
+ return results, nil
+}
+
+func (s Scanner) Type() detectorspb.DetectorType {
+ return detectorspb.DetectorType_HubSpotApiKey
+}
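Review bot: In `FromData`, a failed verification request is indistinguishable from a rejected token: when `client.Do` returns an error, or the API answers with anything outside 2xx, the result is appended with `Verified` false and nothing recorded about why. For a secret scanner that means a live key found during a network outage or rate limit is reported the same way as a revoked one. Record the failure on the result, e.g. `s1.SetVerificationError(err)` in an `else` branch, and treat only a 401 as a definite "not valid". Separately, `defer res.Body.Close()` sits inside the `for` loop, so every response body stays open until `FromData` returns; close it before the next iteration instead.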
diff --git a/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2_test.go b/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2_test.go
new file mode 100644
index 000000000000..e95cff8093a2
--- /dev/null
+++ b/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2_test.go
@@ -0,0 +1,120 @@ +//go:build detectors +// +build detectors + +package hubspotapikeyv2 + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/kylelemons/godebug/pretty" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +func TestHubSpotApiKey_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors3") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + secret := testSecrets.MustGetField("HUBSPOTAPIKEY_TOKEN") + inactiveSecret := testSecrets.MustGetField("HUBSPOTAPIKEY_INACTIVE") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a hubspotapikey secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_HubSpotApiKey, + Verified: true, + }, + }, + wantErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a hubspotapikey secret %s within but unverified", inactiveSecret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_HubSpotApiKey, + Verified: false, + }, + }, + wantErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := Scanner{} + got, err := 
s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("HubSpotApiKey.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + got[i].Raw = nil + } + if diff := pretty.Compare(got, tt.want); diff != "" { + t.Errorf("HubSpotApiKey.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := Scanner{} + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + b.ResetTimer() + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} diff --git a/pkg/engine/defaults.go b/pkg/engine/defaults.go index cc9fd589ffd0..e1d23c5c070e 100644 --- a/pkg/engine/defaults.go +++ b/pkg/engine/defaults.go @@ -332,6 +332,7 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/host" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/html2pdf" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hubspotapikey" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hubspotapikeyv2" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/huggingface" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/humanity" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hunter" @@ -1616,6 +1617,7 @@ func DefaultDetectors() []detectors.Detector { larksuite.Scanner{}, larksuiteapikey.Scanner{}, endorlabs.Scanner{}, + hubspotapikeyv2.Scanner{}, } } From e9bc154de0da72f3e3a6e94a618c8f45a36601db Mon Sep 17 00:00:00 2001 From: ankushgoel27 Date: Sun, 4 Feb 2024 11:26:30 +0530 Subject: [PATCH 2/4] added versioner interface --- pkg/detectors/hubspotapikey/hubspotapikey.go | 3 +++ pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go | 3 +++ 2 files changed, 6 insertions(+) 
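Review bot: The table cases in `TestHubSpotApiKey_FromChunk` pass `ctx: context.Background()` to `FromData`, so the 5-second `ctx` created at the top of the test only bounds `common.GetSecret` and the live verification requests run without the test's deadline; use the timeout `ctx` in `args`. The test also reads `HUBSPOTAPIKEY_TOKEN` and `HUBSPOTAPIKEY_INACTIVE`, which look like the field names of the existing v1 detector test (not visible here, please confirm); if those hold keys without the `pat-na1-` prefix, `keyPat` never matches and both "found" cases fail. `s := Scanner{}` inside the loop also leaves the `tt.s` field unused.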
diff --git a/pkg/detectors/hubspotapikey/hubspotapikey.go b/pkg/detectors/hubspotapikey/hubspotapikey.go index e912dea44096..eecf6e023632 100644 --- a/pkg/detectors/hubspotapikey/hubspotapikey.go +++ b/pkg/detectors/hubspotapikey/hubspotapikey.go @@ -14,8 +14,11 @@ import ( type Scanner struct{} +func (s Scanner) Version() int { return 1 } + // Ensure the Scanner satisfies the interface at compile time. var _ detectors.Detector = (*Scanner)(nil) +var _ detectors.Versioner = (*Scanner)(nil) var ( client = common.SaneHttpClient() diff --git a/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go b/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go index 1596227f5131..6c2908651c68 100644 --- a/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go +++ b/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go @@ -16,8 +16,11 @@ import ( type Scanner struct{} +func (s Scanner) Version() int { return 2 } + // Ensure the Scanner satisfies the interface at compile time. var _ detectors.Detector = (*Scanner)(nil) +var _ detectors.Versioner = (*Scanner)(nil) var ( client = common.SaneHttpClient() From dc387dc42fce42ca480e6874e2d568d99a57b289 Mon Sep 17 00:00:00 2001 From: Richard Gomez Date: Mon, 13 May 2024 20:56:29 -0400 Subject: [PATCH 3/4] feat(hubspot): update v1 detector --- pkg/detectors/hubspotapikey/hubspotapikey.go | 74 ++++++++++++++------ 1 file changed, 51 insertions(+), 23 deletions(-) diff --git a/pkg/detectors/hubspotapikey/hubspotapikey.go b/pkg/detectors/hubspotapikey/hubspotapikey.go index eecf6e023632..24f81b55bd8f 100644 --- a/pkg/detectors/hubspotapikey/hubspotapikey.go +++ b/pkg/detectors/hubspotapikey/hubspotapikey.go 
@@ -2,17 +2,20 @@ package hubspotapikey import ( "context" + "fmt" + "io" + "net/http" // "log" regexp "github.com/wasilibs/go-re2" - "net/http" - "strings" "github.com/trufflesecurity/trufflehog/v3/pkg/common" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" ) -type Scanner struct{} +type Scanner struct { + client *http.Client +} func (s Scanner) Version() int { return 1 } 
@@ -21,45 +24,41 @@ var _ detectors.Detector = (*Scanner)(nil) var _ detectors.Versioner = (*Scanner)(nil) var ( - client = common.SaneHttpClient() + defaultClient = common.SaneHttpClient() - keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"hubspot"}) + `\b([A-Za-z0-9]{8}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{12})\b`) + keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"hubapi", "hapi_?key", "hubspot"}) + `\b([a-zA-Z0-9]{8}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12})\b`) ) // Keywords are used for efficiently pre-filtering chunks. // Use identifiers in the secret preferably, or the provider name. func (s Scanner) Keywords() []string { - return []string{"hubspot"} + return []string{"hubspot", "hubapi", "hapikey", "hapi_key"} } // FromData will find and optionally verify HubSpotApiKey secrets in a given set of bytes. func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { dataStr := string(data) - matches := keyPat.FindAllStringSubmatch(dataStr, -1) - for _, match := range matches { - if len(match) != 2 { - continue - } - resMatch := strings.TrimSpace(match[1]) + uniqueMatches := make(map[string]struct{}) + for _, match := range keyPat.FindAllStringSubmatch(dataStr, -1) { + uniqueMatches[match[1]] = struct{}{} + } + for token := range uniqueMatches { s1 := detectors.Result{ DetectorType: detectorspb.DetectorType_HubSpotApiKey, - Raw: []byte(resMatch), + Raw: []byte(token), } if verify { - req, err := http.NewRequestWithContext(ctx, "GET", "https://api.hubapi.com/contacts/v1/lists?hapikey="+resMatch, nil) - if err != nil { - continue - } - res, err := client.Do(req) - if err == nil { - defer res.Body.Close() - if res.StatusCode >= 200 && res.StatusCode < 300 { - s1.Verified = true - } + client := s.client + if client == nil { + client = defaultClient } + + verified, verificationErr := verifyToken(ctx, client, token) + s1.Verified = verified + 
s1.SetVerificationError(verificationErr) } results = append(results, s1) @@ -68,6 +67,35 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result return results, nil } +// See https://legacydocs.hubspot.com/docs/methods/auth/oauth-overview +func verifyToken(ctx context.Context, client *http.Client, token string) (bool, error) { + req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://api.hubapi.com/contacts/v1/lists?hapikey="+token, nil) + if err != nil { + return false, err + } + + res, err := client.Do(req) + if err != nil { + return false, err + } + defer func() { + _, _ = io.Copy(io.Discard, res.Body) + _ = res.Body.Close() + }() + + switch res.StatusCode { + case http.StatusOK: + return true, nil + case http.StatusUnauthorized: + return false, nil + case http.StatusForbidden: + // The token is valid but lacks permission for the endpoint. + return true, nil + default: + return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) + } +} + func (s Scanner) Type() detectorspb.DetectorType { return detectorspb.DetectorType_HubSpotApiKey } From ab7f4d55f9230fa810acc4ee0f966eee5c4668db Mon Sep 17 00:00:00 2001 
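Review bot: `verifyToken` sends the key in the query string (`"...?hapikey="+token`), and when `client.Do` fails the returned `*url.Error` message includes the full request URL, so the error that `FromData` stores via `s1.SetVerificationError(verificationErr)` carries the plaintext key into whatever output or logs render verification errors. If this version of `SetVerificationError` accepts the secrets to redact as extra arguments, pass the token: `s1.SetVerificationError(verificationErr, token)`; otherwise strip the URL from the transport error in `verifyToken` before returning it. This applies to the `FromData` hunk and the new `verifyToken` hunk together. The doc comment on `verifyToken` links to the OAuth overview while the request authenticates with `hapikey`; a link to the API-key documentation would match the code.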
From: Richard Gomez Date: Tue, 18 Jun 2024 09:53:52 -0400 Subject: [PATCH 4/4] feat(hubspot): unify v1 and v2 implementation --- .../v1/hubspot_apikey_v1.go} | 14 ++- .../v1/hubspot_apikey_v1_integration_test.go} | 3 +- .../v1/hubspot_apikey_v1_test.go | 91 +++++++++++++++ .../hubspot_apikey/v2/hubspot_apikey_v2.go | 104 ++++++++++++++++++ .../v2/hubspot_apikey_v2_integration_test.go} | 3 +- .../v2/hubspot_apikey_v2_test.go | 82 ++++++++++++++ .../hubspotapikeyv2/hubspotapikeyv2.go | 76 ------------- pkg/engine/defaults.go | 8 +- 8 files changed, 293 insertions(+), 88 deletions(-) rename pkg/detectors/{hubspotapikey/hubspotapikey.go => hubspot_apikey/v1/hubspot_apikey_v1.go} (93%) rename pkg/detectors/{hubspotapikey/hubspotapikey_test.go => hubspot_apikey/v1/hubspot_apikey_v1_integration_test.go} (99%) create mode 100644 pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1_test.go create mode 100644 pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2.go rename pkg/detectors/{hubspotapikeyv2/hubspotapikeyv2_test.go => hubspot_apikey/v2/hubspot_apikey_v2_integration_test.go} (99%) create mode 100644 pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2_test.go delete mode 100644 pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go diff --git a/pkg/detectors/hubspotapikey/hubspotapikey.go b/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1.go similarity index 93% rename from pkg/detectors/hubspotapikey/hubspotapikey.go rename to pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1.go index 24f81b55bd8f..91488f3663da 100644 --- a/pkg/detectors/hubspotapikey/hubspotapikey.go +++ b/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1.go @@ -1,4 +1,4 @@ -package hubspotapikey +package v1 import ( "context" 
@@ -17,11 +17,13 @@ type Scanner struct { client *http.Client } -func (s Scanner) Version() int { return 1 } - // Ensure the Scanner satisfies the interface at compile time. -var _ detectors.Detector = (*Scanner)(nil) -var _ detectors.Versioner = (*Scanner)(nil) +var _ interface { + detectors.Detector + detectors.Versioner +} = (*Scanner)(nil) + +func (s Scanner) Version() int { return 1 } var ( defaultClient = common.SaneHttpClient() @@ -32,7 +34,7 @@ var ( // Keywords are used for efficiently pre-filtering chunks. // Use identifiers in the secret preferably, or the provider name. func (s Scanner) Keywords() []string { - return []string{"hubspot", "hubapi", "hapikey", "hapi_key"} + return []string{"hubapi", "hapikey", "hapi_key", "hubspot"} } // FromData will find and optionally verify HubSpotApiKey secrets in a given set of bytes. diff --git a/pkg/detectors/hubspotapikey/hubspotapikey_test.go b/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1_integration_test.go similarity index 99% rename from pkg/detectors/hubspotapikey/hubspotapikey_test.go rename to pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1_integration_test.go index 8c8a819c498d..613eb2714eab 100644 --- a/pkg/detectors/hubspotapikey/hubspotapikey_test.go +++ b/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1_integration_test.go @@ -1,7 +1,7 @@ //go:build detectors // +build detectors -package hubspotapikey +package v1 import ( "context" @@ -10,6 +10,7 @@ import ( "time" "github.com/kylelemons/godebug/pretty" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" "github.com/trufflesecurity/trufflehog/v3/pkg/common" diff --git a/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1_test.go b/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1_test.go new file mode 100644 index 000000000000..73379dee639e --- /dev/null +++ b/pkg/detectors/hubspot_apikey/v1/hubspot_apikey_v1_test.go 
@@ -0,0 +1,91 @@ +package v1 + +import ( + "context" + "testing" + + "github.com/google/go-cmp/cmp" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" +) + +func TestHubspotV1_Pattern(t *testing.T) { + d := Scanner{} + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + tests := []struct { + name string + input string + want []string + }{ + { + name: "hapikey", + input: `// const hapikey = 'b714cac4-a45c-42af-9905-da4de8838d75'; +const { HAPI_KEY } = process.env; +const hs = new HubSpotAPI({ hapikey: HAPI_KEY });`, + want: []string{"b714cac4-a45c-42af-9905-da4de8838d75"}, + }, + // TODO: Doesn't work because it's more than 40 characters. + // { + // name: "hubapi", + // input: `curl https://api.hubapi.com/contacts/v1/lists/all/contacts/all \ + //--header "Authorization: Bearer b71aa2ed-9c76-417d-bd8e-c5f4980d21ef"`, + // want: []string{"b71aa2ed-9c76-417d-bd8e-c5f4980d21ef"}, + // }, + { + name: "hubspot_1", + input: `const hs = new HubSpotAPI("76a836c8-469d-4426-8a3b-194ca930b7a1"); + +const blogPosts = hs.blog.getPosts({ name: 'Inbound' });`, + want: []string{"76a836c8-469d-4426-8a3b-194ca930b7a1"}, + }, + { + name: "hubspot_2", + input: ` 'hubspot' => [ + // 'api_key' => 'e9ff285d-6b7f-455a-a56d-9ec8c4abbd47', // @ts dev`, + want: []string{"e9ff285d-6b7f-455a-a56d-9ec8c4abbd47"}, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 { + t.Errorf("keywords '%v' not matched by: %s", d.Keywords(), test.input) + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + if err != nil { + t.Errorf("error = %v", err) + return + } + + if len(results) != len(test.want) { + if len(results) == 0 { + t.Errorf("did not receive result") + } else { + t.Errorf("expected %d results, only received %d", 
len(test.want), len(results)) + } + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} diff --git a/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2.go b/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2.go new file mode 100644 index 000000000000..f1e94e0c853c --- /dev/null +++ b/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2.go 
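Review bot: Every case in `TestHubspotV1_Pattern` is a positive match, so nothing pins down what the v1 detector must not report; because a v1 key is a bare UUID and the keywords include generic strings such as `hubapi`, add a case where a keyword is present but the only UUID sits far from it (or is not a key at all) with an empty `want`. The commented-out `hubapi` case records a known miss (a key more than 40 characters after the keyword); keeping it as a subtest that calls `t.Skip` with that reason would keep the gap visible in test output. The message `expected %d results, only received %d` is also misleading when more results than expected come back.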
@@ -0,0 +1,104 @@ +package v2 + +import ( + "context" + "io" + + // "log" + "fmt" + "net/http" + + regexp "github.com/wasilibs/go-re2" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct { + client *http.Client +} + +func (s Scanner) Version() int { return 2 } + +// Ensure the Scanner satisfies the interface at compile time. +var _ interface { + detectors.Detector + detectors.Versioner +} = (*Scanner)(nil) + +var ( + defaultClient = common.SaneHttpClient() + + keyPat = regexp.MustCompile(`\b(pat-(?:eu|na)1-[A-Za-z0-9]{8}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{12})\b`) +) + +// Keywords are used for efficiently pre-filtering chunks. +// Use identifiers in the secret preferably, or the provider name. +func (s Scanner) Keywords() []string { + return []string{"pat-na1-", "pat-eu1-"} +} + +// FromData will find and optionally verify HubSpotApiKey secrets in a given set of bytes. 
+func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + uniqueMatches := make(map[string]struct{}) + for _, match := range keyPat.FindAllStringSubmatch(dataStr, -1) { + uniqueMatches[match[1]] = struct{}{} + } + + for token := range uniqueMatches { + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_HubSpotApiKey, + Raw: []byte(token), + Redacted: token[8:] + "...", + } + + if verify { + client := s.client + if client == nil { + client = defaultClient + } + + verified, verificationErr := verifyToken(ctx, client, token) + s1.Verified = verified + s1.SetVerificationError(verificationErr) + } + + results = append(results, s1) + } + + return results, nil +} +func verifyToken(ctx context.Context, client *http.Client, token string) (bool, error) { + req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://api.hubapi.com/account-info/v3/api-usage/daily/private-apps", nil) + if err != nil { + return false, err + } + req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token)) + res, err := client.Do(req) + if err != nil { + return false, err + } + defer func() { + _, _ = io.Copy(io.Discard, res.Body) + _ = res.Body.Close() + }() + + switch res.StatusCode { + case http.StatusOK: + return true, nil + case http.StatusUnauthorized: + return false, nil + case http.StatusForbidden: + // The token is valid but lacks permission for the endpoint. + return true, nil + default: + return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) + } +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_HubSpotApiKey +} 
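Review bot: `Redacted: token[8:] + "..."` in `FromData` keeps everything after the 8-character `pat-na1-`/`pat-eu1-` prefix, i.e. the entire UUID portion of the token, so the field that is presumably meant for safe display holds the secret part and drops only the public prefix. Slice the other way, `Redacted: token[:8] + "...",`, or keep at most a few leading characters of the UUID. `verifyToken` in this file also has no doc comment and is missing the blank line after `FromData`'s closing brace; a one-line comment naming the endpoint and the 200/401/403 mapping would help the next reader.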
diff --git a/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2_test.go b/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2_integration_test.go similarity index 99% rename from pkg/detectors/hubspotapikeyv2/hubspotapikeyv2_test.go rename to pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2_integration_test.go index e95cff8093a2..1ef20436d446 100644 --- a/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2_test.go +++ b/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2_integration_test.go @@ -1,7 +1,7 @@ //go:build detectors // +build detectors -package hubspotapikeyv2 +package v2 import ( "context" @@ -10,6 +10,7 @@ import ( "time" "github.com/kylelemons/godebug/pretty" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" "github.com/trufflesecurity/trufflehog/v3/pkg/common" diff --git a/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2_test.go b/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2_test.go new file mode 100644 index 000000000000..8abdc56a91d1 --- /dev/null +++ b/pkg/detectors/hubspot_apikey/v2/hubspot_apikey_v2_test.go 
@@ -0,0 +1,82 @@ +package v2 + +import ( + "context" + "testing" + + "github.com/google/go-cmp/cmp" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" +) + +func TestHubspotV2_Pattern(t *testing.T) { + d := Scanner{} + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + tests := []struct { + name string + input string + want []string + }{ + { + name: "eu key", + input: ` +const private_app_token = 'pat-eu1-1457aed5-04c6-40e2-83ad-a862d3cf19f2'; + +app.get('/homepage', async (req, res) => { + const contactsEndpoint = 'https://api.hubspot.com/crm/v3/objects/contacts';`, + want: []string{"pat-eu1-1457aed5-04c6-40e2-83ad-a862d3cf19f2"}, + }, + { + name: "na key", + input: `hubspot: + api: + url: https://api.hubapi.com + auth-token: pat-na1-ffbb9f50-d96b-4abc-84f1-b986617be1b5 + subscriptions:`, + want: []string{"pat-na1-ffbb9f50-d96b-4abc-84f1-b986617be1b5"}, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 { + t.Errorf("keywords '%v' not matched by: %s", d.Keywords(), test.input) + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + if err != nil { + t.Errorf("error = %v", err) + return + } + + if len(results) != len(test.want) { + if len(results) == 0 { + t.Errorf("did not receive result") + } else { + t.Errorf("expected %d results, only received %d", len(test.want), len(results)) + } + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s 
diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} diff --git a/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go b/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go deleted file mode 100644 index 6c2908651c68..000000000000 --- a/pkg/detectors/hubspotapikeyv2/hubspotapikeyv2.go +++ /dev/null 
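Review bot: `TestHubspotV2_Pattern` compares only `Raw`/`RawV2`, so the `Redacted` value and the de-duplication that the v2 `FromData` performs are not covered by any assertion. Add an input that repeats the same token twice and expects a single result, and assert that `r.Redacted` does not contain the UUID portion of the token.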
@@ -1,76 +0,0 @@ -package hubspotapikeyv2 - -import ( - "context" - // "log" - "fmt" - "net/http" - "strings" - - regexp "github.com/wasilibs/go-re2" - - "github.com/trufflesecurity/trufflehog/v3/pkg/common" - "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" - "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" -) - -type Scanner struct{} - -func (s Scanner) Version() int { return 2 } - -// Ensure the Scanner satisfies the interface at compile time. -var _ detectors.Detector = (*Scanner)(nil) -var _ detectors.Versioner = (*Scanner)(nil) - -var ( - client = common.SaneHttpClient() - - keyPat = regexp.MustCompile(`\b(pat-na1-[A-Za-z0-9]{8}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{4}\-[A-Za-z0-9]{12})\b`) -) - -// Keywords are used for efficiently pre-filtering chunks. -// Use identifiers in the secret preferably, or the provider name. -func (s Scanner) Keywords() []string { - return []string{"pat-na1-"} -} - -// FromData will find and optionally verify HubSpotApiKey secrets in a given set of bytes. 
-func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { - dataStr := string(data) - - matches := keyPat.FindAllStringSubmatch(dataStr, -1) - for _, match := range matches { - if len(match) != 2 { - continue - } - resMatch := strings.TrimSpace(match[1]) - - s1 := detectors.Result{ - DetectorType: detectorspb.DetectorType_HubSpotApiKey, - Raw: []byte(resMatch), - } - - if verify { - req, err := http.NewRequestWithContext(ctx, "GET", "https://api.hubapi.com/account-info/v3/api-usage/daily/private-apps", nil) - if err != nil { - continue - } - req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", resMatch)) - res, err := client.Do(req) - if err == nil { - defer res.Body.Close() - if res.StatusCode >= 200 && res.StatusCode < 300 { - s1.Verified = true - } - } - } - - results = append(results, s1) - } - - return results, nil -} - -func (s Scanner) Type() detectorspb.DetectorType { - return detectorspb.DetectorType_HubSpotApiKey -} diff --git a/pkg/engine/defaults.go b/pkg/engine/defaults.go index e1d23c5c070e..ef766ddabb93 100644 --- a/pkg/engine/defaults.go +++ b/pkg/engine/defaults.go @@ -331,8 +331,8 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/honeycomb" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/host" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/html2pdf" - "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hubspotapikey" - "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hubspotapikeyv2" + hubspot_apikey_v1 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hubspot_apikey/v1" + hubspot_apikey_v2 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hubspot_apikey/v2" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/huggingface" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/humanity" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/hunter" 
@@ -855,7 +855,7 @@ func DefaultDetectors() []detectors.Detector { &rapidapi.Scanner{}, &discordbottoken.Scanner{}, &netlify.Scanner{}, - &hubspotapikey.Scanner{}, + &hubspot_apikey_v1.Scanner{}, &travisci.Scanner{}, &scalewaykey.Scanner{}, &fastlypersonaltoken.Scanner{}, @@ -1617,7 +1617,7 @@ func DefaultDetectors() []detectors.Detector { larksuite.Scanner{}, larksuiteapikey.Scanner{}, endorlabs.Scanner{}, - hubspotapikeyv2.Scanner{}, + &hubspot_apikey_v2.Scanner{}, } }