Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feat] Detector implementation for Azure API Management Direct Management Key #3938

Open
wants to merge 11 commits into
base: main
Choose a base branch
from

Conversation

abmussani
Copy link
Contributor

Description:

This PR implements a new Detector for Azure Direct management API key. This detector looks for direct manage url and keys (Primary or Secondary), generates a access token with expiry of 5 seconds (to avoid leakage) and verify the credentials based on generated values.

Test Output:

$ go test -tags=detectors ./pkg/detectors/azuredirectmanagementkey/
ok  	github.com/trufflesecurity/trufflehog/v3/pkg/detectors/azuredirectmanagementkey	6.881s

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

@abmussani abmussani requested review from a team as code owners February 26, 2025 15:54
s1 := detectors.Result{
DetectorType: detectorspb.DetectorType_AzureDirectManagementKey,
Raw: []byte(baseUrl),
RawV2: []byte(baseUrl + primaryKey),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we start making RawV2 structured in new detectors? #3634 (comment)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rgmz I am also not in favor of using RawV2 as structured secret. As @ahrav mentioned that it is tightly coupled with Enterprise and (in future) if we need to restructure it, due to any reason, We wont be able to do it.

My suggestion is to have another Map for this purpose.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

... it is tightly coupled with Enterprise and (in future) if we need to restructure it, due to any reason, We wont be able to do it.

That is the case regardless. Making it structured at least makes it parseable and human-readable, unlike doing a simple concatenation.

var (
defaultClient = common.SaneHttpClient()
urlPat = regexp.MustCompile(`https://([a-z0-9][a-z0-9-]{0,48}[a-z0-9])\.management\.azure-api\.net`) // https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.APIM.Name/
primaryKeyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"azure"}) + `\b([a-zA-Z0-9+\/-]{86,88}\b={0,2})`) // Base64-encoded primary key
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why - at the end?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rgmz Initially I copied that regex from another detector, Azure Storage. After your comment, I generated 20 times a key and confidently say that all of them ended with [a-zA-Z0-9]==. Updated the regex.

@abmussani abmussani force-pushed the azuredirectmanagementapikey-detector-impl branch from eb37f00 to a76aa3d Compare February 28, 2025 10:52
@rgmz rgmz mentioned this pull request Feb 28, 2025
2 tasks
var (
defaultClient = common.SaneHttpClient()
urlPat = regexp.MustCompile(`https://([a-z0-9][a-z0-9-]{0,48}[a-z0-9])\.management\.azure-api\.net`) // https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.APIM.Name/
keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"azure", ".management.azure-api.net"}) + `\b([a-zA-Z0-9+\/]{83,85}[a-zA-Z0-9]==)`) // pattern for both Primary and secondary key
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

\b isn't valid when beside / or +.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has bitten me so many times... 😭

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the regex but AzureContainerRegistry Detector has the similar issue. right ?

@abmussani abmussani changed the title [Feature] Detector implementation for Azure API Management Direct Management Key [Feat] Detector implementation for Azure API Management Direct Management Key Mar 5, 2025
implemented host caching if host is not reachable to avoid unnecessary extra verification calls.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

3 participants