-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feat] Detector implementation for Azure API Management Direct Management Key #3938
base: main
Are you sure you want to change the base?
[Feat] Detector implementation for Azure API Management Direct Management Key #3938
Conversation
s1 := detectors.Result{ | ||
DetectorType: detectorspb.DetectorType_AzureDirectManagementKey, | ||
Raw: []byte(baseUrl), | ||
RawV2: []byte(baseUrl + primaryKey), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we start making RawV2
structured in new detectors? #3634 (comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
... it is tightly coupled with Enterprise and (in future) if we need to restructure it, due to any reason, We wont be able to do it.
That is the case regardless. Making it structured at least makes it parseable and human-readable, unlike doing a simple concatenation.
var ( | ||
defaultClient = common.SaneHttpClient() | ||
urlPat = regexp.MustCompile(`https://([a-z0-9][a-z0-9-]{0,48}[a-z0-9])\.management\.azure-api\.net`) // https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.APIM.Name/ | ||
primaryKeyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"azure"}) + `\b([a-zA-Z0-9+\/-]{86,88}\b={0,2})`) // Base64-encoded primary key |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why -
at the end?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rgmz Initially I copied that regex from another detector, Azure Storage. After your comment, I generated 20 times a key and confidently say that all of them ended with [a-zA-Z0-9]==
. Updated the regex.
code refactoring, remove unnecessary code. updated the description of detector. reduce the expiry to 5 seconds.
refactor variable name for better understanding.
eb37f00
to
a76aa3d
Compare
var ( | ||
defaultClient = common.SaneHttpClient() | ||
urlPat = regexp.MustCompile(`https://([a-z0-9][a-z0-9-]{0,48}[a-z0-9])\.management\.azure-api\.net`) // https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.APIM.Name/ | ||
keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"azure", ".management.azure-api.net"}) + `\b([a-zA-Z0-9+\/]{83,85}[a-zA-Z0-9]==)`) // pattern for both Primary and secondary key |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
\b
isn't valid when beside /
or +
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has bitten me so many times... 😭
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated the regex but AzureContainerRegistry Detector has the similar issue. right ?
implemented host caching if host is not reachable to avoid unnecessary extra verification calls.
Description:
This PR implements a new Detector for Azure Direct management API key. This detector looks for direct manage url and keys (Primary or Secondary), generates a access token with expiry of 5 seconds (to avoid leakage) and verify the credentials based on generated values.
Test Output:
Checklist:
make test-community
)?make lint
this requires golangci-lint)?