Skip to content

Salesforce OAuth2 Detector #4252

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conversation

shahzadhaider1
Copy link
Contributor

@shahzadhaider1 shahzadhaider1 commented Jun 20, 2025

Description:

This pull request introduces a new detector for Salesforce OAuth2 Client Credentials. This detector is designed to find and verify the sensitive Consumer Key and Consumer Secret pairs that applications use for server-to-server API authentication with Salesforce.

Implementation Details

The detector was built with a focus on accuracy and robust verification:

  • Detection Strategy: The detector identifies a potential finding by looking for a trio of components:
    1. A Salesforce domain (*.my.salesforce.com)
    2. A Consumer Key (prefixed with 3MVG)
    3. A 64-character hexadecimal Consumer Secret or a string of 19 numbers

It intelligently creates findings for all possible combinations of these three components found within a given data chunk.

  • API Verification: A comprehensive verification function validates found credentials using the standard OAuth 2.0 Client Credentials Flow. This verifier is built to correctly distinguishing between:

    • A valid credential pair (200 OK).
    • A definitively invalid key or secret (invalid_client, invalid_client_id).
    • A potentially valid but misconfigured application (invalid_grant).
  • Comprehensive Testing: The detector is supported by a full test suite to ensure reliability:

    • Pattern Tests: A dedicated suite validates the combinatorial detection logic against numerous positive and negative test cases offline.
    • Integration Tests: Live tests confirm the verification logic against the Salesforce API, including mocked tests for edge cases like network timeouts and unexpected server errors.

This new detector provides robust coverage for a critical and common type of Salesforce secret. Ready for review.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

salesforce-oauth2-detector-tests

@shahzadhaider1 shahzadhaider1 requested a review from a team as a code owner June 20, 2025 17:36
@shahzadhaider1 shahzadhaider1 force-pushed the feat/OSS-234-detector-salesforce-oauth branch 2 times, most recently from ff443f0 to a88e2e8 Compare June 20, 2025 17:52
@shahzadhaider1 shahzadhaider1 force-pushed the feat/OSS-234-detector-salesforce-oauth branch from a88e2e8 to 4dd42c1 Compare June 20, 2025 18:11
@shahzadhaider1 shahzadhaider1 requested a review from a team as a code owner June 20, 2025 18:11
@shahzadhaider1 shahzadhaider1 linked an issue Jun 20, 2025 that may be closed by this pull request
…r it can be a string of 19 numbers. The consumer PAT can include the characters '+/=' in addition to what is here and it can actually have a character length up to 256.
@shahzadhaider1 shahzadhaider1 force-pushed the feat/OSS-234-detector-salesforce-oauth branch from 103167c to 43f280c Compare June 23, 2025 15:01
Copy link
Contributor

@kashifkhan0771 kashifkhan0771 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

case "invalid_grant":
// This can mean the secret is wrong OR the user isn't configured with the app secret.
// We'll treat it as a VerificationError because the key might be valid but misconfigured.
return false, fmt.Errorf("verification failed: %s", errorResponse.ErrorDescription)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shahzadhaider1 in the invalid_grant case, are the credentials meaningful? I'm scratching my head about whether we should treat this as a verification error

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a great question. The invalid_grant error is returned by the API when the Connected App is misconfigured in Salesforce (for example, a "Run As" user hasn't been assigned for the Client Credentials Flow) in two distinct scenarios:

  1. The Consumer Key is valid, but the Consumer Secret is incorrect.
  2. Both the Key and Secret are valid.

So, to answer your question: when we receive an invalid_grant error, the credentials are potentially very meaningful. We know for certain that the Consumer Key is valid, but we can't distinguish between a bad secret and a configuration problem on the server.

Because of this ambiguity, treating it as a VerificationError is the safest and most accurate approach, in my opinion. It correctly tells our user, "We found a valid key, but the full credential couldn't be confirmed. The issue is either a bad secret OR a server-side setup problem."

Comment on lines 101 to 104
if errors.Is(verificationErr, errNoHost) {
invalidHosts.Set(domain, struct{}{})
continue
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the host is invalid, all the combinations of key and secret should also be invalidate like here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@shahzadhaider1 shahzadhaider1 requested a review from abmussani June 25, 2025 11:28
@shahzadhaider1 shahzadhaider1 requested review from nabeelalam and removed request for nabeelalam June 27, 2025 07:42
Copy link
Contributor

@nabeelalam nabeelalam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@shahzadhaider1 shahzadhaider1 merged commit 95afdd6 into trufflesecurity:main Jul 1, 2025
13 checks passed
@shahzadhaider1 shahzadhaider1 deleted the feat/OSS-234-detector-salesforce-oauth branch July 1, 2025 06:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

New Detector for Salesforce
4 participants