diff --git a/pkg/detectors/make/api_token.go b/pkg/detectors/make/api_token.go new file mode 100644 index 000000000000..b8b0cb86083f --- /dev/null +++ b/pkg/detectors/make/api_token.go @@ -0,0 +1,129 @@ +package make + +import ( + "context" + "fmt" + "io" + "net/http" + + regexp "github.com/wasilibs/go-re2" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct { + client *http.Client + detectors.DefaultMultiPartCredentialProvider + detectors.EndpointSetter +} + +// Ensure the Scanner satisfies the interface at compile time. +var _ detectors.Detector = (*Scanner)(nil) +var _ detectors.EndpointCustomizer = (*Scanner)(nil) + +var ( + defaultClient = common.SaneHttpClient() + // Make sure that your group is surrounded in boundary characters such as below to reduce false positives. + keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"make"}) + `\b([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})\b`) + // Pattern to match Make.com URLs in the data + urlPat = regexp.MustCompile(`\b(eu|us)[12]\.make\.(com|celonis\.com)`) +) + +func (Scanner) CloudEndpoint() string { return "" } + +// Keywords are used for efficiently pre-filtering chunks. +// Use identifiers in the secret preferably, or the provider name. +func (s Scanner) Keywords() []string { + return []string{"make.com", "make.celonis.com"} +} + +// FromData will find and optionally verify Make secrets in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + uniqueMatches := make(map[string]struct{}) + for _, match := range keyPat.FindAllStringSubmatch(dataStr, -1) { + uniqueMatches[match[1]] = struct{}{} + } + + // Extract Make URLs from the data + foundURLs := urlPat.FindAllString(dataStr, -1) + + // Get endpoints using EndpointCustomizer and deduplicate them + uniqueURLs := make(map[string]struct{}) + for _, endpoint := range s.Endpoints(foundURLs...) { + uniqueURLs[endpoint] = struct{}{} + } + + // Skip creating results if no endpoints are available + if len(uniqueURLs) == 0 { + return + } + + for match := range uniqueMatches { + // Create results for each endpoint + for endpoint := range uniqueURLs { + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_MakeApiToken, + Raw: []byte(match), + RawV2: []byte(match + ":" + endpoint), + } + + if verify { + client := s.client + if client == nil { + client = defaultClient + } + + isVerified, verificationErr := verifyMatch(ctx, client, match, endpoint) + s1.Verified = isVerified + s1.SetVerificationError(verificationErr, match) + } + + results = append(results, s1) + } + } + + return +} + +func verifyMatch(ctx context.Context, client *http.Client, token string, endpoint string) (bool, error) { + // This endpoint returns 200 OK if the token is valid and the correct FQDN for the API is used. + // https://developers.make.com/api-documentation/api-reference/users-greater-than-me#get-users-me-current-authorization + req, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf("https://%s/api/v2/users/me/current-authorization", endpoint), nil) + if err != nil { + return false, err + } + req.Header.Set("Authorization", "Token "+token) + + res, err := client.Do(req) + if err != nil { + return false, err + } + + defer func() { + _, _ = io.Copy(io.Discard, res.Body) + _ = res.Body.Close() + }() + + switch res.StatusCode { + case http.StatusOK: + return true, nil + case http.StatusUnauthorized: + // Determinate failure - invalid token + return false, nil + default: + // Indeterminate failure - unexpected response + return false, fmt.Errorf("unexpected status code: %d", res.StatusCode) + } +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_MakeApiToken +} + +func (s Scanner) Description() string { + return "Make.com is a low-code/no-code automation platform that allows users to connect apps and services typically to automate business workflows. This detector identifies API tokens used for Make.com integrations." +} diff --git a/pkg/detectors/make/api_token_integration_test.go b/pkg/detectors/make/api_token_integration_test.go new file mode 100644 index 000000000000..fdf06f041c1a --- /dev/null +++ b/pkg/detectors/make/api_token_integration_test.go @@ -0,0 +1,164 @@ +//go:build detectors +// +build detectors + +package make + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +func TestMake_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors6") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + secret := testSecrets.MustGetField("MAKE_API_TOKEN") + inactiveSecret := testSecrets.MustGetField("MAKE_API_TOKEN_INACTIVE") + endpoint := testSecrets.MustGetField("MAKE_API_ENDPOINT") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + wantVerificationErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a make secret %s and endpoint %s", secret, endpoint)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_MakeApiToken, + Verified: true, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a make secret %s and endpoint %s but not valid", inactiveSecret, endpoint)), // the secret would satisfy the regex but not pass validation + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_MakeApiToken, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, would be verified if not for timeout", + s: Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a make secret %s and endpoint %s", secret, endpoint)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_MakeApiToken, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + { + name: "found, verified but unexpected api surface", + s: Scanner{client: common.ConstantResponseHttpClient(404, "")}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a make secret %s and endpoint %s", secret, endpoint)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_MakeApiToken, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + tt.s.UseFoundEndpoints(true) + + got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("Make.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + if (got[i].VerificationError() != nil) != tt.wantVerificationErr { + t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError()) + } + } + ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "RawV2", "verificationError", "primarySecret") + if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" { + t.Errorf("Make.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := Scanner{} + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + b.ResetTimer() + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} diff --git a/pkg/detectors/make/api_token_test.go b/pkg/detectors/make/api_token_test.go new file mode 100644 index 000000000000..0f4fad0861f8 --- /dev/null +++ b/pkg/detectors/make/api_token_test.go @@ -0,0 +1,173 @@ +package make + +import ( + "context" + "testing" + + "github.com/google/go-cmp/cmp" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" +) + +func TestMakeApiToken_Pattern(t *testing.T) { + d := Scanner{} + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + + tests := []struct { + name string + input string + cloudEndpoint string + useCloudEndpoint bool + useFoundEndpoint bool + want []string + }{ + { + name: "valid pattern with found endpoint", + input: ` + # make api token + MAKE_TOKEN: bbb94d50-239f-4609-9569-63ea15eb0996 + URL: https://eu1.make.com/api/v2/ + `, + useCloudEndpoint: false, + useFoundEndpoint: true, + want: []string{"bbb94d50-239f-4609-9569-63ea15eb0996:eu1.make.com"}, + }, + { + name: "valid pattern with configured endpoint", + input: ` + # make.com api token + MAKE_TOKEN: bbb94d50-239f-4609-9569-63ea15eb0996 + `, + cloudEndpoint: "us1.make.com", + useCloudEndpoint: true, + useFoundEndpoint: false, + want: []string{"bbb94d50-239f-4609-9569-63ea15eb0996:us1.make.com"}, + }, + { + name: "valid pattern with both found and configured endpoints", + input: ` + # make api token + MAKE_TOKEN: bbb94d50-239f-4609-9569-63ea15eb0996 + URL: https://eu1.make.com/api/v2/ + `, + cloudEndpoint: "us1.make.com", + useCloudEndpoint: true, + useFoundEndpoint: true, + want: []string{ + "bbb94d50-239f-4609-9569-63ea15eb0996:us1.make.com", + "bbb94d50-239f-4609-9569-63ea15eb0996:eu1.make.com", + }, + }, + { + name: "valid pattern with disabled found endpoints", + input: ` + # make api token + MAKE_TOKEN: bbb94d50-239f-4609-9569-63ea15eb0996 + URL: https://eu1.make.com/api/v2/ + `, + cloudEndpoint: "us1.make.com", + useCloudEndpoint: true, + useFoundEndpoint: false, + want: []string{ + "bbb94d50-239f-4609-9569-63ea15eb0996:us1.make.com", + }, + }, + { + name: "valid pattern with celonis domain", + input: ` + # make api token + MAKE_TOKEN: bbb94d50-239f-4609-9569-63ea15eb0996 + URL: us1.make.celonis.com + `, + useCloudEndpoint: false, + useFoundEndpoint: true, + want: []string{ + "bbb94d50-239f-4609-9569-63ea15eb0996:us1.make.celonis.com", + }, + }, + { + name: "no endpoints configured or found", + input: ` + # make.com api token + MAKE_TOKEN: bbb94d50-239f-4609-9569-63ea15eb0996 + `, + useCloudEndpoint: false, + useFoundEndpoint: false, + want: nil, + }, + { + name: "duplicate endpoints deduplicated", + input: ` + # make api token with duplicate endpoints + MAKE_TOKEN: bbb94d50-239f-4609-9569-63ea15eb0996 + URL: us1.make.com + URL: us1.make.com + URL: us1.make.com + `, + useCloudEndpoint: false, + useFoundEndpoint: true, + want: []string{ + "bbb94d50-239f-4609-9569-63ea15eb0996:us1.make.com", + }, + }, + { + name: "invalid pattern", + input: ` + # make.com api token + MAKE_TOKEN: invalid-token-format + `, + useFoundEndpoint: true, + want: nil, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + // Configure the detector based on test case + d.UseFoundEndpoints(test.useFoundEndpoint) + d.UseCloudEndpoint(test.useCloudEndpoint) + if test.useCloudEndpoint && test.cloudEndpoint != "" { + d.SetCloudEndpoint(test.cloudEndpoint) + } + + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 { + t.Errorf("keywords '%v' not matched by: %s", d.Keywords(), test.input) + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + if err != nil { + t.Errorf("error = %v", err) + return + } + + if len(results) != len(test.want) { + if len(results) == 0 { + t.Errorf("did not receive result") + } else { + t.Errorf("expected %d results, only received %d", len(test.want), len(results)) + } + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} diff --git a/pkg/detectors/makemcptoken/mcp_token.go b/pkg/detectors/makemcptoken/mcp_token.go new file mode 100644 index 000000000000..98c8b6a0bec2 --- /dev/null +++ b/pkg/detectors/makemcptoken/mcp_token.go @@ -0,0 +1,101 @@ +package makemcptoken + +import ( + "context" + "fmt" + "io" + "net/http" + + regexp "github.com/wasilibs/go-re2" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct { + client *http.Client +} + +// Ensure the Scanner satisfies the interface at compile time. +var _ detectors.Detector = (*Scanner)(nil) + +var ( + defaultClient = common.SaneHttpClient() + // Make sure that your group is surrounded in boundary characters such as below to reduce false positives. + keyPat = regexp.MustCompile(`\bhttps:\/\/(eu[12]|us[12])\.make\.(?:com|celonis\.com)\/(?:mcp\/)?api\/v[12]\/u\/([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})\/sse\b`) +) + +// Keywords are used for efficiently pre-filtering chunks. +// Use identifiers in the secret preferably, or the provider name. +func (s Scanner) Keywords() []string { + return []string{"make.com", "make.celonis.com"} +} + +// FromData will find and optionally verify Makemcptoken secrets in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + matches := keyPat.FindAllString(dataStr, -1) + uniqueMatches := make(map[string]struct{}) + for _, match := range matches { + uniqueMatches[match] = struct{}{} + } + + for match := range uniqueMatches { + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_MakeMcpToken, + Raw: []byte(match), + } + + if verify { + client := s.client + if client == nil { + client = defaultClient + } + + isVerified, verificationErr := verifyMatch(ctx, client, match) + s1.Verified = isVerified + s1.SetVerificationError(verificationErr, match) + } + + results = append(results, s1) + } + + return +} + +func verifyMatch(ctx context.Context, client *http.Client, url string) (bool, error) { + req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil) + if err != nil { + return false, err + } + + res, err := client.Do(req) + if err != nil { + return false, err + } + defer func() { + _, _ = io.Copy(io.Discard, res.Body) + _ = res.Body.Close() + }() + + switch res.StatusCode { + case http.StatusOK: + return true, nil + case http.StatusUnauthorized: + // Determinate failure (401) + return false, nil + default: + // Any other status code is an indeterminate failure + return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) + } +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_MakeMcpToken +} + +func (s Scanner) Description() string { + return "Make.com is a low-code/no-code automation platform that allows users to connect apps and services typically to automate business workflows. This detector identifies MCP tokens used for Make.com MCP integrations." +} diff --git a/pkg/detectors/makemcptoken/mcp_token_integration_test.go b/pkg/detectors/makemcptoken/mcp_token_integration_test.go new file mode 100644 index 000000000000..092192493e00 --- /dev/null +++ b/pkg/detectors/makemcptoken/mcp_token_integration_test.go @@ -0,0 +1,161 @@ +//go:build detectors +// +build detectors + +package makemcptoken + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +func TestMakemcptoken_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors6") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + secret := testSecrets.MustGetField("MAKE_MCP_TOKEN") + inactiveSecret := testSecrets.MustGetField("MAKE_MCP_TOKEN_INACTIVE") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + wantVerificationErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a makemcptoken secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_MakeMcpToken, + Verified: true, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a makemcptoken secret %s within but not valid", inactiveSecret)), // the secret would satisfy the regex but not pass validation + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_MakeMcpToken, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, would be verified if not for timeout", + s: Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a makemcptoken secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_MakeMcpToken, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + { + name: "found, verified but unexpected api surface", + s: Scanner{client: common.ConstantResponseHttpClient(404, "")}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a makemcptoken secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_MakeMcpToken, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("Makemcptoken.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + if (got[i].VerificationError() != nil) != tt.wantVerificationErr { + t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError()) + } + } + ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "verificationError", "primarySecret") + if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" { + t.Errorf("Makemcptoken.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := Scanner{} + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + b.ResetTimer() + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} diff --git a/pkg/detectors/makemcptoken/mcp_token_test.go b/pkg/detectors/makemcptoken/mcp_token_test.go new file mode 100644 index 000000000000..efa942fe86fe --- /dev/null +++ b/pkg/detectors/makemcptoken/mcp_token_test.go @@ -0,0 +1,79 @@ +package makemcptoken + +import ( + "context" + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" +) + +func TestMakemcptoken_Pattern(t *testing.T) { + d := Scanner{} + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + tests := []struct { + name string + input string + want []string + }{ + { + name: "typical pattern", + input: "make_mcp_endpoint = 'https://us2.make.com/mcp/api/v1/u/3b142ebf-e958-4aef-8551-befb27231888/sse'", + want: []string{"https://us2.make.com/mcp/api/v1/u/3b142ebf-e958-4aef-8551-befb27231888/sse"}, + }, + { + name: "finds all matches", + input: `make_mcp_endpoint1 = 'https://us2.make.com/mcp/api/v1/u/3b142ebf-e958-4aef-8551-befb27231888/sse' +make_mcp_endpoint2 = 'https://eu1.make.com/mcp/api/v1/u/3b142ebf-e958-4aef-8551-befb27231889/sse'`, + want: []string{"https://us2.make.com/mcp/api/v1/u/3b142ebf-e958-4aef-8551-befb27231888/sse", "https://eu1.make.com/mcp/api/v1/u/3b142ebf-e958-4aef-8551-befb27231889/sse"}, + }, + { + name: "invalid pattern", + input: "make_mcp_endpoint = 'https://us2.make.com/mcp/api/v1/u/3b142ebf-e958-4aef-8551-befb27231888/foobar'", + want: []string{}, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 { + t.Errorf("keywords '%v' not matched by: %s", d.Keywords(), test.input) + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + if err != nil { + t.Errorf("error = %v", err) + return + } + + if len(results) != len(test.want) { + if len(results) == 0 { + t.Errorf("did not receive result") + } else { + t.Errorf("expected %d results, only received %d", len(test.want), len(results)) + } + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} diff --git a/pkg/engine/defaults/defaults.go b/pkg/engine/defaults/defaults.go index 45c03b957d94..c54b182151b9 100644 --- a/pkg/engine/defaults/defaults.go +++ b/pkg/engine/defaults/defaults.go @@ -448,6 +448,8 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/mailjetsms" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/mailmodo" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/mailsac" + make_api_token "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/make" + make_mcp_token "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/makemcptoken" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/mandrill" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/mapbox" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/mapquest" @@ -1322,6 +1324,8 @@ func buildDetectorList() []detectors.Detector { &mailjetsms.Scanner{}, &mailmodo.Scanner{}, &mailsac.Scanner{}, + &make_api_token.Scanner{}, + &make_mcp_token.Scanner{}, &mandrill.Scanner{}, // &manifest.Scanner{}, &mapbox.Scanner{}, diff --git a/pkg/engine/engine_test.go b/pkg/engine/engine_test.go index 4e2888e99918..08f19dfc43d9 100644 --- a/pkg/engine/engine_test.go +++ b/pkg/engine/engine_test.go @@ -1228,7 +1228,7 @@ func TestEngineInitializesCloudProviderDetectors(t *testing.T) { for _, det := range e.detectors { if endpoints, ok := det.(interface{ Endpoints(...string) []string }); ok { id := config.GetDetectorID(det) - if len(endpoints.Endpoints()) == 0 && det.Type() != detectorspb.DetectorType_ArtifactoryAccessToken && det.Type() != detectorspb.DetectorType_TableauPersonalAccessToken { // artifactory and tableau does not have any cloud endpoint + if len(endpoints.Endpoints()) == 0 && det.Type() != detectorspb.DetectorType_ArtifactoryAccessToken && det.Type() != detectorspb.DetectorType_TableauPersonalAccessToken && det.Type() != detectorspb.DetectorType_MakeApiToken { // artifactory, tableau, and make api token do not have any cloud endpoint t.Fatalf("detector %q Endpoints() is empty", id.String()) } count++ diff --git a/pkg/pb/detectorspb/detectors.pb.go b/pkg/pb/detectorspb/detectors.pb.go index af94bc51afa5..90ee4aa9c510 100644 --- a/pkg/pb/detectorspb/detectors.pb.go +++ b/pkg/pb/detectorspb/detectors.pb.go @@ -1145,6 +1145,8 @@ const ( DetectorType_HashiCorpVaultAuth DetectorType = 1036 DetectorType_PhraseAccessToken DetectorType = 1037 DetectorType_Photoroom DetectorType = 1038 + DetectorType_MakeApiToken DetectorType = 1039 + DetectorType_MakeMcpToken DetectorType = 1040 ) // Enum value maps for DetectorType. @@ -2185,6 +2187,8 @@ var ( 1036: "HashiCorpVaultAuth", 1037: "PhraseAccessToken", 1038: "Photoroom", + 1039: "MakeApiToken", + 1040: "MakeMcpToken", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -3222,6 +3226,8 @@ var ( "HashiCorpVaultAuth": 1036, "PhraseAccessToken": 1037, "Photoroom": 1038, + "MakeApiToken": 1039, + "MakeMcpToken": 1040, } ) @@ -3675,7 +3681,7 @@ var file_detectors_proto_rawDesc = []byte{ 0x4c, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x42, 0x41, 0x53, 0x45, 0x36, 0x34, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x12, 0x13, 0x0a, 0x0f, 0x45, 0x53, 0x43, 0x41, 0x50, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x49, 0x43, 0x4f, 0x44, 0x45, - 0x10, 0x04, 0x2a, 0xbb, 0x86, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x10, 0x04, 0x2a, 0xe1, 0x86, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10, 0x03, 0x12, @@ -4751,11 +4757,13 @@ var file_detectors_proto_rawDesc = []byte{ 0x6c, 0x74, 0x41, 0x75, 0x74, 0x68, 0x10, 0x8c, 0x08, 0x12, 0x16, 0x0a, 0x11, 0x50, 0x68, 0x72, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x10, 0x8d, 0x08, 0x12, 0x0e, 0x0a, 0x09, 0x50, 0x68, 0x6f, 0x74, 0x6f, 0x72, 0x6f, 0x6f, 0x6d, 0x10, 0x8e, - 0x08, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, - 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, - 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, - 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, - 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x08, 0x12, 0x11, 0x0a, 0x0c, 0x4d, 0x61, 0x6b, 0x65, 0x41, 0x70, 0x69, 0x54, 0x6f, 0x6b, 0x65, + 0x6e, 0x10, 0x8f, 0x08, 0x12, 0x11, 0x0a, 0x0c, 0x4d, 0x61, 0x6b, 0x65, 0x4d, 0x63, 0x70, 0x54, + 0x6f, 0x6b, 0x65, 0x6e, 0x10, 0x90, 0x08, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, + 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, + 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, + 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, + 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/proto/detectors.proto b/proto/detectors.proto index 0c1ea05eebb7..4f337c0c65a1 100644 --- a/proto/detectors.proto +++ b/proto/detectors.proto @@ -1048,6 +1048,8 @@ enum DetectorType { HashiCorpVaultAuth = 1036; PhraseAccessToken = 1037; Photoroom = 1038; + MakeApiToken = 1039; + MakeMcpToken = 1040; } message Result {