Skip to content

Commit

Permalink
Extend algoliaadminkey with additional checks
Browse files Browse the repository at this point in the history
  • Loading branch information
0x2b3bfa0 authored Oct 21, 2024
1 parent 86d2c6d commit 4dc3365
Show file tree
Hide file tree
Showing 2 changed files with 78 additions and 15 deletions.
91 changes: 76 additions & 15 deletions pkg/detectors/algoliaadminkey/algoliaadminkey.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@ package algoliaadminkey

import (
"context"
"fmt"
"encoding/json"
regexp "github.com/wasilibs/go-re2"
"net/http"
"strings"
Expand All @@ -22,14 +24,14 @@ var (
client = common.SaneHttpClient()

// Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"algolia"}) + `\b([a-zA-Z0-9]{32})\b`)
idPat = regexp.MustCompile(detectors.PrefixRegex([]string{"algolia"}) + `\b([A-Z0-9]{10})\b`)
keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"algolia", "docsearch", "apiKey"}) + `\b([a-zA-Z0-9]{32})\b`)
idPat = regexp.MustCompile(detectors.PrefixRegex([]string{"algolia", "docsearch", "appId"}) + `\b([A-Z0-9]{10})\b`)
)

// Keywords are used for efficiently pre-filtering chunks.
// Use identifiers in the secret preferably, or the provider name.
func (s Scanner) Keywords() []string {
return []string{"algolia"}
return []string{"algolia", "docsearch"}
}

// FromData will find and optionally verify AlgoliaAdminKey secrets in a given set of bytes.
Expand Down Expand Up @@ -57,19 +59,16 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
}

if verify {
req, err := http.NewRequestWithContext(ctx, "GET", "https://"+resIdMatch+"-dsn.algolia.net/1/keys", nil)
if err != nil {
continue
}
req.Header.Add("X-Algolia-Application-Id", resIdMatch)
req.Header.Add("X-Algolia-API-Key", resMatch)
res, err := client.Do(req)
if err == nil {
defer res.Body.Close()
if res.StatusCode >= 200 && res.StatusCode < 300 {
s1.Verified = true
}
// Verify if the key is a valid Algolia Admin Key.
isVerified, verificationErr := verifyAlgoliaKey(ctx, resIdMatch, resMatch)

// Verify if the key has sensitive permissions, even if it's not an Admin Key.
if !isVerified {
isVerified, verificationErr = verifyAlgoliaKeyACL(ctx, resIdMatch, resMatch)
}

s1.SetVerificationError(verificationErr, resMatch)
s1.Verified = isVerified
}

results = append(results, s1)
Expand All @@ -78,6 +77,68 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
return results, nil
}

func verifyAlgoliaKey(ctx context.Context, appId, apiKey string) (bool, error) {
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://"+appId+"-dsn.algolia.net/1/keys", nil)
if err != nil {
return false, err
}

req.Header.Add("X-Algolia-Application-Id", appId)
req.Header.Add("X-Algolia-API-Key", apiKey)

res, err := client.Do(req)
if err != nil {
return false, err
}
defer res.Body.Close()

if res.StatusCode == 403 {
return false, nil
} else if res.StatusCode < 200 || res.StatusCode > 299 {
return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode)
}

return true, nil
}

func verifyAlgoliaKeyACL(ctx context.Context, appId, apiKey string) (bool, error) {
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://"+appId+".algolia.net/1/keys/"+apiKey, nil)
if err != nil {
return false, err
}

req.Header.Add("X-Algolia-Application-Id", appId)
req.Header.Add("X-Algolia-API-Key", apiKey)

res, err := client.Do(req)
if err != nil {
return false, err
}
defer res.Body.Close()

if res.StatusCode == 403 {
return false, nil
} else if res.StatusCode < 200 || res.StatusCode > 299 {
return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode)
}

var jsonResponse struct {
ACL []string `json:"acl"`
}

if err := json.NewDecoder(res.Body).Decode(&jsonResponse); err != nil {
return false, err
}

for _, acl := range jsonResponse.ACL {
if acl != "search" && acl != "listIndexes" && acl != "settings" {
return true, nil // Other permissions are sensitive.
}
}

return false, nil
}

func (s Scanner) Type() detectorspb.DetectorType {
return detectorspb.DetectorType_AlgoliaAdminKey
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ func TestAlgoliaAdminKey_FromChunk(t *testing.T) {
{
DetectorType: detectorspb.DetectorType_AlgoliaAdminKey,
Verified: true,
RawV2: []byte(fmt.Sprintf("%s%s", secret, id)),
},
},
wantErr: false,
Expand All @@ -67,6 +68,7 @@ func TestAlgoliaAdminKey_FromChunk(t *testing.T) {
{
DetectorType: detectorspb.DetectorType_AlgoliaAdminKey,
Verified: false,
RawV2: []byte(fmt.Sprintf("%s%s", inactiveSecret, id)),
},
},
wantErr: false,
Expand Down

0 comments on commit 4dc3365

Please sign in to comment.