From d68510eeff4e2263307181f126a2fdffc9c69df5 Mon Sep 17 00:00:00 2001 From: kashif khan Date: Fri, 18 Oct 2024 11:16:01 +0500 Subject: [PATCH 1/3] Addeded 403 account block status code handling for gitlab --- pkg/detectors/gitlab/v1/gitlab.go | 39 ++++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 9 deletions(-) diff --git a/pkg/detectors/gitlab/v1/gitlab.go b/pkg/detectors/gitlab/v1/gitlab.go index a4d57be56b2e..b41f51133489 100644 --- a/pkg/detectors/gitlab/v1/gitlab.go +++ b/pkg/detectors/gitlab/v1/gitlab.go @@ -20,6 +20,10 @@ type Scanner struct { detectors.EndpointSetter } +type gitlabMessage struct { + Message string `json:"message"` +} + // Ensure the Scanner satisfies the interfaces at compile time. var ( _ detectors.Detector = (*Scanner)(nil) @@ -34,6 +38,8 @@ func (Scanner) CloudEndpoint() string { return "https://gitlab.com" } var ( defaultClient = common.SaneHttpClient() keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"gitlab"}) + `\b([a-zA-Z0-9\-=_]{20,22})\b`) + + blockedUserMessage = "403 Forbidden - Your account has been blocked" ) // Keywords are used for efficiently pre-filtering chunks. @@ -60,6 +66,7 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result s1 := detectors.Result{ DetectorType: detectorspb.DetectorType_Gitlab, Raw: []byte(resMatch), + ExtraData: map[string]string{}, } s1.ExtraData = map[string]string{ "rotation_guide": "https://howtorotate.com/docs/tutorials/gitlab/", @@ -67,8 +74,13 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result } if verify { - isVerified, verificationErr := s.verifyGitlab(ctx, resMatch) + isVerified, isUserBlocked, verificationErr := s.verifyGitlab(ctx, resMatch) s1.Verified = isVerified + // if user account is blocked, add this information in the extra data + if isUserBlocked { + s1.ExtraData["User Account Blocked"] = "Yes" + } + s1.SetVerificationError(verificationErr, resMatch) } @@ -78,7 +90,7 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result return results, nil } -func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, error) { +func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, bool, error) { // there are 4 read 'scopes' for a gitlab token: api, read_user, read_repo, and read_registry // they all grant access to different parts of the API. I couldn't find an endpoint that every // one of these scopes has access to, so we just check an example endpoint for each scope. If any @@ -98,13 +110,13 @@ func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, error req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", resMatch)) res, err := client.Do(req) if err != nil { - return false, err + return false, false, err } defer res.Body.Close() body, err := io.ReadAll(res.Body) if err != nil { - return false, err + return false, false, err } // 200 means good key and has `read_user` scope @@ -112,19 +124,28 @@ func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, error // 401 is bad key switch res.StatusCode { case http.StatusOK: - return json.Valid(body), nil + return json.Valid(body), false, nil case http.StatusForbidden: + // check if the user account is blocked or not + var apiResp gitlabMessage + if err := json.Unmarshal(body, &apiResp); err == nil { + if apiResp.Message == blockedUserMessage { + return true, true, nil + } + } + // Good key but not the right scope - return true, nil + return true, false, nil case http.StatusUnauthorized: // Nothing to do; zero values are the ones we want - return false, nil + return false, false, nil default: - return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) + return false, false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) } } - return false, nil + + return false, false, nil } func (s Scanner) Type() detectorspb.DetectorType { From 294a2fe98c0c02612553031bf07a66a0a09f469f Mon Sep 17 00:00:00 2001 From: kashif khan Date: Mon, 21 Oct 2024 12:06:13 +0500 Subject: [PATCH 2/3] resolved comments --- pkg/detectors/gitlab/v1/gitlab.go | 35 +++++++++++++------------ pkg/detectors/gitlab/v2/gitlab_v2.go | 38 +++++++++++++++++++++------- 2 files changed, 46 insertions(+), 27 deletions(-) diff --git a/pkg/detectors/gitlab/v1/gitlab.go b/pkg/detectors/gitlab/v1/gitlab.go index b41f51133489..f1d801f205f1 100644 --- a/pkg/detectors/gitlab/v1/gitlab.go +++ b/pkg/detectors/gitlab/v1/gitlab.go @@ -20,7 +20,7 @@ type Scanner struct { detectors.EndpointSetter } -type gitlabMessage struct { +type GitLabMessage struct { Message string `json:"message"` } @@ -39,7 +39,7 @@ var ( defaultClient = common.SaneHttpClient() keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"gitlab"}) + `\b([a-zA-Z0-9\-=_]{20,22})\b`) - blockedUserMessage = "403 Forbidden - Your account has been blocked" + BlockedUserMessage = "403 Forbidden - Your account has been blocked" ) // Keywords are used for efficiently pre-filtering chunks. @@ -74,12 +74,9 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result } if verify { - isVerified, isUserBlocked, verificationErr := s.verifyGitlab(ctx, resMatch) + isVerified, extraData, verificationErr := s.verifyGitlab(ctx, resMatch) s1.Verified = isVerified - // if user account is blocked, add this information in the extra data - if isUserBlocked { - s1.ExtraData["User Account Blocked"] = "Yes" - } + s1.ExtraData = extraData s1.SetVerificationError(verificationErr, resMatch) } @@ -90,7 +87,7 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result return results, nil } -func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, bool, error) { +func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, map[string]string, error) { // there are 4 read 'scopes' for a gitlab token: api, read_user, read_repo, and read_registry // they all grant access to different parts of the API. I couldn't find an endpoint that every // one of these scopes has access to, so we just check an example endpoint for each scope. If any @@ -110,13 +107,13 @@ func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, bool, req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", resMatch)) res, err := client.Do(req) if err != nil { - return false, false, err + return false, nil, err } defer res.Body.Close() body, err := io.ReadAll(res.Body) if err != nil { - return false, false, err + return false, nil, err } // 200 means good key and has `read_user` scope @@ -124,28 +121,30 @@ func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, bool, // 401 is bad key switch res.StatusCode { case http.StatusOK: - return json.Valid(body), false, nil + return json.Valid(body), nil, nil case http.StatusForbidden: // check if the user account is blocked or not - var apiResp gitlabMessage + var apiResp GitLabMessage if err := json.Unmarshal(body, &apiResp); err == nil { - if apiResp.Message == blockedUserMessage { - return true, true, nil + if apiResp.Message == BlockedUserMessage { + return true, map[string]string{ + "blocked": "True", + }, nil } } // Good key but not the right scope - return true, false, nil + return true, nil, nil case http.StatusUnauthorized: // Nothing to do; zero values are the ones we want - return false, false, nil + return false, nil, nil default: - return false, false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) + return false, nil, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) } } - return false, false, nil + return false, nil, nil } func (s Scanner) Type() detectorspb.DetectorType { diff --git a/pkg/detectors/gitlab/v2/gitlab_v2.go b/pkg/detectors/gitlab/v2/gitlab_v2.go index 19284fdd71dd..3b08f7fa884a 100644 --- a/pkg/detectors/gitlab/v2/gitlab_v2.go +++ b/pkg/detectors/gitlab/v2/gitlab_v2.go @@ -2,7 +2,9 @@ package gitlab import ( "context" + "encoding/json" "fmt" + "io" "net/http" "strings" @@ -10,6 +12,7 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/common" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + v1 "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/gitlab/v1" "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" ) @@ -49,6 +52,7 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result s1 := detectors.Result{ DetectorType: detectorspb.DetectorType_Gitlab, Raw: []byte(resMatch), + ExtraData: map[string]string{}, } s1.ExtraData = map[string]string{ "rotation_guide": "https://howtorotate.com/docs/tutorials/gitlab/", @@ -56,8 +60,10 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result } if verify { - isVerified, verificationErr := s.verifyGitlab(ctx, resMatch) + isVerified, extraData, verificationErr := s.verifyGitlab(ctx, resMatch) s1.Verified = isVerified + s1.ExtraData = extraData + s1.SetVerificationError(verificationErr, resMatch) } @@ -67,7 +73,7 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result return results, nil } -func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, error) { +func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, map[string]string, error) { // there are 4 read 'scopes' for a gitlab token: api, read_user, read_repo, and read_registry // they all grant access to different parts of the API. I couldn't find an endpoint that every // one of these scopes has access to, so we just check an example endpoint for each scope. If any @@ -86,28 +92,42 @@ func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, error req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", resMatch)) res, err := client.Do(req) if err != nil { - return false, err + return false, nil, err + } + defer res.Body.Close() + body, err := io.ReadAll(res.Body) + if err != nil { + return false, nil, err } - defer res.Body.Close() // The request body is unused. // 200 means good key and has `read_user` scope // 403 means good key but not the right scope // 401 is bad key switch res.StatusCode { case http.StatusOK: - return true, nil + return true, nil, nil case http.StatusForbidden: + // check if the user account is blocked or not + var apiResp v1.GitLabMessage + if err := json.Unmarshal(body, &apiResp); err == nil { + if apiResp.Message == v1.BlockedUserMessage { + return true, map[string]string{ + "blocked": "True", + }, nil + } + } + // Good key but not the right scope - return true, nil + return true, nil, nil case http.StatusUnauthorized: // Nothing to do; zero values are the ones we want - return false, nil + return false, nil, nil default: - return false, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) + return false, nil, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode) } } - return false, nil + return false, nil, nil } func (s Scanner) Type() detectorspb.DetectorType { From 56e8f9bfb2c7e920b08d00dd731de16b0dcc8015 Mon Sep 17 00:00:00 2001 From: kashif khan Date: Mon, 28 Oct 2024 16:30:59 +0500 Subject: [PATCH 3/3] removed unmarshalling logic --- pkg/detectors/gitlab/v1/gitlab.go | 21 ++++++++------------- pkg/detectors/gitlab/v2/gitlab_v2.go | 16 +++++++--------- 2 files changed, 15 insertions(+), 22 deletions(-) diff --git a/pkg/detectors/gitlab/v1/gitlab.go b/pkg/detectors/gitlab/v1/gitlab.go index f1d801f205f1..62a5db140e96 100644 --- a/pkg/detectors/gitlab/v1/gitlab.go +++ b/pkg/detectors/gitlab/v1/gitlab.go @@ -20,10 +20,6 @@ type Scanner struct { detectors.EndpointSetter } -type GitLabMessage struct { - Message string `json:"message"` -} - // Ensure the Scanner satisfies the interfaces at compile time. var ( _ detectors.Detector = (*Scanner)(nil) @@ -111,7 +107,8 @@ func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, map[s } defer res.Body.Close() - body, err := io.ReadAll(res.Body) + + bodyBytes, err := io.ReadAll(res.Body) if err != nil { return false, nil, err } @@ -121,16 +118,14 @@ func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, map[s // 401 is bad key switch res.StatusCode { case http.StatusOK: - return json.Valid(body), nil, nil + return json.Valid(bodyBytes), nil, nil case http.StatusForbidden: // check if the user account is blocked or not - var apiResp GitLabMessage - if err := json.Unmarshal(body, &apiResp); err == nil { - if apiResp.Message == BlockedUserMessage { - return true, map[string]string{ - "blocked": "True", - }, nil - } + stringBody := string(bodyBytes) + if strings.Contains(stringBody, BlockedUserMessage) { + return true, map[string]string{ + "blocked": "True", + }, nil } // Good key but not the right scope diff --git a/pkg/detectors/gitlab/v2/gitlab_v2.go b/pkg/detectors/gitlab/v2/gitlab_v2.go index 3b08f7fa884a..ee04aee6f2f4 100644 --- a/pkg/detectors/gitlab/v2/gitlab_v2.go +++ b/pkg/detectors/gitlab/v2/gitlab_v2.go @@ -2,7 +2,6 @@ package gitlab import ( "context" - "encoding/json" "fmt" "io" "net/http" @@ -95,7 +94,8 @@ func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, map[s return false, nil, err } defer res.Body.Close() - body, err := io.ReadAll(res.Body) + + bodyBytes, err := io.ReadAll(res.Body) if err != nil { return false, nil, err } @@ -108,13 +108,11 @@ func (s Scanner) verifyGitlab(ctx context.Context, resMatch string) (bool, map[s return true, nil, nil case http.StatusForbidden: // check if the user account is blocked or not - var apiResp v1.GitLabMessage - if err := json.Unmarshal(body, &apiResp); err == nil { - if apiResp.Message == v1.BlockedUserMessage { - return true, map[string]string{ - "blocked": "True", - }, nil - } + stringBody := string(bodyBytes) + if strings.Contains(stringBody, v1.BlockedUserMessage) { + return true, map[string]string{ + "blocked": "True", + }, nil } // Good key but not the right scope