From e828423668b00d5f6359f50c361e9c52bd00bca9 Mon Sep 17 00:00:00 2001
From: Patrick Pichler
Date: Tue, 28 Apr 2026 11:03:50 +0200
Subject: [PATCH] Add support for detecting and validating CastAI API tokens

Fixes #4925
---
 pkg/detectors/aws/access_keys/accesskey.go    |   5 +-
 pkg/detectors/castai/castai.go                | 175 ++++++++++++++++++
 .../castai/castai_integration_test.go         | 170 ++++++++++++++++++
 pkg/detectors/castai/castai_test.go           | 102 +++++++++++
 pkg/engine/defaults/defaults.go               |   2 +
 pkg/pb/detector_typepb/detector_type.pb.go    |  16 +-
 proto/detector_type.proto                     |   1 +
 7 files changed, 462 insertions(+), 9 deletions(-)
 create mode 100644 pkg/detectors/castai/castai.go
 create mode 100644 pkg/detectors/castai/castai_integration_test.go
 create mode 100644 pkg/detectors/castai/castai_test.go

diff --git a/pkg/detectors/aws/access_keys/accesskey.go b/pkg/detectors/aws/access_keys/accesskey.go
index 95bb86c76d6e..4433ee589847 100644
--- a/pkg/detectors/aws/access_keys/accesskey.go
+++ b/pkg/detectors/aws/access_keys/accesskey.go
@@ -1,6 +1,7 @@
 package access_keys
 
 import (
 	"context"
 	"fmt"
+	"maps"
 	"net"
@@ -220,9 +221,7 @@ func (s scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 				}
 
 				// Append the extraData to the existing ExtraData map.
-				for k, v := range extraData {
-					s1.ExtraData[k] = v
-				}
+				maps.Copy(s1.ExtraData, extraData)
 				s1.SetVerificationError(verificationErr, secretMatch)
 			}
 		}
diff --git a/pkg/detectors/castai/castai.go b/pkg/detectors/castai/castai.go
new file mode 100644
index 000000000000..d6b58c574639
--- /dev/null
+++ b/pkg/detectors/castai/castai.go
@@ -0,0 +1,175 @@
+package castai
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"maps"
+	"net/http"
+
+	regexp "github.com/wasilibs/go-re2"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detector_typepb"
+)
+
+// scanner detects CAST AI API tokens and, when asked to, verifies them
+// against the configured CAST AI API endpoints.
+type scanner struct {
+	client *http.Client
+	detectors.EndpointSetter
+}
+
+// New returns a scanner configured with the default CAST AI API endpoints.
+// Options are applied after the defaults, so they may override them.
+func New(opts ...func(*scanner)) *scanner {
+	s := &scanner{}
+
+	// Default endpoints. The error is deliberately ignored on the assumption
+	// that these hard-coded URLs are always accepted.
+	_ = s.SetConfiguredEndpoints(
+		"https://api.cast.ai/v1/kubernetes/external-clusters",
+		"https://api.eu.cast.ai/v1/kubernetes/external-clusters",
+	)
+
+	for _, opt := range opts {
+		opt(s)
+	}
+
+	return s
+}
+
+// WithClient returns an option that makes the scanner verify tokens with c
+// instead of the package default HTTP client.
+func WithClient(c *http.Client) func(*scanner) {
+	return func(s *scanner) {
+		s.client = c
+	}
+}
+
+// Ensure the scanner satisfies the interfaces at compile time.
+var _ detectors.Detector = (*scanner)(nil)
+var _ detectors.EndpointCustomizer = (*scanner)(nil)
+var _ detectors.Versioner = (*scanner)(nil)
+
+var (
+	defaultClient = common.SaneHttpClient()
+	// The capture group is wrapped in word boundaries to reduce false positives.
+	keyPat = regexp.MustCompile(`\b(castai_v1_[a-z0-9]{64}_[a-z0-9]{8})\b`)
+)
+
+// Keywords are used for efficiently pre-filtering chunks.
+// Every CAST AI token matched by keyPat starts with this prefix.
+func (s scanner) Keywords() []string {
+	return []string{"castai_v1_"} // Prefix
+}
+
+// Version returns the version of this detector.
+func (scanner) Version() int {
+	return 1
+}
+
+// FromData will find and optionally verify CAST AI secrets in a given set of bytes.
+// Each distinct token yields exactly one result, in no particular order.
+func (s scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
+	dataStr := string(data)
+
+	uniqueMatches := make(map[string]struct{})
+	for _, match := range keyPat.FindAllStringSubmatch(dataStr, -1) {
+		uniqueMatches[match[1]] = struct{}{}
+	}
+
+	for match := range uniqueMatches {
+		s1 := detectors.Result{
+			DetectorType: detector_typepb.DetectorType_CastAI,
+			Raw:          []byte(match),
+			SecretParts:  map[string]string{"key": match},
+		}
+
+		if verify {
+			s.verifyResult(ctx, &s1, match)
+		}
+
+		results = append(results, s1)
+	}
+
+	return
+}
+
+// verifyResult checks token against every configured endpoint and records the
+// outcome on res. A token can only be valid in a single environment, so the
+// first endpoint that accepts it wins. An error from one endpoint does not stop
+// the remaining endpoints from being tried; the first such error is reported
+// only when no endpoint accepts the token.
+func (s scanner) verifyResult(ctx context.Context, res *detectors.Result, token string) {
+	client := s.client
+	if client == nil {
+		client = defaultClient
+	}
+
+	var (
+		firstErr         error
+		firstErrEndpoint string
+	)
+	for _, endpoint := range s.Endpoints() {
+		isVerified, extraData, verificationErr := verifyMatch(ctx, client, endpoint, token)
+		if isVerified {
+			res.Verified = true
+			res.ExtraData = map[string]string{"endpoint": endpoint}
+			maps.Copy(res.ExtraData, extraData)
+			return
+		}
+		if verificationErr != nil && firstErr == nil {
+			firstErr, firstErrEndpoint = verificationErr, endpoint
+		}
+	}
+
+	if firstErr != nil {
+		res.ExtraData = map[string]string{"endpoint": firstErrEndpoint}
+		res.SetVerificationError(firstErr, token)
+	}
+}
+
+// verifyMatch sends token to endpoint in the X-API-Key header. It reports true
+// on HTTP 200, false without an error on HTTP 401, and an error for transport
+// failures or any other status code. The returned map is currently always nil.
+func verifyMatch(ctx context.Context, client *http.Client, endpoint string, token string) (bool, map[string]string, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
+	if err != nil {
+		return false, nil, err
+	}
+
+	req.Header.Set("X-API-Key", token)
+
+	res, err := client.Do(req)
+	if err != nil {
+		return false, nil, err
+	}
+	defer func() {
+		// Drain before closing so the transport can reuse the connection.
+		_, _ = io.Copy(io.Discard, res.Body)
+		_ = res.Body.Close()
+	}()
+
+	switch res.StatusCode {
+	case http.StatusOK:
+		// No extra data is extracted from the response body.
+		return true, nil, nil
+	case http.StatusUnauthorized:
+		// The secret is determinately not verified (nothing to do)
+		return false, nil, nil
+	default:
+		return false, nil, fmt.Errorf("unexpected HTTP response status %d", res.StatusCode)
+	}
+}
+
+// Type returns the detector type reported for CAST AI findings.
+func (s scanner) Type() detector_typepb.DetectorType {
+	return detector_typepb.DetectorType_CastAI
+}
+
+// Description explains what a leaked CAST AI API key gives access to.
+func (s scanner) Description() string {
+	return "CAST AI is a Kubernetes automation and cost optimization platform. CAST AI API keys can be used to access the CAST AI API and manage connected clusters."
+}
diff --git a/pkg/detectors/castai/castai_integration_test.go b/pkg/detectors/castai/castai_integration_test.go
new file mode 100644
index 000000000000..1683eb96389a
--- /dev/null
+++ b/pkg/detectors/castai/castai_integration_test.go
@@ -0,0 +1,170 @@
+//go:build detectors
+// +build detectors
+
+package castai
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detector_typepb"
+)
+
+func TestCastai_FromChunk(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
+	defer cancel()
+	testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors5")
+	if err != nil {
+		t.Fatalf("could not get test secrets from GCP: %s", err)
+	}
+	secret := testSecrets.MustGetField("CASTAI")
+	inactiveSecret := testSecrets.MustGetField("CASTAI_INACTIVE")
+
+	type args struct {
+		ctx    context.Context
+		data   []byte
+		verify bool
+	}
+	tests := []struct {
+		name                string
+		s                   *scanner
+		args                args
+		want                []detectors.Result
+		wantErr             bool
+		wantVerificationErr bool
+	}{
+		{
+			name: "found, verified",
+			s:    New(),
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte(fmt.Sprintf("You can find a castai secret %s
within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detector_typepb.DetectorType_CastAI, + Verified: true, + ExtraData: map[string]string{ + "endpoint": "https://api.cast.ai/v1/kubernetes/external-clusters", + }, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, unverified", + s: New(), + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a castai secret %s within but not valid", inactiveSecret)), // the secret would satisfy the regex but not pass validation + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detector_typepb.DetectorType_CastAI, + Verified: false, + }, + }, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "not found", + s: New(), + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + wantVerificationErr: false, + }, + { + name: "found, would be verified if not for timeout", + s: New(WithClient(common.SaneHttpClientTimeOut(1 * time.Microsecond))), + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a castai secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detector_typepb.DetectorType_CastAI, + Verified: false, + ExtraData: map[string]string{ + "endpoint": "https://api.cast.ai/v1/kubernetes/external-clusters", + }, + }, + }, + wantErr: false, + wantVerificationErr: true, + }, + { + name: "found, verified but unexpected api surface", + s: New(WithClient(common.ConstantResponseHttpClient(404, ""))), + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a castai secret %s within", secret)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detector_typepb.DetectorType_CastAI, + Verified: false, + ExtraData: map[string]string{ + "endpoint": "https://api.cast.ai/v1/kubernetes/external-clusters", + }, + 
}, + }, + wantErr: false, + wantVerificationErr: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("Castai.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + if (got[i].VerificationError() != nil) != tt.wantVerificationErr { + t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError()) + } + } + ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "RawV2", "verificationError", "primarySecret", "SecretParts") + if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" { + t.Errorf("Castai.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := New() + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + b.ResetTimer() + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} diff --git a/pkg/detectors/castai/castai_test.go b/pkg/detectors/castai/castai_test.go new file mode 100644 index 000000000000..da66420691e9 --- /dev/null +++ b/pkg/detectors/castai/castai_test.go @@ -0,0 +1,102 @@ +package castai + +import ( + "context" + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/require" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" +) + +func TestCastai_Pattern(t *testing.T) { + d := New() + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + tests := []struct { + name string + input string + want []string + }{ + { + name: "valid pattern", + input: ` + [INFO] Sending request to the castai API 
+ [DEBUG] Using castai_v1_2cb5a70064f60ba2f5507bcbb02938a5a0483bf2a9742d08c5c274c827c9f6ea_aaabbbb5 + [INFO] Response received: 200 OK + `, + want: []string{"castai_v1_2cb5a70064f60ba2f5507bcbb02938a5a0483bf2a9742d08c5c274c827c9f6ea_aaabbbb5"}, + }, + { + name: "valid pattern - xml", + input: ` + + GLOBAL + {castai} + {castai_v1_2cb5a70064f60ba2f5507bcbb02938a5a0483bf2a9742d08c5c274c827c9f6ea_aaabbbb5} + configuration for production + 2023-05-18T14:32:10Z + jenkins-admin + + `, + want: []string{"castai_v1_2cb5a70064f60ba2f5507bcbb02938a5a0483bf2a9742d08c5c274c827c9f6ea_aaabbbb5"}, + }, + { + name: "finds all matches", + input: ` + [INFO] Sending request to the castai API + [DEBUG] Using Key=castai_v1_2cb5a70064f60ba2f5507bcbb02938a5a0483bf2a9742d08c5c274c827c9f6ea_aaabbbb5 + [ERROR] Response received 401 UnAuthorized + [DEBUG] Using castai Key=castai_v1_2cb5a70064f60ba2f5507bcbb02938a5a0483bf2a9742d08c5c274c827c9f6ea_aaabbccc + [INFO] Response received: 200 OK + `, + want: []string{"castai_v1_2cb5a70064f60ba2f5507bcbb02938a5a0483bf2a9742d08c5c274c827c9f6ea_aaabbbb5", "castai_v1_2cb5a70064f60ba2f5507bcbb02938a5a0483bf2a9742d08c5c274c827c9f6ea_aaabbccc"}, + }, + { + name: "invalid pattern", + input: ` + [INFO] Sending request to the castai API + [DEBUG] Using Key=castai_v1_2cb5a70xxxx + [ERROR] Response received: 401 UnAuthorized + `, + want: []string{}, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 { + t.Errorf("test %q failed: expected keywords %v to be found in the input", test.name, d.Keywords()) + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + require.NoError(t, err) + + if len(results) != len(test.want) { + t.Errorf("mismatch in result count: expected %d, got %d", len(test.want), len(results)) + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := 
range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} diff --git a/pkg/engine/defaults/defaults.go b/pkg/engine/defaults/defaults.go index f769af2c5614..572a3108f005 100644 --- a/pkg/engine/defaults/defaults.go +++ b/pkg/engine/defaults/defaults.go @@ -135,6 +135,7 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/carboninterface" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/cashboard" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/caspio" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/castai" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/censys" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/centralstationcrm" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/cexio" @@ -1007,6 +1008,7 @@ func buildDetectorList() []detectors.Detector { &carboninterface.Scanner{}, &cashboard.Scanner{}, &caspio.Scanner{}, + castai.New(), &censys.Scanner{}, &centralstationcrm.Scanner{}, &cexio.Scanner{}, diff --git a/pkg/pb/detector_typepb/detector_type.pb.go b/pkg/pb/detector_typepb/detector_type.pb.go index 51f668528ce4..93e46d8ebfd4 100644 --- a/pkg/pb/detector_typepb/detector_type.pb.go +++ b/pkg/pb/detector_typepb/detector_type.pb.go @@ -1101,6 +1101,7 @@ const ( DetectorType_BitbucketDataCenter DetectorType = 1045 DetectorType_JiraDataCenterPAT DetectorType = 1046 DetectorType_ConfluenceDataCenter DetectorType = 1047 + DetectorType_CastAI DetectorType = 1048 ) // Enum value maps for DetectorType. 
@@ -2150,6 +2151,7 @@ var ( 1045: "BitbucketDataCenter", 1046: "JiraDataCenterPAT", 1047: "ConfluenceDataCenter", + 1048: "CastAI", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -3196,6 +3198,7 @@ var ( "BitbucketDataCenter": 1045, "JiraDataCenterPAT": 1046, "ConfluenceDataCenter": 1047, + "CastAI": 1048, } ) @@ -3231,7 +3234,7 @@ var File_detector_type_proto protoreflect.FileDescriptor var file_detector_type_proto_rawDesc = []byte{ 0x0a, 0x13, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0d, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, - 0x74, 0x79, 0x70, 0x65, 0x2a, 0x8c, 0x88, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, + 0x74, 0x79, 0x70, 0x65, 0x2a, 0x99, 0x88, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10, @@ -4320,11 +4323,12 @@ var file_detector_type_proto_rawDesc = []byte{ 0x08, 0x12, 0x16, 0x0a, 0x11, 0x4a, 0x69, 0x72, 0x61, 0x44, 0x61, 0x74, 0x61, 0x43, 0x65, 0x6e, 0x74, 0x65, 0x72, 0x50, 0x41, 0x54, 0x10, 0x96, 0x08, 0x12, 0x19, 0x0a, 0x14, 0x43, 0x6f, 0x6e, 0x66, 0x6c, 0x75, 0x65, 0x6e, 0x63, 0x65, 0x44, 0x61, 0x74, 0x61, 0x43, 0x65, 0x6e, 0x74, 0x65, - 0x72, 0x10, 0x97, 0x08, 0x42, 0x41, 0x5a, 0x3f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, - 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, - 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, - 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, - 0x5f, 0x74, 0x79, 0x70, 0x65, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x72, 0x10, 0x97, 0x08, 0x12, 
0x0b, 0x0a, 0x06, 0x43, 0x61, 0x73, 0x74, 0x41, 0x49, 0x10, 0x98, + 0x08, 0x42, 0x41, 0x5a, 0x3f, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, + 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, + 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x74, 0x79, + 0x70, 0x65, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/proto/detector_type.proto b/proto/detector_type.proto index ddd4c83c654f..124ca008189c 100644 --- a/proto/detector_type.proto +++ b/proto/detector_type.proto @@ -1049,4 +1049,5 @@ enum DetectorType { BitbucketDataCenter = 1045; JiraDataCenterPAT = 1046; ConfluenceDataCenter = 1047; + CastAI = 1048; }