From cd1d9c93b5cd649303a82bf55590a56468697f5e Mon Sep 17 00:00:00 2001 From: Julien Doutre Date: Tue, 12 Mar 2024 18:20:52 +0100 Subject: [PATCH] Detect Slack workflows webhook --- pkg/detectors/slackwebhook/slackwebhook.go | 107 +++++++++++---------- 1 file changed, 56 insertions(+), 51 deletions(-) diff --git a/pkg/detectors/slackwebhook/slackwebhook.go b/pkg/detectors/slackwebhook/slackwebhook.go index ba0892292462..405182131bc1 100644 --- a/pkg/detectors/slackwebhook/slackwebhook.go +++ b/pkg/detectors/slackwebhook/slackwebhook.go @@ -4,7 +4,6 @@ import ( "bytes" "context" "fmt" - regexp "github.com/wasilibs/go-re2" "io" "net/http" "strings" @@ -12,6 +11,7 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/common" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" + regexp "github.com/wasilibs/go-re2" ) type Scanner struct { @@ -24,7 +24,10 @@ var _ detectors.Detector = (*Scanner)(nil) var ( defaultClient = common.SaneHttpClient() // Make sure that your group is surrounded in boundary characters such as below to reduce false positives. - keyPat = regexp.MustCompile(`(https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]{23,25})`) + keyPats = map[string]*regexp.Regexp{ + "Slack Service Web Hook": regexp.MustCompile(`(https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]{23,25})`), + "Slack Workflow Web Hook ": regexp.MustCompile(`(https://hooks\.slack\.com/workflows/T[A-Z0-9]+/A[A-Z0-9]+/[0-9]{17,19}/[A-Za-z0-9]{23,25})`), + } ) // Keywords are used for efficiently pre-filtering chunks. @@ -37,67 +40,69 @@ func (s Scanner) Keywords() []string { func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { dataStr := string(data) - matches := keyPat.FindAllStringSubmatch(dataStr, -1) + for _, keyPat := range keyPats { + matches := keyPat.FindAllStringSubmatch(dataStr, -1) - for _, match := range matches { - if len(match) != 2 { - continue - } - resMatch := strings.TrimSpace(match[1]) + for _, match := range matches { + if len(match) != 2 { + continue + } + resMatch := strings.TrimSpace(match[1]) - s1 := detectors.Result{ - DetectorType: detectorspb.DetectorType_SlackWebhook, - Raw: []byte(resMatch), - } - s1.ExtraData = map[string]string{ - "rotation_guide": "https://howtorotate.com/docs/tutorials/slack-webhook/", - } + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_SlackWebhook, + Raw: []byte(resMatch), + } + s1.ExtraData = map[string]string{ + "rotation_guide": "https://howtorotate.com/docs/tutorials/slack-webhook/", + } - if verify { + if verify { - client := s.client - if client == nil { - client = defaultClient - } + client := s.client + if client == nil { + client = defaultClient + } - // We don't want to actually send anything to webhooks we find. To verify them without spamming them, we - // send an intentionally malformed message and look for a particular expected error message. - payload := strings.NewReader(`intentionally malformed JSON from Trufflehog scan`) - req, err := http.NewRequestWithContext(ctx, "POST", resMatch, payload) - if err != nil { - continue - } - req.Header.Add("Content-Type", "application/json") - res, err := client.Do(req) - if err == nil { - defer res.Body.Close() - bodyBytes, err := io.ReadAll(res.Body) + // We don't want to actually send anything to webhooks we find. To verify them without spamming them, we + // send an intentionally malformed message and look for a particular expected error message. + payload := strings.NewReader(`intentionally malformed JSON from Trufflehog scan`) + req, err := http.NewRequestWithContext(ctx, "POST", resMatch, payload) if err != nil { continue } - - defer res.Body.Close() - - switch { - case res.StatusCode >= http.StatusOK && res.StatusCode < http.StatusMultipleChoices: - // Hopefully this never happens - it means we actually sent something to a channel somewhere. But - // we at least know the secret is verified. - s1.Verified = true - case res.StatusCode == http.StatusBadRequest && bytes.Equal(bodyBytes, []byte("invalid_payload")): - s1.Verified = true - case res.StatusCode == http.StatusNotFound: - // Not a real webhook or the owning app's OAuth token has been revoked or the app has been deleted - // You might want to handle this case or log it. - default: - err = fmt.Errorf("unexpected HTTP response status %d: %s", res.StatusCode, bodyBytes) + req.Header.Add("Content-Type", "application/json") + res, err := client.Do(req) + if err == nil { + defer res.Body.Close() + bodyBytes, err := io.ReadAll(res.Body) + if err != nil { + continue + } + + defer res.Body.Close() + + switch { + case res.StatusCode >= http.StatusOK && res.StatusCode < http.StatusMultipleChoices: + // Hopefully this never happens - it means we actually sent something to a channel somewhere. But + // we at least know the secret is verified. + s1.Verified = true + case res.StatusCode == http.StatusBadRequest && bytes.Equal(bodyBytes, []byte("invalid_payload")): + s1.Verified = true + case res.StatusCode == http.StatusNotFound: + // Not a real webhook or the owning app's OAuth token has been revoked or the app has been deleted + // You might want to handle this case or log it. + default: + err = fmt.Errorf("unexpected HTTP response status %d: %s", res.StatusCode, bodyBytes) + s1.SetVerificationError(err, resMatch) + } + } else { s1.SetVerificationError(err, resMatch) } - } else { - s1.SetVerificationError(err, resMatch) } - } - results = append(results, s1) + results = append(results, s1) + } } return results, nil