Expected Behavior
The revoked Microsoft Teams webhook should not have been shown as verified.
Actual Behavior
The revoked Microsoft Teams webhook was shown as verified.
Steps to Reproduce
1. Create a Microsoft Teams webhook, and put the webhook URL in a file.
2. Scan the file with TruffleHog. Observe a (correctly) verified result.
3. Delete the webhook through Microsoft Teams.
4. Scan the file with TruffleHog. Observe an erroneous verified result.
Additional Context
The test in TruffleHog's detector sends an empty message to the webhook, and declares the result verified if Microsoft respond saying that text is required. However, this response is the same for both valid and revoked webhook URLs.
trufflehog/pkg/detectors/microsoftteamswebhook/microsoftteamswebhook.go, lines 99 to 101 in 08b6f90:
    if strings.Contains(string(body), "Text is required") {
        return true, nil
    }
I suspect Microsoft's payload validation is now happening before the webhook destination is validated. Sending a request with a message (even an empty string) to a revoked webhook correctly returns a 404 error with the below text.
Webhook message delivery failed with error: Microsoft Teams endpoint returned HTTP error 404
However, sending a non-empty message to a Microsoft Teams webhook is a mutative action. If the webhook is valid, a message will be produced on the channel.
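An added example, not part of this issue or of TruffleHog's own code: a constructed stand-in for the Teams endpoint that models only the behaviour the issue describes (the 400 status for "Text is required" is an assumption), showing why the quoted check reports a revoked webhook as verified, and that the same non-mutative probe can at best be inconclusive rather than a positive result.

```go
package main

import (
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// fakeTeams is a constructed stand-in for what the issue reports: an empty probe always
// yields "Text is required"; a probe carrying a message yields 404 once revoked.
func fakeTeams(revoked bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		switch {
		case len(body) == 0:
			http.Error(w, "Text is required", http.StatusBadRequest)
		case revoked:
			http.Error(w, "Webhook message delivery failed with error: Microsoft Teams endpoint returned HTTP error 404", http.StatusNotFound)
		default:
			w.WriteHeader(http.StatusOK) // a live webhook would post the message here
		}
	}))
}

// probe sends the detector's empty, non-mutative request and returns status and body.
func probe(url string) (int, string, error) {
	resp, err := http.Post(url, "application/json", strings.NewReader(""))
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(b), err
}

// currentCheck mirrors the logic quoted in the issue: "Text is required" means verified.
func currentCheck(body string) bool {
	return strings.Contains(body, "Text is required")
}

// proposedCheck reads the same evidence but never turns the shared validation error into
// a positive result: the empty probe can prove revocation, not that the webhook is live.
func proposedCheck(status int, body string) string {
	if status == http.StatusNotFound || strings.Contains(body, "HTTP error 404") {
		return "revoked"
	}
	return "indeterminate" // "Text is required" lands here for live and revoked alike
}
```

Against the stand-in, currentCheck returns true for both the live and the revoked server, while proposedCheck returns "indeterminate" for both and "revoked" only when the 404 text is actually seen.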
TruffleHog Version
Bug also present in enterprise version.