Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do local URI verification, while attempting to defuse SSRF #879

Merged
merged 8 commits into from Nov 2, 2022
Merged

Do local URI verification, while attempting to defuse SSRF #879

merged 8 commits into from Nov 2, 2022

Conversation

dustin-decker
Copy link
Contributor

@dustin-decker dustin-decker commented Oct 28, 2022
edited

Previously we used the SSRF proxy to mitigate SSRF concerns of potential malicious payloads. However this meant that URI credentials were sent up to the proxy, and verification only worked if the resource was externally accessible.

This change performs verification locally to the scanner, after attempting to defuse http and https payloads. It does so with the following 3 modifications to the detected URI:

  • drop the filename on the suffix - basic auth often applies on a directory level and this is one measure to prevent invoking state-changing dynamic content
  • drop query parameters
  • drop fragments

Additionally it verifies using a GET request.

So if there is a blind SSRF payload on a state-changing GET endpoint with no filepath, it could still fire, but otherwise it should be defused.

The SSRF proxy also previously verified redis and ftp, and these have been split up into new detectors.

@dustin-decker dustin-decker requested a review from a team as a code owner October 28, 2022 22:52
dustin-decker
dustin-decker commented Oct 29, 2022
View reviewed changes
pkg/detectors/mongodb/mongodb.go Outdated
@@ -21,7 +21,7 @@ var _ detectors.Detector = (*Scanner)(nil)

var (
// Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
keyPat = regexp.MustCompile(`\b(mongodb(\+srv)?://(?:[^:]+:(?:[^@]+)?@)?(?:[^/]+|/.+.sock?,?)+(?:/([^/."*<>:|?]*))?\?(?:(.+=?=\S+)&?)+)\b`)
keyPat = regexp.MustCompile(`\b(mongodb(\+srv)?://[-.%\w{}]{1,50}:([-.%\S]{3,50})@[-.%\w\/:]+)\b`)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The previous regex was a bit too inclusive and exclusive, sometimes grabbing html nearby and sometimes missing things that were picked up by this pattern, which is a modified version of the URI pattern but only for the mongodb scheme.

@dustin-decker dustin-decker marked this pull request as draft October 31, 2022 17:18
@dustin-decker dustin-decker marked this pull request as ready for review November 1, 2022 22:44
ahrav
ahrav approved these changes Nov 1, 2022
View reviewed changes
Copy link
Collaborator

@ahrav ahrav left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we also need to add the two new detectors to the default detectors?

pkg/detectors/ftp/ftp.go Outdated Show resolved Hide resolved
pkg/detectors/ftp/ftp.go Outdated Show resolved Hide resolved
pkg/detectors/ftp/ftp.go Outdated Show resolved Hide resolved
pkg/detectors/ftp/ftp.go
return results, nil
}

func verifyFTP(ctx context.Context, u *url.URL) bool {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: We can remove ctx as an arg since it doesn't look to be used.

pkg/detectors/npmtokenv2/npmtokenv2_test.go Show resolved Hide resolved
pkg/detectors/redis/redis.go Outdated Show resolved Hide resolved
pkg/detectors/redis/redis.go
return results, nil
}

func verifyRedis(ctx context.Context, u *url.URL) bool {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: we can remove ctx as an arg here if unused.

pkg/detectors/uri/uri.go Outdated Show resolved Hide resolved
pkg/detectors/uri/uri.go
keyPat = regexp.MustCompile(`\b[a-zA-Z]{1,10}:?\/\/[-.%\w{}]{1,50}:([-.%\S]{3,50})@[-.%\w\/:]+\b`)
keyPat = regexp.MustCompile(`\b(?:http(?:s)?:)?\/\/[\S]{3,50}:([\S]{3,50})@[-.%\w\/:]+\b`)

client = common.SaneHttpClient()
)

type proxyRes struct {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I know you didn't touch this, but looks like we no longer use this struct. We can probably remove?

pkg/detectors/uri/uri.go
return false
}

time.Sleep(time.Millisecond * 10)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤣

@dustin-decker dustin-decker merged commit a7fc122 into main Nov 2, 2022
@dustin-decker dustin-decker deleted the uri-detector-local branch November 2, 2022 00:27
mac2000 pushed a commit to mac2000/trufflehog that referenced this pull request Nov 16, 2022
@dustin-decker @mac2000
Do local URI verification, while attempting to defuse SSRF (trufflese…
60c1e3d 
…curity#879)

* simplify monogo pattern

* do URI verification locally, while attempting to defuse SSRF

* test SSRF defuse

* simplify err check logic per linter recommendation

* split up detectors

* address comments

* remove unused var
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ahrav ahrav ahrav approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@dustin-decker @ahrav