diff --git a/pkg/detectors/shopify/shopify.go b/pkg/detectors/shopify/shopify.go new file mode 100644 index 000000000000..0f4ce05e13ea --- /dev/null +++ b/pkg/detectors/shopify/shopify.go @@ -0,0 +1,99 @@ +package shopify + +import ( + "context" + "encoding/json" + "net/http" + "regexp" + "strings" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct{} + +// Ensure the Scanner satisfies the interface at compile time +var _ detectors.Detector = (*Scanner)(nil) + +var ( + client = common.SaneHttpClient() + + // Make sure that your group is surrounded in boundry characters such as below to reduce false positives. + keyPat = regexp.MustCompile(`\b(shppa_|shpat_)([0-9A-Fa-f]{32})\b`) + domainPat = regexp.MustCompile(`[a-zA-Z0-9-]+\.myshopify\.com`) +) + +// Keywords are used for efficiently pre-filtering chunks. +// Use identifiers in the secret preferably, or the provider name. +func (s Scanner) Keywords() []string { + return []string{"shppa_", "shpat_"} +} + +// FromData will find and optionally verify Shopify secrets in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + keyMatches := keyPat.FindAllString(dataStr, -1) + domainMatches := domainPat.FindAllString(dataStr, -1) + + for _, match := range keyMatches { + key := strings.TrimSpace(match) + + for _, domainMatch := range domainMatches { + domainRes := strings.TrimSpace(domainMatch) + + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_Shopify, + Redacted: domainRes, + Raw: []byte(key + domainRes), + } + + if verify { + req, err := http.NewRequestWithContext(ctx, "GET", "https://"+domainRes+"/admin/oauth/access_scopes.json", nil) + if err != nil { + continue + } + req.Header.Add("X-Shopify-Access-Token", key) + res, err := client.Do(req) + if err == nil { + if res.StatusCode >= 200 && res.StatusCode < 300 { + shopifyTokenAccessScopes := shopifyTokenAccessScopes{} + err := json.NewDecoder(res.Body).Decode(&shopifyTokenAccessScopes) + if err == nil { + var handleArray []string + for _, handle := range shopifyTokenAccessScopes.AccessScopes { + handleArray = append(handleArray, handle.Handle) + + } + s1.Verified = true + s1.ExtraData = map[string]string{ + "access_scopes": strings.Join(handleArray, ","), + } + } + res.Body.Close() + } + } else { + // This function will check false positives for common test words, but also it will make sure the key appears 'random' enough to be a real key. + if detectors.IsKnownFalsePositive(key, detectors.DefaultFalsePositives, true) { + continue + } + } + } + + results = append(results, s1) + + } + + } + + return results, nil + +} + +type shopifyTokenAccessScopes struct { + AccessScopes []struct { + Handle string `json:"handle"` + } `json:"access_scopes"` +} diff --git a/pkg/detectors/shopify/shopify_test.go b/pkg/detectors/shopify/shopify_test.go new file mode 100644 index 000000000000..475da6c53d8c --- /dev/null +++ b/pkg/detectors/shopify/shopify_test.go @@ -0,0 +1,123 @@ +package shopify + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/kylelemons/godebug/pretty" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +func TestShopify_FromChunk(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) + defer cancel() + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors4") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + secret := testSecrets.MustGetField("SHOPIFY_ADMIN_SECRET") + inactiveSecret := testSecrets.MustGetField("SHOPIFY_ADMIN_SECRET_INACTIVE") + domain := testSecrets.MustGetField("SHOPIFY_DOMAIN") + + type args struct { + ctx context.Context + data []byte + verify bool + } + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a shopify secret %s domain https://%s", secret, domain)), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_Shopify, + Redacted: domain, + Verified: true, + ExtraData: map[string]string{ + "access_scopes": "read_analytics,unauthenticated_read_selling_plans", + }, + }, + }, + wantErr: false, + }, + { + name: "found, unverified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte(fmt.Sprintf("You can find a shopify secret %s within (domain https://%s) but not valid", inactiveSecret, domain)), // the secret would satisfy the regex but not pass validation + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detectorspb.DetectorType_Shopify, + Redacted: domain, + Verified: false, + ExtraData: nil, + }, + }, + wantErr: false, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("You cannot find the secret within"), + verify: true, + }, + want: nil, + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + s := Scanner{} + got, err := s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Errorf("Shopify.FromData() error = %v, wantErr %v", err, tt.wantErr) + return + } + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatalf("no raw secret present: \n %+v", got[i]) + } + got[i].Raw = nil + } + if diff := pretty.Compare(got, tt.want); diff != "" { + t.Errorf("Shopify.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkFromData(benchmark *testing.B) { + ctx := context.Background() + s := Scanner{} + for name, data := range detectors.MustGetBenchmarkData() { + benchmark.Run(name, func(b *testing.B) { + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} diff --git a/pkg/engine/defaults.go b/pkg/engine/defaults.go index 1ea37ba4c88f..a6b252ef3126 100644 --- a/pkg/engine/defaults.go +++ b/pkg/engine/defaults.go @@ -564,6 +564,7 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/sherpadesk" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/shipday" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/shodankey" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/shopify" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/shortcut" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/shotstack" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/shutterstock" @@ -1488,5 +1489,6 @@ func DefaultDetectors() []detectors.Detector { sqlserver.Scanner{}, redis.Scanner{}, ftp.Scanner{}, + shopify.Scanner{}, } } diff --git a/pkg/pb/detectorspb/detectors.pb.go b/pkg/pb/detectorspb/detectors.pb.go index 724bb8dd76a5..f300db7eca4d 100644 --- a/pkg/pb/detectorspb/detectors.pb.go +++ b/pkg/pb/detectorspb/detectors.pb.go @@ -969,6 +969,7 @@ const ( DetectorType_SQLServer DetectorType = 898 DetectorType_FTP DetectorType = 899 DetectorType_Redis DetectorType = 900 + DetectorType_Shopify DetectorType = 902 ) // Enum value maps for DetectorType. @@ -1871,6 +1872,7 @@ var ( 898: "SQLServer", 899: "FTP", 900: "Redis", + 902: "Shopify", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -2770,6 +2772,7 @@ var ( "SQLServer": 898, "FTP": 899, "Redis": 900, + "Shopify": 902, } ) @@ -3134,7 +3137,7 @@ var file_detectors_proto_rawDesc = []byte{ 0x0a, 0x0b, 0x44, 0x65, 0x63, 0x6f, 0x64, 0x65, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x50, 0x4c, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x42, 0x41, 0x53, 0x45, 0x36, 0x34, 0x10, - 0x02, 0x2a, 0xd7, 0x70, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, + 0x02, 0x2a, 0xe5, 0x70, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10, 0x03, 0x12, 0x0a, 0x0a, @@ -4035,12 +4038,12 @@ var file_detectors_proto_rawDesc = []byte{ 0x12, 0x13, 0x0a, 0x0e, 0x44, 0x69, 0x67, 0x69, 0x74, 0x61, 0x6c, 0x4f, 0x63, 0x65, 0x61, 0x6e, 0x56, 0x32, 0x10, 0x81, 0x07, 0x12, 0x0e, 0x0a, 0x09, 0x53, 0x51, 0x4c, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x10, 0x82, 0x07, 0x12, 0x08, 0x0a, 0x03, 0x46, 0x54, 0x50, 0x10, 0x83, 0x07, 0x12, - 0x0a, 0x0a, 0x05, 0x52, 0x65, 0x64, 0x69, 0x73, 0x10, 0x84, 0x07, 0x42, 0x3d, 0x5a, 0x3b, 0x67, - 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, - 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, - 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, - 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x33, + 0x0a, 0x0a, 0x05, 0x52, 0x65, 0x64, 0x69, 0x73, 0x10, 0x84, 0x07, 0x12, 0x0c, 0x0a, 0x07, 0x53, + 0x68, 0x6f, 0x70, 0x69, 0x66, 0x79, 0x10, 0x86, 0x07, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, + 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, + 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, + 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, + 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/proto/detectors.proto b/proto/detectors.proto index 289ea950a58c..313c3aec1e15 100644 --- a/proto/detectors.proto +++ b/proto/detectors.proto @@ -908,6 +908,7 @@ enum DetectorType { SQLServer = 898; FTP = 899; Redis = 900; + Shopify = 902; } message Result {