Detector-Competition-New - Created Grafana Cloud API Key detector #1959
Conversation
dustin-decker
added
the
Hacktoberfest-Detector-Competition-New
pkg/detectors/grafana/grafana.go
Outdated
| var ( | ||
| defaultClient = common.SaneHttpClient() | ||
| // Make sure that your group is surrounded in boundary characters such as below to reduce false positives. | ||
| keyPat = regexp.MustCompile(`(glc_[A-Za-z0-9+\/]{50,150}\={0,2})`) |
There was a problem hiding this comment.
we should add a prefix, and word bounds
regexp.MustCompile(detectors.PrefixRegex([]string{"grafana"}) + `\b(glc_[A-Za-z0-9+\/]{50,150}\={0,2})\b`)
There was a problem hiding this comment.
also, what made you add \={0,2}? i was not able to generate a token with that format
There was a problem hiding this comment.
I agree with word bounds, but I'd argue that a prefix isn't necessary due to the token's glc_ prefix. Adding "grafana" as a prefix will result in valid secrets being missed, in part because of #2035.
also, what made you add ={0,2}? i was not able to generate a token with that format
The part after glc_ is a base64-encoded JWK, so = at the end is possible even if unlikely.
There was a problem hiding this comment.
yes @rgmz you are correct. adding word bound /b is causing issue due the presence of == sign in the secret. Also , its base64 encoded so == presence is possible. also glc_ is unique in itself so i didn't include the prefix regex of "grafana"
There was a problem hiding this comment.
if i include the /b word boundary and the token contains an = sign. the regex is not picking it up and only picks up the part before it missing the = sign all together from the secret detection.
There was a problem hiding this comment.
makes sense, let's omit the prefix. i don't understand why the word bounds causes the = to not be picked up, but you're right that is indeed the case. i think it still makes sense to add at the beginning at least
There was a problem hiding this comment.
its because "=" is part of the word boundary char so it's not picked up. I added the /b at the beginning of the regex.
There was a problem hiding this comment.
i don't understand why the word bounds causes the = to not be picked up
@ankushgoel27 is correct.
Word boundaries (\b) match the following conditions:
^[a-zA-Z0-9_](start followed by word character)[a-zA-Z0-9_]$(word character followed by end)[^a-zA-Z0-9_][a-zA-Z0-9_](non-word character followed by word character)[a-zA-Z0-9_][^a-zA-Z0-9_](word character followed by non-word character)
Hence, the = at the end isn't picked up because it is treated as a word boundary itself.
Description:
This PR adds the detector to detect the Grafana cloud API detector. Opened before in PR #1865
How to create a token is described here - https://grafana.com/docs/grafana-cloud/developer-resources/api-reference/cloud-api/
Checklist:
make test-community)?make lintthis requires golangci-lint)?