feat: google oauth2 detector

Onboardbase · Oct 23, 2024 · 3a16733 · 3a16733
1 parent cfb3fd9
commit 3a16733
Show file tree

Hide file tree

Showing 9 changed files with 156 additions and 60 deletions.
diff --git a/src/detectors/detectors.ts b/src/detectors/detectors.ts
@@ -30,6 +30,7 @@ import { GitHubClassicTokenDetectorV1 } from "./github/classic/v1";
 import { GitHubClassicTokenDetectorV2 } from "./github/classic/v2";
 import { GitLabDetectorV1 } from "./gitlab/v1";
 import { GitLabDetectorV2 } from "./gitlab/v2";
+import { GoogleOauth2Detector } from "./googleoauth2";
 import { MailgunDetector } from "./mailgun";
 import { MailjetBasicAuthDetector } from "./mailjet/basicAuth";
 import { MailjetSmsDetector } from "./mailjet/sms";
@@ -52,56 +53,56 @@ import { SlackWebhooksDetector } from "./slackwebhook";
 import { StripeDetector } from "./stripe";
 
 export const detectors: Detector[] = [
-  // AgoraDetector,
-  // AlgoliaDetector,
-  // AnthropicDetector,
-  // ApifyDetector,
-  // AWSDetector,
-  // AzureDetector,
-  // BraintreeDetector,
-  // GCPDetector,
-  // GeminiDetector,
-  // GitHubClassicTokenDetectorV1,
-  // GitHubClassicTokenDetectorV2,
-  // GitLabDetectorV1,
-  // GitLabDetectorV2,
-  // MailgunDetector,
-  // MailjetBasicAuthDetector,
-  // MailjetSmsDetector,
-  // MixpanelDetector,
-  // MongoDBDetector,
-  // MuxDetector,
-  // MySQLDetector,
-  // OktaDetector,
-  // OpenAIDetector,
-  // PaystackDetector,
-  // PostgreSQLDetector,
-  // PostmanDetector,
-  // RedisDetector,
-  // SendgridDetector,
-  // SlackDetector,
-
-  // AtlassianV1Detector,
-  // AtlassianV2Detector,
-  // CensysDetector,
-  // ChatbotDetector,
-  // CloudflareDetector,
-  // CodacyDetector,
-  // CodeClimateDetector,
-  // CoinApiDetector,
-  // CoinbaseDetector,
-  // ConfluentDetector,
-  // DigitaloceanV1Detector,
-  // DigitaloceanV2Detector,
-  // DiscordBotTokenDetector,
-  // DiscordWebhookDetector,
-  // DisqusDetector,
-  // DocusignDetector,
-  // DropboxDetector,
-  // FlickrDetector,
-  // StripeDetector,
-  // SlackWebhooksDetector,
+  AgoraDetector,
+  AlgoliaDetector,
+  AnthropicDetector,
+  ApifyDetector,
+  AWSDetector,
+  AzureDetector,
+  BraintreeDetector,
+  GCPDetector,
+  GeminiDetector,
+  GitHubClassicTokenDetectorV1,
+  GitHubClassicTokenDetectorV2,
+  GitLabDetectorV1,
+  GitLabDetectorV2,
+  MailgunDetector,
+  MailjetBasicAuthDetector,
+  MailjetSmsDetector,
+  MixpanelDetector,
+  MongoDBDetector,
+  MuxDetector,
+  MySQLDetector,
+  OktaDetector,
+  OpenAIDetector,
+  PaystackDetector,
+  PostgreSQLDetector,
+  PostmanDetector,
+  RedisDetector,
+  SendgridDetector,
+  SlackDetector,
+  AtlassianV1Detector,
+  AtlassianV2Detector,
+  CensysDetector,
+  ChatbotDetector,
+  CloudflareDetector,
+  CodacyDetector,
+  CodeClimateDetector,
+  CoinApiDetector,
+  CoinbaseDetector,
+  ConfluentDetector,
+  DigitaloceanV1Detector,
+  DigitaloceanV2Detector,
+  DiscordBotTokenDetector,
+  DiscordWebhookDetector,
+  DisqusDetector,
+  DocusignDetector,
+  DropboxDetector,
+  FlickrDetector,
+  StripeDetector,
+  SlackWebhooksDetector,
   NpmV1Detector,
   NpmV2Detector,
   NotionDetector,
+  GoogleOauth2Detector,
 ];
diff --git a/src/detectors/docusign/index.ts b/src/detectors/docusign/index.ts
@@ -14,7 +14,8 @@ const keyPattern: Re2 = new Re2(
 const idPattern = new Re2(
   `${surroundWithGroups([
     "secret",
-  ])}\\b([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\\b`
+  ])}\\b([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\\b`,
+  "gi"
 );
 
 const scan = async (

diff --git a/src/detectors/flickr/index.ts b/src/detectors/flickr/index.ts
@@ -27,7 +27,7 @@ const scan = async (
     if (verify) {
       try {
         await axios.get(
-          `https://www.flickr.com/services/rest/?method=flickr.tags.getHotList&api_key=${resMatch}`
+          `https://flickr.com/services/rest/?method=flickr.tags.getHotList&api_key=${resMatch}`
         );
 
         result.verified = true;

diff --git a/src/detectors/googleoauth2/index.ts b/src/detectors/googleoauth2/index.ts
@@ -0,0 +1,43 @@
+import Re2 from "re2";
+import axios from "axios";
+import { Detector, ScanResult } from "../../types/detector";
+
+const keywords: string[] = ["ya29."];
+const keyPattern = new Re2(/ya29\.[\w\-\.]+/, "gi");
+
+const scan = async (
+  verify: boolean | undefined,
+  data: string
+): Promise<ScanResult | null> => {
+  const matches = data.matchAll(keyPattern);
+  let result: ScanResult = { detectorType: "Google Oauth2", verified: false };
+
+  for (const match of matches) {
+    if (!match) continue;
+    const resMatch = match[0].trim();
+    result.rawValue = resMatch;
+    result.position = match.index;
+
+    if (verify) {
+      try {
+        const { data } = await axios.get(
+          `https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=${resMatch}`
+        );
+
+        result.verified = true;
+      } catch (error) {}
+    }
+
+    return result;
+  }
+
+  return null;
+};
+
+const detectorType = "GOOGLE_OAUTH2_DETECTOR";
+
+export const GoogleOauth2Detector: Detector = {
+  scan,
+  keywords,
+  detectorType,
+};
diff --git a/src/detectors/stripe/index.ts b/src/detectors/stripe/index.ts
@@ -2,7 +2,7 @@ import Re2 from "re2";
 import axios from "axios";
 import { Detector, ScanResult } from "../../types/detector";
 
-const keywords: string[] = ["k_live", "k_test"];
+const keywords: string[] = ["rk_live", "rk_test"];
 
 /**
  * we only support scanning stripe restricted keys at the moment to reduce false

diff --git a/src/fileScanner.ts b/src/fileScanner.ts
@@ -23,6 +23,30 @@ const scanFileForSecrets = async (
   await processPossibleSecrets(filePath, trimmedFile, verify, core, mask, url);
 };
 
+export const processPossibleSecretsInString = async (
+  rawValue: string,
+  core: AhoCorasickCore
+) => {
+  if (rawValue === "") return;
+  let modifiedValue = rawValue;
+  const detectors = core.findMatchingDetectors(rawValue);
+
+  await Promise.all(
+    detectors.map(async (detector) => {
+      const { scan } = detector;
+      const scanResponse = await scan(false, rawValue);
+      if (scanResponse) {
+        modifiedValue = modifiedValue.replaceAll(
+          scanResponse.rawValue as string,
+          maskString(scanResponse.rawValue as string)
+        );
+      }
+    })
+  );
+
+  console.log(modifiedValue);
+};
+
 /**
  * Processes possible secrets and checks for matches.
  */
@@ -80,17 +104,22 @@ const logPotentialSecret = (
       `${
         verified
           ? "\n💯 Found verified secret"
-          : `\nPotential secret detected in ${url || filePath}`
+          : `\nPotential secret detected in ${
+              url || filePath === "" ? "RawValue" : filePath
+            }`
       }`
     )
   );
   console.log(`${chalk.bold("Detector:")} ${detector}`);
   console.log(`${chalk.bold("Line:")} ${line}`);
-  console.log(
-    `${chalk.bold("File Path:")} ${
-      url ? getActualGitURLFilePath(filePath) : filePath
-    }`
-  );
+  if (filePath !== "") {
+    console.log(
+      `${chalk.bold("File Path:")} ${
+        url ? getActualGitURLFilePath(filePath) : filePath
+      }`
+    );
+  }
+
   console.log(`${chalk.bold("Raw Value:")} ${rawValue}${extras ? "" : "\n"}`);
 
   if (extras) {

diff --git a/src/index.ts b/src/index.ts
@@ -29,6 +29,7 @@ program
     false
   )
   .option("-m, --mask", "Should mask secret values", false)
+  .option("--rawValue <string>", "a text string to scan for secrets")
   .action(async (options) => await scan(options));
 
 program

diff --git a/src/scan.ts b/src/scan.ts
@@ -1,6 +1,6 @@
 import path from "path";
 import fs from "fs";
-import { scanDirectory } from "./fileScanner";
+import { processPossibleSecretsInString, scanDirectory } from "./fileScanner";
 import { scanGitCommitsForSecrets } from "./gitScanner";
 import { configHandler } from "./configHandler";
 import { buildCustomDetectors } from "./regexHandler";
@@ -31,13 +31,33 @@ export const scan = async (options: ScanOptions): Promise<void> => {
 
     const scanPromises: Promise<void>[] = [];
 
+    if (options.rawValue && options.dir) {
+      console.log(
+        chalk.yellow(
+          "info: --rawValue & --dir was specified, defaulting to --dir"
+        )
+      );
+    }
+
+    if (options.rawValue && !options.dir && !options.url) {
+      scanPromises.push(processPossibleSecretsInString(options.rawValue, core));
+    }
+
+    /**
+     * Remote git scanning
+     */
     if (options.url) {
       scanPromises.push(
         scanUrl(options, excludedFolders, excludedExtensions, core)
       );
     }
 
-    if (!options.changed && !options.url) {
+    /**
+     * Scans specified directory or current working directory
+     * only runs if --url is not specified that is user is not trying
+     * to scan a git repo
+     */
+    if (options.dir && !options.url) {
       scanPromises.push(
         scanCodebase(
           startDirectory,

diff --git a/src/types/index.ts b/src/types/index.ts
@@ -10,6 +10,7 @@ export interface ScanOptions {
   changed?: boolean;
   verify?: boolean;
   mask?: boolean;
+  rawValue?: string;
 }
 
 export interface Config {