From 6c542a5ae69ddd1214cb9dcb57ec2efbaf9ee42d Mon Sep 17 00:00:00 2001 From: Muneeb Ullah Khan <100969065+MuneebUllahKhan222@users.noreply.github.com> Date: Thu, 14 May 2026 11:55:20 +0500 Subject: [PATCH] [INS-335] Added AWS Appsync Detector (#4803) * Added AWS Appsync Detector * added detector to defaults.go * imprved regex and regen protos * added secretparts * ignored secret parts in test * resolved bugbot comment --- pkg/detectors/aws/appsync/appsync.go | 172 +++++++++++++++ .../aws/appsync/appsync_integration_test.go | 201 ++++++++++++++++++ pkg/detectors/aws/appsync/appsync_test.go | 136 ++++++++++++ pkg/engine/defaults/defaults.go | 2 + pkg/pb/detector_typepb/detector_type.pb.go | 18 +- proto/detector_type.proto | 1 + 6 files changed, 523 insertions(+), 7 deletions(-) create mode 100644 pkg/detectors/aws/appsync/appsync.go create mode 100644 pkg/detectors/aws/appsync/appsync_integration_test.go create mode 100644 pkg/detectors/aws/appsync/appsync_test.go diff --git a/pkg/detectors/aws/appsync/appsync.go b/pkg/detectors/aws/appsync/appsync.go new file mode 100644 index 000000000..4d3abed0a --- /dev/null +++ b/pkg/detectors/aws/appsync/appsync.go @@ -0,0 +1,172 @@ +package appsync + +import ( + "bytes" + "context" + "fmt" + "io" + "net/http" + + regexp "github.com/wasilibs/go-re2" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detector_typepb" +) + +type Scanner struct { + client *http.Client + detectors.DefaultMultiPartCredentialProvider +} + +// Compile-time interface check +var _ detectors.Detector = (*Scanner)(nil) + +var ( + defaultClient = common.SaneHttpClient() + + apiKeyPat = regexp.MustCompile( + `\b(da2-[a-z0-9]{26})\b`, + ) + + endpointPat = regexp.MustCompile( + `(https:\/\/[a-z0-9]{26}\.appsync-api\.[a-z0-9-]+\.amazonaws\.com)([^a-zA-Z0-9.-]|$)`, + ) +) + +func (s Scanner) Keywords() []string { + return []string{"da2-"} +} + +func (s Scanner) getClient() *http.Client { + if s.client != nil { + return s.client + } + return defaultClient +} + +func (s Scanner) FromData( + ctx context.Context, + verify bool, + data []byte, +) (results []detectors.Result, err error) { + + dataStr := string(data) + + keys := make(map[string]struct{}) + endpoints := make(map[string]struct{}) + + for _, m := range apiKeyPat.FindAllStringSubmatch(dataStr, -1) { + keys[m[1]] = struct{}{} + } + + for _, m := range endpointPat.FindAllStringSubmatch(dataStr, -1) { + normalizedEndpoint := m[1] + "/graphql" + endpoints[normalizedEndpoint] = struct{}{} + } + + for key := range keys { + for endpoint := range endpoints { + + result := detectors.Result{ + DetectorType: detector_typepb.DetectorType_AWSAppSync, + Raw: []byte(key), + RawV2: []byte(fmt.Sprintf("%s:%s", endpoint, key)), + SecretParts: map[string]string{ + "key": key, + "endpoint": endpoint, + }, + ExtraData: map[string]string{ + "base_url": endpoint, + }, + } + + if verify { + verified, verificationErr := verifyAppSyncKey( + ctx, + s.getClient(), + endpoint, + key, + ) + + result.SetVerificationError(verificationErr, key) + result.Verified = verified + } + + results = append(results, result) + } + } + + return +} + +func verifyAppSyncKey( + ctx context.Context, + client *http.Client, + endpoint string, + key string, +) (bool, error) { + + query := `{"query":"query { __typename }"}` + + req, err := http.NewRequestWithContext( + ctx, + http.MethodPost, + endpoint, + bytes.NewBufferString(query), + ) + if err != nil { + return false, err + } + + req.Header.Set("Content-Type", "application/json") + req.Header.Set("x-api-key", key) + + res, err := client.Do(req) + if err != nil { + return false, err + } + + defer func() { + _, _ = io.Copy(io.Discard, res.Body) + _ = res.Body.Close() + }() + + // https://docs.aws.amazon.com/appsync/latest/APIReference/CommonErrors.html + switch res.StatusCode { + + case http.StatusOK: + return true, nil + + case http.StatusBadGateway: + bodyBytes, err := io.ReadAll(res.Body) + if err != nil { + return false, err + } + // Appsync returns 502 with a specific error message in the body when the key is valid but has no schema defined, + // so we treat that as a valid key + if bytes.Contains(bodyBytes, []byte("No schema definition exists")) { + return true, nil + } + return false, fmt.Errorf("502 Bad Gateway: unexpected response") + + // Appsync return 401 for invalid keys + // Appsync return 403 for some time after the token is deleted + case http.StatusUnauthorized, http.StatusForbidden: + return false, nil + + default: + return false, fmt.Errorf( + "unexpected HTTP response status %d", + res.StatusCode, + ) + } +} + +func (s Scanner) Type() detector_typepb.DetectorType { + return detector_typepb.DetectorType_AWSAppSync +} + +func (s Scanner) Description() string { + return "AWS AppSync is a managed GraphQL service. This detector identifies exposed AppSync API keys." +} diff --git a/pkg/detectors/aws/appsync/appsync_integration_test.go b/pkg/detectors/aws/appsync/appsync_integration_test.go new file mode 100644 index 000000000..4be954141 --- /dev/null +++ b/pkg/detectors/aws/appsync/appsync_integration_test.go @@ -0,0 +1,201 @@ +//go:build detectors +// +build detectors + +package appsync + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detector_typepb" +) + +func TestAppSync_FromData(t *testing.T) { + ctx, cancel := context.WithTimeout(context.Background(), time.Second*10) + defer cancel() + + // Secrets are expected to be stored similarly to other detector tests + testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors6") + if err != nil { + t.Fatalf("could not get test secrets from GCP: %s", err) + } + + activeKey := testSecrets.MustGetField("APPSYNC_API_KEY") + endpoint := testSecrets.MustGetField("APPSYNC_API_URL") + + revokedEndpoint := "https://nr2nchyfwvc53lgrlvsa2pfpzq.appsync-api.us-east-1.amazonaws.com/graphql" + inactiveKey := "da2-abcdefghijklmnopqrstuvwxyz" + + type args struct { + ctx context.Context + data []byte + verify bool + } + + tests := []struct { + name string + s Scanner + args args + want []detectors.Result + wantErr bool + wantVerificationErr bool + }{ + { + name: "found, verified", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: fmt.Appendf([]byte{}, "endpoint=%s key=%s", endpoint, activeKey), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detector_typepb.DetectorType_AWSAppSync, + Verified: true, + Raw: []byte(activeKey), + RawV2: []byte(fmt.Sprintf("%s:%s", endpoint, activeKey)), + }, + }, + }, + { + name: "found, verification error due to timeout", + s: Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)}, + args: args{ + ctx: context.Background(), + data: fmt.Appendf([]byte{}, "endpoint=%s key=%s", endpoint, activeKey), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detector_typepb.DetectorType_AWSAppSync, + Verified: false, + Raw: []byte(activeKey), + RawV2: []byte(fmt.Sprintf("%s:%s", endpoint, activeKey)), + }, + }, + wantVerificationErr: true, + }, + { + name: "found, verification error unexpected api surface", + s: Scanner{client: common.ConstantResponseHttpClient(500, "{}")}, + args: args{ + ctx: context.Background(), + data: fmt.Appendf([]byte{}, "endpoint=%s key=%s", endpoint, activeKey), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detector_typepb.DetectorType_AWSAppSync, + Verified: false, + Raw: []byte(activeKey), + RawV2: []byte(fmt.Sprintf("%s:%s", endpoint, activeKey)), + }, + }, + wantVerificationErr: true, + }, + // Host will be unreachable for such cases + { + name: "found, Revoked key and endpoint", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: fmt.Appendf([]byte{}, "endpoint=%s key=%s", revokedEndpoint, inactiveKey), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detector_typepb.DetectorType_AWSAppSync, + Verified: false, + Raw: []byte(inactiveKey), + RawV2: []byte(fmt.Sprintf("%s:%s", revokedEndpoint, inactiveKey)), + }, + }, + wantVerificationErr: true, + }, + { + name: "found, valid endpoint and invalid key", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: fmt.Appendf([]byte{}, "endpoint=%s key=%s", endpoint, inactiveKey), + verify: true, + }, + want: []detectors.Result{ + { + DetectorType: detector_typepb.DetectorType_AWSAppSync, + Verified: false, + Raw: []byte(inactiveKey), + RawV2: []byte(fmt.Sprintf("%s:%s", endpoint, inactiveKey)), + }, + }, + }, + { + name: "not found", + s: Scanner{}, + args: args{ + ctx: context.Background(), + data: []byte("no secrets here"), + verify: true, + }, + want: nil, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data) + if (err != nil) != tt.wantErr { + t.Fatalf("AppSync.FromData() error = %v, wantErr %v", err, tt.wantErr) + } + + for i := range got { + if len(got[i].Raw) == 0 { + t.Fatal("no raw secret present") + } + if (got[i].VerificationError() != nil) != tt.wantVerificationErr { + t.Fatalf( + "wantVerificationError = %v, verification error = %v", + tt.wantVerificationErr, + got[i].VerificationError(), + ) + } + } + + ignoreOpts := cmpopts.IgnoreFields( + detectors.Result{}, + "ExtraData", + "verificationError", + "primarySecret", + "SecretParts", + ) + + if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" { + t.Errorf("AppSync.FromData() %s diff: (-got +want)\n%s", tt.name, diff) + } + }) + } +} + +func BenchmarkAppSync_FromData(b *testing.B) { + ctx := context.Background() + s := Scanner{} + + for name, data := range detectors.MustGetBenchmarkData() { + b.Run(name, func(b *testing.B) { + b.ResetTimer() + for n := 0; n < b.N; n++ { + _, err := s.FromData(ctx, false, data) + if err != nil { + b.Fatal(err) + } + } + }) + } +} diff --git a/pkg/detectors/aws/appsync/appsync_test.go b/pkg/detectors/aws/appsync/appsync_test.go new file mode 100644 index 000000000..3002b0ecf --- /dev/null +++ b/pkg/detectors/aws/appsync/appsync_test.go @@ -0,0 +1,136 @@ +package appsync + +import ( + "context" + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/require" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" +) + +func TestAppSync_Pattern(t *testing.T) { + d := Scanner{} + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + + tests := []struct { + name string + input string + want []string + }{ + { + name: "valid pattern - key and endpoint", + input: ` + const endpoint = "https://abcdefghijklmnopqrstuvwxyz.appsync-api.us-east-1.amazonaws.com/graphql"; + const key = "da2-abcdefghijklmnopqrstuvwxyz"; + `, + want: []string{ + "https://abcdefghijklmnopqrstuvwxyz.appsync-api.us-east-1.amazonaws.com/graphql:da2-abcdefghijklmnopqrstuvwxyz", + }, + }, + { + name: "valid pattern - key and endpoint(endpoint without /graphql)", + input: ` + const endpoint = "https://abcdefghijklmnopqrstuvwxyz.appsync-api.us-east-1.amazonaws.com"; + const key = "da2-abcdefghijklmnopqrstuvwxyz"; + `, + want: []string{ + "https://abcdefghijklmnopqrstuvwxyz.appsync-api.us-east-1.amazonaws.com/graphql:da2-abcdefghijklmnopqrstuvwxyz", + }, + }, + { + name: "valid pattern - multiple keys and endpoints", + input: ` + https://aaaaaaaaaaaaaaaaaaaaaaaaaa.appsync-api.us-west-2.amazonaws.com/graphql + da2-aaaaaaaaaaaaaaaaaaaaaaaaaa + + https://bbbbbbbbbbbbbbbbbbbbbbbbbb.appsync-api.eu-central-1.amazonaws.com/graphql + da2-bbbbbbbbbbbbbbbbbbbbbbbbbb + `, + want: []string{ + "https://aaaaaaaaaaaaaaaaaaaaaaaaaa.appsync-api.us-west-2.amazonaws.com/graphql:da2-aaaaaaaaaaaaaaaaaaaaaaaaaa", + "https://bbbbbbbbbbbbbbbbbbbbbbbbbb.appsync-api.eu-central-1.amazonaws.com/graphql:da2-aaaaaaaaaaaaaaaaaaaaaaaaaa", + "https://aaaaaaaaaaaaaaaaaaaaaaaaaa.appsync-api.us-west-2.amazonaws.com/graphql:da2-bbbbbbbbbbbbbbbbbbbbbbbbbb", + "https://bbbbbbbbbbbbbbbbbbbbbbbbbb.appsync-api.eu-central-1.amazonaws.com/graphql:da2-bbbbbbbbbbbbbbbbbbbbbbbbbb", + }, + }, + { + name: "invalid pattern - uppercase key", + input: ` + https://abcdefghijklmnopqrstuvwxyz.appsync-api.us-east-1.amazonaws.com/graphql + da2-ABCDEFGHIJKLMNOPQRSTUVWXYZ + `, + want: nil, + }, + { + name: "invalid pattern - key too short", + input: ` + https://abcdefghijklmnopqrstuvwxyz.appsync-api.us-east-1.amazonaws.com/graphql + da2-abc123 + `, + want: nil, + }, + { + name: "invalid pattern - key only", + input: ` + da2-abcdefghijklmnopqrstuvwxyz + `, + want: nil, + }, + { + name: "invalid pattern - malformed endpoint", + input: ` + https://abc.appsync-api.us-east-1.amazonaws.com/graphql + da2-abcdefghijklmnopqrstuvwxyz + `, + want: nil, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 { + t.Errorf( + "test %q failed: expected keywords %v to be found in the input", + test.name, + d.Keywords(), + ) + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + require.NoError(t, err) + + if len(results) != len(test.want) { + t.Errorf( + "mismatch in result count: expected %d, got %d", + len(test.want), + len(results), + ) + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} diff --git a/pkg/engine/defaults/defaults.go b/pkg/engine/defaults/defaults.go index 93b7a2d2d..ff5c5e6ab 100644 --- a/pkg/engine/defaults/defaults.go +++ b/pkg/engine/defaults/defaults.go @@ -65,6 +65,7 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/avazapersonalaccesstoken" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/aviationstack" aws_access_keys "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/aws/access_keys" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/aws/appsync" aws_session_keys "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/aws/session_keys" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/axonaut" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/aylien" @@ -918,6 +919,7 @@ func buildDetectorList() []detectors.Detector { &appfollow.Scanner{}, &appointedd.Scanner{}, &appoptics.Scanner{}, + &appsync.Scanner{}, &appsynergy.Scanner{}, &apptivo.Scanner{}, &artifactory.Scanner{}, diff --git a/pkg/pb/detector_typepb/detector_type.pb.go b/pkg/pb/detector_typepb/detector_type.pb.go index 25a829693..11428679d 100644 --- a/pkg/pb/detector_typepb/detector_type.pb.go +++ b/pkg/pb/detector_typepb/detector_type.pb.go @@ -1105,6 +1105,7 @@ const ( DetectorType_Pinecone DetectorType = 1049 DetectorType_GitLabOauth2 DetectorType = 1050 DetectorType_SpectralOps DetectorType = 1051 + DetectorType_AWSAppSync DetectorType = 1052 ) // Enum value maps for DetectorType. @@ -2158,6 +2159,7 @@ var ( 1049: "Pinecone", 1050: "GitLabOauth2", 1051: "SpectralOps", + 1052: "AWSAppSync", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -3208,6 +3210,7 @@ var ( "Pinecone": 1049, "GitLabOauth2": 1050, "SpectralOps": 1051, + "AWSAppSync": 1052, } ) @@ -3243,7 +3246,7 @@ var File_detector_type_proto protoreflect.FileDescriptor var file_detector_type_proto_rawDesc = []byte{ 0x0a, 0x13, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0d, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, - 0x74, 0x79, 0x70, 0x65, 0x2a, 0xd1, 0x88, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, + 0x74, 0x79, 0x70, 0x65, 0x2a, 0xe2, 0x88, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10, @@ -4336,12 +4339,13 @@ var file_detector_type_proto_rawDesc = []byte{ 0x72, 0x79, 0x10, 0x98, 0x08, 0x12, 0x0d, 0x0a, 0x08, 0x50, 0x69, 0x6e, 0x65, 0x63, 0x6f, 0x6e, 0x65, 0x10, 0x99, 0x08, 0x12, 0x11, 0x0a, 0x0c, 0x47, 0x69, 0x74, 0x4c, 0x61, 0x62, 0x4f, 0x61, 0x75, 0x74, 0x68, 0x32, 0x10, 0x9a, 0x08, 0x12, 0x10, 0x0a, 0x0b, 0x53, 0x70, 0x65, 0x63, 0x74, - 0x72, 0x61, 0x6c, 0x4f, 0x70, 0x73, 0x10, 0x9b, 0x08, 0x42, 0x41, 0x5a, 0x3f, 0x67, 0x69, 0x74, - 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73, - 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68, - 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74, - 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x72, 0x61, 0x6c, 0x4f, 0x70, 0x73, 0x10, 0x9b, 0x08, 0x12, 0x0f, 0x0a, 0x0a, 0x41, 0x57, 0x53, + 0x41, 0x70, 0x70, 0x53, 0x79, 0x6e, 0x63, 0x10, 0x9c, 0x08, 0x42, 0x41, 0x5a, 0x3f, 0x67, 0x69, + 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, + 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, + 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, + 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x70, 0x62, 0x62, 0x06, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/proto/detector_type.proto b/proto/detector_type.proto index 0e82a7238..6423f9ede 100644 --- a/proto/detector_type.proto +++ b/proto/detector_type.proto @@ -1053,4 +1053,5 @@ enum DetectorType { Pinecone = 1049; GitLabOauth2 = 1050; SpectralOps = 1051; + AWSAppSync = 1052; }