[INS-335] Added AWS Appsync Detector (#4803)

* Added AWS Appsync Detector * added detector to defaults.go * imprved regex and regen protos * added secretparts * ignored secret parts in test * resolved bugbot comment
2026-05-16 13:20:35 +00:00 · 2026-05-14 11:55:20 +05:00
parent 2edd4d326a
commit 6c542a5ae6
6 changed files with 523 additions and 7 deletions
@@ -0,0 +1,172 @@
+package appsync
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+
+	regexp "github.com/wasilibs/go-re2"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detector_typepb"
+)
+
+type Scanner struct {
+	client *http.Client
+	detectors.DefaultMultiPartCredentialProvider
+}
+
+// Compile-time interface check
+var _ detectors.Detector = (*Scanner)(nil)
+
+var (
+	defaultClient = common.SaneHttpClient()
+
+	apiKeyPat = regexp.MustCompile(
+		`\b(da2-[a-z0-9]{26})\b`,
+	)
+
+	endpointPat = regexp.MustCompile(
+		`(https:\/\/[a-z0-9]{26}\.appsync-api\.[a-z0-9-]+\.amazonaws\.com)([^a-zA-Z0-9.-]|$)`,
+	)
+)
+
+func (s Scanner) Keywords() []string {
+	return []string{"da2-"}
+}
+
+func (s Scanner) getClient() *http.Client {
+	if s.client != nil {
+		return s.client
+	}
+	return defaultClient
+}
+
+func (s Scanner) FromData(
+	ctx context.Context,
+	verify bool,
+	data []byte,
+) (results []detectors.Result, err error) {
+
+	dataStr := string(data)
+
+	keys := make(map[string]struct{})
+	endpoints := make(map[string]struct{})
+
+	for _, m := range apiKeyPat.FindAllStringSubmatch(dataStr, -1) {
+		keys[m[1]] = struct{}{}
+	}
+
+	for _, m := range endpointPat.FindAllStringSubmatch(dataStr, -1) {
+		normalizedEndpoint := m[1] + "/graphql"
+		endpoints[normalizedEndpoint] = struct{}{}
+	}
+
+	for key := range keys {
+		for endpoint := range endpoints {
+
+			result := detectors.Result{
+				DetectorType: detector_typepb.DetectorType_AWSAppSync,
+				Raw:          []byte(key),
+				RawV2:        []byte(fmt.Sprintf("%s:%s", endpoint, key)),
+				SecretParts: map[string]string{
+					"key":      key,
+					"endpoint": endpoint,
+				},
+				ExtraData: map[string]string{
+					"base_url": endpoint,
+				},
+			}
+
+			if verify {
+				verified, verificationErr := verifyAppSyncKey(
+					ctx,
+					s.getClient(),
+					endpoint,
+					key,
+				)
+
+				result.SetVerificationError(verificationErr, key)
+				result.Verified = verified
+			}
+
+			results = append(results, result)
+		}
+	}
+
+	return
+}
+
+func verifyAppSyncKey(
+	ctx context.Context,
+	client *http.Client,
+	endpoint string,
+	key string,
+) (bool, error) {
+
+	query := `{"query":"query { __typename }"}`
+
+	req, err := http.NewRequestWithContext(
+		ctx,
+		http.MethodPost,
+		endpoint,
+		bytes.NewBufferString(query),
+	)
+	if err != nil {
+		return false, err
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("x-api-key", key)
+
+	res, err := client.Do(req)
+	if err != nil {
+		return false, err
+	}
+
+	defer func() {
+		_, _ = io.Copy(io.Discard, res.Body)
+		_ = res.Body.Close()
+	}()
+
+	// https://docs.aws.amazon.com/appsync/latest/APIReference/CommonErrors.html
+	switch res.StatusCode {
+
+	case http.StatusOK:
+		return true, nil
+
+	case http.StatusBadGateway:
+		bodyBytes, err := io.ReadAll(res.Body)
+		if err != nil {
+			return false, err
+		}
+		// Appsync returns 502 with a specific error message in the body when the key is valid but has no schema defined,
+		// so we treat that as a valid key
+		if bytes.Contains(bodyBytes, []byte("No schema definition exists")) {
+			return true, nil
+		}
+		return false, fmt.Errorf("502 Bad Gateway: unexpected response")
+
+	// Appsync return 401 for invalid keys
+	// Appsync return 403 for some time after the token is deleted
+	case http.StatusUnauthorized, http.StatusForbidden:
+		return false, nil
+
+	default:
+		return false, fmt.Errorf(
+			"unexpected HTTP response status %d",
+			res.StatusCode,
+		)
+	}
+}
+
+func (s Scanner) Type() detector_typepb.DetectorType {
+	return detector_typepb.DetectorType_AWSAppSync
+}
+
+func (s Scanner) Description() string {
+	return "AWS AppSync is a managed GraphQL service. This detector identifies exposed AppSync API keys."
+}
@@ -0,0 +1,201 @@
+//go:build detectors
+// +build detectors
+
+package appsync
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detector_typepb"
+)
+
+func TestAppSync_FromData(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
+	defer cancel()
+
+	// Secrets are expected to be stored similarly to other detector tests
+	testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors6")
+	if err != nil {
+		t.Fatalf("could not get test secrets from GCP: %s", err)
+	}
+
+	activeKey := testSecrets.MustGetField("APPSYNC_API_KEY")
+	endpoint := testSecrets.MustGetField("APPSYNC_API_URL")
+
+	revokedEndpoint := "https://nr2nchyfwvc53lgrlvsa2pfpzq.appsync-api.us-east-1.amazonaws.com/graphql"
+	inactiveKey := "da2-abcdefghijklmnopqrstuvwxyz"
+
+	type args struct {
+		ctx    context.Context
+		data   []byte
+		verify bool
+	}
+
+	tests := []struct {
+		name                string
+		s                   Scanner
+		args                args
+		want                []detectors.Result
+		wantErr             bool
+		wantVerificationErr bool
+	}{
+		{
+			name: "found, verified",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   fmt.Appendf([]byte{}, "endpoint=%s key=%s", endpoint, activeKey),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detector_typepb.DetectorType_AWSAppSync,
+					Verified:     true,
+					Raw:          []byte(activeKey),
+					RawV2:        []byte(fmt.Sprintf("%s:%s", endpoint, activeKey)),
+				},
+			},
+		},
+		{
+			name: "found, verification error due to timeout",
+			s:    Scanner{client: common.SaneHttpClientTimeOut(1 * time.Microsecond)},
+			args: args{
+				ctx:    context.Background(),
+				data:   fmt.Appendf([]byte{}, "endpoint=%s key=%s", endpoint, activeKey),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detector_typepb.DetectorType_AWSAppSync,
+					Verified:     false,
+					Raw:          []byte(activeKey),
+					RawV2:        []byte(fmt.Sprintf("%s:%s", endpoint, activeKey)),
+				},
+			},
+			wantVerificationErr: true,
+		},
+		{
+			name: "found, verification error unexpected api surface",
+			s:    Scanner{client: common.ConstantResponseHttpClient(500, "{}")},
+			args: args{
+				ctx:    context.Background(),
+				data:   fmt.Appendf([]byte{}, "endpoint=%s key=%s", endpoint, activeKey),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detector_typepb.DetectorType_AWSAppSync,
+					Verified:     false,
+					Raw:          []byte(activeKey),
+					RawV2:        []byte(fmt.Sprintf("%s:%s", endpoint, activeKey)),
+				},
+			},
+			wantVerificationErr: true,
+		},
+		// Host will be unreachable for such cases
+		{
+			name: "found, Revoked key and endpoint",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   fmt.Appendf([]byte{}, "endpoint=%s key=%s", revokedEndpoint, inactiveKey),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detector_typepb.DetectorType_AWSAppSync,
+					Verified:     false,
+					Raw:          []byte(inactiveKey),
+					RawV2:        []byte(fmt.Sprintf("%s:%s", revokedEndpoint, inactiveKey)),
+				},
+			},
+			wantVerificationErr: true,
+		},
+		{
+			name: "found, valid endpoint and invalid key",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   fmt.Appendf([]byte{}, "endpoint=%s key=%s", endpoint, inactiveKey),
+				verify: true,
+			},
+			want: []detectors.Result{
+				{
+					DetectorType: detector_typepb.DetectorType_AWSAppSync,
+					Verified:     false,
+					Raw:          []byte(inactiveKey),
+					RawV2:        []byte(fmt.Sprintf("%s:%s", endpoint, inactiveKey)),
+				},
+			},
+		},
+		{
+			name: "not found",
+			s:    Scanner{},
+			args: args{
+				ctx:    context.Background(),
+				data:   []byte("no secrets here"),
+				verify: true,
+			},
+			want: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data)
+			if (err != nil) != tt.wantErr {
+				t.Fatalf("AppSync.FromData() error = %v, wantErr %v", err, tt.wantErr)
+			}
+
+			for i := range got {
+				if len(got[i].Raw) == 0 {
+					t.Fatal("no raw secret present")
+				}
+				if (got[i].VerificationError() != nil) != tt.wantVerificationErr {
+					t.Fatalf(
+						"wantVerificationError = %v, verification error = %v",
+						tt.wantVerificationErr,
+						got[i].VerificationError(),
+					)
+				}
+			}
+
+			ignoreOpts := cmpopts.IgnoreFields(
+				detectors.Result{},
+				"ExtraData",
+				"verificationError",
+				"primarySecret",
+				"SecretParts",
+			)
+
+			if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" {
+				t.Errorf("AppSync.FromData() %s diff: (-got +want)\n%s", tt.name, diff)
+			}
+		})
+	}
+}
+
+func BenchmarkAppSync_FromData(b *testing.B) {
+	ctx := context.Background()
+	s := Scanner{}
+
+	for name, data := range detectors.MustGetBenchmarkData() {
+		b.Run(name, func(b *testing.B) {
+			b.ResetTimer()
+			for n := 0; n < b.N; n++ {
+				_, err := s.FromData(ctx, false, data)
+				if err != nil {
+					b.Fatal(err)
+				}
+			}
+		})
+	}
+}
@@ -0,0 +1,136 @@
+package appsync
+
+import (
+	"context"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/require"
+
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick"
+)
+
+func TestAppSync_Pattern(t *testing.T) {
+	d := Scanner{}
+	ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d})
+
+	tests := []struct {
+		name  string
+		input string
+		want  []string
+	}{
+		{
+			name: "valid pattern - key and endpoint",
+			input: `
+				const endpoint = "https://abcdefghijklmnopqrstuvwxyz.appsync-api.us-east-1.amazonaws.com/graphql";
+				const key = "da2-abcdefghijklmnopqrstuvwxyz";
+			`,
+			want: []string{
+				"https://abcdefghijklmnopqrstuvwxyz.appsync-api.us-east-1.amazonaws.com/graphql:da2-abcdefghijklmnopqrstuvwxyz",
+			},
+		},
+		{
+			name: "valid pattern - key and endpoint(endpoint without /graphql)",
+			input: `
+				const endpoint = "https://abcdefghijklmnopqrstuvwxyz.appsync-api.us-east-1.amazonaws.com";
+				const key = "da2-abcdefghijklmnopqrstuvwxyz";
+			`,
+			want: []string{
+				"https://abcdefghijklmnopqrstuvwxyz.appsync-api.us-east-1.amazonaws.com/graphql:da2-abcdefghijklmnopqrstuvwxyz",
+			},
+		},
+		{
+			name: "valid pattern - multiple keys and endpoints",
+			input: `
+				https://aaaaaaaaaaaaaaaaaaaaaaaaaa.appsync-api.us-west-2.amazonaws.com/graphql
+				da2-aaaaaaaaaaaaaaaaaaaaaaaaaa
+
+				https://bbbbbbbbbbbbbbbbbbbbbbbbbb.appsync-api.eu-central-1.amazonaws.com/graphql
+				da2-bbbbbbbbbbbbbbbbbbbbbbbbbb
+			`,
+			want: []string{
+				"https://aaaaaaaaaaaaaaaaaaaaaaaaaa.appsync-api.us-west-2.amazonaws.com/graphql:da2-aaaaaaaaaaaaaaaaaaaaaaaaaa",
+				"https://bbbbbbbbbbbbbbbbbbbbbbbbbb.appsync-api.eu-central-1.amazonaws.com/graphql:da2-aaaaaaaaaaaaaaaaaaaaaaaaaa",
+				"https://aaaaaaaaaaaaaaaaaaaaaaaaaa.appsync-api.us-west-2.amazonaws.com/graphql:da2-bbbbbbbbbbbbbbbbbbbbbbbbbb",
+				"https://bbbbbbbbbbbbbbbbbbbbbbbbbb.appsync-api.eu-central-1.amazonaws.com/graphql:da2-bbbbbbbbbbbbbbbbbbbbbbbbbb",
+			},
+		},
+		{
+			name: "invalid pattern - uppercase key",
+			input: `
+				https://abcdefghijklmnopqrstuvwxyz.appsync-api.us-east-1.amazonaws.com/graphql
+				da2-ABCDEFGHIJKLMNOPQRSTUVWXYZ
+			`,
+			want: nil,
+		},
+		{
+			name: "invalid pattern - key too short",
+			input: `
+				https://abcdefghijklmnopqrstuvwxyz.appsync-api.us-east-1.amazonaws.com/graphql
+				da2-abc123
+			`,
+			want: nil,
+		},
+		{
+			name: "invalid pattern - key only",
+			input: `
+				da2-abcdefghijklmnopqrstuvwxyz
+			`,
+			want: nil,
+		},
+		{
+			name: "invalid pattern - malformed endpoint",
+			input: `
+				https://abc.appsync-api.us-east-1.amazonaws.com/graphql
+				da2-abcdefghijklmnopqrstuvwxyz
+			`,
+			want: nil,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+
+			matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input))
+			if len(matchedDetectors) == 0 {
+				t.Errorf(
+					"test %q failed: expected keywords %v to be found in the input",
+					test.name,
+					d.Keywords(),
+				)
+				return
+			}
+
+			results, err := d.FromData(context.Background(), false, []byte(test.input))
+			require.NoError(t, err)
+
+			if len(results) != len(test.want) {
+				t.Errorf(
+					"mismatch in result count: expected %d, got %d",
+					len(test.want),
+					len(results),
+				)
+				return
+			}
+
+			actual := make(map[string]struct{}, len(results))
+			for _, r := range results {
+				if len(r.RawV2) > 0 {
+					actual[string(r.RawV2)] = struct{}{}
+				} else {
+					actual[string(r.Raw)] = struct{}{}
+				}
+			}
+
+			expected := make(map[string]struct{}, len(test.want))
+			for _, v := range test.want {
+				expected[v] = struct{}{}
+			}
+
+			if diff := cmp.Diff(expected, actual); diff != "" {
+				t.Errorf("%s diff: (-want +got)\n%s", test.name, diff)
+			}
+		})
+	}
+}
@@ -65,6 +65,7 @@ import (
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/avazapersonalaccesstoken"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/aviationstack"
 	aws_access_keys "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/aws/access_keys"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/aws/appsync"
 	aws_session_keys "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/aws/session_keys"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/axonaut"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors/aylien"
@@ -918,6 +919,7 @@ func buildDetectorList() []detectors.Detector {
 		&appfollow.Scanner{},
 		&appointedd.Scanner{},
 		&appoptics.Scanner{},
+		&appsync.Scanner{},
 		&appsynergy.Scanner{},
 		&apptivo.Scanner{},
 		&artifactory.Scanner{},
@@ -1105,6 +1105,7 @@ const (
 	DetectorType_Pinecone                                DetectorType = 1049
 	DetectorType_GitLabOauth2                            DetectorType = 1050
 	DetectorType_SpectralOps                             DetectorType = 1051
+	DetectorType_AWSAppSync                              DetectorType = 1052
 )

 // Enum value maps for DetectorType.
@@ -2158,6 +2159,7 @@ var (
 		1049: "Pinecone",
 		1050: "GitLabOauth2",
 		1051: "SpectralOps",
+		1052: "AWSAppSync",
 	}
 	DetectorType_value = map[string]int32{
 		"Alibaba":                               0,
@@ -3208,6 +3210,7 @@ var (
 		"Pinecone":                          1049,
 		"GitLabOauth2":                      1050,
 		"SpectralOps":                       1051,
+		"AWSAppSync":                        1052,
 	}
 )

@@ -3243,7 +3246,7 @@ var File_detector_type_proto protoreflect.FileDescriptor
 var file_detector_type_proto_rawDesc = []byte{
 	0x0a, 0x13, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x2e,
 	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0d, 0x64, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f,
-	0x74, 0x79, 0x70, 0x65, 0x2a, 0xd1, 0x88, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74,
+	0x74, 0x79, 0x70, 0x65, 0x2a, 0xe2, 0x88, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74,
 	0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62,
 	0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a,
 	0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10,
@@ -4336,12 +4339,13 @@ var file_detector_type_proto_rawDesc = []byte{
 	0x72, 0x79, 0x10, 0x98, 0x08, 0x12, 0x0d, 0x0a, 0x08, 0x50, 0x69, 0x6e, 0x65, 0x63, 0x6f, 0x6e,
 	0x65, 0x10, 0x99, 0x08, 0x12, 0x11, 0x0a, 0x0c, 0x47, 0x69, 0x74, 0x4c, 0x61, 0x62, 0x4f, 0x61,
 	0x75, 0x74, 0x68, 0x32, 0x10, 0x9a, 0x08, 0x12, 0x10, 0x0a, 0x0b, 0x53, 0x70, 0x65, 0x63, 0x74,
-	0x72, 0x61, 0x6c, 0x4f, 0x70, 0x73, 0x10, 0x9b, 0x08, 0x42, 0x41, 0x5a, 0x3f, 0x67, 0x69, 0x74,
-	0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x73,
-	0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, 0x68,
-	0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, 0x74,
-	0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x33,
+	0x72, 0x61, 0x6c, 0x4f, 0x70, 0x73, 0x10, 0x9b, 0x08, 0x12, 0x0f, 0x0a, 0x0a, 0x41, 0x57, 0x53,
+	0x41, 0x70, 0x70, 0x53, 0x79, 0x6e, 0x63, 0x10, 0x9c, 0x08, 0x42, 0x41, 0x5a, 0x3f, 0x67, 0x69,
+	0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65,
+	0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65,
+	0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65,
+	0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x70, 0x62, 0x62, 0x06, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
@@ -1053,4 +1053,5 @@ enum DetectorType {
  Pinecone = 1049;
  GitLabOauth2 = 1050;
  SpectralOps = 1051;
+  AWSAppSync = 1052;
 }