diff --git a/pkg/detectors/testmuai/testmuai.go b/pkg/detectors/testmuai/testmuai.go new file mode 100644 index 000000000000..c377c0236de0 --- /dev/null +++ b/pkg/detectors/testmuai/testmuai.go @@ -0,0 +1,182 @@ +package testmuai + +import ( + "bytes" + "context" + "encoding/json" + "net/http" + "strings" + + regexp "github.com/wasilibs/go-re2" + + "github.com/trufflesecurity/trufflehog/v3/pkg/common" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" +) + +type Scanner struct { + detectors.DefaultMultiPartCredentialProvider + client *http.Client +} + +// Ensure the Scanner satisfies the interface at compile time. +var _ detectors.Detector = (*Scanner)(nil) + +const verifyURL = "https://auth.lambdatest.com/api/user/token/auth" + +var ( + defaultClient = common.SaneHttpClient() + + // Access key pattern: LT_ prefix followed by 47 alphanumeric characters (50 total) + // Example: LT_abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJK + keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{ + "hub.lambdatest.com", + "testmu", + "lambdatest", + "accessKey", + "access_key", + "ACCESS_KEY", + "lambdatestKey", + "LT_AUTHKEY", + "LT_ACCESS_KEY", + }) + `(LT_[a-zA-Z0-9]{47})\b`) + + // Username pattern: alphanumeric characters + userPat = regexp.MustCompile(detectors.PrefixRegex([]string{ + "hub.lambdatest.com", + "testmu", + "lambdatest", + "userName", + "username", + "USER_NAME", + "lambdatestUser", + "LT_USERNAME", + "LAMBDATEST_USERNAME", + }) + `([a-zA-Z0-9_]{3,50})\b`) +) + +// Keywords are used for efficiently pre-filtering chunks. +func (s Scanner) Keywords() []string { + return []string{"LT_"} +} + +func (s Scanner) Description() string { + return "TestMu AI (formerly LambdaTest) is a cloud testing platform that provides browser and app testing infrastructure. TestMu AI credentials (username and access key) can be used to access the testing platform and its APIs." +} + +func (s Scanner) getClient() *http.Client { + if s.client != nil { + return s.client + } + return defaultClient +} + +// FromData will find and optionally verify TestMu AI secrets in a given set of bytes. +func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) { + dataStr := string(data) + + keyMatches := keyPat.FindAllStringSubmatch(dataStr, -1) + userMatches := userPat.FindAllStringSubmatch(dataStr, -1) + + // Use a map to deduplicate username:accessKey combinations + seen := make(map[string]struct{}) + + for _, keyMatch := range keyMatches { + if len(keyMatch) != 2 { + continue + } + accessKey := strings.TrimSpace(keyMatch[1]) + + for _, userMatch := range userMatches { + if len(userMatch) != 2 { + continue + } + username := strings.TrimSpace(userMatch[1]) + + // Skip if we've already seen this combination + combination := username + ":" + accessKey + if _, exists := seen[combination]; exists { + continue + } + seen[combination] = struct{}{} + + s1 := detectors.Result{ + DetectorType: detectorspb.DetectorType_TestMuAI, + Raw: []byte(accessKey), + RawV2: []byte(combination), + Redacted: username, + } + + if verify { + client := s.getClient() + isVerified, verificationErr := verifyTestMuAI(ctx, client, username, accessKey) + s1.Verified = isVerified + s1.SetVerificationError(verificationErr, accessKey) + } + + results = append(results, s1) + } + } + + return results, nil +} + +type authRequest struct { + Username string `json:"username"` + Token string `json:"token"` +} + +type authResponse struct { + Type string `json:"type"` + Title string `json:"title"` + Message string `json:"message"` +} + +func verifyTestMuAI(ctx context.Context, client *http.Client, username, accessKey string) (bool, error) { + reqBody := authRequest{ + Username: username, + Token: accessKey, + } + + jsonBody, err := json.Marshal(reqBody) + if err != nil { + return false, err + } + + req, err := http.NewRequestWithContext(ctx, http.MethodPost, verifyURL, bytes.NewBuffer(jsonBody)) + if err != nil { + return false, err + } + + req.Header.Set("Content-Type", "application/json") + + res, err := client.Do(req) + if err != nil { + return false, err + } + defer res.Body.Close() + + switch res.StatusCode { + case http.StatusOK: + return true, nil + case http.StatusUnauthorized, http.StatusForbidden: + // Invalid credentials + return false, nil + default: + var authResp authResponse + if err := json.NewDecoder(res.Body).Decode(&authResp); err != nil { + return false, err + } + + // Check for specific error message indicating invalid credentials + if authResp.Type == "error" && strings.Contains(authResp.Message, "Access key not present") { + return false, nil + } + + return false, nil + } +} + +func (s Scanner) Type() detectorspb.DetectorType { + return detectorspb.DetectorType_TestMuAI +} diff --git a/pkg/detectors/testmuai/testmuai_test.go b/pkg/detectors/testmuai/testmuai_test.go new file mode 100644 index 000000000000..c8163506cd19 --- /dev/null +++ b/pkg/detectors/testmuai/testmuai_test.go @@ -0,0 +1,94 @@ +package testmuai + +import ( + "context" + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/require" + + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors" + "github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick" +) + +func TestTestMuAI_Pattern(t *testing.T) { + d := Scanner{} + ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d}) + + // Valid 50-character access key (LT_ + 47 alphanumeric) - using fake test key + validKey := "LT_abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJK" + + tests := []struct { + name string + input string + want []string + }{ + { + name: "valid pattern - environment variables", + input: ` + export LT_USERNAME=testuser + export LT_ACCESS_KEY=` + validKey + ` + `, + want: []string{"testuser:" + validKey}, + }, + { + name: "valid pattern - single line", + input: `LT_USERNAME=qauser LT_ACCESS_KEY=LT_1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJK`, + want: []string{"qauser:LT_1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJK"}, + }, + { + name: "invalid pattern - access key too short", + input: ` + export LT_USERNAME=testuser + export LT_ACCESS_KEY=LT_tooshort123 + `, + want: nil, + }, + { + name: "invalid pattern - missing LT_ prefix", + input: ` + export LT_USERNAME=testuser + export LT_ACCESS_KEY=abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJK + `, + want: nil, + }, + } + + for _, test := range tests { + t.Run(test.name, func(t *testing.T) { + matchedDetectors := ahoCorasickCore.FindDetectorMatches([]byte(test.input)) + if len(matchedDetectors) == 0 { + if len(test.want) > 0 { + t.Errorf("test %q failed: expected keywords %v to be found in the input", test.name, d.Keywords()) + } + return + } + + results, err := d.FromData(context.Background(), false, []byte(test.input)) + require.NoError(t, err) + + if len(results) != len(test.want) { + t.Errorf("mismatch in result count: expected %d, got %d", len(test.want), len(results)) + return + } + + actual := make(map[string]struct{}, len(results)) + for _, r := range results { + if len(r.RawV2) > 0 { + actual[string(r.RawV2)] = struct{}{} + } else { + actual[string(r.Raw)] = struct{}{} + } + } + + expected := make(map[string]struct{}, len(test.want)) + for _, v := range test.want { + expected[v] = struct{}{} + } + + if diff := cmp.Diff(expected, actual); diff != "" { + t.Errorf("%s diff: (-want +got)\n%s", test.name, diff) + } + }) + } +} diff --git a/pkg/engine/defaults/defaults.go b/pkg/engine/defaults/defaults.go index 0b272af4408e..5044cf622f2c 100644 --- a/pkg/engine/defaults/defaults.go +++ b/pkg/engine/defaults/defaults.go @@ -415,6 +415,7 @@ import ( "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/kylas" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/langfuse" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/langsmith" + "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/testmuai" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/languagelayer" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/larksuite" "github.com/trufflesecurity/trufflehog/v3/pkg/detectors/larksuiteapikey" @@ -1288,6 +1289,7 @@ func buildDetectorList() []detectors.Detector { &kylas.Scanner{}, &langfuse.Scanner{}, &langsmith.Scanner{}, + &testmuai.Scanner{}, &languagelayer.Scanner{}, &larksuite.Scanner{}, &larksuiteapikey.Scanner{}, diff --git a/pkg/pb/detectorspb/detectors.pb.go b/pkg/pb/detectorspb/detectors.pb.go index d2ae6abe8ed9..174ba13526fa 100644 --- a/pkg/pb/detectorspb/detectors.pb.go +++ b/pkg/pb/detectorspb/detectors.pb.go @@ -1146,6 +1146,7 @@ const ( DetectorType_PhraseAccessToken DetectorType = 1037 DetectorType_Photoroom DetectorType = 1038 DetectorType_JWT DetectorType = 1039 + DetectorType_TestMuAI DetectorType = 1040 ) // Enum value maps for DetectorType. @@ -2187,6 +2188,7 @@ var ( 1037: "PhraseAccessToken", 1038: "Photoroom", 1039: "JWT", + 1040: "TestMuAI", } DetectorType_value = map[string]int32{ "Alibaba": 0, @@ -3225,6 +3227,7 @@ var ( "PhraseAccessToken": 1037, "Photoroom": 1038, "JWT": 1039, + "TestMuAI": 1040, } ) @@ -3678,7 +3681,7 @@ var file_detectors_proto_rawDesc = []byte{ 0x4c, 0x41, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x42, 0x41, 0x53, 0x45, 0x36, 0x34, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x54, 0x46, 0x31, 0x36, 0x10, 0x03, 0x12, 0x13, 0x0a, 0x0f, 0x45, 0x53, 0x43, 0x41, 0x50, 0x45, 0x44, 0x5f, 0x55, 0x4e, 0x49, 0x43, 0x4f, 0x44, 0x45, - 0x10, 0x04, 0x2a, 0xc5, 0x86, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x10, 0x04, 0x2a, 0xd4, 0x86, 0x01, 0x0a, 0x0c, 0x44, 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x41, 0x6c, 0x69, 0x62, 0x61, 0x62, 0x61, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x41, 0x4d, 0x51, 0x50, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x57, 0x53, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x7a, 0x75, 0x72, 0x65, 0x10, 0x03, 0x12, @@ -4754,12 +4757,13 @@ var file_detectors_proto_rawDesc = []byte{ 0x6c, 0x74, 0x41, 0x75, 0x74, 0x68, 0x10, 0x8c, 0x08, 0x12, 0x16, 0x0a, 0x11, 0x50, 0x68, 0x72, 0x61, 0x73, 0x65, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x10, 0x8d, 0x08, 0x12, 0x0e, 0x0a, 0x09, 0x50, 0x68, 0x6f, 0x74, 0x6f, 0x72, 0x6f, 0x6f, 0x6d, 0x10, 0x8e, - 0x08, 0x12, 0x08, 0x0a, 0x03, 0x4a, 0x57, 0x54, 0x10, 0x8f, 0x08, 0x42, 0x3d, 0x5a, 0x3b, 0x67, - 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, - 0x65, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, - 0x65, 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, - 0x65, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x33, + 0x08, 0x12, 0x08, 0x0a, 0x03, 0x4a, 0x57, 0x54, 0x10, 0x8f, 0x08, 0x12, 0x0d, 0x0a, 0x08, 0x54, + 0x65, 0x73, 0x74, 0x4d, 0x75, 0x41, 0x49, 0x10, 0x90, 0x08, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, + 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, + 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x72, 0x75, 0x66, 0x66, 0x6c, 0x65, + 0x68, 0x6f, 0x67, 0x2f, 0x76, 0x33, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x70, 0x62, 0x2f, 0x64, 0x65, + 0x74, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x73, 0x70, 0x62, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x33, } var ( diff --git a/proto/detectors.proto b/proto/detectors.proto index 1d93440a9141..b2e19932958d 100644 --- a/proto/detectors.proto +++ b/proto/detectors.proto @@ -1049,6 +1049,7 @@ enum DetectorType { PhraseAccessToken = 1037; Photoroom = 1038; JWT = 1039; + TestMuAI = 1040; } message Result {