
Detection of postgres URI connection string - Maybe undesired behavior #3886

arielril opened this issue Feb 7, 2025 · 1 comment

arielril (Contributor) commented Feb 7, 2025

Hey guys, I am using Trufflehog in a test folder where I have different Kubernetes deployment files, one of those files has a postgres URI connection string pointing to a local database.

Trufflehog fails to find this URI connection string because the connection string doesn't have the password set.

Question: Is it the desired behavior not to detect URI connection strings without the password set, or should it detect them?

This issue happens because of a check on whether the URI connection string has the password set. This is the code that stops the detection of the URI connection:

```go
// https://github.com/trufflesecurity/trufflehog/blob/c05bb4d7ea587a541e39bae217ab2049a7de1628/pkg/detectors/postgres/postgres.go#L80
func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) ([]detectors.Result, error) {
	var results []detectors.Result
	candidateParamSets := findUriMatches(data)

	for _, params := range candidateParamSets {
		if common.IsDone(ctx) {
			break
		}
		user, ok := params[pgUser]
		if !ok {
			continue
		}

		password, ok := params[pgPassword]
		if !ok { // this condition stops the detection
			continue
		}
....
```

File that I'm using to test:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    name: web
  name: web
spec:
  replicas: 1
  selector:
    matchLabels:
      name: web
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        name: web
    spec:
      containers:
        - name: web
          env:
            - name: ALLOWED_HOSTS
              value: localhost,127.0.0.1,172.211.157.208
            - name: DATABASE_URL
              value: postgres://root:@localhost:26257/defaultdb?sslmode=disable # this should be detected
            - name: DEBUG
              value: 'False'
            - name: DJANGO_SUPERUSER_EMAIL
              value: [email protected]
            - name: DJANGO_SUPERUSER_PASSWORD
              value: put_your_super_secret_password_here
            - name: DJANGO_SUPERUSER_USERNAME
              value: django
            - name: SECRET_KEY
              value: create_a_super_secure_secret_key_and_change_me
          image: nginx:latest
          ports:
            - containerPort: 8000
              protocol: TCP
      restartPolicy: Always
```

Trufflehog version: dev (installed Trufflehog directly from source, master branch)

Trufflehog command: `trufflehog filesystem example-file.yaml`

Expected behavior: detection of the postgres URI connection string
Current behavior: no detection


Execution log:

```
trufflehog filesystem example.yaml --log-level=5
2025-02-07T12:16:08+01:00	info-2	trufflehog	trufflehog dev
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

2025-02-07T12:16:08+01:00	info-4	trufflehog	default engine options set
2025-02-07T12:16:08+01:00	info-4	trufflehog	engine initialized
2025-02-07T12:16:08+01:00	info-4	trufflehog	setting up aho-corasick core
2025-02-07T12:16:08+01:00	info-4	trufflehog	set up aho-corasick core
2025-02-07T12:16:08+01:00	info-2	trufflehog	starting scanner workers	{"count": 12}
2025-02-07T12:16:08+01:00	info-2	trufflehog	starting detector workers	{"count": 96}
2025-02-07T12:16:08+01:00	info-2	trufflehog	starting verificationOverlap workers	{"count": 12}
2025-02-07T12:16:08+01:00	info-2	trufflehog	starting notifier workers	{"count": 12}
2025-02-07T12:16:08+01:00	info-0	trufflehog	running source	{"source_manager_worker_id": "5xJe5", "with_units": true}
2025-02-07T12:16:08+01:00	info-2	trufflehog	enumerating source	{"source_manager_worker_id": "5xJe5"}
2025-02-07T12:16:08+01:00	info-3	trufflehog	chunking unit	{"source_manager_worker_id": "5xJe5", "unit_kind": "unit", "unit": "example.yaml"}
2025-02-07T12:16:08+01:00	info-3	trufflehog	scanning file	{"source_manager_worker_id": "5xJe5", "unit_kind": "unit", "unit": "example.yaml", "path": "example.yaml"}
2025-02-07T12:16:08+01:00	info-5	trufflehog	dataErrChan closed, all chunks processed	{"source_manager_worker_id": "5xJe5", "unit_kind": "unit", "unit": "example.yaml", "path": "example.yaml", "mime": "text/plain; charset=utf-8", "timeout": 60}
2025-02-07T12:16:08+01:00	info-4	trufflehog	finished scanning chunks	{"scanner_worker_id": "OQmKY"}
2025-02-07T12:16:08+01:00	info-4	trufflehog	finished scanning chunks	{"scanner_worker_id": "RDdbB"}
2025-02-07T12:16:08+01:00	info-4	trufflehog	finished scanning chunks	{"scanner_worker_id": "xyZTT"}
2025-02-07T12:16:08+01:00	info-4	trufflehog	finished scanning chunks	{"scanner_worker_id": "bX4f6"}
2025-02-07T12:16:08+01:00	info-4	trufflehog	finished scanning chunks	{"scanner_worker_id": "eXQm2"}
2025-02-07T12:16:08+01:00	info-4	trufflehog	finished scanning chunks	{"scanner_worker_id": "swyF8"}
2025-02-07T12:16:08+01:00	info-4	trufflehog	finished scanning chunks	{"scanner_worker_id": "WvMtY"}
2025-02-07T12:16:08+01:00	info-4	trufflehog	finished scanning chunks	{"scanner_worker_id": "1zQRb"}
2025-02-07T12:16:08+01:00	info-4	trufflehog	finished scanning chunks	{"scanner_worker_id": "WAKr7"}
2025-02-07T12:16:08+01:00	info-4	trufflehog	finished scanning chunks	{"scanner_worker_id": "zgHF9"}
2025-02-07T12:16:08+01:00	info-4	trufflehog	finished scanning chunks	{"scanner_worker_id": "f5VhL"}
2025-02-07T12:16:08+01:00	info-5	trufflehog	decoder not applicable for chunk	{"scanner_worker_id": "6HUvG", "decoder": "BASE64", "chunk": {"Data":"YXBpVmVyc2lvbjogYXBwcy92MQpraW5kOiBEZXBsb3ltZW50Cm1ldGFkYXRhOgogIGxhYmVsczoKICAgIG5hbWU6IHdlYgogIG5hbWU6IHdlYgpzcGVjOgogIHJlcGxpY2FzOiAxCiAgc2VsZWN0b3I6CiAgICBtYXRjaExhYmVsczoKICAgICAgbmFtZTogd2ViCiAgc3RyYXRlZ3k6CiAgICB0eXBlOiBSZWNyZWF0ZQogIHRlbXBsYXRlOgogICAgbWV0YWRhdGE6CiAgICAgIGxhYmVsczoKICAgICAgICBuYW1lOiB3ZWIKICAgIHNwZWM6CiAgICAgIGNvbnRhaW5lcnM6CiAgICAgICAgLSBuYW1lOiB3ZWIKICAgICAgICAgIGVudjoKICAgICAgICAgICAgLSBuYW1lOiBBTExPV0VEX0hPU1RTCiAgICAgICAgICAgICAgdmFsdWU6IGxvY2FsaG9zdCwxMjcuMC4wLjEsMTcyLjIxMS4xNTcuMjA4CiAgICAgICAgICAgIC0gbmFtZTogREFUQUJBU0VfVVJMCiAgICAgICAgICAgICAgdmFsdWU6IHBvc3RncmVzOi8vcm9vdDpAbG9jYWxob3N0OjI2MjU3L2RlZmF1bHRkYj9zc2xtb2RlPWRpc2FibGUKICAgICAgICAgICAgLSBuYW1lOiBERUJVRwogICAgICAgICAgICAgIHZhbHVlOiAnRmFsc2UnCiAgICAgICAgICAgIC0gbmFtZTogREpBTkdPX1NVUEVSVVNFUl9FTUFJTAogICAgICAgICAgICAgIHZhbHVlOiBkamFuZ29AZGphbmdvLmNvbQogICAgICAgICAgICAtIG5hbWU6IERKQU5HT19TVVBFUlVTRVJfUEFTU1dPUkQKICAgICAgICAgICAgICB2YWx1ZTogcHV0X3lvdXJfc3VwZXJfc2VjcmV0X3Bhc3N3b3JkX2hlcmUKICAgICAgICAgICAgLSBuYW1lOiBESkFOR09fU1VQRVJVU0VSX1VTRVJOQU1FCiAgICAgICAgICAgICAgdmFsdWU6IGRqYW5nbwogICAgICAgICAgICAtIG5hbWU6IFNFQ1JFVF9LRVkKICAgICAgICAgICAgICB2YWx1ZTogY3JlYXRlX2Ffc3VwZXJfc2VjdXJlX3NlY3JldF9rZXlfYW5kX2NoYW5nZV9tZQogICAgICAgICAgaW1hZ2U6IG5naW54OmxhdGVzdAogICAgICAgICAgcG9ydHM6CiAgICAgICAgICAgIC0gY29udGFpbmVyUG9ydDogODAwMAogICAgICAgICAgICAgIHByb3RvY29sOiBUQ1AKICAgICAgcmVzdGFydFBvbGljeTogQWx3YXlzCg==","SourceName":"trufflehog - filesystem","SourceID":1,"JobID":1,"SecretID":0,"SourceMetadata":{"Data":{"Filesystem":{"file":"example.yaml"}}},"SourceType":15,"Verify":true}}
2025-02-07T12:16:08+01:00	info-5	trufflehog	decoder not applicable for chunk	{"scanner_worker_id": "6HUvG", "decoder": "UTF16", "chunk": {"Data":"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","SourceName":"trufflehog - filesystem","SourceID":1,"JobID":1,"SecretID":0,"SourceMetadata":{"Data":{"Filesystem":{"file":"example.yaml"}}},"SourceType":15,"Verify":true}}
2025-02-07T12:16:08+01:00	info-5	trufflehog	decoder not applicable for chunk	{"scanner_worker_id": "6HUvG", "decoder": "ESCAPED_UNICODE", "chunk": {"Data":"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","SourceName":"trufflehog - filesystem","SourceID":1,"JobID":1,"SecretID":0,"SourceMetadata":{"Data":{"Filesystem":{"file":"example.yaml"}}},"SourceType":15,"Verify":true}}
2025-02-07T12:16:08+01:00	info-4	trufflehog	finished scanning chunks	{"scanner_worker_id": "6HUvG"}
2025-02-07T12:16:08+01:00	info-0	trufflehog	finished scanning	{"chunks": 1, "bytes": 1054, "verified_secrets": 0, "unverified_secrets": 0, "scan_duration": "1.159292ms", "trufflehog_version": "dev", "verification_caching": {"Hits":0,"Misses":0,"HitsWasted":0,"AttemptsSaved":0,"VerificationTimeSpentMS":0}}
```
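To make the behaviour the issue describes concrete, here is an added, self-contained example (not trufflehog's own code, and not code posted in this issue). It uses its own simplistic URI matcher (`uriRe`, an assumption of the example, not the project's `findUriMatches`) and `net/url` to pull the user, password, host and database out of each candidate, then applies the two policies side by side: `requirePassword=true` drops a URI whose password component is absent or empty, which is what the `if !ok { continue }` check quoted above does, while `requirePassword=false` keeps it and flags it `HasPassword=false` so it can be surfaced as an unverified finding. The manifest excerpt and the second URI with its password are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Candidate is one postgres-style connection string found in scanned data.
type Candidate struct {
	Raw         string
	User        string
	Password    string
	Host        string
	Database    string
	HasPassword bool // false when the password component is absent or empty
}

// uriRe is a deliberately simple matcher for postgres:// and postgresql:// URIs.
// It is an assumption of this example, not trufflehog's own findUriMatches pattern.
var uriRe = regexp.MustCompile(`postgres(?:ql)?://[^\s"'<>]+`)

// FindPostgresURIs returns one Candidate per parseable URI in data.
// With requirePassword=true, URIs with no password are skipped, which is the
// behaviour of the `if !ok { continue }` check quoted in the issue. With
// requirePassword=false they are still returned, flagged HasPassword=false,
// so a scanner can report them as unverified findings: the username, host and
// database still leak, and a passwordless account is worth a look on its own.
func FindPostgresURIs(data []byte, requirePassword bool) []Candidate {
	var out []Candidate
	for _, m := range uriRe.FindAll(data, -1) {
		u, err := url.Parse(string(m))
		if err != nil || u.User == nil || u.User.Username() == "" {
			continue // no user component: nothing credential-like to report
		}
		pw, set := u.User.Password() // "root:@host" parses as set=true, pw=""
		hasPw := set && pw != ""
		if requirePassword && !hasPw {
			continue
		}
		out = append(out, Candidate{
			Raw:         string(m),
			User:        u.User.Username(),
			Password:    pw,
			Host:        u.Host,
			Database:    strings.TrimPrefix(u.Path, "/"),
			HasPassword: hasPw,
		})
	}
	return out
}

// sampleManifest is a constructed excerpt modelled on the deployment file in the
// issue, plus one extra URI with a made-up password to show the contrast.
const sampleManifest = `
env:
  - name: DATABASE_URL
    value: postgres://root:@localhost:26257/defaultdb?sslmode=disable # no password
  - name: REPORTING_DB_URL
    value: postgresql://reporter:not-a-real-password@db.internal:5432/reports
`

func main() {
	for _, strict := range []bool{true, false} {
		fmt.Printf("requirePassword=%v:\n", strict)
		for _, c := range FindPostgresURIs([]byte(sampleManifest), strict) {
			fmt.Printf("  user=%s host=%s db=%s hasPassword=%v\n",
				c.User, c.Host, c.Database, c.HasPassword)
		}
	}
}
```

Run with `go run .`: the strict pass reports only the `reporter` URI, the lenient pass reports both, with the `root` entry marked `hasPassword=false`. Whichever policy a detector picks, the lenient form is the one that lets a reviewer decide whether a passwordless local URI in a committed manifest is acceptable.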
arielril (Contributor, Author) commented
If this is not the intentional behavior I'm happy to send a PR with the expected execution.
