feat [detector]: added hasura detector #3427
Conversation
sahil9001
changed the title
|
@rgmz This is ready for review, can you please check? |
|
Oh wow, I can't believe we didn't have a Hasura detector. This is great, thanks @sahil9001 ❤️ |
| if len(match) != 2 { | ||
| continue | ||
| } | ||
| key := strings.TrimSpace(match[1]) |
There was a problem hiding this comment.
I would base your implementation on the Alchemy example. This line len(match) != 2, strings.TrimSpace, etc. are old practices that aren't ideal. https://github.com/trufflesecurity/trufflehog/blob/main/pkg/detectors/alchemy/alchemy.go
I'd recommend using the steps linked in CONTRIBUTING.md, as it will generate a detector that has solid logic + integration and unit tests.
https://github.com/trufflesecurity/trufflehog/blob/main/CONTRIBUTING.md#adding-new-secret-detectors
There was a problem hiding this comment.
I did use that only, which gave me this logic
There was a problem hiding this comment.
Hmm, that doesn't make sense. The code in Alchemy is completely different from this, it was changed at least several months ago. 🤔
There was a problem hiding this comment.
yeah, my bad, I changed the logic from some other detector though, was just talking about the generation
There was a problem hiding this comment.
Upon talking with Zach, I got to know that we are deprioritising adding a new detector code as it doesn't qualify for Hacktoberfest
| continue | ||
| } | ||
| defer res.Body.Close() | ||
|
|
There was a problem hiding this comment.
Verify should be a separate function to mitigate issues with defer inside a for loop.
https://stackoverflow.com/questions/45617758/proper-way-to-release-resources-with-defer-in-a-loop
| continue | ||
| } | ||
|
|
||
| if res.StatusCode >= 200 && res.StatusCode < 300 && len(response.Errors) == 0 { |
There was a problem hiding this comment.
Status code check should be specific. Ranges are error-prone.
Description:
Relates to #3424
This PR introduces a new detector for Hasura GraphQL Engine admin secrets. Hasura is a popular open-source engine that provides instant GraphQL APIs over databases. Detecting exposed Hasura admin secrets is crucial for preventing unauthorized access to GraphQL APIs and underlying databases.
Tests:
Checklist:
make test-community)?make lintthis requires golangci-lint)?