Grafana Detectors update #4411
Grafana Detectors update #4411
Conversation
Updated grafana and grafanaserviceaccount and added a new detector for grafana api keys.
| } | ||
|
|
||
| if verify { | ||
| res.SetVerificationError(fmt.Errorf("no grafana instance detected to verify against"), match) |
There was a problem hiding this comment.
We don't seem to be verifying the matched credentials
There was a problem hiding this comment.
These kind of api keys are used for on-premise installations, so together with a custom endpoint that could be an IP address or a FQDN. Since it's hard to reliably identify it - there is no good way of verifying the matched credentials.
There was a problem hiding this comment.
Verification logic has to exist in a detector. In docs, it is mentioned that Grafana can be hosted on a VPS or as a subdomain. Gitlab detector is the best example for this
| // Grafana uses "eyJrIjoi" as a prefix for api keys, see for example. | ||
| // https://github.com/grafana/pyroscope-dotnet/blob/0c17634653af09befa7bc07b2e1c420b5dc8578c/tracer/src/Datadog.Trace/Iast/Analyzers/HardcodedSecretsAnalyzer.cs#L173 | ||
| func (s Scanner) Keywords() []string { | ||
| return []string{"grafanaapikey", "eyJrIjoi"} |
There was a problem hiding this comment.
We can use "eyJrIjoi" exclusively since it's always part of the key. A keyword match for "grafanaapikey" won't necessarily contain eyJrIjoi in its input.
There was a problem hiding this comment.
Doh. PEBKAC.... I'll update that :P
| } | ||
|
|
||
| if verify { | ||
| res.SetVerificationError(fmt.Errorf("no grafana instance detected to verify against"), match) |
There was a problem hiding this comment.
Verification logic has to exist in a detector. In docs, it is mentioned that Grafana can be hosted on a VPS or as a subdomain. Gitlab detector is the best example for this
There was a problem hiding this comment.
Thank you for updating SATs too
| resp, err := client.Do(req) | ||
| if err == nil { | ||
| defer resp.Body.Close() | ||
| switch { | ||
| case resp.StatusCode >= 200 && resp.StatusCode < 300: | ||
| res.Verified = true | ||
| case resp.StatusCode == 401: | ||
| // determinately not verified | ||
| default: | ||
| res.SetVerificationError(fmt.Errorf("unexpected HTTP response status %d", resp.StatusCode), key) | ||
| } | ||
| } else { | ||
| res.SetVerificationError(err, key) | ||
| } |
There was a problem hiding this comment.
While we're at it, can we add indeterminate verification support here?
Here's an example
4 participants
Updated grafana and grafanaserviceaccount and added a new detector for grafana api keys.
Description:
Added one new detector for generic grafana api keys. Also updated the patterns and some of the logic for GLSA Service Account tokens and GLC tokens.
Checklist:
make test-community)?make lintthis requires golangci-lint)?