
BlockNative detector doesn't seem to properly verify secrets #3721

Open
hasnain-db opened this issue Dec 2, 2024 · 5 comments

@hasnain-db

TruffleHog Version

trufflehog 3.84.2

Trace Output

N/A - leaving this out due to sensitive content

Expected Behavior

False positive secrets are not reported as verified.

Actual Behavior

False positive secrets are reported as verified.

Steps to Reproduce

  1. Create a temp folder
  2. Create a test file with the contents below in this section
  3. Run trufflehog --filesystem .
  4. Observe it output that it found a verified secret

    "11111111-1111-1111-1111-111111111111",  // Blocknative
    "11111111-1111-1111-1111-111111111111",  // Blocknative

Environment

  • OS: MacOS
  • Version 3.84.2

Additional Context

The API in question seems to always return a response regardless of the value of the key - all 3 of the below commands return a response:

curl -v -H "Authorization: 11111111-1111-1111-1111-111111111111" "https://api.blocknative.com/gasprices/blockprices"
curl -v -H "Authorization: hasnain" "https://api.blocknative.com/gasprices/blockprices"
curl -v "https://api.blocknative.com/gasprices/blockprices"

I think the solution is to call some other API to verify that a token is valid.

hasnain-db added the bug label Dec 2, 2024
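The issue body shows why a bare 200 OK from a verification endpoint proves nothing when the endpoint accepts any credential. The following Go program is an added example, not TruffleHog's code and not Blocknative's API: it wraps the candidate check with a negative control (a constructed, deliberately bogus key) and downgrades the result to "indeterminate" when the control key is accepted too. The fake API servers, the control key value and the function names are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Outcome of a credential check. Indeterminate means the endpoint could not
// tell a real key from a bogus one, so reporting "verified" would mislead.
type Outcome int

const (
	Unverified Outcome = iota
	Verified
	Indeterminate
)

func (o Outcome) String() string {
	switch o {
	case Verified:
		return "verified"
	case Indeterminate:
		return "indeterminate (endpoint accepts any credential)"
	default:
		return "unverified"
	}
}

// controlKey is a constructed, deliberately invalid credential used as a
// negative control. It is not a real key for any service.
const controlKey = "00000000-0000-0000-0000-000000000000"

// probe sends one request with the given Authorization value and reports
// whether the endpoint answered 200 OK.
func probe(client *http.Client, url, key string) (bool, error) {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", key)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}

// VerifyWithControl checks the candidate key and, only if it was accepted,
// also checks the bogus control key. If the control key is accepted as well,
// the 200 carries no signal and the result is Indeterminate, not Verified.
func VerifyWithControl(client *http.Client, url, candidate string) (Outcome, error) {
	ok, err := probe(client, url, candidate)
	if err != nil {
		return Unverified, err
	}
	if !ok {
		return Unverified, nil
	}
	controlOK, err := probe(client, url, controlKey)
	if err != nil {
		return Unverified, err
	}
	if controlOK {
		return Indeterminate, nil
	}
	return Verified, nil
}

// NewFakeAPI is a stand-in for the remote API (assumption, not the real
// service). With strict=true it accepts only validKey; with strict=false it
// answers 200 OK to anything, mimicking the behaviour reported in this issue.
func NewFakeAPI(strict bool, validKey string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strict && r.Header.Get("Authorization") != validKey {
			http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"blockPrices":[]}`)
	}))
}

func main() {
	lax := NewFakeAPI(false, "")
	defer lax.Close()
	strict := NewFakeAPI(true, "real-key")
	defer strict.Close()

	candidate := "11111111-1111-1111-1111-111111111111" // placeholder from the issue
	for _, srv := range []*httptest.Server{lax, strict} {
		out, err := VerifyWithControl(srv.Client(), srv.URL, candidate)
		fmt.Println(srv.URL, out, err)
	}
}
```

Against the lax server the placeholder key is accepted, but so is the control key, so the scanner reports indeterminate rather than verified; against the strict server the control key is rejected, so a 200 for the candidate is meaningful. The control request is only sent after a positive candidate result, so a well-behaved endpoint costs one extra request per hit, not per candidate.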
@kashifkhan0771 (Contributor)

I tested some of their other APIs locally, and you can find the documentation here. Interestingly, their APIs seem to work with any Authorization key. They always respond with a 200 OK, even when I used a single-digit key! 😄

@nabeelalam (Contributor)

The endpoints mentioned in the Blocknative documentation return a 200 OK response along with some JSON data whether or not there is an Authorization header present in the request.

This contradicts Blocknative's API specifications described in docs I linked above, according to which empty or incorrect authorization credentials (try using "hello world" as the API key) shouldn't return a success status or any meaningful data other than an error message.

@hasnain-db (Author)

I'm not a trufflehog expert, would it be possible to just not attempt to verify these so the results are a little less misleading?

(or is this something where we should file a bug report upstream?)

@kashifkhan0771 (Contributor)

kashifkhan0771 commented Dec 19, 2024

We can use the flag --no-verification in the command to not perform the verification (it will still show the unverified results) or --exclude-detectors to exclude any detector. As for this detector's behavior, we can discuss internally with the team how to handle this situation.

@kashifkhan0771 (Contributor)

Temporarily disabled this detector
