[INS-403] Support Custom endpoint config in hashicorpvaultauth Detector#4825
[INS-403] Support Custom endpoint config in hashicorpvaultauth Detector#4825MuneebUllahKhan222 wants to merge 6 commits intotrufflesecurity:mainfrom
Conversation
| if endpoint != vaultUrl { | ||
| t.Fatalf("expected endpoint %s, got %s", vaultUrl, endpoint) | ||
| } | ||
| } |
There was a problem hiding this comment.
This loop will always run only one time. Also, do you think this loop provides value? because the cmp.Diff at the end is sufficient as it does the same job.
There was a problem hiding this comment.
Forgot to remove the manual loop check. cmp.Diff is good enough
Removed URL validation checks from integration test.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit fe49c7f. Configure here.
| for roleId := range uniqueRoleIds { | ||
| for secretId := range uniqueSecretIds { | ||
| for vaultUrl := range uniqueVaultUrls { | ||
| for _, vaultUrl := range s.Endpoints(endpoints...) { |
There was a problem hiding this comment.
Missing deduplication of endpoints causes duplicate results
Low Severity
The old code iterated directly over uniqueVaultUrls (a map that naturally deduplicates). The new code converts found URLs to a slice, passes them to s.Endpoints(endpoints...), which merges configured endpoints with found endpoints without deduplication. When a configured endpoint also appears in the scanned data, Endpoints() returns it twice, producing duplicate Result entries and redundant verification API calls. The Artifactory detector, which follows the same EndpointSetter pattern, avoids this by collecting Endpoints() output into a dedup map before iterating.
Reviewed by Cursor Bugbot for commit fe49c7f. Configure here.
3 participants
Description:
This PR enabled custom endpoint configuration for the existing hashicorpvaultauth detector.
It enables custom endpoint configuration by making the detector comply to
detectors.EndpointCustomizerinterface and updating to default client todetectors.DetectorHttpClientWithNoLocalAddressesto avoid potential security risks like ssrf attacks.This PR also updates the existing test to make sure that the test work fine with the new changes and also introduces a new integration test to emulate custom endpoint configuration.
Checklist:
make test-community)?make lintthis requires golangci-lint)?Note
Medium Risk
Changes how the
hashicorpvaultauthdetector selects verification endpoints and introduces configurable endpoints, which can affect network verification behavior; SSRF risk is mitigated by switching toDetectorHttpClientWithNoLocalAddresses. Test updates reduce regression risk but endpoint selection paths need review.Overview
Adds custom endpoint support to the
hashicorpvaultauthdetector by embeddingEndpointSetterand implementingEndpointCustomizer, allowing verification against configured endpoints in addition to (or instead of) URLs found in data.Switches the detector’s default HTTP client to
detectors.DetectorHttpClientWithNoLocalAddressesand relaxes matching so results can be produced whenrole_id/secret_idare present even if no Vault URL is embedded, relying on configured/cloud/found endpoint selection.Updates unit/integration tests to enable endpoint selection flags and adds an integration test covering
SetConfiguredEndpoints; engine tests are adjusted to treatHashiCorpVaultAuthas a detector that may have no cloud endpoint by default.Reviewed by Cursor Bugbot for commit 9def14a. Bugbot is set up for automated code reviews on this repo. Configure here.