feat: add Rancher/Cattle token detector #4874
moeedrehman135 wants to merge 4 commits into trufflesecurity:main from
| var ( | ||
| tokenPattern = regexp.MustCompile( | ||
| `(?i)(?:CATTLE_TOKEN|RANCHER_TOKEN|CATTLE_BOOTSTRAP_PASSWORD|RANCHER_API_TOKEN)[^\w]{1,4}([a-z0-9]{54,64})`, | ||
| ) |
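Review bot: the leading `(?i)` applies to the whole expression, so the `[a-z0-9]{54,64}` capture also accepts uppercase; if the token body is meant to be lowercase, scope the flag to the key names with `(?i:CATTLE_TOKEN|RANCHER_TOKEN|...)`. The capture group also has no trailing boundary, so a longer alphanumeric run would be reported as a truncated 64-character "token"; add `\b` after the closing parenthesis.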
Token regex won't match real Rancher token format
High Severity
Real Rancher API tokens use the format token-xxxxx:yyyyyyyyyy (containing hyphens and colons), as documented in Rancher's official API docs. The capture group [a-z0-9]{54,64} only allows lowercase alphanumerics, so it will never match actual CATTLE_TOKEN or RANCHER_TOKEN values. The test data uses a fabricated token (kubeadmin5f8a3b...) that doesn't resemble any real Rancher token format, masking this fundamental mismatch.
Reviewed by Cursor Bugbot for commit 86cc6fa.
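As an added example (not code from the PR or from trufflehog), a pattern for the token-xxxxx:secret shape the review describes, with case-insensitivity scoped to the key name and the PR's server-context guard applied before anything is reported. The 5-character prefix, the 54-character secret length and the sample chunk are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Added example, not the PR's code. (?i:...) scopes case-insensitivity to the
// key name, so [a-z0-9] in the token body really means lowercase; the 5-char
// prefix and 54-char secret lengths are assumptions, not taken from the page.
var (
	tokenPattern = regexp.MustCompile(
		`(?i:CATTLE_TOKEN|RANCHER_TOKEN|RANCHER_API_TOKEN)[^\w]{1,4}(token-[a-z0-9]{5}:[a-z0-9]{54})\b`)
	serverPattern = regexp.MustCompile(
		`(?i:CATTLE_SERVER|RANCHER_URL)[^\w]{1,4}(https?://[^\s"']+)`)
)

// Candidate is one server/token pair worth verifying against GET /v3.
type Candidate struct{ Server, Token string }

// FindCandidates reports tokens only when a server URL co-occurs in the same
// chunk, which is the PR's guard against bare-string false positives.
func FindCandidates(chunk string) []Candidate {
	servers := serverPattern.FindAllStringSubmatch(chunk, -1)
	if len(servers) == 0 {
		return nil
	}
	var out []Candidate
	for _, s := range servers {
		for _, t := range tokenPattern.FindAllStringSubmatch(chunk, -1) {
			out = append(out, Candidate{Server: s[1], Token: t[1]})
		}
	}
	return out
}

// Constructed sample: an env-style dump with server context and two tokens.
const sample = `CATTLE_SERVER=https://rancher.example.internal
CATTLE_TOKEN="token-k7x2p:abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqr"
RANCHER_TOKEN: token-zzzzz:abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqr`

func main() {
	for _, c := range FindCandidates(sample) {
		fmt.Printf("server=%s token=%s...\n", c.Server, c.Token[:12])
	}
}
```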
- Add regex pattern for CATTLE_TOKEN/RANCHER_API_TOKEN format
- Require server context (CATTLE_SERVER/RANCHER_URL) to reduce false positives
- Add HTTP verification against Rancher v3 API
- Add pattern tests
- Register detector in defaults.go

Closes trufflesecurity#4622

86cc6fa to 74f5a74
| "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" | ||
| ) | ||
|
|
||
| type Scanner struct{} |
Missing multi-part credential provider causes missed detections
Medium Severity
The Scanner struct doesn't embed detectors.DefaultMultiPartCredentialProvider, even though the detector requires two distinct patterns (server context via serverPattern and secret via tokenPattern) to co-occur in the same data chunk. Without this, the Aho-Corasick span calculator uses its default 512-byte radius, so if the server URL and token are farther apart in the scanned data, the chunk delivered to FromData may lack one of the two patterns, causing valid credentials to be silently missed. All comparable multi-part detectors (e.g., mattermostpersonaltoken, formsite) embed this provider.
Reviewed by Cursor Bugbot for commit 74f5a74.
| req.Header.Set("Authorization", "Bearer "+token) | ||
| res, err := client.Do(req) | ||
| if err == nil { | ||
| defer res.Body.Close() |
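Review bot: `defer res.Body.Close()` sits inside the `for` loop, so every response body stays open until FromData returns; close it explicitly at the end of the iteration instead, and drain it first with `io.Copy(io.Discard, res.Body)` so the keep-alive connection can be reused for the next candidate.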
Deferred body close accumulates in loop iterations
Medium Severity
The defer res.Body.Close() is inside a for loop, so response bodies won't be closed until FromData returns rather than at the end of each iteration. This accumulates open connections/file descriptors across iterations. A comparable detector (pivotaltracker) with nearly identical structure correctly uses res.Body.Close() without defer in its loop.
Reviewed by Cursor Bugbot for commit 7401a70.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
There are 5 total unresolved issues (including 3 from previous reviews).
Reviewed by Cursor Bugbot for commit f031603.
| message GitHubSSHKey { | ||
| string user = 1; | ||
| string public_key_fingerprint = 2; | ||
| } |
Proto file contains duplicate content causing compilation failure
High Severity
The proto/detectors.proto file has been corrupted — a second complete proto file definition (with duplicate syntax, package, DecoderType enum, and all message types) is appended starting at line 1097. This will cause protoc compilation to fail with duplicate symbol errors whenever the proto is regenerated. The first copy also drops HTML = 5 from DecoderType, which is actively used in the codebase (e.g., pkg/decoders/html.go).
Reviewed by Cursor Bugbot for commit f031603.
| BASE64 = 2; | ||
| UTF16 = 3; | ||
| ESCAPED_UNICODE = 4; | ||
| } |
Missing HTML decoder type in proto enum
High Severity
The DecoderType enum in the primary proto definition (lines 7–13) is missing HTML = 5, which existed in the original file. DecoderType_HTML is actively used by pkg/decoders/html.go and its tests. If the proto is regenerated from this file (after fixing the duplication issue), the HTML decoder type would be lost, breaking the HTML decoder.
Reviewed by Cursor Bugbot for commit f031603.


Summary
Adds a detector for Rancher/Cattle API tokens as requested in #4622.
Changes
- pkg/detectors/rancher/
- CATTLE_TOKEN, RANCHER_TOKEN, CATTLE_BOOTSTRAP_PASSWORD, RANCHER_API_TOKEN patterns
- (CATTLE_SERVER or RANCHER_URL) nearby to reduce false positives
- defaults.go
Testing
All pattern tests pass:
Closes #4622
Note
Medium Risk
Adds a new secret detector with optional live HTTP verification and wires it into the default scanner set, which can affect scan results and introduce outbound network calls when verification is enabled. Also updates the shared detectors.proto/generated pb enum (DetectorType) to include Rancher, a broad interface change that could impact consumers if mismatched across builds.
Overview
Adds a new rancher detector that only reports Rancher/Cattle tokens when a CATTLE_SERVER/RANCHER_URL is present, and can optionally verify candidates by calling GET /v3 with a bearer token.
Registers the detector in pkg/engine/defaults/defaults.go and extends detectors.proto/detectors.pb.go with DetectorType_Rancher so results are typed correctly, with accompanying pattern tests and benchmarks.
Reviewed by Cursor Bugbot for commit f031603. Bugbot is set up for automated code reviews on this repo.