Skip to content

(fix) Indeterminate verification issue in Clickup detector #4047

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nabeelalam merged 6 commits into from
Apr 17, 2025
Merged

(fix) Indeterminate verification issue in Clickup detector #4047

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
1367ed7
handle unexpected status codes and some refactoring
abmussani Apr 14, 2025
2b2ccad
reusable http client
abmussani Apr 14, 2025
4933a30
linter fixes.
abmussani Apr 15, 2025
ac0a71a
Merge branch 'main' into clickup-definitive-verification-errors
abmussani Apr 15, 2025
c9cc757
added test case for indeterminate verification errors.
abmussani Apr 17, 2025
be5fb21
added regex prefix to increase confidence.
abmussani Apr 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 43 additions & 18 deletions pkg/detectors/clickuppersonaltoken/clickuppersonaltoken.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@ package clickuppersonaltoken

import (
"context"
"fmt"
"io"
"net/http"
"strings"

Expand All @@ -12,16 +14,18 @@ import (
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb"
)

type Scanner struct{}
type Scanner struct {
client *http.Client
}

// Ensure the Scanner satisfies the interface at compile time.
var _ detectors.Detector = (*Scanner)(nil)

var (
client = common.SaneHttpClient()
defaultClient = common.SaneHttpClient()

// Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
keyPat = regexp.MustCompile(`\b(pk_[0-9]{7,8}_[0-9A-Z]{32})\b`)
keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"clickup"}) + `\b(pk_[0-9]{7,9}_[0-9A-Z]{32})\b`)
)

// Keywords are used for efficiently pre-filtering chunks.
Expand All @@ -34,29 +38,25 @@ func (s Scanner) Keywords() []string {
func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
dataStr := string(data)

matches := keyPat.FindAllStringSubmatch(dataStr, -1)

for _, match := range matches {
resMatch := strings.TrimSpace(match[1])
uniqueMatches := make(map[string]struct{})
for _, match := range keyPat.FindAllStringSubmatch(dataStr, -1) {
uniqueMatches[strings.TrimSpace(match[1])] = struct{}{}
}

for resMatch := range uniqueMatches {
s1 := detectors.Result{
DetectorType: detectorspb.DetectorType_ClickupPersonalToken,
Raw: []byte(resMatch),
}

if verify {
req, err := http.NewRequestWithContext(ctx, "GET", "https://api.clickup.com/api/v2/user", nil)
if err != nil {
continue
}
req.Header.Add("Authorization", resMatch)
res, err := client.Do(req)
if err == nil {
defer res.Body.Close()
if res.StatusCode >= 200 && res.StatusCode < 300 {
s1.Verified = true
}
client := s.client
if client == nil {
client = defaultClient
}
isVerified, err := verifyToken(ctx, client, resMatch)
s1.Verified = isVerified
s1.SetVerificationError(err, resMatch)
}

results = append(results, s1)
Expand All @@ -72,3 +72,28 @@ func (s Scanner) Type() detectorspb.DetectorType {
func (s Scanner) Description() string {
return "ClickUp is a project management tool. Personal tokens can be used to access and modify data within ClickUp on behalf of a user."
}

func verifyToken(ctx context.Context, client *http.Client, token string) (bool, error) {
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://api.clickup.com/api/v2/user", nil)
if err != nil {
return false, err
}
req.Header.Add("Authorization", token)
res, err := client.Do(req)
if err != nil {
return false, err
}
defer func() {
_, _ = io.Copy(io.Discard, res.Body)
_ = res.Body.Close()
}()

switch res.StatusCode {
case http.StatusOK:
return true, nil
case http.StatusUnauthorized:
return false, nil
default:
return false, fmt.Errorf("unexpected status code %d", res.StatusCode)
}
}
53 changes: 40 additions & 13 deletions pkg/detectors/clickuppersonaltoken/clickuppersonaltoken_integration_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,8 @@ import (
"testing"
"time"

"github.com/kylelemons/godebug/pretty"
"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"

"github.com/trufflesecurity/trufflehog/v3/pkg/common"
Expand All @@ -32,11 +33,12 @@ func TestClickupPersonalToken_FromChunk(t *testing.T) {
verify bool
}
tests := []struct {
name string
s Scanner
args args
want []detectors.Result
wantErr bool
name string
s Scanner
args args
want []detectors.Result
wantErr bool
wantVerificationErr bool
}{
{
name: "found, verified",
Expand All @@ -52,7 +54,8 @@ func TestClickupPersonalToken_FromChunk(t *testing.T) {
Verified: true,
},
},
wantErr: false,
wantErr: false,
wantVerificationErr: false,
},
{
name: "found, unverified",
Expand All @@ -68,7 +71,8 @@ func TestClickupPersonalToken_FromChunk(t *testing.T) {
Verified: false,
},
},
wantErr: false,
wantErr: false,
wantVerificationErr: false,
},
{
name: "not found",
Expand All @@ -78,14 +82,31 @@ func TestClickupPersonalToken_FromChunk(t *testing.T) {
data: []byte("You cannot find the secret within"),
verify: true,
},
want: nil,
wantErr: false,
want: nil,
wantErr: false,
wantVerificationErr: false,
},
{
name: "found verifiable secret, verification failed due to unexpected API response",
s: Scanner{client: common.ConstantResponseHttpClient(404, "")},
args: args{
ctx: context.Background(),
data: []byte(fmt.Sprintf("You can find a clickuppersonaltoken secret %s within but not valid", inactiveSecret)), // the secret would satisfy the regex but not pass validation
verify: true,
},
want: []detectors.Result{
{
DetectorType: detectorspb.DetectorType_ClickupPersonalToken,
Verified: false,
},
},
wantErr: false,
wantVerificationErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
s := Scanner{}
got, err := s.FromData(tt.args.ctx, tt.args.verify, tt.args.data)
got, err := tt.s.FromData(tt.args.ctx, tt.args.verify, tt.args.data)

@nabeelalam nabeelalam Apr 17, 2025

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this commented line can be removed

if (err != nil) != tt.wantErr {
t.Errorf("ClickupPersonalToken.FromData() error = %v, wantErr %v", err, tt.wantErr)
return
Expand All @@ -94,9 +115,15 @@ func TestClickupPersonalToken_FromChunk(t *testing.T) {
if len(got[i].Raw) == 0 {
t.Fatalf("no raw secret present: \n %+v", got[i])
}

if (got[i].VerificationError() != nil) != tt.wantVerificationErr {
t.Fatalf("wantVerificationError = %v, verification error = %v", tt.wantVerificationErr, got[i].VerificationError())
}
got[i].Raw = nil
}
if diff := pretty.Compare(got, tt.want); diff != "" {

ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "verificationError")
if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" {
t.Errorf("ClickupPersonalToken.FromData() %s diff: (-got +want)\n%s", tt.name, diff)
}
})
Expand Down