-
Notifications
You must be signed in to change notification settings - Fork 2.3k
Expand file tree
/
Copy pathcloudflarecakey.go
More file actions
101 lines (79 loc) · 2.91 KB
/
cloudflarecakey.go
File metadata and controls
101 lines (79 loc) · 2.91 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
package cloudflarecakey
import (
"context"
"fmt"
"io"
"net/http"
regexp "github.com/wasilibs/go-re2"
"github.com/trufflesecurity/trufflehog/v3/pkg/common"
"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
"github.com/trufflesecurity/trufflehog/v3/pkg/pb/detector_typepb"
)
type Scanner struct{}
// Ensure the Scanner satisfies the interface at compile time.
var _ detectors.Detector = (*Scanner)(nil)
var (
client = common.SaneHttpClient()
// Origin CA keys (aka "Service Keys") are deprecated as of 2026-03-19:
// https://developers.cloudflare.com/changelog/post/2026-03-19-service-key-authentication-deprecated/
//
// Reference: https://developers.cloudflare.com/fundamentals/api/get-started/ca-keys/
keyPat = regexp.MustCompile(`\b(v1\.0-[A-Za-z0-9-]{171})\b`)
)
// Keywords are used for efficiently pre-filtering chunks.
// Use identifiers in the secret preferably, or the provider name.
func (s Scanner) Keywords() []string {
return []string{"cloudflare"}
}
// FromData will find and optionally verify CloudflareCaKey secrets in a given set of bytes.
func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
dataStr := string(data)
uniqueMatches := make(map[string]struct{})
for _, matches := range keyPat.FindAllStringSubmatch(dataStr, -1) {
uniqueMatches[matches[1]] = struct{}{}
}
for caKey := range uniqueMatches {
s1 := detectors.Result{
DetectorType: detector_typepb.DetectorType_CloudflareCaKey,
Raw: []byte(caKey),
}
if verify {
isVerified, verificationErr := verifyCloudFlareCAKey(ctx, client, caKey)
s1.Verified = isVerified
s1.SetVerificationError(verificationErr, caKey)
}
results = append(results, s1)
}
return results, nil
}
func (s Scanner) Type() detector_typepb.DetectorType {
return detector_typepb.DetectorType_CloudflareCaKey
}
func (s Scanner) Description() string {
return "Cloudflare is a web infrastructure and website security company. Cloudflare CA keys can be used to manage SSL/TLS certificates and other security settings."
}
func verifyCloudFlareCAKey(ctx context.Context, client *http.Client, caKey string) (bool, error) {
req, err := http.NewRequestWithContext(ctx, "GET", "https://api.cloudflare.com/client/v4/certificates?zone_id=a", nil)
if err != nil {
return false, nil
}
req.Header.Add("Content-Type", "application/json")
req.Header.Add("user-agent", "curl/7.68.0") // pretend to be from curl so we do not wait 100+ seconds -> nice try did not work
req.Header.Add("X-Auth-User-Service-Key", caKey)
resp, err := client.Do(req)
if err != nil {
return false, err
}
defer func() {
_, _ = io.Copy(io.Discard, resp.Body)
_ = resp.Body.Close()
}()
switch resp.StatusCode {
case http.StatusOK:
return true, nil
case http.StatusUnauthorized, http.StatusForbidden:
return false, nil
default:
return false, fmt.Errorf("unexpected status code: %d", resp.StatusCode)
}
}