feat: add Rancher/Cattle token detector #4874
moeedrehman135 wants to merge 1 commit into trufflesecurity:main from
Conversation
root seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
| if verify { | ||
| client := common.SaneHttpClient() | ||
| req, err := http.NewRequestWithContext(ctx, "GET", "https://rancher.example.com/v3", nil) |
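Review bot: the request on the last line of this hunk is built against the fixed placeholder `https://rancher.example.com/v3`, so no candidate can ever verify; build the URL from the server value that `serverPattern` captures from the scanned data instead, e.g. `http.NewRequestWithContext(ctx, http.MethodGet, serverURL+"/v3", nil)`, and prefer the `http.MethodGet` constant over the bare `"GET"` string. Rancher's v3 API expects the key on the request (as basic-auth `token-xxxxx:secret` or a Bearer header); these lines do not show that being set, so check it is before `client.Do`.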
Verification sends tokens to hardcoded placeholder URL
High Severity
The verification request is hardcoded to https://rancher.example.com/v3, which is a placeholder domain that will never host a real Rancher API. The serverPattern regex only checks for the presence of a server context but never extracts the actual URL value. As a result, token verification will always fail (tokens are never marked Verified), completely defeating the stated purpose of "HTTP verification against Rancher v3 API." Comparable detectors like Portainer extract the endpoint URL from the scanned data and use it for verification.
Reviewed by Cursor Bugbot for commit 86cc6fa. Configure here.
| var ( | ||
| tokenPattern = regexp.MustCompile( | ||
| `(?i)(?:CATTLE_TOKEN|RANCHER_TOKEN|CATTLE_BOOTSTRAP_PASSWORD|RANCHER_API_TOKEN)[^\w]{1,4}([a-z0-9]{54,64})`, | ||
| ) |
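Review bot: the capture group `([a-z0-9]{54,64})` in `tokenPattern` cannot match a real Rancher API key, which has the shape `token-<name>:<secret>` with a hyphen and a colon; change it to something like `(token-[a-z0-9]{5}:[a-z0-9]{54})`, confirming the 5/54 lengths against keys issued by a current Rancher release, and give `CATTLE_BOOTSTRAP_PASSWORD` its own pattern, since a bootstrap password is an arbitrary string rather than an API key. Add a test fixture in that shape so the pattern tests catch this mismatch.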
Token regex won't match real Rancher token format
High Severity
Real Rancher API tokens use the format token-xxxxx:yyyyyyyyyy (containing hyphens and colons), as documented in Rancher's official API docs. The capture group [a-z0-9]{54,64} only allows lowercase alphanumerics, so it will never match actual CATTLE_TOKEN or RANCHER_TOKEN values. The test data uses a fabricated token (kubeadmin5f8a3b...) that doesn't resemble any real Rancher token format, masking this fundamental mismatch.
Reviewed by Cursor Bugbot for commit 86cc6fa.
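The two findings above (placeholder verification host, and a token regex that cannot match `token-xxxxx:yyyy`) are easiest to see side by side in working code. The following is an added example written for this thread, not code from the PR or from trufflehog: it captures the server origin from the scanned chunk, matches the `token-<name>:<secret>` key shape, and builds the verification request against `<captured server>/v3`. The server and token regexes, the `Candidate` type, the 5/54 length bounds and the sample `.env` data are all assumptions of this example; trufflehog's `DefaultMultiPartCredentialProvider` (the third finding) is not modelled here because it is an internal of the project.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Added illustration for this review thread; it is not trufflehog's code.
// It shows the two fixes the review asks for: capture the server URL from the
// scanned data instead of using a placeholder host, and match Rancher's
// documented token-<name>:<secret> key shape.
var (
	// Server context: CATTLE_SERVER or RANCHER_URL followed by an http(s) origin.
	serverPattern = regexp.MustCompile(
		`(?i)(?:CATTLE_SERVER|RANCHER_URL)[^\w]{1,4}(https?://[\w.\-]+(?::\d+)?)`)
	// API key: token-<5 char name>:<54 char secret>. The lengths are an
	// assumption based on keys generated by recent Rancher releases; widen
	// them if yours differ. CATTLE_BOOTSTRAP_PASSWORD is deliberately left
	// out because a bootstrap password is not an API key.
	tokenPattern = regexp.MustCompile(
		`(?i)(?:CATTLE_TOKEN|RANCHER_TOKEN|RANCHER_API_TOKEN)[^\w]{1,4}(token-[a-z0-9]{5}:[a-z0-9]{54})`)
)

// Candidate is one (server, token) pair found in a chunk.
type Candidate struct {
	Server string
	Token  string
}

// extractCandidates pairs every token with every server origin in the chunk,
// the cross-product approach trufflehog's multi-part detectors use. A token
// with no server context yields no candidate at all.
func extractCandidates(data string) []Candidate {
	servers := serverPattern.FindAllStringSubmatch(data, -1)
	tokens := tokenPattern.FindAllStringSubmatch(data, -1)
	var out []Candidate
	for _, t := range tokens {
		for _, s := range servers {
			out = append(out, Candidate{Server: strings.TrimSuffix(s[1], "/"), Token: t[1]})
		}
	}
	return out
}

// buildVerifyRequest targets <captured server>/v3, never a hardcoded host.
// Rancher accepts an API key either as basic-auth credentials or as a Bearer
// token; the Bearer form is used here.
func buildVerifyRequest(ctx context.Context, c Candidate) (*http.Request, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.Server+"/v3", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+c.Token)
	req.Header.Set("Accept", "application/json")
	return req, nil
}

// verify sends the request with the caller's client (in real code use a
// timeout-bearing client such as trufflehog's common.SaneHttpClient).
// 200 means the key is live; 401/403 means it is rejected; anything else is
// indeterminate and returned as an error so it is not reported as verified.
func verify(ctx context.Context, client *http.Client, c Candidate) (bool, error) {
	req, err := buildVerifyRequest(ctx, c)
	if err != nil {
		return false, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusUnauthorized, http.StatusForbidden:
		return false, nil
	default:
		return false, fmt.Errorf("unexpected status %d from %s", resp.StatusCode, req.URL)
	}
}

// sampleEnv is a constructed .env-style chunk: the host does not exist and the
// key is made up. The last line has no token- prefix and must not match.
const sampleEnv = `CATTLE_SERVER=https://rancher.internal.example:8443
CATTLE_TOKEN=token-abcde:abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqr
RANCHER_API_TOKEN=notatoken5f8a3b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a
`

func main() {
	for _, c := range extractCandidates(sampleEnv) {
		req, err := buildVerifyRequest(context.Background(), c)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		// Only the key name is printed; the secret never goes to stdout.
		fmt.Printf("would verify %s via %s %s\n", c.Token[:11], req.Method, req.URL)
	}
}
```

Running `main` on the constructed sample reports one candidate and the request it would send to `https://rancher.internal.example:8443/v3`; `verify` is left for a real client because the sample host is fictitious.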
- Add regex pattern for CATTLE_TOKEN/RANCHER_API_TOKEN format
- Require server context (CATTLE_SERVER/RANCHER_URL) to reduce false positives
- Add HTTP verification against Rancher v3 API
- Add pattern tests
- Register detector in defaults.go

Closes trufflesecurity#4622
86cc6fa to 74f5a74
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 3 total unresolved issues (including 2 from previous reviews).
Reviewed by Cursor Bugbot for commit 74f5a74.
| "github.com/trufflesecurity/trufflehog/v3/pkg/pb/detectorspb" | ||
| ) | ||
| type Scanner struct{} |
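Review bot: `type Scanner struct{}` should embed `detectors.DefaultMultiPartCredentialProvider`, as the other two-pattern detectors in this tree do, because this detector only fires when a server context and a token co-occur in the same chunk; without it the default 512-byte match radius can separate the two and silently drop valid credentials. One-line fix: `type Scanner struct{ detectors.DefaultMultiPartCredentialProvider }`.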
Missing multi-part credential provider causes missed detections
Medium Severity
The Scanner struct doesn't embed detectors.DefaultMultiPartCredentialProvider, even though the detector requires two distinct patterns (server context via serverPattern and secret via tokenPattern) to co-occur in the same data chunk. Without this, the Aho-Corasick span calculator uses its default 512-byte radius, so if the server URL and token are farther apart in the scanned data, the chunk delivered to FromData may lack one of the two patterns, causing valid credentials to be silently missed. All comparable multi-part detectors (e.g., mattermostpersonaltoken, formsite) embed this provider.
Reviewed by Cursor Bugbot for commit 74f5a74.


Summary
Adds a detector for Rancher/Cattle API tokens as requested in #4622.
Changes
- pkg/detectors/rancher/: new detector with CATTLE_TOKEN, RANCHER_TOKEN, CATTLE_BOOTSTRAP_PASSWORD, RANCHER_API_TOKEN patterns
- Requires a server context (CATTLE_SERVER or RANCHER_URL) nearby to reduce false positives
- Registered in defaults.go
Testing
All pattern tests pass:
Closes #4622
Note
Medium Risk
Adds a new secret detector with optional outbound HTTP verification and registers a new DetectorType enum value, which can affect scan behavior and proto compatibility across components.
Overview
Adds a new rancher detector that matches Rancher/Cattle API tokens (and bootstrap password) with a required nearby server/URL context to reduce false positives, and optionally verifies candidates via an HTTP request. Registers the detector in pkg/engine/defaults/defaults.go and introduces DetectorType_Rancher (1045) in the protobuf enum, with accompanying unit tests/benchmarks for the new pattern matching.
Reviewed by Cursor Bugbot for commit 74f5a74. Bugbot is set up for automated code reviews on this repo.