[INS-339] Add New Relic User Key detector#4794
Open
mustansir14 wants to merge 6 commits intotrufflesecurity:mainfrom
Open
[INS-339] Add New Relic User Key detector#4794mustansir14 wants to merge 6 commits intotrufflesecurity:mainfrom
mustansir14 wants to merge 6 commits intotrufflesecurity:mainfrom
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
|
|
||
| res, err := client.Do(req) | ||
| if err != nil { | ||
| return false, nil, fmt.Errorf("error making request: %w", err) |
| type graphqlResponse struct { | ||
| Data struct { | ||
| RequestContext struct { | ||
| UserID string `json:"userId"` |
There was a problem hiding this comment.
UserID field type likely mismatches API integer response
High Severity
The graphqlResponse struct defines UserID as string, but the NerdGraph API's requestContext.userId field returns a JSON integer (number). Go's json.Decoder cannot unmarshal a JSON number into a string field and will return a decode error. This causes verifyRegion to return an error on valid 200 OK responses, so valid keys are never marked as verified — they get a verification error instead.
Additional Locations (1)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description:
This PR adds the New Relic User Key Detector.
Regex:
\b(NRAK-[A-Z0-9]{27})\bVerification:
For verification, we use the New relic NerdGraph API:
https://api.newrelic.com/graphql.We send a POST request with body
{ requestContext { userId } }. A response code of200means the key is valid.401means it is an invalid/rotated key and403means the region is incorrect.Note: For EU region keys, the endpoint should be
https://api.eu.newrelic.com/graphql"Corpora Test:
The detector does not appear in the list.
Checklist:
make test-community)?make lintthis requires golangci-lint)?Note
Medium Risk
Adds a new detector that performs outbound verification calls to New Relic’s NerdGraph API (US/EU), which can affect scan behavior via network timeouts/rate limits and introduces a new protobuf enum value consumed across the codebase.
Overview
Adds a new
newrelicuserkeydetector to identify New Relic User API keys via regex (NRAK-...) and optionally verify them by calling the NerdGraph GraphQL endpoint in both US and EU regions, returningregionanduser_idasExtraDatawhen validated.Wires the detector into the default detector set and extends the detector type enum (
DetectorType_NewRelicUserKey = 1044) inproto/detectors.proto(and regenerateddetectors.pb.go), with unit and integration tests plus a benchmark for the new detector.Written by Cursor Bugbot for commit b62ea01. This will update automatically on new commits. Configure here.