package sources import ( "context" "encoding/json" "fmt" <<<<<<< HEAD "net/http" "strings" ======= "io" "net/http" >>>>>>> worktree-agent-adad8c10 "time" "golang.org/x/time/rate" "github.com/salvacybersec/keyhunter/pkg/providers" "github.com/salvacybersec/keyhunter/pkg/recon" ) <<<<<<< HEAD // CircleCISource searches public CircleCI build logs for leaked API keys. // It queries the CircleCI v2 API for recent pipeline workflows. Requires a // CircleCI API token for authenticated access. ======= // CircleCISource scrapes CircleCI build logs for leaked API keys. // CircleCI exposes build logs via its API; a personal API token is required // to access build artifacts and logs. Misconfigured pipelines often leak // secrets in build output. >>>>>>> worktree-agent-adad8c10 type CircleCISource struct { Token string BaseURL string Registry *providers.Registry Limiters *recon.LimiterRegistry Client *Client } var _ recon.ReconSource = (*CircleCISource)(nil) <<<<<<< HEAD func (s *CircleCISource) Name() string { return "circleci" } func (s *CircleCISource) RateLimit() rate.Limit { return rate.Every(2 * time.Second) } func (s *CircleCISource) Burst() int { return 2 } func (s *CircleCISource) RespectsRobots() bool { return false } func (s *CircleCISource) Enabled(_ recon.Config) bool { return s.Token != "" } type circlePipelineResponse struct { Items []circlePipeline `json:"items"` } type circlePipeline struct { ID string `json:"id"` VCS circleVCSInfo `json:"vcs"` } type circleVCSInfo struct { ProviderName string `json:"provider_name"` RepoName string `json:"target_repository_url"` } func (s *CircleCISource) Sweep(ctx context.Context, _ string, out chan<- recon.Finding) error { if s.Token == "" { return nil } ======= func (s *CircleCISource) Name() string { return "circleci" } func (s *CircleCISource) RateLimit() rate.Limit { return rate.Every(3 * time.Second) } func (s *CircleCISource) Burst() int { return 2 } func (s *CircleCISource) RespectsRobots() bool { return false } // Enabled requires a CircleCI API token. func (s *CircleCISource) Enabled(_ recon.Config) bool { return s.Token != "" } // circleciPipelineResponse represents the CircleCI v2 pipeline search result. type circleciPipelineResponse struct { Items []circleciPipeline `json:"items"` } type circleciPipeline struct { ID string `json:"id"` Number int `json:"number"` } func (s *CircleCISource) Sweep(ctx context.Context, _ string, out chan<- recon.Finding) error { >>>>>>> worktree-agent-adad8c10 base := s.BaseURL if base == "" { base = "https://circleci.com/api/v2" } client := s.Client if client == nil { client = NewClient() } queries := BuildQueries(s.Registry, "circleci") <<<<<<< HEAD kwIndex := circleKeywordIndex(s.Registry) ======= if len(queries) == 0 { return nil } >>>>>>> worktree-agent-adad8c10 for _, q := range queries { if err := ctx.Err(); err != nil { return err } <<<<<<< HEAD ======= >>>>>>> worktree-agent-adad8c10 if s.Limiters != nil { if err := s.Limiters.Wait(ctx, s.Name(), s.RateLimit(), s.Burst(), false); err != nil { return err } } <<<<<<< HEAD endpoint := fmt.Sprintf("%s/pipeline?mine=false", base) req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil) if err != nil { return fmt.Errorf("circleci: build request: %w", err) ======= // Search for pipelines by project slug (query is used as slug hint). searchURL := fmt.Sprintf("%s/project/gh/%s/pipeline?limit=5", base, q) req, err := http.NewRequestWithContext(ctx, http.MethodGet, searchURL, nil) if err != nil { continue >>>>>>> worktree-agent-adad8c10 } req.Header.Set("Circle-Token", s.Token) req.Header.Set("Accept", "application/json") resp, err := client.Do(ctx, req) if err != nil { <<<<<<< HEAD if strings.Contains(err.Error(), "unauthorized") { return err } continue } var result circlePipelineResponse decErr := json.NewDecoder(resp.Body).Decode(&result) _ = resp.Body.Close() if decErr != nil { continue } provName := kwIndex[strings.ToLower(q)] for _, p := range result.Items { source := fmt.Sprintf("https://app.circleci.com/pipelines/%s", p.ID) if p.VCS.RepoName != "" { source = p.VCS.RepoName } f := recon.Finding{ ProviderName: provName, Confidence: "low", Source: source, SourceType: "recon:circleci", DetectedAt: time.Now(), } select { case out <- f: case <-ctx.Done(): return ctx.Err() ======= continue } var pipelines circleciPipelineResponse if err := json.NewDecoder(resp.Body).Decode(&pipelines); err != nil { _ = resp.Body.Close() continue } _ = resp.Body.Close() for _, p := range pipelines.Items { if err := ctx.Err(); err != nil { return err } if s.Limiters != nil { if err := s.Limiters.Wait(ctx, s.Name(), s.RateLimit(), s.Burst(), false); err != nil { return err } } // Fetch pipeline workflow logs. logURL := fmt.Sprintf("%s/pipeline/%s/workflow", base, p.ID) logReq, err := http.NewRequestWithContext(ctx, http.MethodGet, logURL, nil) if err != nil { continue } logReq.Header.Set("Circle-Token", s.Token) logReq.Header.Set("Accept", "text/plain") logResp, err := client.Do(ctx, logReq) if err != nil { continue } body, err := io.ReadAll(io.LimitReader(logResp.Body, 256*1024)) _ = logResp.Body.Close() if err != nil { continue } if ciLogKeyPattern.Match(body) { out <- recon.Finding{ ProviderName: q, Source: logURL, SourceType: "recon:circleci", Confidence: "medium", DetectedAt: time.Now(), } >>>>>>> worktree-agent-adad8c10 } } } return nil } <<<<<<< HEAD func circleKeywordIndex(reg *providers.Registry) map[string]string { m := make(map[string]string) if reg == nil { return m } for _, p := range reg.List() { for _, k := range p.Keywords { kl := strings.ToLower(strings.TrimSpace(k)) if kl != "" { if _, exists := m[kl]; !exists { m[kl] = p.Name } } } } return m } ======= >>>>>>> worktree-agent-adad8c10