package sources import ( "context" "encoding/json" "fmt" "io" "net/http" "net/url" "time" "golang.org/x/time/rate" "github.com/salvacybersec/keyhunter/pkg/providers" "github.com/salvacybersec/keyhunter/pkg/recon" ) // SentrySource searches exposed Sentry instances for API keys in error reports. // Self-hosted Sentry installations may have the API accessible without // authentication, exposing error events that commonly contain API keys in // request headers, environment variables, and stack traces. type SentrySource struct { BaseURL string Registry *providers.Registry Limiters *recon.LimiterRegistry Client *Client } var _ recon.ReconSource = (*SentrySource)(nil) func (s *SentrySource) Name() string { return "sentry" } func (s *SentrySource) RateLimit() rate.Limit { return rate.Every(2 * time.Second) } func (s *SentrySource) Burst() int { return 3 } func (s *SentrySource) RespectsRobots() bool { return false } func (s *SentrySource) Enabled(_ recon.Config) bool { return true } // sentryIssue represents a Sentry issue from the issues list API. type sentryIssue struct { ID string `json:"id"` Title string `json:"title"` } // sentryEvent represents a Sentry event from the events API. type sentryEvent struct { EventID string `json:"eventID"` Tags json.RawMessage `json:"tags"` Context json.RawMessage `json:"context"` Entries json.RawMessage `json:"entries"` } func (s *SentrySource) Sweep(ctx context.Context, query string, out chan<- recon.Finding) error { base := s.BaseURL if base == "" { base = "https://sentry.example.com" } client := s.Client if client == nil { client = NewClient() } queries := BuildQueries(s.Registry, "sentry") if len(queries) == 0 { return nil } for _, q := range queries { if err := ctx.Err(); err != nil { return err } if s.Limiters != nil { if err := s.Limiters.Wait(ctx, s.Name(), s.RateLimit(), s.Burst(), false); err != nil { return err } } // Search issues matching keyword. issuesURL := fmt.Sprintf( "%s/api/0/issues/?query=%s&limit=10", base, url.QueryEscape(q), ) req, err := http.NewRequestWithContext(ctx, http.MethodGet, issuesURL, nil) if err != nil { continue } resp, err := client.Do(ctx, req) if err != nil { continue } data, err := io.ReadAll(io.LimitReader(resp.Body, 512*1024)) _ = resp.Body.Close() if err != nil { continue } var issues []sentryIssue if err := json.Unmarshal(data, &issues); err != nil { continue } // Fetch events for each issue. for _, issue := range issues { if err := ctx.Err(); err != nil { return err } if s.Limiters != nil { if err := s.Limiters.Wait(ctx, s.Name(), s.RateLimit(), s.Burst(), false); err != nil { return err } } eventsURL := fmt.Sprintf("%s/api/0/issues/%s/events/?limit=5", base, issue.ID) evReq, err := http.NewRequestWithContext(ctx, http.MethodGet, eventsURL, nil) if err != nil { continue } evResp, err := client.Do(ctx, evReq) if err != nil { continue } evData, err := io.ReadAll(io.LimitReader(evResp.Body, 512*1024)) _ = evResp.Body.Close() if err != nil { continue } var events []sentryEvent if err := json.Unmarshal(evData, &events); err != nil { continue } for _, ev := range events { content := string(ev.Tags) + string(ev.Context) + string(ev.Entries) if ciLogKeyPattern.MatchString(content) { out <- recon.Finding{ ProviderName: q, Source: fmt.Sprintf("%s/issues/%s/events/%s", base, issue.ID, ev.EventID), SourceType: "recon:sentry", Confidence: "medium", DetectedAt: time.Now(), } } } } } return nil }