salvacybersec/keyhunter
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
af284f56f2c0cf73e104abc3952ccca6ed57f05b
keyhunter/pkg/recon/sources/notion.go
salvacybersec 7bb614678d feat(15-02): add Trello and Notion ReconSource implementations 
- TrelloSource searches public Trello boards via /1/search API
- NotionSource uses dorking to discover and scrape public Notion pages
- Both credentialless, follow established Phase 10 pattern
- Tests with httptest mocks confirm Sweep emits findings
2026-04-06 13:50:04 +03:00

139 lines
3.3 KiB
Go
Raw Blame History

package sources
import (
"context"
"encoding/json"
"fmt"
"io"
"net/http"
"net/url"
"time"
"golang.org/x/time/rate"
"github.com/salvacybersec/keyhunter/pkg/providers"
"github.com/salvacybersec/keyhunter/pkg/recon"
)
// NotionSource searches publicly shared Notion pages for leaked API keys.
// Notion pages shared with "anyone with the link" are indexable by search
// engines. This source uses a dorking approach to discover such pages and
// then scrapes their content for credentials.
type NotionSource struct {
BaseURL string
Registry *providers.Registry
Limiters *recon.LimiterRegistry
Client *Client
}
var _ recon.ReconSource = (*NotionSource)(nil)
func (s *NotionSource) Name() string { return "notion" }
func (s *NotionSource) RateLimit() rate.Limit { return rate.Every(3 * time.Second) }
func (s *NotionSource) Burst() int { return 2 }
func (s *NotionSource) RespectsRobots() bool { return true }
func (s *NotionSource) Enabled(_ recon.Config) bool { return true }
// notionSearchResponse represents dork search results pointing to Notion pages.
type notionSearchResponse struct {
Results []notionSearchResult `json:"results"`
}
type notionSearchResult struct {
URL string `json:"url"`
Title string `json:"title"`
}
func (s *NotionSource) Sweep(ctx context.Context, _ string, out chan<- recon.Finding) error {
base := s.BaseURL
if base == "" {
base = "https://search.notion.dev"
}
client := s.Client
if client == nil {
client = NewClient()
}
queries := BuildQueries(s.Registry, "notion")
if len(queries) == 0 {
return nil
}
for _, q := range queries {
if err := ctx.Err(); err != nil {
return err
}
if s.Limiters != nil {
if err := s.Limiters.Wait(ctx, s.Name(), s.RateLimit(), s.Burst(), false); err != nil {
return err
}
}
// Search for public Notion pages via dorking.
searchURL := fmt.Sprintf("%s/search?q=%s&format=json",
base, url.QueryEscape("site:notion.site OR site:notion.so "+q))
req, err := http.NewRequestWithContext(ctx, http.MethodGet, searchURL, nil)
if err != nil {
continue
}
req.Header.Set("Accept", "application/json")
resp, err := client.Do(ctx, req)
if err != nil {
continue
}
body, err := io.ReadAll(io.LimitReader(resp.Body, 256*1024))
_ = resp.Body.Close()
if err != nil {
continue
}
var results notionSearchResponse
if err := json.Unmarshal(body, &results); err != nil {
continue
}
// Fetch each discovered Notion page and scan for keys.
for _, result := range results.Results {
if err := ctx.Err(); err != nil {
return err
}
if s.Limiters != nil {
if err := s.Limiters.Wait(ctx, s.Name(), s.RateLimit(), s.Burst(), false); err != nil {
return err
}
}
pageReq, err := http.NewRequestWithContext(ctx, http.MethodGet, result.URL, nil)
if err != nil {
continue
}
pageResp, err := client.Do(ctx, pageReq)
if err != nil {
continue
}
pageBody, err := io.ReadAll(io.LimitReader(pageResp.Body, 256*1024))
_ = pageResp.Body.Close()
if err != nil {
continue
}
if ciLogKeyPattern.Match(pageBody) {
out <- recon.Finding{
ProviderName: q,
Source: result.URL,
SourceType: "recon:notion",
Confidence: "medium",
DetectedAt: time.Now(),
}
}
}
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink