Netlify Analyzer (#4106)

* initial

* added netlify analyzer

Author: kashifkhan0771

pkg/analyzer/analyzers/analyzers.go

@@ -94,6 +94,7 @@ const (
 	AnalyzerTypeLaunchDarkly
 	AnalyzerTypeFigma
 	AnalyzerTypePlaid
+	AnalyzerTypeNetlify
 	// Add new items here with AnalyzerType prefix
 )
 
@@ -133,6 +134,7 @@ var analyzerTypeStrings = map[AnalyzerType]string{
 	AnalyzerTypeLaunchDarkly:  "LaunchDarkly",
 	AnalyzerTypeFigma:         "Figma",
 	AnalyzerTypePlaid:         "Plaid",
+	AnalyzerTypeNetlify:       "Netlify",
 	// Add new mappings here
 }
 

pkg/analyzer/analyzers/netlify/models.go

@@ -0,0 +1,169 @@
+package netlify
+
+import "sync"
+
+type ResourceType string
+
+func (r ResourceType) String() string {
+	return string(r)
+}
+
+const (
+	CurrentUser         ResourceType = "User"
+	Token               ResourceType = "Token"
+	Site                ResourceType = "Site"
+	SiteFile            ResourceType = "Site File"
+	SiteEnvVar          ResourceType = "Site Env Variable"
+	SiteSnippet         ResourceType = "Site Snippet"
+	SiteDeploy          ResourceType = "Site Deploy"
+	SiteDeployedBranch  ResourceType = "Site Deployed Branch"
+	SiteBuild           ResourceType = "Site Build"
+	SiteDevServer       ResourceType = "Site Dev Server"
+	SiteBuildHook       ResourceType = "Site Build Hook"
+	SiteDevServerHook   ResourceType = "Site Dev Server Hook"
+	SiteServiceInstance ResourceType = "Site Service Instance"
+	SiteFunction        ResourceType = "Site Function"
+	SiteForm            ResourceType = "Site Form"
+	SiteSubmission      ResourceType = "Site Submission"
+	SiteTrafficSplit    ResourceType = "Site Traffic Split"
+	DNSZone             ResourceType = "DNS Zone"
+	Service             ResourceType = "Service"
+)
+
+type SecretInfo struct {
+	mu sync.RWMutex
+
+	UserInfo  User
+	Resources []NetlifyResource
+}
+
+func (s *SecretInfo) appendResource(resource NetlifyResource) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	s.Resources = append(s.Resources, resource)
+}
+
+// listResourceByType returns a list of resources matching the given type.
+func (s *SecretInfo) listResourceByType(resourceType ResourceType) []NetlifyResource {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	resources := make([]NetlifyResource, 0, len(s.Resources))
+	for _, resource := range s.Resources {
+		if resource.Type == resourceType.String() {
+			resources = append(resources, resource)
+		}
+	}
+
+	return resources
+}
+
+type User struct {
+	ID        string `json:"id"`
+	Name      string `json:"full_name"`
+	Email     string `json:"email"`
+	AccountID string `json:"account_id"`
+	LastLogin string `json:"last_login"`
+}
+
+type NetlifyResource struct {
+	ID       string
+	Name     string
+	Type     string
+	Metadata map[string]string
+	Parent   *NetlifyResource
+}
+
+type token struct {
+	ID        string `json:"id"`
+	Name      string `json:"name"`
+	Personal  bool   `json:"personal"`
+	ExpiresAt string `json:"expires_at"`
+}
+
+type site struct {
+	SiteID   string `json:"site_id"`
+	Name     string `json:"name"`
+	Url      string `json:"url"`
+	AdminUrl string `json:"admin_url"`
+	RepoUrl  string `json:"repo_url"`
+}
+
+type file struct {
+	ID       string `json:"id"`
+	Path     string `json:"path"`
+	MimeType string `json:"mime_type"`
+}
+
+type envVariable struct {
+	Key    string   `json:"key"`
+	Scopes []string `json:"scopes"`
+	Values []struct {
+		ID    string `json:"id"`
+		Value string `json:"value"`
+	} `json:"values"`
+}
+
+type snippet struct {
+	ID    string `json:"id"`
+	Title string `json:"title"`
+}
+
+type deploy struct {
+	ID      string `json:"id"`
+	Name    string `json:"name"`
+	BuildID string `json:"build_id"`
+	State   string `json:"state"`
+	Url     string `json:"url"`
+}
+
+type deployedBranch struct {
+	ID   string `json:"id"`
+	Name string `json:"name"`
+	Slug string `json:"slug"`
+}
+
+type build struct {
+	ID          string `json:"id"`
+	DeployState string `json:"deploy_state"`
+}
+
+type devServer struct {
+	ID    string `json:"id"`
+	Title string `json:"title"`
+}
+
+type buildHook struct {
+	ID     string `json:"id"`
+	Title  string `json:"title"`
+	Branch string `json:"branch"`
+}
+
+type serviceInstance struct {
+	ID          string `json:"id"`
+	ServiceName string `json:"service_name"`
+	Url         string `json:"url"`
+}
+
+type function struct {
+	ID       string `json:"id"`
+	Provider string `json:"provider"`
+}
+
+// this handle response of 3 API's
+type formSubmissionSplitInfo struct {
+	ID   string `json:"id"`
+	Name string `json:"name"`
+}
+
+type dnsZone struct {
+	ID   string `json:"id"`
+	Name string `json:"name"`
+}
+
+type service struct {
+	ID          string `json:"id"`
+	Name        string `json:"name"`
+	ServicePath string `json:"service_path"`
+}

pkg/analyzer/analyzers/netlify/netlify.go

@@ -0,0 +1,161 @@
+//go:generate generate_permissions permissions.yaml permissions.go netlify
+package netlify
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/fatih/color"
+	"github.com/jedib0t/go-pretty/v6/table"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/analyzers"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/analyzer/config"
+	"github.com/trufflesecurity/trufflehog/v3/pkg/context"
+)
+
+var _ analyzers.Analyzer = (*Analyzer)(nil)
+
+type Analyzer struct {
+	Cfg *config.Config
+}
+
+func (a Analyzer) Type() analyzers.AnalyzerType {
+	return analyzers.AnalyzerTypeNetlify
+}
+
+func (a Analyzer) Analyze(_ context.Context, credInfo map[string]string) (*analyzers.AnalyzerResult, error) {
+	key, exist := credInfo["key"]
+	if !exist {
+		return nil, fmt.Errorf("key not found in credential info")
+	}
+
+	info, err := AnalyzePermissions(a.Cfg, key)
+	if err != nil {
+		return nil, err
+	}
+
+	return secretInfoToAnalyzerResult(info), nil
+}
+
+func AnalyzeAndPrintPermissions(cfg *config.Config, key string) {
+	info, err := AnalyzePermissions(cfg, key)
+	if err != nil {
+		// just print the error in cli and continue as a partial success
+		color.Red("[x] Error : %s", err.Error())
+	}
+
+	if info == nil {
+		color.Red("[x] Error : %s", "No information found")
+		return
+	}
+
+	color.Green("[!] Valid Fastly API key\n\n")
+
+	printUserInfo(info.UserInfo)
+	printTokenInfo(info.listResourceByType(Token))
+	printResources(info.Resources)
+
+	color.Yellow("\n[i] Expires: %s", "N/A (Refer to Token Information Table)")
+}
+
+func AnalyzePermissions(cfg *config.Config, key string) (*SecretInfo, error) {
+	client := analyzers.NewAnalyzeClient(cfg)
+
+	var secretInfo = &SecretInfo{}
+
+	if err := captureUserInfo(client, key, secretInfo); err != nil {
+		return nil, err
+	}
+
+	if err := captureTokens(client, key, secretInfo); err != nil {
+		return nil, err
+	}
+
+	if err := captureResources(client, key, secretInfo); err != nil {
+		return secretInfo, err
+	}
+
+	return secretInfo, nil
+}
+
+// secretInfoToAnalyzerResult translate secret info to Analyzer Result
+func secretInfoToAnalyzerResult(info *SecretInfo) *analyzers.AnalyzerResult {
+	if info == nil {
+		return nil
+	}
+
+	result := analyzers.AnalyzerResult{
+		AnalyzerType: analyzers.AnalyzerTypeNetlify,
+		Metadata:     map[string]any{},
+		Bindings:     make([]analyzers.Binding, 0),
+	}
+
+	// extract information from resource to create bindings and append to result bindings
+	for _, resource := range info.Resources {
+		binding := analyzers.Binding{
+			Resource: analyzers.Resource{
+				Name:               resource.Name,
+				FullyQualifiedName: fmt.Sprintf("netlify/%s/%s", resource.Type, resource.ID), // e.g: netlify/site/123
+				Type:               resource.Type,
+				Metadata:           map[string]any{}, // to avoid panic
+			},
+			Permission: analyzers.Permission{
+				Value: PermissionStrings[FullAccess], // no fine grain access
+			},
+		}
+
+		if resource.Parent != nil {
+			binding.Resource.Parent = &analyzers.Resource{
+				Name:               resource.Parent.Name,
+				FullyQualifiedName: resource.Parent.ID,
+				Type:               resource.Parent.Type,
+				// not copying parent metadata
+			}
+		}
+
+		for key, value := range resource.Metadata {
+			binding.Resource.Metadata[key] = value
+		}
+
+		result.Bindings = append(result.Bindings, binding)
+	}
+
+	return &result
+}
+
+// cli print functions
+func printUserInfo(user User) {
+	color.Yellow("[i] User Information:")
+	t := table.NewWriter()
+	t.SetOutputMirror(os.Stdout)
+	t.AppendHeader(table.Row{"Name", "Email", "Account ID", "Last Login At"})
+	t.AppendRow(table.Row{color.GreenString(user.Name), color.GreenString(user.Email), color.GreenString(user.AccountID), color.GreenString(user.LastLogin)})
+
+	t.Render()
+}
+
+func printTokenInfo(tokens []NetlifyResource) {
+	color.Yellow("[i] Tokens Information:")
+	t := table.NewWriter()
+	t.SetOutputMirror(os.Stdout)
+	t.AppendHeader(table.Row{"ID", "Name", "Personal", "Expires At"})
+	for _, token := range tokens {
+		t.AppendRow(table.Row{color.GreenString(token.ID), color.GreenString(token.Name), color.GreenString(token.Metadata[tokenPersonal]), color.GreenString(token.Metadata[tokenExpiresAt])})
+	}
+	t.Render()
+}
+
+func printResources(resources []NetlifyResource) {
+	color.Yellow("[i] Resources:")
+	t := table.NewWriter()
+	t.SetOutputMirror(os.Stdout)
+	t.AppendHeader(table.Row{"Name", "Type"})
+	for _, resource := range resources {
+		// skip token type resource as we will print them separately
+		if resource.Type == Token.String() {
+			continue
+		}
+
+		t.AppendRow(table.Row{color.GreenString(resource.Name), color.GreenString(resource.Type)})
+	}
+	t.Render()
+}