
Bug in `PubNubSubscriptionKey` verification logic

Open rgmz opened this issue 2 years ago • 2 comments


TruffleHog Version

3.60.4

Description

The `PubNubSubscriptionKey` detector incorrectly flags valid keys as invalid when a non-2xx response is received.

Given the following code:

https://github.com/trufflesecurity/trufflehog/blob/eb0c0fa99fcca6dd37892a33e0f8fc7b39c65ae2/pkg/detectors/pubnubsubscriptionkey/pubnubsubscriptionkey.go#L57-L58

A valid subscription key that does not have objects enabled will return a 403 response:

GET https://ps.pndsn.com/v2/objects/sub-c-$valid/uuids
{"status":403,"error":{"message":"Objects not enabled for this subscriber key.","source":"objects"}}

Conversely, an invalid key will return a 400 response:

GET https://ps.pndsn.com/v2/objects/sub-c-$invalid/uuids
{"message": "Invalid Subscribe Key", "error": true, "service": "Access Manager", "status": 400}

rgmz avatar Oct 27 '23 17:10 rgmz
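One way to classify the two responses quoted above, as an added example in Go (not the detector's own code, and not a patch against the linked file): the verdict is derived from the status code together with the JSON body, so a 403 whose message says Objects is disabled counts as a live key, a 400 "Invalid Subscribe Key" counts as a dead one, and anything else is reported as indeterminate rather than silently treated as invalid. The two bodies are constructed from the issue text; note that `"error"` is a boolean in one and an object in the other, so it is decoded as `json.RawMessage` first. The name `classifySubscribeKeyResponse` and the three-way `Verdict` type are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Sample bodies constructed from the two responses quoted in this issue.
const (
	validKeyNoObjects = `{"status":403,"error":{"message":"Objects not enabled for this subscriber key.","source":"objects"}}`
	invalidKey        = `{"message": "Invalid Subscribe Key", "error": true, "service": "Access Manager", "status": 400}`
)

// Verdict is a three-way outcome so that "unknown" is never collapsed into "invalid".
type Verdict int

const (
	Verified      Verdict = iota // the service accepted the key
	NotVerified                  // the service rejected the key
	Indeterminate                // response not understood; do not assert either way
)

func (v Verdict) String() string {
	return [...]string{"verified", "not verified", "indeterminate"}[v]
}

// pubnubBody covers both shapes seen on this endpoint: the Access Manager
// response carries a top-level "message" with "error": true, while the objects
// service nests the message under an "error" object.
type pubnubBody struct {
	Status  int             `json:"status"`
	Message string          `json:"message"`
	Error   json.RawMessage `json:"error"`
}

// errorMessage prefers error.message when "error" is an object, otherwise the
// top-level message. Unmarshalling a boolean into the struct fails and falls back.
func (b pubnubBody) errorMessage() string {
	var nested struct {
		Message string `json:"message"`
	}
	if err := json.Unmarshal(b.Error, &nested); err == nil && nested.Message != "" {
		return nested.Message
	}
	return b.Message
}

// classifySubscribeKeyResponse maps an HTTP status and body from the
// /v2/objects/<sub-key>/uuids endpoint to a Verdict (hypothetical helper).
func classifySubscribeKeyResponse(status int, body []byte) (Verdict, error) {
	if status >= 200 && status < 300 {
		return Verified, nil
	}
	var parsed pubnubBody
	if err := json.Unmarshal(body, &parsed); err != nil {
		return Indeterminate, fmt.Errorf("non-JSON %d response: %w", status, err)
	}
	msg := parsed.errorMessage()
	switch {
	case status == 403 && strings.Contains(msg, "Objects not enabled"):
		// The key itself was accepted; only the Objects feature is off for it.
		return Verified, nil
	case status == 400 && strings.Contains(msg, "Invalid Subscribe Key"):
		return NotVerified, nil
	default:
		return Indeterminate, fmt.Errorf("unexpected %d response: %q", status, msg)
	}
}

func main() {
	cases := []struct {
		status int
		body   string
	}{
		{403, validKeyNoObjects},
		{400, invalidKey},
		{500, "<html>gateway error</html>"},
	}
	for _, c := range cases {
		v, err := classifySubscribeKeyResponse(c.status, []byte(c.body))
		fmt.Printf("%d -> %s (err=%v)\n", c.status, v, err)
	}
}
```

Matching on the message text rather than only the status keeps a future 403 with a different cause (for example a revoked key) from being reported as verified; it would surface as indeterminate instead.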

@0x1 do you think we just need to do what we're doing for the pubnubpublishkeys here?

rosecodym avatar Nov 13 '23 17:11 rosecodym

> @0x1 do you think we just need to do what we're doing for the pubnubpublishkeys here?

I think we need to add logic for the case rgmz mentioned and check for the JSON blob on a 403, or find a different endpoint that doesn't depend on objects being enabled. I can create a ticket for this.

0x1 avatar Nov 15 '23 20:11 0x1