[INS-339] Add New Relic User Key detector#4794
Open
mustansir14 wants to merge 8 commits intotrufflesecurity:mainfrom
Open
[INS-339] Add New Relic User Key detector#4794mustansir14 wants to merge 8 commits intotrufflesecurity:mainfrom
mustansir14 wants to merge 8 commits intotrufflesecurity:mainfrom
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
|
|
||
| res, err := client.Do(req) | ||
| if err != nil { | ||
| return false, nil, fmt.Errorf("error making request: %w", err) |
| type graphqlResponse struct { | ||
| Data struct { | ||
| RequestContext struct { | ||
| UserID string `json:"userId"` |
There was a problem hiding this comment.
UserID field type likely mismatches API integer response
High Severity
The graphqlResponse struct defines UserID as string, but the NerdGraph API's requestContext.userId field returns a JSON integer (number). Go's json.Decoder cannot unmarshal a JSON number into a string field and will return a decode error. This causes verifyRegion to return an error on valid 200 OK responses, so valid keys are never marked as verified — they get a verification error instead.
Additional Locations (1)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description:
This PR adds the New Relic User Key Detector.
Regex:
\b(NRAK-[A-Z0-9]{27})\bVerification:
For verification, we use the New relic NerdGraph API:
https://api.newrelic.com/graphql.We send a POST request with body
{ requestContext { userId } }. A response code of200means the key is valid.401means it is an invalid/rotated key and403means the region is incorrect.Note: For EU region keys, the endpoint should be
https://api.eu.newrelic.com/graphql"Corpora Test:
The detector does not appear in the list.
Checklist:
make test-community)?make lintthis requires golangci-lint)?Note
Medium Risk
Introduces a new detector with live HTTP verification against New Relic’s US/EU NerdGraph endpoints, which could impact scan performance or verification behavior if the API/regions change.
Overview
Adds a new
newrelicuserkeydetector that matchesNRAK-...user keys and (when verification is enabled) validates them by calling New Relic’s NerdGraph API across US/EU regions, returning the detected region anduserIdas extra metadata.Registers the new detector in the default detector list and extends the
DetectorTypeenum/proto to includeNewRelicUserKey, with unit and integration tests covering matching and verification outcomes.Reviewed by Cursor Bugbot for commit deaeb41. Bugbot is set up for automated code reviews on this repo. Configure here.