diff --git a/dist/exposed_keys.js b/dist/exposed_keys.js new file mode 100644 index 0000000..0e648bb --- /dev/null +++ b/dist/exposed_keys.js @@ -0,0 +1,92 @@ +// Regex derived from TruffleHog https://github.com/trufflesecurity/trufflehog +const keyMap = { + adafruitio: '\\b(aio\\_[a-zA-Z0-9]{28})\\b', + anthropic: '\\b(sk-ant-(?:admin01|api03)-[\\w\\-]{93}AA)\\b', + apify: '\\b(apify\\_api\\_[a-zA-Z-0-9]{36})\\b', + cloudflarecakey: '\\b(v1\\.0-[A-Za-z0-9-]{171})\\b', + contentfulpersonalaccesstoken: '\\b(CFPAT-[a-zA-Z0-9_\\-]{43})\\b', + databrickstoken: '\\b([a-z0-9-]+(?:\\.[a-z0-9-]+)*\\.(cloud\\.databricks\\.com|gcp\\.databricks\\.com|azuredatabricks\\.net))\\b', + dfuse: '\\b(web\\_[0-9a-z]{32})\\b', + digitaloceanv2: '\\b((?:dop|doo|dor)_v1_[a-f0-9]{64})\\b', + discordwebhook: '(https:\\/\\/discord\\.com\\/api\\/webhooks\\/[0-9]{18,19}\\/[0-9a-zA-Z-]{68})', + documo: '\\b(ey[a-zA-Z0-9]{34}.ey[a-zA-Z0-9]{154}.[a-zA-Z0-9_-]{43})\\b', + doppler: '\\b(dp\\.pt\\.[a-zA-Z0-9]{43})\\b', + finage: '\\b(API_KEY[0-9A-Z]{32})\\b', + fleetbase: '\\b(flb_live_[0-9a-zA-Z]{20})\\b', + flexport: '\\b(shltm_[0-9a-zA-Z-_]{40})', + flutterwave: '\\b(FLWSECK-[0-9a-z]{32}-X)\\b', + frameio: '\\b(fio-u-[0-9a-zA-Z_-]{64})\\b', + ftp: '\\bftp://[\\S]{3,50}:([\\S]{3,50})@[-.%\\w\\/:]+\\b', + gcp: '\\{[^{]+auth_provider_x509_cert_url[^}]+\\}', + gcpapplicationdefaultcredentials: '\\{[^{]+client_secret[^}]+\\}', + gemini: '\\b((?:master-|account-)[0-9A-Za-z]{20})\\b', + gocardless: '\\b(live_[0-9A-Za-z\\_\\-]{40}[ "\'\\r\\n]{1})', + grafana: '\\b(glc_eyJ[A-Za-z0-9+\\/=]{60,160})', + grafanaserviceaccount: '\\b(glsa_[0-9a-zA-Z_]{41})\\b', + groq: '\\b(gsk_[a-zA-Z0-9]{52})\\b', + huggingface: '\\b(?:hf_|api_org_)[a-zA-Z0-9]{34}\\b', + intra42: '\\b(s-s4t2(?:ud|af)-[a-f0-9]{64})\\b', + jdbc: 'jdbc:[\\w]{3,10}:[^\\s"\'<>,(){}[\\]&]{10,512}', + klaviyo: '\\b(pk_[a-zA-Z0-9]{34})\\b', + launchdarkly: '\\b((?:api|sdk)-[a-z0-9]{8}-[a-z0-9]{4}-4[a-z0-9]{3}-[a-z0-9]{4}-[a-z0-9]{12})\\b', + linearapi: '\\b(lin_api_[0-9A-Za-z]{40})\\b', + locationiq: '\\b(pk\\.[a-zA-Z-0-9]{32})\\b', + mailchimp: '[0-9a-f]{32}-us[0-9]{1,2}', + microsoftteamswebhook: '(https:\\/\\/[a-zA-Z-0-9]+\\.webhook\\.office\\.com\\/webhookb2\\/[a-zA-Z0-9-@\\/]{136,}/IncomingWebhook\\/[a-zA-Z0-9]{32}\\/[a-zA-Z0-9-]{36})', + nightfall: '\\b(NF\\-[a-zA-Z0-9]{32})\\b', + notion: '\\b(secret_[A-Za-z0-9]{43})\\b', + npmtokenv2: '(npm_[0-9a-zA-Z]{36})', + nvapi: '\\b(nvapi-[a-zA-Z0-9_-]{64})\\b', + openai: '\\b(sk-[a-zA-Z0-9_-]+T3BlbkFJ[a-zA-Z0-9_-]+)\\b', + pagarme: '\\b(ak_live_[a-zA-Z0-9]{30})\\b', + paystack: '\\b(sk\\_[a-z]{1,}\\_[A-Za-z0-9]{40})\\b', + posthog: '\\b(phx_[a-zA-Z0-9_]{43})\\b', + postman: '\\b(PMAK-[a-zA-Z-0-9]{59})\\b', + prefect: '\\b(pnu_[a-zA-Z0-9]{36})\\b', + privatekey: '-----\\s*?BEGIN[ A-Z0-9_-]*?PRIVATE KEY\\s*?-----[\\s\\S]*?----\\s*?END[ A-Z0-9_-]*? PRIVATE KEY\\s*?-----', + pubnubsubscriptionkey: '\\b(sub-c-[0-9a-z]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12})\\b', + pulumi: '\\b(pul-[a-z0-9]{40})\\b', + rabbitmq: '\\b(?:amqps?):\\/\\/[\\S]{3,50}:([\\S]{3,50})@[-.%\\w\\/:]+\\b', + ramp: '\\b(ramp_id_[a-zA-Z0-9]{40})\\b', + razorpay: '\\brzp_live_[A-Za-z0-9]{14}\\b', + readme: '(rdme_[a-z0-9]{70})', + reallysimplesystems: '\\b(ey[a-zA-Z0-9-._]{153}.ey[a-zA-Z0-9-._]{916,1000})\\b', + redis: '\\bredi[s]{1,2}://[\\S]{3,50}:([\\S]{3,50})@[-.%\\w\\/:]+\\b', + replicate: '\\b(r8_[0-9A-Za-z-_]{37})\\b', + robinhoodcrypto: '\\b(rh-api-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\\b', + rubygems: '\\b(rubygems_[a-zA0-9]{48})\\b', + sendgrid: '\\bSG\\.[\\w\\-]{20,24}\\.[\\w\\-]{39,50}\\b', + sendinbluev2: '\\b(xkeysib\\-[A-Za-z0-9_-]{81})\\b', + shopify: '\\b(shppa_|shpat_)([0-9A-Fa-f]{32})\\b', + sourcegraphcody: '\\b(slk_[a-f0-9]{64})\\b', + squareapp: '(?:sandbox-)?sq0i[a-z]{2}-[0-9A-Za-z_-]{22,43}', + squareup: '\\b(sq0idp-[0-9A-Za-z]{22})\\b', + supabasetoken: '\\b(sbp_[a-z0-9]{40})\\b', + tailscale: '\\btskey-[a-z]+-[0-9A-Za-z_]+-[0-9A-Za-z_]+\\b', + terraformcloudpersonaltoken: '\\b([A-Za-z0-9]{14}.atlasv1.[A-Za-z0-9]{67})\\b', + tineswebhook: '(https://[\\w-]+\\.tines\\.com/webhook/[a-z0-9]{32}/[a-z0-9]{32})', + trufflehogenterprise: '\\bthog-key-[0-9a-f]{16}\\b', + twilio: '\\bAC[0-9a-f]{32}\\b', + ubidots: '\\b(BBFF-[0-9a-zA-Z]{30})\\b', + uri: '\\bhttps?:\\/\\/[\\w!#$%&()*+,\\-./;<=>?@[\\\\\\]^_{|}~]{0,50}:([\\w!#$%&()*+,\\-./:;<=>?[\\\\\\]^_{|}~]{3,50})@[a-zA-Z0-9.-]+(?:\\.[a-zA-Z]{2,})?(?::\\d{1,5})?[\\w/]+\\b', + voiceflow: '\\b(VF\\.(?:(?:DM|WS)\\.)?[a-fA-F0-9]{24}\\.[a-zA-Z0-9]{16})\\b', + xai: '\\b(xai-[0-9a-zA-Z_]{80})\\b', + zapierwebhook: '(https:\\/\\/hooks\\.zapier\\.com\\/hooks\\/catch\\/[A-Za-z0-9\\/]{16})', + zohocrm: '\\b(1000\\.[a-f0-9]{32}\\.[a-f0-9]{32})\\b' +}; +const scripts = Array.from(document.scripts); +let requests = $WPT_BODIES; +const combinedScripts = scripts + .filter(script => !script.src) + .map(script => script.textContent) + .concat(requests.filter(request => request.type === 'Script').map(request => request.response_body)) + .join('\n'); + + const matched_keys = []; + for (const [provider, pattern] of Object.entries(keyMap)) { + const regex = new RegExp(pattern, 'g'); + if (regex.test(combinedScripts)) { + matched_keys.push(provider); + } + } +return matched_keys;