Improved and fixed couchbase detector (#4383)

kashifkhan0771 · web-flow · commit 626887c28479 · 2025-08-12T11:51:44.000+05:00
diff --git a/pkg/detectors/couchbase/couchbase.go b/pkg/detectors/couchbase/couchbase.go
@@ -3,7 +3,6 @@ package couchbase
 import (
 	"context"
 	"fmt"
-	"strings"
 	"time"
 	"unicode"
 
@@ -23,35 +22,18 @@ type Scanner struct {
 var _ detectors.Detector = (*Scanner)(nil)
 
 var (
-
 	// Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
-	connectionStringPat = regexp.MustCompile(`\bcb\.[a-z0-9]+\.cloud\.couchbase\.com\b`)
-	usernamePat         = `?()/\+=\s\n`
-	passwordPat         = `^<>;.*&|£\n\s`
-	// passwordPat         = regexp.MustCompile(`(?i)(?:pass|pwd)(?:.|[\n\r]){0,15}(\b[^<>;.*&|£\n\s]{8,100}$)`)
-	// passwordPat = regexp.MustCompile(`(?im)(?:pass|pwd)\S{0,40}?[:=\s]{1,3}[ '"=]{0,1}([^:?()/\+=\s\n]{4,40})\b`)
+	connectionStringPat = regexp.MustCompile(`\b(cb\.[a-z0-9]+\.cloud\.couchbase\.com)\b`)
+	usernamePat         = common.UsernameRegexCheck(`?()/\+=\s\n`)
+	passwordPat         = common.PasswordRegexCheck(`^<>;.*&|£\n\s`)
 )
 
-func meetsCouchbasePasswordRequirements(password string) (string, bool) {
-	var hasLower, hasUpper, hasNumber, hasSpecialChar bool
-	for _, char := range password {
-		switch {
-		case unicode.IsLower(char):
-			hasLower = true
-		case unicode.IsUpper(char):
-			hasUpper = true
-		case unicode.IsNumber(char):
-			hasNumber = true
-		case unicode.IsPunct(char) || unicode.IsSymbol(char):
-			hasSpecialChar = true
-		}
-
-		if hasLower && hasUpper && hasNumber && hasSpecialChar {
-			return password, true
-		}
-	}
+func (s Scanner) Type() detectorspb.DetectorType {
+	return detectorspb.DetectorType_Couchbase
+}
 
-	return "", false
+func (s Scanner) Description() string {
+	return "Couchbase is a distributed NoSQL cloud database. Couchbase credentials can be used to access and modify data within the Couchbase database."
 }
 
 // Keywords are used for efficiently pre-filtering chunks.
@@ -64,77 +46,37 @@ func (s Scanner) Keywords() []string {
 func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (results []detectors.Result, err error) {
 	dataStr := string(data)
 
-	connectionStringMatches := connectionStringPat.FindAllStringSubmatch(dataStr, -1)
+	var uniqueConnStrings, uniqueUsernames, uniquePasswords = make(map[string]struct{}), make(map[string]struct{}), make(map[string]struct{})
 
-	// prepend 'couchbases://' to the connection string as the connection
-	// string format is couchbases://cb.stuff.cloud.couchbase.com but the
-	// cb.stuff.cloud.couchbase.com may be separated from the couchbases:// in codebases.
-	for i, connectionStringMatch := range connectionStringMatches {
-		connectionStringMatches[i][0] = "couchbases://" + connectionStringMatch[0]
+	for _, match := range connectionStringPat.FindAllStringSubmatch(dataStr, -1) {
+		uniqueConnStrings["couchbases://"+match[1]] = struct{}{}
 	}
 
-	usernameRegexState := common.UsernameRegexCheck(usernamePat)
-	usernameMatches := usernameRegexState.Matches(data)
-
-	passwordRegexState := common.PasswordRegexCheck(passwordPat)
-	passwordMatches := passwordRegexState.Matches(data)
-
-	for _, connectionStringMatch := range connectionStringMatches {
-		resConnectionStringMatch := strings.TrimSpace(connectionStringMatch[0])
-
-		for _, resUsernameMatch := range usernameMatches {
+	for _, match := range usernamePat.Matches(data) {
+		uniqueUsernames[match] = struct{}{}
+	}
 
-			for _, resPasswordMatch := range passwordMatches {
-				_, metPasswordRequirements := meetsCouchbasePasswordRequirements(resPasswordMatch)
+	for _, match := range passwordPat.Matches(data) {
+		uniquePasswords[match] = struct{}{}
+	}
 
-				if !metPasswordRequirements {
+	for connString := range uniqueConnStrings {
+		for username := range uniqueUsernames {
+			for password := range uniquePasswords {
+				if !isValidCouchbasePassword(password) {
 					continue
 				}
 
 				s1 := detectors.Result{
 					DetectorType: detectorspb.DetectorType_Couchbase,
-					Raw:          []byte(fmt.Sprintf("%s:%s@%s", resUsernameMatch, resPasswordMatch, resConnectionStringMatch)),
+					Raw:          fmt.Appendf([]byte(""), "%s:%s@%s", username, password, connString),
 				}
 
 				if verify {
-
-					options := gocb.ClusterOptions{
-						Authenticator: gocb.PasswordAuthenticator{
-							Username: resUsernameMatch,
-							Password: resPasswordMatch,
-						},
-					}
-
-					// Sets a pre-configured profile called "wan-development" to help avoid latency issues
-					// when accessing Capella from a different Wide Area Network
-					// or Availability Zone (e.g. your laptop).
-					if err := options.ApplyProfile(gocb.ClusterConfigProfileWanDevelopment); err != nil {
-						continue
-					}
-
-					// Initialize the Connection
-					cluster, err := gocb.Connect(resConnectionStringMatch, options)
-					if err != nil {
-						continue
-					}
-
-					// We'll ping the KV nodes in our cluster.
-					pings, err := cluster.Ping(&gocb.PingOptions{
-						Timeout: time.Second * 5,
-					})
-
-					if err != nil {
-						continue
-					}
-
-					for _, ping := range pings.Services {
-						for _, pingEndpoint := range ping {
-							if pingEndpoint.State == gocb.PingStateOk {
-								s1.Verified = true
-								break
-							}
-						}
-					}
+					isVerified, verificationErr := verifyCouchBase(username, password, connString)
+					s1.Verified = isVerified
+					s1.SetVerificationError(verificationErr)
+					s1.SetPrimarySecretValue(connString)
 				}
 
 				results = append(results, s1)
@@ -144,10 +86,62 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 	return results, nil
 }
 
-func (s Scanner) Type() detectorspb.DetectorType {
-	return detectorspb.DetectorType_Couchbase
+func verifyCouchBase(username, password, connString string) (bool, error) {
+	options := gocb.ClusterOptions{
+		Authenticator: gocb.PasswordAuthenticator{
+			Username: username,
+			Password: password,
+		},
+	}
+
+	// Sets a pre-configured profile called "wan-development" to help avoid latency issues
+	// when accessing Capella from a different Wide Area Network
+	// or Availability Zone (e.g. your laptop).
+	if err := options.ApplyProfile(gocb.ClusterConfigProfileWanDevelopment); err != nil {
+		return false, err
+	}
+
+	// Initialize the Connection
+	cluster, err := gocb.Connect(connString, options)
+	if err != nil {
+		return false, err
+	}
+
+	// We'll ping the KV nodes in our cluster.
+	pings, err := cluster.Ping(&gocb.PingOptions{
+		Timeout: time.Second * 5,
+	})
+
+	if err != nil {
+		return false, err
+	}
+
+	for _, ping := range pings.Services {
+		for _, pingEndpoint := range ping {
+			if pingEndpoint.State == gocb.PingStateOk {
+				return true, nil
+			}
+		}
+	}
+
+	return false, nil
 }
 
-func (s Scanner) Description() string {
-	return "Couchbase is a distributed NoSQL cloud database. Couchbase credentials can be used to access and modify data within the Couchbase database."
+func isValidCouchbasePassword(password string) bool {
+	var hasLower, hasUpper, hasNumber, hasSpecialChar bool
+
+	for _, r := range password {
+		switch {
+		case unicode.IsLower(r):
+			hasLower = true
+		case unicode.IsUpper(r):
+			hasUpper = true
+		case unicode.IsNumber(r):
+			hasNumber = true
+		case unicode.IsPunct(r), unicode.IsSymbol(r):
+			hasSpecialChar = true
+		}
+	}
+
+	return hasLower && hasUpper && hasNumber && hasSpecialChar
 }
diff --git a/pkg/detectors/couchbase/couchbase_integration_test.go b/pkg/detectors/couchbase/couchbase_integration_test.go
@@ -9,7 +9,8 @@ import (
 	"testing"
 	"time"
 
-	"github.com/kylelemons/godebug/pretty"
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"
 
 	"github.com/trufflesecurity/trufflehog/v3/pkg/common"
@@ -97,9 +98,9 @@ func TestCouchbase_FromChunk(t *testing.T) {
 				if len(got[i].Raw) == 0 {
 					t.Fatalf("no raw secret present: \n %+v", got[i])
 				}
-				got[i].Raw = nil
 			}
-			if diff := pretty.Compare(got, tt.want); diff != "" {
+			ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "verificationError", "primarySecret")
+			if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" {
 				t.Errorf("Couchbase.FromData() %s diff: (-got +want)\n%s", tt.name, diff)
 			}
 		})
diff --git a/pkg/detectors/couchbase/couchbase_test.go b/pkg/detectors/couchbase/couchbase_test.go
@@ -10,33 +10,6 @@ import (
 	"github.com/trufflesecurity/trufflehog/v3/pkg/engine/ahocorasick"
 )
 
-var (
-	validPattern = `
-		# Configuration File: config.yaml
-		database:
-			host: $DB_HOST
-			port: $DB_PORT
-			username: $DB_USERNAME
-			password: $DB_PASS  # IMPORTANT: Do not share this password publicly
-
-		api:
-			auth_type: "Password"
-			in: "Configuration"
-			couchbase_domain: "cb.testing.cloud.couchbase.com" // couchbase://
-			couchbase_username: "usrpS@d>p"
-			couchbase_password: "passwordU+2028 rf\@V[4,L/?2}"
-			base_url: "https://$couchbase_domain/v1/user"
-
-		# Notes:
-		# - Remember to rotate the secret every 90 days.
-		# - The above credentials should only be used in a secure environment.
-	`
-	secrets = []string{
-		`usrpS@d>p:passwordU+2028@couchbases://cb.testing.cloud.couchbase.com`,
-		`$DB_USERNAME:passwordU+2028@couchbases://cb.testing.cloud.couchbase.com`,
-	}
-)
-
 func TestCouchBase_Pattern(t *testing.T) {
 	d := Scanner{}
 	ahoCorasickCore := ahocorasick.NewAhoCorasickCore([]detectors.Detector{d})
@@ -47,9 +20,31 @@ func TestCouchBase_Pattern(t *testing.T) {
 		want  []string
 	}{
 		{
-			name:  "valid pattern",
-			input: validPattern,
-			want:  secrets,
+			name: "valid pattern",
+			input: `
+				# Configuration File: config.yaml
+				database:
+					host: $DB_HOST
+					port: $DB_PORT
+					username: $DB_USERNAME
+					password: $DB_PASS  # IMPORTANT: Do not share this password publicly
+
+				api:
+					auth_type: "Password"
+					in: "Configuration"
+					couchbase_domain: "couchbases://cb.testing.cloud.couchbase.com"
+					couchbase_username: "usrpS@d>p"
+					couchbase_password: "passwordU+2028 rf\@V[4,L/?2}"
+					base_url: "https://$couchbase_domain/v1/user"
+
+				# Notes:
+				# - Remember to rotate the secret every 90 days.
+				# - The above credentials should only be used in a secure environment.
+			`,
+			want: []string{
+				"usrpS@d>p:passwordU+2028@couchbases://cb.testing.cloud.couchbase.com",
+				"$DB_USERNAME:passwordU+2028@couchbases://cb.testing.cloud.couchbase.com",
+			},
 		},
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,8 @@ import (`
`9`	`9`	`"testing"`
`10`	`10`	`"time"`
`11`	`11`
`12`		`- "github.com/kylelemons/godebug/pretty"`
	`12`	`+ "github.com/google/go-cmp/cmp"`
	`13`	`+ "github.com/google/go-cmp/cmp/cmpopts"`
`13`	`14`	`"github.com/trufflesecurity/trufflehog/v3/pkg/detectors"`
`14`	`15`
`15`	`16`	`"github.com/trufflesecurity/trufflehog/v3/pkg/common"`
`@@ -97,9 +98,9 @@ func TestCouchbase_FromChunk(t *testing.T) {`
`97`	`98`	`if len(got[i].Raw) == 0 {`
`98`	`99`	`t.Fatalf("no raw secret present: \n %+v", got[i])`
`99`	`100`	`}`
`100`		`- got[i].Raw = nil`
`101`	`101`	`}`
`102`		`- if diff := pretty.Compare(got, tt.want); diff != "" {`
	`102`	`+ ignoreOpts := cmpopts.IgnoreFields(detectors.Result{}, "Raw", "verificationError", "primarySecret")`
	`103`	`+ if diff := cmp.Diff(got, tt.want, ignoreOpts); diff != "" {`
`103`	`104`	`t.Errorf("Couchbase.FromData() %s diff: (-got +want)\n%s", tt.name, diff)`
`104`	`105`	`}`
`105`	`106`	`})`