Skip to content

Improve Bitfinex Detector - Implemented API-Based Secret Validation #4368

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Aug 6, 2025
Merged

Improve Bitfinex Detector - Implemented API-Based Secret Validation #4368

merged 4 commits into from
Aug 6, 2025

Conversation

shahzadhaider1
Copy link
Contributor

Description:

This PR improves the Bitfinex detector by replacing the Go SDK usage with a custom implementation using the standard net/http package to validate detected credentials against the Bitfinex v2 API /auth/r/wallets.

Key Changes

  • Removed the dependency on the Bitfinex Go SDK for secret validation.
  • Re-implemented the validation logic using direct HTTP requests with correct headers (bfx-apikey, bfx-signature, bfx-nonce).
  • Improved handling of API responses:
    • "apikey: invalid" -> clearly invalid key
    • "digest invalid" -> signature mismatch (likely secret issue)

Testing

  • Verified the behavior using known valid and invalid credentials.
  • Successfully executed API calls with correct secrets and received 200 OK responses.
  • Confirmed meaningful error responses for invalid combinations.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?
bitfinex-detector-tests

@shahzadhaider1 shahzadhaider1 requested review from a team as code owners August 6, 2025 09:22
@shahzadhaider1 shahzadhaider1 self-assigned this Aug 6, 2025
SyedAliHamad
SyedAliHamad reviewed Aug 6, 2025
View reviewed changes
pkg/detectors/bitfinex/bitfinex.go
detectors.DefaultMultiPartCredentialProvider
}

// Ensure the Scanner satisfies the interface at compile time.
var _ detectors.Detector = (*Scanner)(nil)

var (
client = common.SaneHttpClient()
defaultClient = common.SaneHttpClient()

// related resource https://medium.com/@Bitfinex/api-development-update-april-65fe52f84124
apiKeyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"bitfinex"}) + `\b([A-Za-z0-9_-]{43})\b`)
apiSecretPat = regexp.MustCompile(detectors.PrefixRegex([]string{"bitfinex"}) + `\b([A-Za-z0-9_-]{43})\b`)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both patterns are identical. Can we optimize this further by using a single regex pattern and scanning the data only once? We're already testing all the combinations found anyway. Since this is an improvement PR, I thought we could take a look at this as well.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for pointing that out. You're absolutely right, both regex patterns are currently identical, and optimizing this does make sense. This is something that I've also observed in many detectors. For example:

trufflehog/pkg/detectors/amplitudeapikey/amplitudeapikey.go

Line 28 in bd525f8

keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"amplitude"}) + `\b([0-9a-f]{32})\b`)

trufflehog/pkg/detectors/boxoauth/boxoauth.go

Line 27 in bd525f8

clientIdPat = regexp.MustCompile(detectors.PrefixRegex([]string{"id"}) + `\b([a-zA-Z0-9]{32})\b`)

Since this PR is focused specifically on improving secret validation and removing the Bitfinex Go SDK dependency as mentioned in the ticket, I’ve kept the existing detection logic unchanged to keep the scope limited and focused. But this is definitely a good follow-up improvement, and I’d be happy to open a separate PR to clean this up afterward.

kashifkhan0771
kashifkhan0771 approved these changes Aug 6, 2025
View reviewed changes
Copy link
Contributor

@kashifkhan0771 kashifkhan0771 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GW - LGTM!

go.mod
@@ -30,14 +30,12 @@ require (
github.com/aws/smithy-go v1.22.5
github.com/aymanbagabas/go-osc52 v1.2.1
github.com/bill-rich/go-syslog v0.0.0-20220413021637-49edb52a574c
github.com/bitfinexcom/bitfinex-api-go v0.0.0-20210608095005-9e0b26f200fb
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❤️ 🚀

dustin-decker
dustin-decker approved these changes Aug 6, 2025
View reviewed changes
Copy link
Contributor

@dustin-decker dustin-decker left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Love RMing dependencies. Thanks!

@dustin-decker dustin-decker merged commit 86d94c1 into trufflesecurity:main Aug 6, 2025
13 checks passed
@shahzadhaider1 shahzadhaider1 deleted the enhc/OSS-151-bitfinex-detector branch August 6, 2025 16:25
@blsaccess blsaccess mentioned this pull request Aug 14, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SyedAliHamad SyedAliHamad SyedAliHamad left review comments

@dustin-decker dustin-decker dustin-decker approved these changes

@kashifkhan0771 kashifkhan0771 kashifkhan0771 approved these changes

Assignees

@shahzadhaider1 shahzadhaider1

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@shahzadhaider1 @dustin-decker @SyedAliHamad @kashifkhan0771