Skip to content

[Detector]-Detector for tableau personal access token #4261

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 34 commits into from
Jul 28, 2025
Merged

[Detector]-Detector for tableau personal access token #4261

merged 34 commits into from
Jul 28, 2025

Conversation

SyedAliHamad
Copy link
Contributor

@SyedAliHamad SyedAliHamad commented Jun 24, 2025
edited
Loading

Description:

This PR adds new detector for Tableau Personal Access Tokens

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?

@CLAassistant
Copy link

CLAassistant commented Jun 24, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@SyedAliHamad SyedAliHamad marked this pull request as ready for review June 25, 2025 13:38
@SyedAliHamad SyedAliHamad requested review from a team as code owners June 25, 2025 13:38
shahzadhaider1
shahzadhaider1 requested changes Jun 26, 2025
View reviewed changes
Copy link
Contributor

@shahzadhaider1 shahzadhaider1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great job on putting together your first detector!
Added some feedback.

@SyedAliHamad
Copy link
Contributor Author

SyedAliHamad commented Jul 4, 2025
edited
Loading

Description:
This pull request introduces a new detector for Tableau Personal Access Tokens (PATs). This detector is designed to find and verify the sensitive token name and token secret pairs that applications use for programmatic authentication with Tableau Server and Tableau Online APIs.

Detection Strategy: The detector identifies potential findings by looking for a combination of components:

Token names using flexible patterns (tableau_token_name, pat_name, personal_access_token_name, etc.)
Token secrets following Tableau's specific format (base64==:32-char-alphanumeric)
Tableau server URLs (*.online.tableau.com)

It intelligently creates findings for all possible combinations of token names and secrets found within a given data chunk, testing against discovered URLs.

Format Validation: The detector includes comprehensive secret format validation, ensuring tokens match Tableau's specific structure (base64-encoded prefix with colon separator and alphanumeric suffix) to minimize false positives.

API Verification: A robust verification function validates found credentials using Tableau's REST API authentication endpoint (/api/3.26/auth/signin). The verifier correctly distinguishes between:

Valid credential pairs (200 OK with authentication token)
Invalid credentials (401 Unauthorized)
Malformed requests (400 Bad Request)
Network/endpoint errors (gracefully handled without verification errors)

Comprehensive Testing: The detector is supported by a full test suite ensuring reliability:

Pattern Tests: Validates regex patterns and format validation logic against various credential formats
Integration Tests: Live tests confirm verification logic against real Tableau APIs using active and inactive test credentials

shahzadhaider1
shahzadhaider1 reviewed Jul 8, 2025
View reviewed changes
kashifkhan0771
kashifkhan0771 requested changes Jul 8, 2025
View reviewed changes
@SyedAliHamad SyedAliHamad force-pushed the detector/tableau-personal-access-token branch from c96fa18 to 743acc1 Compare July 11, 2025 21:57
shahzadhaider1
shahzadhaider1 reviewed Jul 18, 2025
View reviewed changes
Copy link
Contributor

@shahzadhaider1 shahzadhaider1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for addressing all the feedback. We are close.

pkg/detectors/tableau/tableau.go
Comment on lines +258 to +259
case http.StatusUnauthorized, http.StatusBadRequest, http.StatusForbidden:
return false, extraData, nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please confirm the expected behavior of this API?

Typically, when an authenticated API is accessed with incorrect credentials, it returns a 401 Unauthorized. On the other hand, if the credentials are valid but do not have the necessary permissions to access a specific resource, the response is usually 403 Forbidden, indicating that the credentials are valid, but access is denied.

In our current implementation, we're treating both 401 and 403 as unverified (i.e., returning false for the verification status). I just want to confirm if this is the correct approach or if we should be handling them differently.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great observation. You’re right that typically 403 is handled differently, but since this is just a sign-in API, I don’t believe we’d ever encounter a scenario where valid credentials result in a 403. Will have another look at the docs.

@shahzadhaider1
Copy link
Contributor

Apart from Kashif's feedback, looks good.

kashifkhan0771
kashifkhan0771 requested changes Jul 23, 2025
View reviewed changes
Copy link
Contributor

@kashifkhan0771 kashifkhan0771 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some minor comments. Rest looks good to me.

pkg/detectors/tableau/tableau_test.go
invalidTableauURL = "prod.tabeau.com"
)

func TestTableau_Pattern(t *testing.T) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent work on test coverage ❤️

@SyedAliHamad SyedAliHamad force-pushed the detector/tableau-personal-access-token branch from 60d0242 to 3123533 Compare July 28, 2025 07:02
@kashifkhan0771
Copy link
Contributor

Thank you for patiently addressing all my comments. Really appreciate it!

@amanfcp amanfcp merged commit 05e2328 into trufflesecurity:main Jul 28, 2025
13 checks passed
Jeff-Rowell pushed a commit to Jeff-Rowell/trufflehog that referenced this pull request Jul 29, 2025
@SyedAliHamad @amanfcp @Jeff-Rowell
[Detector]-Detector for tableau personal access token (trufflesecurit…
36fd8fa 
…y#4261)

* add detector for tableau personal access token

* add test for tableau detector

* removed unnecessary checks

* add cloud endpoint for tableau

* cleanup: simplify map copying with maps.Copy

* resolve comments

* added correct detector type for tableau

* updated tableau PAT key and corrected integration tests

* resolved comments

* updated test cases

* resolved comments

* fixed integration tests

* removed redundant validation

* resolved false positive issue

* updated regex for pat-name

* resolved comments

* update regex for better token name extraction

* simplify prefix regex  for tableau pat name

* merged main into origin/detector/tableau-personal-access-token

---------

Co-authored-by: Amaan Ullah <[email protected]>
@shahzadhaider1 shahzadhaider1 mentioned this pull request Jul 30, 2025
Merged
2 tasks
@blsaccess blsaccess mentioned this pull request Jul 31, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@amanfcp amanfcp amanfcp approved these changes

@kashifkhan0771 kashifkhan0771 kashifkhan0771 approved these changes

@shahzadhaider1 shahzadhaider1 shahzadhaider1 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@SyedAliHamad @CLAassistant @shahzadhaider1 @kashifkhan0771 @amanfcp