Update metabase verification to check for a valid JSON response (#2210)

* Update metabase verification to check for a valid JSON response

* added test tokens + cleanup

---------

Co-authored-by: ahmed <[email protected]>

pkg/detectors/metabase/metabase.go

@@ -2,6 +2,8 @@ package metabase
 
 import (
 	"context"
+	"encoding/json"
+	"io"
 	"net/http"
 	"regexp"
 	"strings"
@@ -57,15 +59,19 @@ func (s Scanner) FromData(ctx context.Context, verify bool, data []byte) (result
 			}
 
 			if verify {
-				req, err := http.NewRequestWithContext(ctx, "GET", resURLMatch+"/api/user/current", nil)
+				req, err := http.NewRequestWithContext(ctx, http.MethodGet, resURLMatch+"/api/user/current", nil)
 				if err != nil {
 					continue
 				}
 				req.Header.Add("X-Metabase-Session", resMatch)
 				res, err := client.Do(req)
 				if err == nil {
 					defer res.Body.Close()
-					if res.StatusCode >= 200 && res.StatusCode < 300 {
+					body, err := io.ReadAll(res.Body)
+					if err != nil {
+						continue
+					}
+					if res.StatusCode == http.StatusOK && json.Valid(body) {
 						s1.Verified = true
 					} else {
 						// This function will check false positives for common test words, but also it will make sure the key appears 'random' enough to be a real key.

pkg/detectors/metabase/metabase_test.go

@@ -19,7 +19,7 @@ import (
 func TestMetabase_FromChunk(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
 	defer cancel()
-	testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors2")
+	testSecrets, err := common.GetSecret(ctx, "trufflehog-testing", "detectors5")
 	if err != nil {
 		t.Fatalf("could not get test secrets from GCP: %s", err)
 	}