[INS-402] Add Jira Data Center PAT Detector#4872
Conversation
```go
var tokens []string
for _, match := range patPat.FindAllStringSubmatch(dataStr, -1) {
	tokens = append(tokens, match[1])
}
```
Tokens not deduplicated unlike comparable detectors
Low Severity
Matched tokens are collected into a plain []string slice without deduplication. Every comparable endpoint-based detector in the codebase (artifactory, artifactoryreferencetoken, jiratoken/v2) deduplicates tokens using a map[string]struct{}. When the same PAT appears near multiple jira/atlassian keywords in the input, this produces duplicate results and redundant verification HTTP requests for each repeated token–endpoint pair.
Reviewed by Cursor Bugbot for commit 6d540d2.
```go
if verify {
	isVerified, extraData, verificationErr := verifyPAT(ctx, s.getClient(), endpoint, token)
	s1.Verified = isVerified
```
Had a look at Jira Analyzer and it seems it does support custom domains. Can you verify if the analyzer works for this detector too? If yes, we should add AnalysisInfo
I checked the analyzer, and while it supports custom domains, it is only restricted to Jira Cloud. The authentication method and API it uses is not compatible with Jira On-Prem.
```go
)

var (
	defaultClient = common.SaneHttpClient()
```
Worth switching from common.SaneHttpClient() to detectors.DetectorHttpClientWithNoLocalAddresses so RFC1918 addresses are blocked by default.
The other Jira detectors use it as well. What do you think?
Hmm, with this my only concern is that an on-prem instance could be hosted at an internal private server. Using detectors.DetectorHttpClientWithNoLocalAddresses would cause secrets for those to not be verified.
```go
// Ensure the Scanner satisfies the interfaces at compile time.
var (
	_ detectors.Detector          = (*Scanner)(nil)
	_ detectors.EndpointCustomizer = (*Scanner)(nil)
```
Do you think this detector might be a candidate for detectors.DefaultMultiPartCredentialProvider?
Yes, good catch. Will add
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit 6b682e5.
```go
)

var (
	defaultClient = common.SaneHttpClient()
```
Default HTTP client bypasses detector framework safeguards
Medium Severity
common.SaneHttpClient() is used instead of the detector HTTP client framework (detectors.DetectorHttpClientWithLocalAddresses). Unlike every other endpoint-based detector in the codebase (artifactory, hashicorpvaultauth, jiratoken v1/v2), this client follows redirects (no WithNoFollowRedirects), doesn't respect engine-level OverrideDetectorTimeout(), and uses a shorter default timeout. Since this detector sends Authorization: Bearer headers to URLs extracted from scanned data, following redirects could leak credentials to unintended destinations. Even if local-address blocking is intentionally omitted for on-prem use, detectors.DetectorHttpClientWithLocalAddresses preserves that allowance while adding redirect protection and timeout override support.
Reviewed by Cursor Bugbot for commit 6b682e5.


Summary
Adds a new detector for Jira Data Center Personal Access Tokens (PATs).
Regex
PATs are base64-encoded strings of the form `<12-digit-id>:<20-random-bytes>` (33 bytes, 44 chars, no padding). Since the first byte is always an ASCII digit, the first base64 character is always M, N, or O. The trailing boundary `(?:[^A-Za-z0-9+/=]|\z)` is used instead of `\b` to correctly handle tokens ending in `+` or `/`, while still rejecting matches that are a prefix of a longer or padded base64 string. Server URLs are captured using the same keyword prefix:
Both patterns require a `jira` or `atlassian` keyword within 40 characters to reduce false positives. Extracted URLs are tried alongside any user-configured endpoints.
Verification
Verifies against `GET /rest/api/2/myself` using `Authorization: Bearer <token>`. Returns `display_name` and `email_address` as extra data on 200. Treats 401 as invalid and anything else as a verification error. Docs: https://developer.atlassian.com/server/jira/platform/rest/v10002/api-group-myself/#api-api-2-myself-get
Tests
Pattern tests cover valid tokens, URL detection near `jira`/`atlassian` keywords, and negative cases. Verification tests use `gock` to mock the `/rest/api/2/myself` endpoint, covering verified, unverified (401), unexpected status, timeout, and no-verify cases.
Integration tests against a live Jira Data Center instance were not possible because Jira Data Center requires a paid license — there is no free tier or open-source image that runs fully without one. Unlike detectors such as Redis or MongoDB where a fully functional Docker container can be spun up freely, the `atlassian/jira-software` Docker image requires a valid license key to operate. Atlassian's evaluation licenses are time-limited and account-bound, making them unsuitable for automated CI.
Corpora Test
The detector does not appear in the Corpora Test Results.
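The following is an added, self-contained Go example, not code from this PR or from the trufflehog project. It ties together the token shape and boundary rules from the Regex section, the `map[string]struct{}` deduplication the review comment asks for, and the 200/401/other verification contract from the Verification section, using a constructed regex that follows the description above (not the project's exact pattern), a constructed non-functional sample token, and an `httptest` stand-in for a Data Center instance. The HTTP client refuses redirects so a 3xx is reported as a verification error instead of re-sending the bearer token elsewhere, which is the concern raised in the Bugbot comment about the default client.

```go
package main

import (
	"bytes"
	"context"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"time"
)

// Constructed pattern following the PR description (not the project's regex): jira/atlassian
// keyword within 40 chars, non-base64 lead-in, 44 unpadded base64 chars starting with M/N/O,
// closed by a non-base64 char or end of input (so padded or longer base64 runs are rejected).
var patPat = regexp.MustCompile(`(?i:jira|atlassian)[\s\S]{0,40}?(?:^|[^A-Za-z0-9+/])([MNO][A-Za-z0-9+/]{43})(?:[^A-Za-z0-9+/=]|\z)`)

// sampleToken builds a constructed, non-functional PAT: 12-digit id, ':', 20 bytes (all 0xAB here).
func sampleToken() string {
	raw := append([]byte("123456789012:"), bytes.Repeat([]byte{0xAB}, 20)...)
	return base64.RawStdEncoding.EncodeToString(raw) // 33 bytes -> 44 chars, no padding
}

// extractPATs returns distinct candidates in first-seen order; the map[string]struct{} dedup means a
// PAT repeated near several keywords yields one result and one verification request per endpoint.
func extractPATs(data string) []string {
	seen := make(map[string]struct{})
	var tokens []string
	for _, m := range patPat.FindAllStringSubmatch(data, -1) {
		if _, dup := seen[m[1]]; dup {
			continue
		}
		seen[m[1]] = struct{}{}
		tokens = append(tokens, m[1])
	}
	return tokens
}

// verifyClient never follows redirects: a 3xx comes back as-is and is treated as an unexpected
// status, so the bearer token is only ever sent to the endpoint the scanner chose.
var verifyClient = &http.Client{
	Timeout:       5 * time.Second,
	CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
}

// verifyPAT: GET /rest/api/2/myself with a bearer token. 200 => verified, 401 => invalid, else error.
func verifyPAT(ctx context.Context, client *http.Client, endpoint, token string) (bool, map[string]string, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint+"/rest/api/2/myself", nil)
	if err != nil {
		return false, nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return false, nil, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		var me struct { // field names of Jira's myself resource
			DisplayName  string `json:"displayName"`
			EmailAddress string `json:"emailAddress"`
		}
		if err := json.NewDecoder(resp.Body).Decode(&me); err != nil {
			return false, nil, err
		}
		return true, map[string]string{"display_name": me.DisplayName, "email_address": me.EmailAddress}, nil
	case http.StatusUnauthorized:
		return false, nil, nil
	default:
		return false, nil, fmt.Errorf("unexpected status %d from %s", resp.StatusCode, req.URL)
	}
}

// newMockJira is a constructed test double: one valid token, one that triggers a redirect, 401 otherwise.
func newMockJira(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Header.Get("Authorization") {
		case "Bearer " + validToken:
			fmt.Fprint(w, `{"displayName":"Jane Doe","emailAddress":"jane@example.com"}`)
		case "Bearer redirect-me":
			http.Redirect(w, r, "http://elsewhere.invalid/", http.StatusFound)
		default:
			w.WriteHeader(http.StatusUnauthorized)
		}
	}))
}

func main() {
	tok := sampleToken()
	data := "jira token " + tok + "\nATLASSIAN_PAT=" + tok + " padded: jira " + tok + "=" // constructed input
	fmt.Println("unique candidates:", len(extractPATs(data)))                              // 1
	srv := newMockJira(tok)
	defer srv.Close()
	for _, t := range []string{tok, "wrong", "redirect-me"} {
		ok, extra, err := verifyPAT(context.Background(), verifyClient, srv.URL, t)
		fmt.Printf("verified=%v extra=%v err=%v\n", ok, extra, err)
	}
}
```

Running it shows the repeated token collapsing to a single candidate while the padded copy is rejected, the valid token verifying with the two extra-data fields, the wrong token coming back unverified without an error, and the redirecting response surfacing as a verification error rather than a followed redirect.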


Note
Medium Risk
Adds a new secret detector that can issue outbound verification requests to Jira instances and introduces a new protobuf enum value; risk is primarily around false positives/negatives and verification behavior against user-supplied endpoints.
Overview
Adds a new `JiraDataCenterPAT` detector that identifies Jira Data Center personal access tokens using a base64-shaped regex gated by nearby `jira`/`atlassian` keywords, and optionally verifies tokens via `GET /rest/api/2/myself` with `Authorization: Bearer <token>` (capturing `display_name`/`email_address` on success). Registers the detector in engine defaults, updates the detector type enum (`proto/detector_type.proto` + generated `detector_type.pb.go`), and extends engine tests to account for the new detector having no cloud endpoint. Includes unit tests for matching edge cases (e.g., `+`/`/` endings, padding/substring rejection), URL co-detection, and verification outcomes (200/401/unexpected status/timeout).
Reviewed by Cursor Bugbot for commit 6b682e5.