Update Cloudflare detectors for 2026+ prefixed credential formats #4830
nkcmr wants to merge 1 commit into trufflesecurity:main from
Conversation
Hey @nkcmr can you also attach some doc links which state the mentioned credential format changes?
@amanfcp Of course, here is the update to our developer docs that was just published: https://developers.cloudflare.com/fundamentals/api/get-started/token-formats/ Let me know if you meant that you want that in code comments or something. Wasn't sure.
| // 2026+ formats: cfut_ (user token) and cfat_ (account token), self-identifying. | ||
| keyV2Pat = regexp.MustCompile(`\b(cf[ua]t_[a-zA-Z0-9]{40}[a-f0-9]{8})\b`) | ||
| // Cloudflare account ID pattern for cfat_ token verification. | ||
| accountIDPat = regexp.MustCompile(`\b([a-f0-9]{32})\b`) |
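Review bot: `accountIDPat` (`\b([a-f0-9]{32})\b`) has no surrounding-keyword or proximity check, so every standalone 32-hex string in a chunk becomes a candidate account ID; before any verification request is issued, de-duplicate the candidates and cap how many are tried per token, and consider requiring a nearby `account` keyword the way the keyword-proximity detectors do. The comment on `keyV2Pat` should also state what the trailing `[a-f0-9]{8}` group is, since it is the only structural constraint on the token beyond its length.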
Broad account ID pattern may cause excessive verification requests
Medium Severity
The accountIDPat regex \b([a-f0-9]{32})\b matches any standalone 32-character hex string in the data chunk — including MD5 hashes, dashless UUIDs, and other hex values that aren't Cloudflare account IDs. When verify=true and a cfat_ token is found, a separate HTTP verification request is issued to Cloudflare's API for each candidate account ID. In data chunks rich in hex strings (e.g., files listing checksums), this could produce a large number of unnecessary outbound API calls, slowing down scanning and risking rate-limiting by Cloudflare.
Reviewed by Cursor Bugbot for commit f32604a.
## Context/Background
Cloudflare is rolling out new prefixed credential formats in 2026.
The new formats (`cfk_`, `cfut_`, `cfat_`) are self-identifying via
prefix and do not need keyword proximity matching. Per project
convention, new token formats are added via the `Versioner` interface
with a `v1`/`v2` directory split.
Additionally, CA keys (Service Keys) are now deprecated.
## Changes in this commit
- cloudflareglobalapikey: split into `v1`/`v2` with `Versioner`
interface. v1 fixes legacy regex to `[a-f0-9]{37,45}` (lowercase
hex). v2 adds `cfk_` prefixed format detection.
- cloudflareapitoken: split into `v1`/`v2` with `Versioner`
interface. v2 adds `cfut_`/`cfat_` prefixed format detection.
`cfat_` (account tokens) route verification through the
account-scoped `/accounts/:id/tokens/verify` endpoint, extracting
account IDs from surrounding data.
- cloudflarecakey: add deprecation notice with changelog link.
- defaults.go: updated imports and registrations for versioned
scanners.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit 4329719.
| DetectorType: detector_typepb.DetectorType_CloudflareApiToken, | ||
| Raw: []byte(resMatch), | ||
| }) | ||
| } |
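Review bot: the result built here carries only `Raw: []byte(resMatch)` and no `RawV2`; for a `cfat_` token the account ID found in the surrounding data should be attached as `RawV2` on this path as well, not only when verification runs, so that verified and unverified findings for the same token/account pair de-duplicate together. Suggest constructing the result once with `RawV2: []byte(resMatch + accountID)` and then verifying it conditionally, mirroring how `cloudflareglobalapikey/v2` pairs keys with emails.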
Account ID pairing skipped when verify is false
Medium Severity
When verify is false, cfat_ tokens produce a single result without any RawV2 (account ID pairing), but when verify is true, the same token produces N results each with a distinct RawV2 containing the account ID. This is inconsistent with cloudflareglobalapikey/v2, which pairs keys with emails regardless of the verify flag. Because RawV2 is typically used for deduplication, this means cfat_ tokens scanned without verification lose their account-scoping context entirely.
Reviewed by Cursor Bugbot for commit 4329719.
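The two review points above (bounded, de-duplicated account-ID candidates, and RawV2 pairing that does not depend on the verify flag) in one runnable sketch. This is an added example, not code from the PR or the trufflehog code base: the two regexes are copied from the hunk, while `maxAccountIDs`, `Result`, `candidateAccountIDs` and `findResults` are hypothetical names chosen for this illustration.

```go
package main

import "regexp"

// Patterns copied from the PR hunk. maxAccountIDs is a hypothetical cap for
// this example, not a project setting.
var (
	keyV2Pat     = regexp.MustCompile(`\b(cf[ua]t_[a-zA-Z0-9]{40}[a-f0-9]{8})\b`)
	accountIDPat = regexp.MustCompile(`\b([a-f0-9]{32})\b`)
)
const maxAccountIDs = 5

// Result mirrors the Raw/RawV2 shape from the review: RawV2 pairs a cfat_
// token with one candidate account ID so results dedupe consistently.
type Result struct{ Raw, RawV2 string }

// candidateAccountIDs returns distinct 32-hex strings in order of first
// appearance, capped so a chunk full of checksums cannot fan out into
// unbounded verification requests.
func candidateAccountIDs(chunk string) []string {
	seen := map[string]bool{}
	var ids []string
	for _, m := range accountIDPat.FindAllStringSubmatch(chunk, -1) {
		if id := m[1]; !seen[id] && len(ids) < maxAccountIDs {
			seen[id] = true
			ids = append(ids, id)
		}
	}
	return ids
}

// findResults emits one result per (token, account ID) pair for cfat_ tokens
// and a single result for cfut_ tokens or when no account ID is nearby.
// Pairing happens before verification, so it does not depend on a verify flag.
func findResults(chunk string) []Result {
	var out []Result
	for _, m := range keyV2Pat.FindAllStringSubmatch(chunk, -1) {
		token := m[1]
		ids := candidateAccountIDs(chunk)
		if token[:5] != "cfat_" || len(ids) == 0 {
			out = append(out, Result{Raw: token})
			continue
		}
		for _, id := range ids {
			out = append(out, Result{Raw: token, RawV2: token + id})
		}
	}
	return out
}
```

The sample tokens used to exercise it are constructed values that merely fit the regex, not real credentials.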


## Context/Background
Cloudflare is rolling out new prefixed credential formats in 2026.
The new formats (`cfk_`, `cfut_`, `cfat_`) are self-identifying via
prefix and do not need keyword proximity matching. Per project
convention, new token formats are added via the `Versioner` interface
with a `v1`/`v2` directory split.
Additionally, CA keys (Service Keys) are now deprecated.
## Changes
- cloudflareglobalapikey: split into `v1`/`v2` with `Versioner`
interface. v1 fixes legacy regex to `[a-f0-9]{37,45}` (lowercase
hex only). v2 adds `cfk_` prefixed format detection. v2 also
handles the case where no email is found nearby (emits unverified
result rather than silently dropping the token).
- cloudflareapitoken: split into `v1`/`v2` with `Versioner`
interface. v2 adds `cfut_`/`cfat_` prefixed format detection.
`cfat_` (account tokens) route verification through the
account-scoped `/accounts/:id/tokens/verify` endpoint, extracting
account IDs from surrounding data. `cfut_` (user tokens) reuse the
existing `/user/tokens/verify` endpoint via v1's exported helper.
- cloudflarecakey: add deprecation notice with changelog link ... for Service Key authentication.
- defaults.go: updated imports and registrations for versioned scanners.
## Checklist:
- Tests passing (`make test-community`)?
- Lint passing (`make lint` this requires `golangci-lint`)?
Note
Medium Risk
Medium risk because it changes secret-detection regexes and verification behavior (including new account-scoped verification requests), which can affect false positives/negatives and outbound verification traffic.
Overview
Updates Cloudflare detectors to support 2026+ self-identifying credential formats by splitting `cloudflareapitoken` and `cloudflareglobalapikey` into `v1`/`v2` scanners implementing `detectors.Versioner`, and registering both versions in `defaults.go`.
Adds new `v2` matchers for `cfut_`/`cfat_` API tokens and `cfk_` global API keys (no keyword proximity required); `cfat_` verification now calls the account-scoped `/accounts/:id/tokens/verify` endpoint using account IDs found in surrounding data, and `cfk_` detection now emits an unverified result even when no email is present.
Tightens the legacy `cloudflareglobalapikey` regex to lowercase-hex only and refactors verification logic in `v1` detectors into exported helper functions; updates/introduces unit tests accordingly, and adds a deprecation note to `cloudflarecakey` comments.
Reviewed by Cursor Bugbot for commit 4329719.