[INS-402] Add Jira Data Center PAT Detector#4872
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 6d540d2. Configure here.
| var tokens []string | ||
| for _, match := range patPat.FindAllStringSubmatch(dataStr, -1) { | ||
| tokens = append(tokens, match[1]) | ||
| } |
Tokens not deduplicated unlike comparable detectors
Low Severity
Matched tokens are collected into a plain []string slice without deduplication. Every comparable endpoint-based detector in the codebase (artifactory, artifactoryreferencetoken, jiratoken/v2) deduplicates tokens using a map[string]struct{}. When the same PAT appears near multiple jira/atlassian keywords in the input, this produces duplicate results and redundant verification HTTP requests for each repeated token–endpoint pair.
| if verify { | ||
| isVerified, extraData, verificationErr := verifyPAT(ctx, s.getClient(), endpoint, token) | ||
| s1.Verified = isVerified |
Had a look at Jira Analyzer and it seems it does support custom domains. Can you verify if the analyzer works for this detector too? If yes, we should add AnalysisInfo
| ) | ||
| var ( | ||
| defaultClient = common.SaneHttpClient() |
Worth switching from common.SaneHttpClient() to detectors.DetectorHttpClientWithNoLocalAddresses so RFC1918 addresses are blocked by default.
The other Jira detectors use it as well. What do you think?
| // Ensure the Scanner satisfies the interfaces at compile time. | ||
| var ( | ||
| _ detectors.Detector = (*Scanner)(nil) | ||
| _ detectors.EndpointCustomizer = (*Scanner)(nil) |
Do you think this detector might be a candidate for detectors.DefaultMultiPartCredentialProvider?


Summary
Adds a new detector for Jira Data Center Personal Access Tokens (PATs).
Regex
PATs are base64-encoded strings of the form `<12-digit-id>:<20-random-bytes>` (33 bytes, 44 chars, no padding). Since the first byte is always an ASCII digit, the first base64 character is always M, N, or O. The trailing boundary `(?:[^A-Za-z0-9+/=]|\z)` is used instead of `\b` to correctly handle tokens ending in `+` or `/`, while still rejecting matches that are a prefix of a longer or padded base64 string. Server URLs are captured using the same keyword prefix:

Both patterns require a `jira` or `atlassian` keyword within 40 characters to reduce false positives. Extracted URLs are tried alongside any user-configured endpoints.

Verification
Verifies against `GET /rest/api/2/myself` using `Authorization: Bearer <token>`. Returns `display_name` and `email_address` as extra data on 200. Treats 401 as invalid and anything else as a verification error. Docs: https://developer.atlassian.com/server/jira/platform/rest/v10002/api-group-myself/#api-api-2-myself-get

Tests
Pattern tests cover valid tokens, URL detection near `jira`/`atlassian` keywords, and negative cases. Verification tests use `gock` to mock the `/rest/api/2/myself` endpoint, covering verified, unverified (401), unexpected status, timeout, and no-verify cases.

Integration tests against a live Jira Data Center instance were not possible because Jira Data Center requires a paid license — there is no free tier or open-source image that runs fully without one. Unlike detectors such as Redis or MongoDB where a fully functional Docker container can be spun up freely, the `atlassian/jira-software` Docker image requires a valid license key to operate. Atlassian's evaluation licenses are time-limited and account-bound, making them unsuitable for automated CI.

Corpora Test
The detector does not appear in the Corpora Test Results.


Checklist:
- (`make test-community`)?
- (`make lint`; this requires `golangci-lint`)?

Note
Medium Risk
Adds a new secret detector with optional live HTTP verification against user-supplied Jira endpoints, which could affect scan behavior and introduce new outbound requests/timeouts.
Overview
Adds a new `JiraDataCenterPAT` detector that identifies Jira Data Center personal access tokens via a keyword-prefixed base64 pattern and optionally verifies them by calling `GET /rest/api/2/myself` with a Bearer token, returning basic user metadata as `ExtraData` on success. Wires the detector into the default detector set and engine endpoint expectations, and extends the protobuf `DetectorType` enum to include `JiraDataCenterPAT`. Includes unit tests covering pattern matching (including URL association/edge cases) and verification outcomes (200/401/unexpected status/timeout/no-verify).
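As an added example (not code from this PR or the project), here is the detection logic the description spells out, in runnable Go: the keyword-anchored pattern with the `(?:[^A-Za-z0-9+/=]|\z)` trailing boundary, a decode check of the `<12-digit-id>:<20-random-bytes>` layout that the regex alone cannot enforce, and the `map[string]struct{}` deduplication raised in the review. The leading separator class, `validatePAT`, `makePAT` and the sample input are my own constructions and are not the detector's.

```go
package main

import (
	"encoding/base64"
	"regexp"
	"strings"
)

// jira/atlassian within 40 chars, a non-base64 separator, then 44 unpadded base64
// chars starting with M, N or O (first byte is an ASCII digit). Trailing boundary as
// in the PR: a non-base64 char or end of input instead of \b, so tokens ending in
// + or / match while prefixes of longer or padded base64 strings do not.
var patPat = regexp.MustCompile(
	`(?i:jira|atlassian)[\s\S]{0,40}?[^A-Za-z0-9+/]([MNO][A-Za-z0-9+/]{43})(?:[^A-Za-z0-9+/=]|\z)`)

// validatePAT decodes a hit and checks the layout: 12 digits, ':', 20 bytes (33 bytes).
func validatePAT(tok string) bool {
	raw, err := base64.RawStdEncoding.DecodeString(tok)
	return err == nil && len(raw) == 33 && raw[12] == ':' &&
		strings.Trim(string(raw[:12]), "0123456789") == ""
}

// findPATs dedups valid hits with a map[string]struct{} (the review suggestion).
func findPATs(data string) []string {
	seen, out := map[string]struct{}{}, []string{}
	for _, m := range patPat.FindAllStringSubmatch(data, -1) {
		if _, dup := seen[m[1]]; dup || !validatePAT(m[1]) {
			continue
		}
		seen[m[1]] = struct{}{}
		out = append(out, m[1])
	}
	return out
}

// makePAT builds a constructed token with the described layout (not a real secret).
func makePAT(id string, secret []byte) string {
	return base64.RawStdEncoding.EncodeToString(append([]byte(id+":"), secret...))
}

// demo scans a constructed sample; only the first token survives: its repeat is
// deduplicated, padded/over-long copies fail the boundary, the junk line fails decoding.
func demo() []string {
	good := makePAT("123456789012", []byte(strings.Repeat("\xff", 20))) // ends in '/'
	return findPATs("jira_pat = " + good + "\n" +
		"ATLASSIAN_TOKEN=\"" + good + "\"\n" +
		"jira padded: " + good + "=\n" +
		"jira longer: " + good + "A\n" +
		"jira junk = Mabc" + strings.Repeat("A", 40) + "\n")
}
```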