[INS-402] Add Jira Data Center PAT Detector #4872
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 195f1a9. Configure here.
| defaultClient = common.SaneHttpClient() | ||
| // Example: NTg4OTI1Mzk1OTA1OiBb9S4WPEoK6cmOe6pq6VO0lt6M | ||
| patPat = regexp.MustCompile(detectors.PrefixRegex([]string{"jira", "atlassian"}) + `\b([A-Za-z0-9+/]{44})\b`) |
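Review bot: `patPat` with `\b` on both sides can also capture a 44-character slice out of a longer base64 string, because `\b` fires between a word character and `+` or `/`: a longer blob whose 45th character is `+` or `/` produces a spurious 44-character match, while (as the Bugbot comment below notes) genuine tokens that end in `+` or `/` are missed. Delimiting with explicit non-base64 characters instead, e.g. `(?:^|[^A-Za-z0-9+/])([A-Za-z0-9+/]{44})(?:[^A-Za-z0-9+/]|$)`, handles both cases and stays within RE2's lookaround-free syntax.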
Word boundary incompatible with base64 +/ characters
Low Severity
The patPat regex uses \b word boundaries around a character class that includes + and / ([A-Za-z0-9+/]{44}). Since \b only considers [A-Za-z0-9_] as word characters, a token that starts or ends with + or / will fail to match when adjacent to typical delimiters like whitespace, end-of-line, or end-of-string. Because Jira Data Center PATs are base64-encoded, the last character has roughly a 1-in-32 chance of being + or /, causing those valid tokens to be silently missed.
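To make the boundary problem concrete, here is an added example (not code from the PR or from TruffleHog): it reconstructs the diff's `\b`-delimited pattern next to a variant that delimits the token with explicit non-base64 characters, and runs both over constructed sample input in which one token ends in `/`. The keyword prefix used here is a simplified stand-in for `detectors.PrefixRegex` (an assumption, not the real helper), and the tokens and sample text are constructed, not real credentials.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// keywordPrefix approximates the PR's keyword-proximity rule ("jira" or
// "atlassian" within 40 characters). It is an assumption made for this
// example, not TruffleHog's detectors.PrefixRegex.
const keywordPrefix = `(?i)(?:jira|atlassian)(?:.|[\n\r]){0,40}?`

// BoundaryPat mirrors the \b-delimited token pattern from the diff.
var BoundaryPat = regexp.MustCompile(keywordPrefix + `\b([A-Za-z0-9+/]{44})\b`)

// FixedPat delimits the token with a non-base64 character (or text start/end)
// instead of \b, so tokens that begin or end with '+' or '/' are still found,
// and a 44-char slice inside a longer base64 blob is not.
var FixedPat = regexp.MustCompile(keywordPrefix +
	`(?:^|[^A-Za-z0-9+/])([A-Za-z0-9+/]{44})(?:[^A-Za-z0-9+/]|$)`)

// FindTokens returns every captured 44-character candidate for a pattern.
func FindTokens(pat *regexp.Regexp, text string) []string {
	var out []string
	for _, m := range pat.FindAllStringSubmatch(text, -1) {
		out = append(out, m[1])
	}
	return out
}

// Constructed 44-character sample tokens; none of these is a real credential.
var (
	TokenA = strings.Repeat("Ab9", 14) + "Zz" // ends in a word character
	TokenB = strings.Repeat("Ab9", 14) + "Z/" // ends in '/', a non-word character
	TokenC = strings.Repeat("Cd7", 14) + "Yy" // no keyword nearby: must not match
)

// Sample is constructed scanner input: two tokens near keywords, one without.
var Sample = "jira token: " + TokenA + "\n" +
	"atlassian pat=" + TokenB + "\n" +
	"unrelated value " + TokenC + "\n"

func main() {
	fmt.Println("boundary pattern:", FindTokens(BoundaryPat, Sample)) // misses TokenB
	fmt.Println("fixed pattern:   ", FindTokens(FixedPat, Sample))    // finds both
}
```

The `\b` pattern finds only TokenA; the explicit-delimiter pattern finds TokenA and TokenB, and neither pattern picks up TokenC because no keyword sits within 40 characters of it.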
| case http.StatusOK: | ||
| var result map[string]any | ||
| if err := json.NewDecoder(resp.Body).Decode(&result); err != nil { | ||
| return false, nil, nil |
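Review bot: `json.NewDecoder(resp.Body)` reads an unbounded body from a host that may have been extracted from the scanned content itself (the description says extracted URLs are tried as verification endpoints), so wrap it with `io.LimitReader(resp.Body, N)` before decoding. Since the 200 branch only needs two fields, decoding into a small struct rather than `map[string]any` also makes the expected shape explicit and avoids type assertions when building the extra data.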
Successful auth silently marked unverified on decode failure
Medium Severity
When the server responds with HTTP 200 (meaning the Bearer token was accepted and authentication succeeded), but json.NewDecoder fails to decode the body, verifyPAT returns (false, nil, nil). This is indistinguishable from a 401 Unauthorized response, silently converting a verified credential into an unverified one. A 200 status confirms the token is valid; the JSON decode failure only means extra metadata couldn't be extracted. The function could return (true, nil, nil) to reflect the successful auth, or return a non-nil error to signal inconclusive verification.


Summary
Adds a new detector for Jira Data Center Personal Access Tokens (PATs).
Regex
Jira Data Center PATs are base64-encoded strings, always 44 characters in length.
Server URLs are captured using the same keyword prefix:
Both patterns require a `jira` or `atlassian` keyword within 40 characters to reduce false positives. Extracted URLs are tried alongside any user-configured endpoints.
Verification
Verifies against `GET /rest/api/2/myself` using `Authorization: Bearer <token>`. Returns `display_name` and `email_address` as extra data on 200. Treats 401 as invalid and anything else as a verification error. Docs: https://developer.atlassian.com/server/jira/platform/rest/v10002/api-group-myself/#api-api-2-myself-get
Tests
Pattern tests cover valid tokens, URL detection near `jira`/`atlassian` keywords, and negative cases. Verification tests use `gock` to mock the `/rest/api/2/myself` endpoint, covering verified, unverified (401), unexpected status, timeout, and no-verify cases.
Integration tests against a live Jira Data Center instance were not possible because Jira Data Center requires a paid license — there is no free tier or open-source image that runs fully without one. Unlike detectors such as Redis or MongoDB where a fully functional Docker container can be spun up freely, the `atlassian/jira-software` Docker image requires a valid license key to operate. Atlassian's evaluation licenses are time-limited and account-bound, making them unsuitable for automated CI.
Checklist:
- Tests passing (`make test-community`)?
- Lint passing (`make lint`, this requires golangci-lint)?

Note
Medium Risk
Adds a new secret detector with live HTTP verification and extends the `DetectorType` proto enum, which can affect downstream consumers and increases scan-time network calls when verification is enabled.
Overview
Adds a new `JiraDataCenterPAT` detector that finds 44-char Jira Data Center personal access tokens near `jira`/`atlassian` keywords, optionally extracting nearby Jira base URLs to try as verification endpoints.
Implements verification via `GET /rest/api/2/myself` using `Authorization: Bearer <token>`, returning `display_name`/`email_address` as `ExtraData` on success, and includes unit tests covering pattern matching, endpoint selection, and verification outcomes/timeouts.
Registers the detector in the default detector list and introduces `DetectorType_JiraDataCenterPAT` (value `1045`) in `proto/detectors.proto` and the generated `detectors.pb.go`.
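The verification flow the description lays out (GET `/rest/api/2/myself` with a Bearer header, 401 as unverified, any other status as an error), combined with the change the "Successful auth silently marked unverified" comment asks for on a 200 whose body fails to decode, as an added example that is not the PR's code. The function and mock names (`verifyPAT`, `newMockJira`, `RunScenario`) are hypothetical; it assumes the Jira `myself` response carries `displayName` and `emailAddress` fields (the `display_name`/`email_address` extra-data keys are the PR's), caps the body read at 64 KiB as a precaution because extracted URLs may point at an untrusted host, and replaces the PR's `gock` mocks with a constructed in-process `httptest` server so it runs offline.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// demoToken is a constructed 44-character placeholder, not a real PAT.
var demoToken = strings.Repeat("Ab9", 14) + "Zz"

// myselfResponse holds only the two fields the detector reports as extra data.
// Field names are the Jira REST API's (assumption documented in the lead-in).
type myselfResponse struct {
	DisplayName  string `json:"displayName"`
	EmailAddress string `json:"emailAddress"`
}

// verifyPAT calls /rest/api/2/myself with the token as a Bearer credential.
// 200 => verified (metadata is best-effort), 401 => unverified, anything else
// => inconclusive, reported as an error so it is never mistaken for "invalid".
func verifyPAT(ctx context.Context, client *http.Client, baseURL, token string) (bool, map[string]string, error) {
	url := strings.TrimRight(baseURL, "/") + "/rest/api/2/myself"
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return false, nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Accept", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return false, nil, err
	}
	defer resp.Body.Close()

	switch resp.StatusCode {
	case http.StatusOK:
		// The 200 already proves the token was accepted; a body we cannot
		// parse only costs us the extra metadata, not the verification result.
		var me myselfResponse
		body := io.LimitReader(resp.Body, 64<<10) // bound reads from an untrusted host
		if err := json.NewDecoder(body).Decode(&me); err != nil {
			return true, nil, nil
		}
		extra := map[string]string{}
		if me.DisplayName != "" {
			extra["display_name"] = me.DisplayName
		}
		if me.EmailAddress != "" {
			extra["email_address"] = me.EmailAddress
		}
		return true, extra, nil
	case http.StatusUnauthorized:
		return false, nil, nil
	default:
		return false, nil, fmt.Errorf("unexpected status %d from %s", resp.StatusCode, req.URL.Host)
	}
}

// newMockJira is a constructed stand-in for a Jira Data Center server. It
// accepts only demoToken; "json" returns a normal body, "garbage" returns a
// 200 with a non-JSON body, anything else returns 500.
func newMockJira(mode string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/rest/api/2/myself" {
			http.NotFound(w, r)
			return
		}
		if r.Header.Get("Authorization") != "Bearer "+demoToken {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		switch mode {
		case "json":
			w.Header().Set("Content-Type", "application/json")
			fmt.Fprint(w, `{"displayName":"Demo User","emailAddress":"demo@example.invalid"}`)
		case "garbage":
			fmt.Fprint(w, "<html>not json</html>")
		default:
			w.WriteHeader(http.StatusInternalServerError)
		}
	}))
}

// RunScenario spins up the mock in the given mode and verifies one token.
func RunScenario(mode, token string) (bool, map[string]string, error) {
	srv := newMockJira(mode)
	defer srv.Close()
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	return verifyPAT(ctx, &http.Client{Timeout: 5 * time.Second}, srv.URL, token)
}

func main() {
	for _, c := range []struct{ mode, token string }{
		{"json", demoToken}, {"garbage", demoToken}, {"json", "not-the-token"}, {"error", demoToken},
	} {
		ok, extra, err := RunScenario(c.mode, c.token)
		fmt.Printf("mode=%-8s verified=%-5v extra=%v err=%v\n", c.mode, ok, extra, err)
	}
}
```

The "garbage" scenario is the case the comment flags: the mock accepts the token and answers 200 with an unparseable body, and `verifyPAT` still reports it as verified (with no extra data) rather than collapsing it into the same result as a 401.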