[INS-351] Added Duffel Test Token Detector #4795
MuneebUllahKhan222 wants to merge 3 commits into trufflesecurity:main from
Conversation
Cursor Bugbot has reviewed your changes and found 1 potential issue.
```go
// Format: duffel_test_ + 43 alphanumeric / dash / underscore characters
duffelTestTokenPat = regexp.MustCompile(
	`\b(duffel_test_[A-Za-z0-9_-]{43})\b`,
)
```
Regex word boundary incompatible with hyphen in character class
Low Severity
The regex \b(duffel_test_[A-Za-z0-9_-]{43})\b includes - (hyphen) in the character class, but \b only treats [A-Za-z0-9_] as word characters. If a valid token's 43rd character is a hyphen and the token appears before whitespace, end-of-string, or other non-word characters, the trailing \b won't match (non-word to non-word is not a word boundary), causing the token to go undetected.
This is not an issue as the last character of the token will not be a -
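The word-boundary point raised in the review thread above can be checked directly. The following Go program is an added example written for this page, not code from the PR or from TruffleHog: it runs the pattern Bugbot quoted and, beside it, a hypothetical variant (delimitedPat, my name) that ends with an explicit "not a token character or end of input" check instead of \b, over two constructed sample tokens, one whose 43rd character is a letter and one whose 43rd character is a hyphen. Neither token is real.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// bugbotPat is the shape the review comment quotes: \b on both sides of a
// class that contains '-'. Since '-' is not a word character, the trailing \b
// cannot be satisfied when the 43rd character is '-' and the next character
// is whitespace, punctuation, or end of input.
var bugbotPat = regexp.MustCompile(`\b(duffel_test_[A-Za-z0-9_-]{43})\b`)

// delimitedPat is a hypothetical alternative (not the PR's code) that RE2,
// Go's regexp engine, can express without lookahead: the token must be
// preceded by start-of-input or a non-token character and followed by a
// non-token character or end-of-input. It consumes one delimiter character on
// each side, so two tokens separated by a single character would not both be
// returned by FindAllStringSubmatch.
var delimitedPat = regexp.MustCompile(
	`(?:^|[^A-Za-z0-9_-])(duffel_test_[A-Za-z0-9_-]{43})(?:[^A-Za-z0-9_-]|$)`,
)

// FindTokens returns capture group 1 of every match of pat in s.
func FindTokens(pat *regexp.Regexp, s string) []string {
	var out []string
	for _, m := range pat.FindAllStringSubmatch(s, -1) {
		out = append(out, m[1])
	}
	return out
}

// Constructed sample tokens: the prefix plus exactly 43 class characters,
// which is the length the detector expects. They are not real credentials.
var (
	AlnumToken  = "duffel_test_" + strings.Repeat("a", 43)
	HyphenToken = "duffel_test_" + strings.Repeat("a", 42) + "-"
)

func main() {
	samples := []string{
		"DUFFEL_TOKEN=" + AlnumToken + "\n",  // letter before \b: both patterns match
		"DUFFEL_TOKEN=" + HyphenToken + "\n", // hyphen before newline: \b fails
		HyphenToken,                          // hyphen at end of input: \b fails
	}
	fmt.Println("bugbot delimited input")
	for _, s := range samples {
		fmt.Printf("%-6d %-9d %q\n",
			len(FindTokens(bugbotPat, s)), len(FindTokens(delimitedPat, s)), s)
	}
}
```

If the author's statement that a Duffel token never ends in a hyphen is documented, the cleaner fix is to encode it in the class rather than relying on \b, for example `duffel_test_[A-Za-z0-9_-]{42}[A-Za-z0-9_]`; that keeps \b satisfiable on both sides and does not consume delimiters. That suggestion is mine, not from the PR.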


Description
This PR adds the Duffel Test API Token Detector for TruffleHog.
It scans for Duffel sandbox API tokens (prefix duffel_test_) and optionally verifies them via the Duffel API.

Regex:
\b(duffel_test_[A-Za-z0-9-_]{43})\b

Verification
For verification, we use the Duffel Users API: /identity/customer/users?limit=1. We send a GET request with the token in the Authorization header.
A response code of:
This endpoint is part of the official Duffel API and can be used safely for verification.
It is read-only, does not create or modify resources, and simply confirms whether the provided token is valid.

Corpora Test
The detector does not appear in the list.

Checklist:
Tests passing (make test-community)?
Lint passing (make lint; this requires golangci-lint)?

Note
Medium Risk
Adds a new detector with optional live verification via an external Duffel API call and extends the shared DetectorType protobuf enum, which could affect consumers relying on serialized enum values.

Overview
Adds a new duffeltesttoken detector that matches duffel_test_ tokens, deduplicates findings, redacts output, and (when enabled) verifies validity by calling Duffel's /identity/customer/users?limit=1 endpoint and interpreting 200/401/403 responses.
Extends the protobuf DetectorType enum with DuffelTestToken (value 1043) and includes new unit/integration tests and a benchmark covering matching and verification error handling.

Written by Cursor Bugbot for commit 4fcdb2e.
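The verification flow the PR description and the Bugbot summary above describe (one read-only GET to /identity/customer/users?limit=1 with the token in the Authorization header, 200 meaning live and 401/403 meaning not) can be shown end to end. The Go program below is an added example written for this page, not the detector's code: Verify, NewFakeDuffel and the Bearer scheme are my assumptions (the page only says the token goes in the Authorization header), and the in-process httptest server is a constructed stand-in for the Duffel API so the example runs offline. It goes slightly beyond the page in one respect: any status other than 200/401/403 (rate limiting, 5xx) is surfaced as an error rather than silently recorded as "unverified", which is the behaviour a scanner wants when the API is unavailable.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// usersPath is the read-only endpoint the PR description names.
const usersPath = "/identity/customer/users?limit=1"

// Verify sends one GET to baseURL+usersPath with the candidate token and maps
// the status code as the PR describes: 200 is a live token, 401/403 is a dead
// or unauthorized one. Any other status is returned as an error so the caller
// does not confuse "the API was unhappy" with "the token is invalid".
// The Bearer scheme is an assumption of this example.
func Verify(ctx context.Context, client *http.Client, baseURL, token string) (bool, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+usersPath, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Accept", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusUnauthorized, http.StatusForbidden:
		return false, nil
	default:
		return false, fmt.Errorf("unexpected status %d from %s", resp.StatusCode, usersPath)
	}
}

// Redact returns the prefix of a token plus a fixed suffix so log lines and
// output never carry the full secret.
func Redact(token string) string {
	if len(token) <= 16 {
		return "********"
	}
	return token[:16] + "..."
}

// NewFakeDuffel is a constructed stand-in for the Duffel API: it accepts
// exactly liveToken, answers 429 for the literal token "ratelimited" to
// exercise the error path, and 401 for anything else. It is not Duffel's
// real behaviour in every detail, only the three outcomes Verify handles.
func NewFakeDuffel(liveToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet || r.URL.Path != "/identity/customer/users" || r.URL.Query().Get("limit") != "1" {
			http.NotFound(w, r)
			return
		}
		switch r.Header.Get("Authorization") {
		case "Bearer " + liveToken:
			w.Header().Set("Content-Type", "application/json")
			fmt.Fprint(w, `{"data":[]}`)
		case "Bearer ratelimited":
			w.WriteHeader(http.StatusTooManyRequests)
		default:
			w.WriteHeader(http.StatusUnauthorized)
		}
	}))
}

func main() {
	// Constructed tokens of the expected shape; neither is a real credential.
	live := "duffel_test_" + strings.Repeat("x", 43)
	dead := "duffel_test_" + strings.Repeat("y", 43)
	srv := NewFakeDuffel(live)
	defer srv.Close()

	client := &http.Client{Timeout: 10 * time.Second}
	for _, tok := range []string{live, dead, "ratelimited"} {
		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
		ok, err := Verify(ctx, client, srv.URL, tok)
		cancel()
		fmt.Printf("%-20s verified=%-5v err=%v\n", Redact(tok), ok, err)
	}
}
```

The client timeout and per-request context matter in a scanner that may run thousands of verification calls: without them one stalled Duffel request blocks the worker indefinitely.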