Lloydcoder separate detectors#4817
Conversation
Adds high-signal detector for: • Paystack (live/test keys) • Flutterwave/Rave • Remita merchant+hash • Interswitch MAC keys • SportyBet/BetKing tokens Written by @LloydCoder (Tinlance) after shipping the same in Nuclei templates. Zero false positives expected due to keyword pre-filtering. 🇳🇬
- Split monolithic detector into 5 separate detectors (Paystack, Flutterwave, Remita, Interswitch, SportyBet) - Each detector now has dedicated verifier function - Added proto enum entries for Remita, Interswitch, Sportybet - Regenerated proto files - Registered detectors in engine defaults - All detectors follow TruffleHog standards with proper error handling
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
- Fixed Paystack regex: {50,} → {40} (real keys are 40 chars)
- Fixed Flutterwave HTTP client: use common.SaneHttpClient() with timeout
- Fixed Remita: use production API endpoint + SaneHttpClient
- Fixed Interswitch: added capture group to macKey regex + production endpoint
- Fixed SportyBet: removed generic JWT patterns, fixed Bearer prefix handling
- All detectors now use common.SaneHttpClient() instead of http.DefaultClient
- Removed overly broad keywords causing false positives
|
@Cursor-AI All 6 issues fixed! 🔧 ✅ Fixed Paystack regex: {50,} → {40} (real keys are 40 chars, not 50+) Build passes. Ready for review! |
… fix key patterns - Moved all regex patterns to package-level vars (compile once, not per call) - Fixed Paystack regex to accept any lowercase prefix (sk_*_) - Fixed Flutterwave regex to include -X suffix in FLWSECK pattern - All detectors now follow TruffleHog standard practices
|
@Cursor-AI Final fixes pushed! 🔧 ✅ Moved all regex patterns to package-level vars (compile once, not per call) Build passing. Ready for Dustin's review! |
…n logic - Created package-level HTTP clients (reuse connection pools, not per-call) - Fixed verification: check for 'invalid'/'unauthorized' instead of generic 'error' - Removed overly broad Remita regex alternative (kept only remita_api_key pattern) - All 5 detectors now follow TruffleHog HTTP client best practices
|
@Cursor-AI Final round complete! 🔧 ✅ Created package-level HTTP clients (reuse connection pools, not per-call) All 5 commits pushed. Build passing. Ready for @dustin-decker's review! |
- Fixed verification logic: body-keyword check now prevents false positives - Changed from standard 'regexp' to 'github.com/wasilibs/go-re2' (project standard) - Reordered status code checks to prevent catch-all bypass - All detectors now follow TruffleHog codebase conventions
- Fixed verification logic: body-keyword check now prevents false positives - Changed from standard 'regexp' to 'github.com/wasilibs/go-re2' (project standard) - Reordered status code checks to prevent catch-all bypass - All detectors now follow TruffleHog codebase conventions
|
@dustin-decker @shahzadhaider1 @trufflesecurity/integrations @trufflesecurity/oss @trufflesecurity/product-eng @trufflesecurity/scanning Conflicts resolved + all Cursor feedback addressed in latest commits (777f2f9 & 484f965).
Ready for code owner review & merge. Happy to make any final tweaks! Thanks for the guidance 🇳🇬🙌 |
…nterswitch=1041 Sportybet=1042
…interswitch fallback, remove dead TrimPrefix
| key := match[1] | ||
|
|
||
| s := detectors.Result{ | ||
| DetectorType: detectorspb.DetectorType_Remita, |
There was a problem hiding this comment.
Proto source IDs conflict with generated Go code
High Severity
The proto source (proto/detectors.proto) assigns Remita = 1040, Interswitch = 1041, Sportybet = 1042, but the generated Go code (detectors.pb.go) has these at IDs 1044/1045/1046 because IDs 1040–1043 are already occupied by OpenAIAdmin, GoogleGeminiAPIKey, ArtifactoryReferenceToken, and DatadogApikey. The proto source is missing those four entries entirely. The next protoc regeneration will produce conflicting IDs, break those four detectors, and change the wire format for the three new detectors.
Additional Locations (2)
…=1046), fix flutterwave regex, fix interswitch keyword typo, regenerate pb.go
|
@cursor All previous issues have been resolved in the latest commit: ✅ Proto enum IDs corrected: Remita=1044, Interswitch=1045, Sportybet=1046 Ready for review! |
|
Unable to authenticate your request. Please make sure to connect your GitHub account to Cursor. Go to Cursor |
|
@dustin-decker @shahzadhaider1 — all Cursor Bugbot issues are now resolved, build is clean, proto is properly regenerated. Ready for your review! 🇳🇬 |
|
@dustin-decker @shahzadhaider1 all Cursor Bugbot issues fully resolved across multiple review cycles. Here's the final state: |
1 participant
Summary
I've implemented the feedback from @dustin-decker and @shahzadhaider1 by splitting the monolithic Nigerian fintech detector into 5 separate, properly structured detectors with individual verifiers.
Changes
✅ Split into 5 separate detectors:
✅ Proto updates:
Remita = 1040Interswitch = 1041Sportybet = 1042✅ Engine registration:
pkg/engine/defaults/defaults.gobuildDetectorList()✅ Quality assurance:
DetectorinterfaceBranch
lloydcoder-separate-detectors- Commit:8fa8dcb1Ready for review!
Note
Medium Risk
Adds new secret detectors and updates existing detector patterns and online verification endpoints; changes could affect detection/false-positive rates and introduce additional outbound verification calls.
Overview
Adds first-class detectors for Remita, Interswitch, and Sportybet, each with keyword prefiltering, regex extraction, and HTTP-based verification plus basic pattern tests.
Updates Flutterwave and Paystack detectors to use revised key regexes/keywords and a standardized verification flow that checks specific API endpoints, drains response bodies, and records verification errors.
Registers the new detectors in
pkg/engine/defaults/defaults.goand extends theDetectorTypeproto/Go enum withRemita,Interswitch, andSportybetvalues (with regenerated protobuf output).Written by Cursor Bugbot for commit b3a92a3. This will update automatically on new commits. Configure here.