feat(detectors): add VisibleNpmRegistryAuthData detector#5052
Conversation
Adds a detector for visible npm registry auth data in .npmrc files. Detects both _authToken (npm tokens) and _auth (base64 credentials). The verifier calls GET /-/whoami endpoint to validate npm tokens (200 = verified, 401/403 = invalid).

- Adds DetectorType_VisibleNpmRegistryAuthData (enum 1054) to proto
- Implements Scanner with pattern matching for _authToken and _auth
- Includes comprehensive tests for pattern matching and verification
- Registers detector in DefaultDetectors

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Deeraj CM seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 7576597. Configure here.
| GitLabOauth2 = 1050; | ||
| SpectralOps = 1051; | ||
| AWSAppSync = 1052; | ||
| VisibleNpmRegistryAuthData = 1054; |
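Review bot: `VisibleNpmRegistryAuthData = 1054;` leaves 1053 unused after `AWSAppSync = 1052;`, and proto enum numbers are wire identifiers that cannot be renumbered once released, so this needs settling before merge: either use 1053, or, if 1053 is intentionally held back, add a `reserved 1053;` entry so the gap is explicit rather than accidental.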
Skipped proto enum value 1053
Medium Severity
VisibleNpmRegistryAuthData is assigned proto enum value 1054, but the previous entry AWSAppSync is 1052, skipping value 1053. Every other value in the enum from 0 through 1052 is sequential with no gaps. This looks like an accidental off-by-one and could cause confusion or conflicts if another detector is later assigned 1053.
| authLinePat = regexp.MustCompile(`(?im)(?:^|[\n\r])\s*(?:@[^:\s]+:)?(?:\/\/[^\s]+\/:)?_auth\s*=\s*([A-Za-z0-9+/=_-]{16,})`) | ||
|
|
||
| // NPM token shapes we can actively verify via whoami endpoint. | ||
| verifyableTokenPat = regexp.MustCompile(`^(?:npm_[A-Za-z0-9]{36}|[0-9A-Fa-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$`) |
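Review bot: `verifyableTokenPat` is misspelled; `verifiableTokenPat` matches the comment above it ("we can actively verify"). In `authLinePat`, the `(?:^|[\n\r])` alternative is redundant once `(?m)` is set, because multiline `^` already matches at every line start; `(?im)^\s*...` expresses the same thing without consuming the newline. Also note that `(?i)` makes the key match `_AUTH` and `_Auth` as well as `_auth`; confirm that is intended, since the `(?i)` flag is otherwise only needed for the base64 class.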
UUID regex inconsistently allows uppercase hex digits
Low Severity
verifyableTokenPat allows uppercase hex [0-9A-Fa-f] in the first 8-char UUID group but only lowercase [0-9a-f] in the remaining four groups. A valid UUID-style npm token with uppercase hex characters after the first segment (e.g. 1234abcd-ABCD-...) won't match, causing the detector to skip verification for an otherwise verifiable token.


Description:

Summary

- Covers `.npmrc` files: `_authToken` (npm tokens) and `_auth` (base64 credentials)
- Calls the `GET /-/whoami` endpoint to validate npm tokens; treats `200` as verified, `401`/`403` as determinately invalid
- Adds `VisibleNpmRegistryAuthData = 1054` to `proto/detector_type.proto`, regenerated `pb.go`, and registers the scanner in `pkg/engine/defaults/defaults.go`
- Sets `SecretParts` with `auth_kind` and `key`, includes a `rotation_guide` in `ExtraData`, and implements `CustomFalsePositiveChecker`

Test plan

- `go test ./pkg/detectors/visiblenpmregistryauthdata -tags=detectors -v`: all pattern + verify cases pass
- `go build ./...` succeeds
- `go vet ./...` clean on touched packages

Notes

NPM registry auth data in `.npmrc` files can expose publish/install privileges to private or public registries. Leaked credentials grant full access to package publishing and consumption.

Detection

- Keywords: `_authToken`, `_auth`, `registry.npmjs.org`, `npmrc`
- `_authToken` line: matches npm tokens and UUIDs
- `_auth` line: matches base64-encoded credentials (16+ chars)

Verification

- `GET https://registry.npmjs.org/-/whoami` with `Authorization: Bearer <token>`
- `200` → verified
- `401`/`403` → determinately unverified (no error)
- `_auth` values (base64) are not verifiable without assuming decode structure

Note
Medium Risk
Adds outbound verification calls to the npm registry when scanning with verify enabled; detection logic is isolated but overlaps conceptually with existing npm token detectors.
Overview

Adds a VisibleNpmRegistryAuthData scanner for credentials embedded in `.npmrc`-style config (not bare `npm_` tokens alone). It matches `_authToken` and `_auth` assignment lines, deduplicates hits, tags results with `auth_kind` / rotation metadata, and plugs into default detectors via proto enum 1054.

When verification is on, token-shaped values (`npm_*` or UUID) are checked with `GET …/-/whoami` and `Authorization: Bearer`; 200 marks verified, 401/403 unverified, other statuses surface a verification error. `_auth` base64 blobs are reported but not verified.

Unit tests cover regex/keyword matching and mocked whoami behavior.
Reviewed by Cursor Bugbot for commit 7576597. Bugbot is set up for automated code reviews on this repo.
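The detect-then-verify flow described above, as an added example that is not the PR's or the project's code: it extracts `_authToken`/`_auth` lines from `.npmrc` text, deduplicates by secret, only sends token-shaped `_authToken` values to `/-/whoami`, and maps 200 to verified, 401/403 to determinately unverified, and any other status to an error. `Candidate`, `FindCandidates` and `Verify` are hypothetical names, and `registry` is assumed to be a base URL without a trailing slash.

```go
package main
import (
	"fmt"
	"net/http"
	"regexp"
)
// Added illustration; names are hypothetical. AuthKind is "authToken" (npm token) or "auth" (base64 basic credential).
type Candidate struct{ AuthKind, Key, Secret string } // Key is the full .npmrc key, e.g. "//registry.npmjs.org/:_authToken"
// Optional @scope: and //host/: prefixes, then _authToken or _auth, then a 16+ char value.
var authLine = regexp.MustCompile(`(?m)^\s*((?:@[^:\s]+:)?(?://[^\s]+/:)?_(authToken|auth))\s*=\s*([A-Za-z0-9+/=_-]{16,})`)
// Token shapes whoami can check: granular npm_ tokens and legacy UUID tokens (hex of either case).
var tokenShape = regexp.MustCompile(`^(?:npm_[A-Za-z0-9]{36}|[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$`)
// FindCandidates extracts _authToken/_auth assignments from .npmrc text, deduplicated by secret.
func FindCandidates(npmrc string) []Candidate {
	seen, out := map[string]bool{}, []Candidate{}
	for _, m := range authLine.FindAllStringSubmatch(npmrc, -1) {
		if !seen[m[3]] {
			seen[m[3]] = true
			out = append(out, Candidate{AuthKind: m[2], Key: m[1], Secret: m[3]})
		}
	}
	return out
}
// Verify sends the token as a bearer to <registry>/-/whoami: 200 = verified, 401/403 = determinately unverified
// (no error), any other status or transport failure = verification error. _auth blobs are never sent anywhere.
func Verify(client *http.Client, registry string, c Candidate) (bool, error) {
	if c.AuthKind != "authToken" || !tokenShape.MatchString(c.Secret) {
		return false, fmt.Errorf("%s: not a verifiable token shape", c.Key)
	}
	req, err := http.NewRequest(http.MethodGet, registry+"/-/whoami", nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer "+c.Secret)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusUnauthorized, http.StatusForbidden:
		return false, nil
	}
	return false, fmt.Errorf("unexpected whoami status %d", resp.StatusCode)
}
func main() { // constructed sample .npmrc with made-up values; prints key and kind, never the secret
	for _, c := range FindCandidates("//registry.npmjs.org/:_authToken=npm_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n//npm.corp.example/:_auth=dXNlcjpwYXNzd29yZDEyMw==\n") { fmt.Println(c.Key, "auth_kind="+c.AuthKind) }
}
```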