feat(detectors): add BasicAuth detector #5061
Add detector for HTTP Basic Authentication tokens (BSCAU002). Detects Authorization: Basic <base64> patterns and decodes them to extract username:password credentials. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
feat(detectors): add BasicAuth detector
Deeraj CM seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 8b26b24.
| // Pattern matches Authorization: Basic <base64> or similar variations | ||
| // The base64 part should contain at least one colon when decoded (username:password format) | ||
| keyPat = regexp.MustCompile(`(?i)(?:authorization|auth)[\s:=]+basic[\s]+([A-Za-z0-9+/]{20,}={0,2})`) |
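Review bot: the base64 character class `[A-Za-z0-9+/]` in keyPat excludes `-` and `_`, so a URL-safe base64 payload can never reach the decoder even though the detector is described as decoding std or URL base64; either widen the class to `[A-Za-z0-9+/_-]` or drop the URL-safe decode branch and the claim. The preceding comment says the decoded value should contain a colon, but nothing in the pattern enforces that, so the comment should say the colon check happens after decoding, and the `{20,}` minimum (already flagged above) should be lowered so that check is actually exercised for short pairs.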
Regex minimum length rejects many valid credentials
High Severity
The {20,} minimum length in keyPat for the base64 alphabet portion is too high, causing the detector to miss many real-world credentials. Common pairs like admin:admin (15 base64 alphabet chars), user:password (18 chars), and admin:password (19 chars) all fall below the 20-char threshold and won't be detected. Only credentials with a combined username:password length of 15+ bytes produce enough base64 characters to match. The downstream validation (colon check, non-empty parts) already guards against false positives, making this high minimum unnecessary. The test cases for "no colon separator" and "empty password" also silently pass due to this same issue — their base64 strings are too short to match the regex, so the actual validation logic is never exercised.


Summary
Add detector for HTTP Basic Authentication credentials found in code, configuration files, and scripts.
Features
- Authorization: Basic <base64>
- auth: Basic <base64>
- BASIC_AUTH, HTTP_AUTH
- basic_auth, http_auth
Technical Implementation
Detection Pattern
Matches common Basic Auth patterns with prefix keywords:
- Keywords: authorization, auth, basic_auth, http_auth
- Basic keyword
- username:password format
Validation
- : separator
SecretParts:
- username: Extracted username
- password: Extracted password
- encoded: Original Base64 string
Verification
Basic Auth credentials cannot be verified without a target URL/endpoint. Results are marked as unverified but provide full credential details for manual verification.
Note
Low Risk
Additive detector-only change with local parsing and no network verification; main risk is false positives on generic base64 near auth keywords.
Overview
Adds a new BasicAuth secret detector and wires it into the default engine and DetectorType enum (BasicAuth = 1057). The scanner matches Authorization/auth headers (and = separators) with a Basic prefix plus a base64 payload, decodes it (std or URL base64), and only reports credentials when the decoded value is a non-empty username:password. Findings populate SecretParts (username, password, encoded) and are always unverified because there is no endpoint to validate against. Unit tests cover valid/invalid cases, curl snippets, and keyword pre-filtering.
Note: The PR description mentions env/config patterns like BASIC_AUTH; the implemented regex is limited to auth-header-style … basic <base64> text.
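The match, decode and validate flow described in the PR summary and the Bugbot overview, as an added Go example that is not the project's code: the pattern is modelled on keyPat but assumes a widened base64 class and a lower minimum length, the decoder and validation are my own, and the input is constructed.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

type Finding struct{ Username, Password, Encoded string } // the SecretParts the PR reports

// Hypothetical pattern modelled on the PR's keyPat, widened to URL-safe base64 with a lower minimum.
var basicAuthPat = regexp.MustCompile(
	`(?i)(?:authorization|auth)[\s:=]+basic\s+([A-Za-z0-9+/_-]{8,}={0,2})`)

// decodeBasic accepts standard or URL-safe base64, padded or not, as the PR describes.
func decodeBasic(enc string) (string, bool) {
	enc = strings.TrimRight(enc, "=") // the Raw encodings reject padding, so drop it first
	for _, e := range []*base64.Encoding{base64.RawStdEncoding, base64.RawURLEncoding} {
		if b, err := e.DecodeString(enc); err == nil {
			return string(b), true
		}
	}
	return "", false
}

// FindBasicAuth keeps only matches that decode to printable user:pass with both parts non-empty.
func FindBasicAuth(data string) []Finding {
	var out []Finding
	for _, m := range basicAuthPat.FindAllStringSubmatch(data, -1) {
		raw, ok := decodeBasic(m[1])
		user, pass, found := strings.Cut(raw, ":")
		if !ok || !found || user == "" || pass == "" ||
			strings.IndexFunc(raw, func(r rune) bool { return r < 0x20 || r > 0x7e }) >= 0 {
			continue // undecodable, binary, no separator or an empty part: not a credential
		}
		out = append(out, Finding{Username: user, Password: pass, Encoded: m[1]})
	}
	return out
}
// Sample is constructed input: two real pairs, then a payload with no colon and one with an empty password.
const Sample = `curl -H "Authorization: Basic YWRtaW46YWRtaW4=" https://example.invalid/
AUTH=Basic dXNlcjpwYXNzd29yZA==
Authorization: Basic bm9jb2xvbg== auth: basic dXNlcjo=`

func main() {
	for _, f := range FindBasicAuth(Sample) {
		fmt.Printf("%s:%s (%s)\n", f.Username, f.Password, f.Encoded)
	}
}
```

Only the first two payloads are reported; the no-colon and empty-password cases are rejected by the validation step rather than silently skipped by the regex.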