feat(detectors): add YahooOAuth detector #5094
feat(detectors): add BasicAuth detector
Add detector for HTTP Basic Authentication tokens (BSCAU002). Detects Authorization: Basic <base64> patterns and decodes them to extract username:password credentials. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add detector for Yahoo OAuth access and refresh tokens. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Deeraj CM seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit d3843f2. Configure here.
| // Yahoo OAuth Refresh Token pattern | ||
| // Shorter tokens (60-100 chars) with alphanumeric, dots, underscores, hyphens, tildes | ||
| // Example: AOahQ2qfcSxRRa1r4EDFhCDdsx0y~001~Fj.vO_OAW2IXbqFqc8gK3e0wJdTsx6kulrM- | ||
| refreshTokenPat = regexp.MustCompile(`\b([A-Za-z0-9][A-Za-z0-9._~-]{59,119})\b`) |
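Review bot: the trailing \b in refreshTokenPat drops any final -, . or ~ from the capture, because RE2 treats only [0-9A-Za-z_] as word characters and a token ending in one of those three followed by a quote, brace or space has no boundary at that position; RE2 has no lookahead, so an explicit delimiter such as (?:[^A-Za-z0-9._~-]|$) in place of the closing \b keeps the whole token in group 1. The comment above the pattern also says 60-100 chars while [A-Za-z0-9][A-Za-z0-9._~-]{59,119} accepts 60 to 120; align the comment with the quantifier or tighten the quantifier.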
Refresh token regex truncates tokens ending with non-word chars
High Severity
The \b word boundary at the end of refreshTokenPat is incompatible with the character class [A-Za-z0-9._~-] which includes non-word characters (-, ., ~). In RE2, \b only considers [0-9A-Za-z_] as word characters. When a token ends with -, ., or ~ and is followed by a common delimiter like ", }, or whitespace, no word boundary exists at that position, causing the regex to backtrack and truncate the trailing non-word characters. The PR description's own example token AOahQ2qfcSxRRa1r4EDFhCDdsx0y~001~Fj.vO_OAW2IXbqFqc8gK3e0wJdTsx6kulrM- would be captured without the trailing -. The test avoids this by using a token ending in ABC.
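The truncation Bugbot describes, as an added Go example that is not part of the PR: the pattern from the hunk beside a lookaround-free alternative, both run over a constructed config line that quotes the PR's sample refresh token. The token value is the one from the PR description; the config line, the delimitedPat name and the extract helper are the example's own.

```go
package main

import (
	"fmt"
	"regexp"
)

// sampleRefreshToken is the refresh-token example from the PR description:
// 69 characters, ending in a '-' that RE2 does not treat as a word character.
const sampleRefreshToken = "AOahQ2qfcSxRRa1r4EDFhCDdsx0y~001~Fj.vO_OAW2IXbqFqc8gK3e0wJdTsx6kulrM-"

// boundaryPat is the pattern as written in the PR: \b on both sides.
var boundaryPat = regexp.MustCompile(`\b([A-Za-z0-9][A-Za-z0-9._~-]{59,119})\b`)

// delimitedPat is an alternative that works in RE2 (no lookaround): the token
// must be preceded and followed by either the string edge or a character that
// cannot itself belong to a token. Group 1 is still the token.
var delimitedPat = regexp.MustCompile(`(?:^|[^A-Za-z0-9._~-])([A-Za-z0-9][A-Za-z0-9._~-]{59,119})(?:[^A-Za-z0-9._~-]|$)`)

// extract returns the first token captured by pat in data, or "" if none.
func extract(pat *regexp.Regexp, data string) string {
	m := pat.FindStringSubmatch(data)
	if m == nil {
		return ""
	}
	return m[1]
}

// sampleConfig is a constructed config line in which the token is quoted,
// so the character after the final '-' is '"', another non-word character.
const sampleConfig = `refresh_token="` + sampleRefreshToken + `"`

func main() {
	got := extract(boundaryPat, sampleConfig)
	fmt.Printf("\\b pattern:        %s (len %d)\n", got, len(got))
	got = extract(delimitedPat, sampleConfig)
	fmt.Printf("delimited pattern: %s (len %d)\n", got, len(got))
}
```

The \b version returns 68 characters (the token minus its trailing -), the delimited version returns all 69; a bare token with nothing around it is also captured whole by the delimited version because ^ and $ stand in for the missing delimiters.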
| } | ||
| } | ||
| return true, nil | ||
| } |
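Review bot: the unconditional return true, nil that closes this block means the body read, json.Unmarshal and the email/sub checks above it can never change the outcome, so a 200 carrying an HTML error page or an empty JSON object is still reported as a verified token. Either propagate the read/decode error and return false when neither email nor sub is present, or remove the parsing together with the encoding/json and io imports that exist only for it.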
Body parsing in verification is unreachable dead code
Low Severity
Every code path inside the if resp.StatusCode == 200 block returns true, nil regardless of whether the body can be read or parsed, or whether it contains email or sub fields. The io.ReadAll, json.Unmarshal, and field checks are dead code that has no effect on behavior. The encoding/json and io imports exist solely for this unused logic.
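A verification routine in which the body parsing actually decides the result, as an added Go example and not the PR's code: a 200 counts as verified only when the userinfo body decodes and carries a sub or email claim, a 401/403 is a definite "not valid", and any other outcome is returned as an error so the caller can tell "invalid" from "could not check". The real endpoint is stood in for by an httptest server; the token strings, the verifyToken and newFakeUserinfo names and the userinfo struct are constructed for the example.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// userinfo holds the two claims the verifier cares about; the field names
// follow the OpenID Connect userinfo response and other fields are ignored.
type userinfo struct {
	Sub   string `json:"sub"`
	Email string `json:"email"`
}

// verifyToken calls a userinfo endpoint with a bearer token and reports
// whether the token is live. (true, nil) requires a 200 whose body decodes
// and carries sub or email; 401/403 is (false, nil); anything else is an
// error so that a network fault or odd response is never read as "valid".
func verifyToken(ctx context.Context, client *http.Client, endpoint, token string) (bool, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()

	switch resp.StatusCode {
	case http.StatusOK:
		body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<16)) // cap the body we are willing to buffer
		if err != nil {
			return false, err
		}
		var ui userinfo
		if err := json.Unmarshal(body, &ui); err != nil {
			return false, fmt.Errorf("userinfo: body is not JSON: %w", err)
		}
		if ui.Sub == "" && ui.Email == "" {
			return false, errors.New("userinfo: 200 response without sub or email claim")
		}
		return true, nil
	case http.StatusUnauthorized, http.StatusForbidden:
		return false, nil
	default:
		return false, fmt.Errorf("userinfo: unexpected status %d", resp.StatusCode)
	}
}

// newFakeUserinfo is a constructed stand-in for the endpoint so the example
// runs offline: one hard-coded token is valid, a second gets a 200 with an
// empty object (the case the dead code would have accepted), all else 401.
func newFakeUserinfo() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		switch r.Header.Get("Authorization") {
		case "Bearer VALID-TOKEN-constructed":
			fmt.Fprint(w, `{"sub":"abc123","email":"user@example.com"}`)
		case "Bearer EMPTY-BODY-constructed":
			fmt.Fprint(w, `{}`)
		default:
			w.WriteHeader(http.StatusUnauthorized)
		}
	}))
}

func main() {
	srv := newFakeUserinfo()
	defer srv.Close()
	client := &http.Client{Timeout: 5 * time.Second}
	for _, tok := range []string{"VALID-TOKEN-constructed", "EMPTY-BODY-constructed", "bogus-constructed"} {
		ok, err := verifyToken(context.Background(), client, srv.URL, tok)
		fmt.Printf("%-24s verified=%v err=%v\n", tok, ok, err)
	}
}
```

Returning an error for the "200 but no claims" case, rather than false, keeps the detector honest about what it learned: the token was not shown to be invalid, the check simply could not be completed.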
Summary
Add detector for Yahoo OAuth access and refresh tokens.
Changes
- YahooOAuth detector for OAuth tokens
- Verification endpoint: https://api.login.yahoo.com/openid/v1/userinfo
- YahooOAuth = 1066 added to proto definitions
- Registered in defaults.go
Detector Details
Type: Yahoo OAuth Tokens
Patterns:
Keywords: "yahoo", "oauth", "access_token", "yahoo_token", "yahoooauth"
Verification:
Use Case: Detect exposed Yahoo OAuth tokens from config files, environment variables, or code
Token Types Detected
Access Token
OfV5iMac7gx6SGNFLAmsFVMTP17EmgpfI4nFJTDaFvHur3Oxg6mVni4Lt...(very long)
Refresh Token
AOahQ2qfcSxRRa1r4EDFhCDdsx0y~001~Fj.vO_OAW2IXbqFqc8gK3e0wJdTsx6kulrM-
Test Results