Added detector for JFrog Artifactory Reference Tokens #4684
Conversation
| for token := range uniqueTokens { | ||
| for url := range uniqueUrls { | ||
| if invalidHosts.Exists(url) { | ||
| delete(uniqueUrls, url) |
There was a problem hiding this comment.
I don't see any value with deleting the url from uniqueUrls. Also it might lead to unexpected behaviors if we mutate the slice we're looping over.
shahzadhaider1
changed the title
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
| for url := range uniqueUrls { | ||
| if invalidHosts.Exists(url) { | ||
| delete(uniqueUrls, url) | ||
| continue |
There was a problem hiding this comment.
Map mutation during iteration causes missed token-URL combinations
Medium Severity
The delete(uniqueUrls, url) call modifies the uniqueUrls map while iterating over it in a nested loop. When multiple tokens exist, the first token that encounters a URL in invalidHosts removes it from uniqueUrls, causing all subsequent tokens to skip that URL entirely. This results in missed token-URL combinations. The deletion is also unnecessary since invalidHosts.Exists(url) already handles filtering on each iteration.
2 participants
Summary
Adds a new detector for JFrog Artifactory Reference Tokens. Unlike JWT tokens (which start with
eyJ), reference tokens are base64-encoded strings with a predictable structure:When base64-encoded, this always produces a token starting with
cmVmdGtu.Detection
Regex pattern:
cmVmdGtu(8 chars): base64 encoding of "reftkn"Keyword:
cmVmdGtuVerification
Tokens are verified against the JFrog Access API:
This endpoint returns token metadata if valid. Available since Artifactory 7.53.1.
Response handling:
References
Checklist:
make test-community)?make lintthis requires golangci-lint)?