Improve Algolia detector context matching #4905
heyfunwhoa wants to merge 2 commits into trufflesecurity:main from
| "ALGOLIA_API_KEY", | ||
| "ALGOLIA_APPLICATION_ID", | ||
| "x-algolia-api-key", | ||
| "x-algolia-application-id", |
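Review bot: every entry added in this hunk contains "algolia", which the detector already lists as a keyword, and the pre-filter in ahocorasickcore.go is a case-insensitive substring match, so no chunk that reaches FromData after this change would have been skipped before it; the coverage gain the PR description claims cannot come from these four lines. If the intent is tighter context matching, as the PR title says, that change belongs in the detector's regex, not in Keywords(); otherwise drop "ALGOLIA_API_KEY", "ALGOLIA_APPLICATION_ID" and the two header-name entries and keep "algolia" alone.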
New keywords are redundant substrings of existing keyword
Low Severity
All four new keywords (ALGOLIA_API_KEY, ALGOLIA_APPLICATION_ID, x-algolia-api-key, x-algolia-application-id) contain algolia as a substring. The Aho-Corasick pre-filter in ahocorasickcore.go already lowercases both keywords and chunk data, and performs substring matching. Since "algolia" is already a keyword, it will match any text containing the new keywords, making them entirely redundant. They don't expand detection coverage but do add unnecessary entries to the trie and keyword-to-detector map.
Reviewed by Cursor Bugbot for commit 7fd27bb.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit 33bc856.
| return []string{ | ||
| "metabase", | ||
| "X-Metabase-Session", | ||
| "X-API-Key", |
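Review bot: "X-API-Key" on the last line of this hunk does not contain "metabase", so it makes the Metabase detector run FromData on every chunk carrying that widely used header even though both keyPat and baseURL require the metabase prefix; remove "X-API-Key" from this list. "X-Metabase-Session" (and the METABASE_API_KEY entry the description mentions) already contain "metabase" and add nothing over the existing "metabase" keyword under substring matching, so the whole list could stay as `return []string{"metabase"}`.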
Overly generic "X-API-Key" keyword triggers false pre-filter matches
Medium Severity
The keyword X-API-Key is an extremely common HTTP header used by many APIs (findl, interseller, langsmith, cloudsmith, etc.). Adding it to the Metabase detector's Keywords() causes the Metabase detector's FromData to be invoked on any chunk containing this generic header, even though the detector's regex (keyPat and baseURL) both require the prefix metabase to match. This results in wasted CPU running regex scans on chunks that can never produce a Metabase result. The other new Metabase keywords (X-Metabase-Session, METABASE_API_KEY) already contain metabase as a substring, making them redundant but harmless — X-API-Key is uniquely problematic because it doesn't contain metabase at all.
Reviewed by Cursor Bugbot for commit 33bc856.
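The two review comments above both rest on how a keyword pre-filter gates detector execution: keywords and chunk text are lowercased and matched as substrings, and only detectors with a keyword hit get their FromData regex run. The program below is an added example, not trufflehog's code, that simulates that pipeline over constructed chunks to make both points measurable. It assumes a simplified strings.Contains pre-filter in place of the project's Aho-Corasick trie (same matching semantics for this purpose), invented stand-in regexes for the Algolia and Metabase FromData patterns, and sample chunks containing placeholder values rather than real secrets. It compares each detector with its original keyword list against the list after this PR and reports how many chunks triggered FromData and how many actually produced a result.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// detector is a hypothetical stand-in for trufflehog's Keywords()/FromData()
// split: keywords gate execution, pat stands in for the FromData regex.
type detector struct {
	name     string
	keywords []string
	pat      *regexp.Regexp
}

// Result reports pre-filter invocations and real hits before and after a
// keyword list change.
type Result struct {
	InvokedBefore, InvokedAfter, FoundBefore, FoundAfter int
}

// Constructed sample chunks (placeholder values, not real credentials).
var sampleChunks = []string{
	"ALGOLIA_APPLICATION_ID=ABCDEF1234\nALGOLIA_API_KEY=0123456789abcdef0123456789abcdef",
	"x-algolia-api-key: 0123456789abcdef0123456789abcdef",
	"METABASE_API_KEY=mb_xxxxxxxx base_url=https://metabase.example.com",
	"curl -H 'X-API-Key: sk_live_xxxx' https://api.example.com/v1",
	"nothing interesting here",
}

// Assumed regexes: both require the product name as a prefix, mirroring the
// review's description of the Metabase keyPat. Not the project's patterns.
var (
	algoliaPat  = regexp.MustCompile(`(?i)algolia[^\n]{0,40}?\b([0-9a-f]{32})\b`)
	metabasePat = regexp.MustCompile(`(?i)metabase[^\n]{0,40}?\b(mb_[a-z0-9]{8,})\b`)
)

// prefilter lowercases both sides and matches keywords as substrings, the
// semantics the review attributes to ahocorasickcore.go. A detector is
// returned at most once per chunk.
func prefilter(dets []detector, chunk string) []string {
	lower := strings.ToLower(chunk)
	var hit []string
	for _, d := range dets {
		for _, kw := range d.keywords {
			if strings.Contains(lower, strings.ToLower(kw)) {
				hit = append(hit, d.name)
				break
			}
		}
	}
	return hit
}

// scan runs the pre-filter, then the regex for each gated detector, and
// counts invocations and results per detector name.
func scan(dets []detector, chunks []string) (invoked, found map[string]int) {
	invoked, found = map[string]int{}, map[string]int{}
	byName := map[string]detector{}
	for _, d := range dets {
		byName[d.name] = d
	}
	for _, c := range chunks {
		for _, name := range prefilter(dets, c) {
			invoked[name]++
			if byName[name].pat.MatchString(c) {
				found[name]++
			}
		}
	}
	return invoked, found
}

// compare scans with the original keywords, then with the PR's additions.
func compare(name string, orig, added []string, pat *regexp.Regexp) Result {
	run := func(kws []string) (int, int) {
		inv, fnd := scan([]detector{{name, kws, pat}}, sampleChunks)
		return inv[name], fnd[name]
	}
	var r Result
	r.InvokedBefore, r.FoundBefore = run(orig)
	r.InvokedAfter, r.FoundAfter = run(append(append([]string{}, orig...), added...))
	return r
}

// AlgoliaComparison: the added keywords all contain "algolia", so both
// invocation and result counts are unchanged.
func AlgoliaComparison() Result {
	return compare("algolia", []string{"algolia"},
		[]string{"ALGOLIA_API_KEY", "ALGOLIA_APPLICATION_ID", "x-algolia-api-key", "x-algolia-application-id"}, algoliaPat)
}

// MetabaseComparison: "X-API-Key" gates in an unrelated chunk, adding an
// invocation that can never match because the regex needs "metabase".
func MetabaseComparison() Result {
	return compare("metabase", []string{"metabase"},
		[]string{"X-Metabase-Session", "X-API-Key", "METABASE_API_KEY"}, metabasePat)
}

func main() {
	fmt.Printf("algolia  %+v\n", AlgoliaComparison())
	fmt.Printf("metabase %+v\n", MetabaseComparison())
}
```

Running it shows the Algolia counts identical before and after, and Metabase going from one invocation with one result to two invocations with still one result: the extra FromData call is the wasted regex scan the review describes. The same harness can be pointed at any detector's keyword change to check whether it alters the gated chunk set at all before the change is merged.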


Summary
Adds common Algolia environment variable and header names to improve real-world detection coverage:
Motivation
These are standard patterns used in Algolia integrations and are commonly found in real-world codebases. This improves detection reliability without changing core logic.
Risk
Low: only expands keyword matching, no changes to verification or detection logic.
Note
Low Risk
Low risk: only broadens keyword-based prefiltering for these detectors and does not change matching regexes or verification behavior.
Overview
Improves real-world secret discovery by expanding Keywords() prefilter terms for the Algolia Admin Key and Metabase detectors. Algolia now also prefilters on common env var and header names (e.g., ALGOLIA_API_KEY, ALGOLIA_APPLICATION_ID, x-algolia-api-key, x-algolia-application-id), and Metabase adds typical session/API key header/env identifiers (e.g., X-Metabase-Session, X-API-Key, METABASE_API_KEY).