
Added detector for JFrog Artifactory Reference Tokens#4684

Open
shahzadhaider1 wants to merge 4 commits into trufflesecurity:main from shahzadhaider1:INS-263-add-artifactory-reference-token-detector

Conversation

@shahzadhaider1
Contributor

Summary

Adds a new detector for JFrog Artifactory Reference Tokens. Unlike JWT tokens (which start with eyJ), reference tokens are base64-encoded strings with a predictable structure:

reftkn:01:<expiry>:<random_data>

When base64-encoded, this always produces a token starting with cmVmdGtu.

Detection

Regex pattern:

\b(cmVmdGtu[A-Za-z0-9]{56})\b
  • Fixed prefix: cmVmdGtu (8 chars): base64 encoding of "reftkn"
  • Variable suffix: 56 alphanumeric characters
  • Total length: exactly 64 characters

Keyword: cmVmdGtu

Verification

Tokens are verified against the JFrog Access API:

GET https://<host>/access/api/v1/tokens/me
Authorization: Bearer <token>

This endpoint returns token metadata if valid. Available since Artifactory 7.53.1.

Response handling:

Status        Meaning                                          Result
200 + JSON    Valid token                                      Verified
200 + HTML    Invalid subdomain (redirects to login page)      Skip host
403           Valid token, insufficient permissions            Verified
401           Invalid or expired token                         Not verified
404           Endpoint not found (old Artifactory version)     Verification error

References

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint this requires golangci-lint)?
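As an added example, not code from this PR or from the trufflehog repository: a small Go program that applies the regex from the description to scanned text and maps a `/access/api/v1/tokens/me` response onto the outcomes in the table above. `Verify` takes a base URL and an `*http.Client` so it can be run against a local test server; the function names, the `Outcome` type, the 1 MiB body cap, and the way "200 + JSON" is told apart from "200 + HTML" (Content-Type prefix plus `json.Valid`) are this example's own choices, and the sample token is constructed filler, not a real credential.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"regexp"
	"strings"
)

// Detection regex as given in the PR description: the base64 prefix of "reftkn"
// followed by exactly 56 alphanumeric characters (64 characters in total).
var refTokenPat = regexp.MustCompile(`\b(cmVmdGtu[A-Za-z0-9]{56})\b`)

// FindReferenceTokens returns each distinct candidate token found in data,
// in order of first appearance.
func FindReferenceTokens(data string) []string {
	seen := make(map[string]bool)
	var out []string
	for _, m := range refTokenPat.FindAllStringSubmatch(data, -1) {
		if !seen[m[1]] {
			seen[m[1]] = true
			out = append(out, m[1])
		}
	}
	return out
}

// Outcome is the result of one verification attempt, following the PR's table.
type Outcome int

const (
	NotVerified       Outcome = iota // 401: invalid or expired token
	Verified                         // 200 with JSON, or 403 (valid but under-privileged)
	SkipHost                         // 200 with HTML: a login page, not the Access API
	VerificationError                // 404 (pre-7.53.1 Artifactory) or anything unexpected
)

func (o Outcome) String() string {
	return [...]string{"not verified", "verified", "skip host", "verification error"}[o]
}

// Classify maps status code, Content-Type and body of a response from
// GET /access/api/v1/tokens/me to an Outcome. A 200 only counts as verified
// when the body really is JSON; a 200 HTML page is the login redirect target
// described in the PR, so the host is skipped rather than the token trusted.
func Classify(status int, contentType string, body []byte) Outcome {
	switch status {
	case http.StatusOK:
		if strings.HasPrefix(contentType, "application/json") && json.Valid(body) {
			return Verified
		}
		return SkipHost
	case http.StatusForbidden:
		return Verified
	case http.StatusUnauthorized:
		return NotVerified
	default: // includes 404 from an Artifactory without the endpoint
		return VerificationError
	}
}

// Verify sends the bearer token to <baseURL>/access/api/v1/tokens/me and
// classifies the reply. baseURL is "https://<host>" for a real instance;
// a local test server URL works the same way.
func Verify(client *http.Client, baseURL, token string) (Outcome, error) {
	url := strings.TrimRight(baseURL, "/") + "/access/api/v1/tokens/me"
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return VerificationError, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Accept", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return VerificationError, err
	}
	defer resp.Body.Close()
	// Token metadata is small; cap the read so a hostile host cannot stream forever.
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return VerificationError, err
	}
	return Classify(resp.StatusCode, resp.Header.Get("Content-Type"), body), nil
}

func main() {
	// Constructed sample: the "reftkn" prefix plus 56 filler characters, not a real token.
	sample := "cmVmdGtu" + strings.Repeat("A", 56)
	for _, tok := range FindReferenceTokens("export ARTIFACTORY_TOKEN=" + sample) {
		fmt.Println("candidate:", tok[:12]+"...")
	}
	fmt.Println("200 text/html ->", Classify(http.StatusOK, "text/html", []byte("<html>")))
}
```

The `\b` anchors matter: a 65-character alphanumeric run does not match, so a longer secret that happens to start with `cmVmdGtu` is not truncated into a false 64-character hit.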

@shahzadhaider1 shahzadhaider1 requested a review from a team January 21, 2026 08:03
@shahzadhaider1 shahzadhaider1 requested review from a team as code owners January 21, 2026 08:03
Contributor

@mustansir14 mustansir14 left a comment


LGTM.

@shahzadhaider1 shahzadhaider1 changed the title added detector for artifactory reference tokens Added detector for JFrog Artifactory Reference Tokens Jan 21, 2026
@shahzadhaider1 shahzadhaider1 linked an issue Jan 28, 2026 that may be closed by this pull request
@shahzadhaider1 shahzadhaider1 force-pushed the INS-263-add-artifactory-reference-token-detector branch from 1ec9128 to 9ecd554 Compare February 12, 2026 07:29

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


_ detectors.Detector = (*Scanner)(nil)
_ detectors.EndpointCustomizer = (*Scanner)(nil)

defaultClient = common.SaneHttpClient()

HTTP client lacks SSRF protection unlike sibling detector

Medium Severity

The defaultClient uses common.SaneHttpClient(), while the sibling artifactory.go detector (same URL pattern, same endpoint structure) uses detectors.DetectorHttpClientWithNoLocalAddresses. The latter provides two critical properties: it blocks connections to local/private IPs (SSRF protection) and disables automatic redirect following (WithNoFollowRedirects()). Since this detector sends Bearer tokens to URLs derived from scanned content and configured endpoints, matching the sibling detector's SSRF-safe client is important. Additionally, because SaneHttpClient() follows redirects, the comment mentioning "302" in the default case is misleading — a 302 response would never reach that code path in production.
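The kind of client the comment above asks for, written here as an added example and not the project's own `detectors.DetectorHttpClientWithNoLocalAddresses`: the private-address test runs inside `net.Dialer.Control`, which the standard library calls after DNS resolution with the concrete IP, so a hostname that resolves to 127.0.0.1 or 169.254.169.254 is refused as well; `CheckRedirect` returns `http.ErrUseLastResponse`, so a 302 comes back to the caller instead of carrying the bearer token to whatever host the Location header names. Function names, the error value and the timeouts are this example's choices.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

// ErrLocalAddress is returned when a dial would reach a loopback, private,
// link-local or otherwise non-public address.
var ErrLocalAddress = errors.New("refusing to connect to a local or private address")

// IsDisallowedIP reports whether ip is an address a secret scanner must never
// be steered into contacting: loopback, RFC 1918 / ULA private ranges,
// link-local (which covers the 169.254.169.254 cloud metadata endpoint),
// multicast and the unspecified address.
func IsDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// NoFollowRedirects is the CheckRedirect policy that hands the 3xx response
// back to the caller instead of following it, so the verification code sees
// the 302 and the Authorization header never leaves the original host.
func NoFollowRedirects(_ *http.Request, _ []*http.Request) error {
	return http.ErrUseLastResponse
}

// checkDial runs after DNS resolution, on the literal "ip:port" about to be
// connected to, so DNS names pointing at internal addresses are caught too.
func checkDial(_, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil || IsDisallowedIP(ip) {
		return fmt.Errorf("%w: %s", ErrLocalAddress, address)
	}
	return nil
}

// NewNoLocalClient builds an http.Client that refuses local/private
// destinations at dial time, does not follow redirects, and times out.
func NewNoLocalClient() *http.Client {
	dialer := &net.Dialer{
		Timeout:   10 * time.Second,
		KeepAlive: 30 * time.Second,
		Control:   checkDial,
	}
	transport := &http.Transport{
		DialContext:         dialer.DialContext,
		TLSHandshakeTimeout: 10 * time.Second,
		MaxIdleConns:        10,
		IdleConnTimeout:     30 * time.Second,
	}
	return &http.Client{
		Transport:     transport,
		Timeout:       15 * time.Second,
		CheckRedirect: NoFollowRedirects,
	}
}

func main() {
	client := NewNoLocalClient()
	// Nothing needs to be listening: the dial is refused before any packet is sent.
	_, err := client.Get("http://127.0.0.1:8081/access/api/v1/tokens/me")
	fmt.Println("loopback dial:", err)
	for _, s := range []string{"10.0.0.5", "169.254.169.254", "8.8.8.8"} {
		fmt.Println(s, "disallowed:", IsDisallowedIP(net.ParseIP(s)))
	}
}
```

With this client in place, the `302` branch mentioned in the comment becomes reachable: a host that answers the token lookup with a redirect to its login page is reported as such rather than silently turned into a `200 + HTML` after the redirect is followed.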




Development

Successfully merging this pull request may close these issues.

Add support for Artifactory Reference Token

4 participants