Add Rails Master Key detector #5071

Open
deerajcm wants to merge 2 commits into trufflesecurity:main from deerajcm:add-rails-master-key-detector

Conversation

@deerajcm deerajcm commented Jun 24, 2026


What

Adds detector for Rails Master Keys (symmetric encryption keys from Ruby on Rails)

Why

Rails master keys are sensitive encryption keys that should be detected in code repositories

Changes

  • Added detector pattern for 32 or 64 hexadecimal characters
  • Implements verification by validating hex decode to 16 or 32 bytes
  • Registered detector type 1063 in proto
  • Supports both Rails 5.2+ (64 hex chars) and older configs (32 hex chars)

Testing

  • Pattern matching tests pass
  • Verification with real Rails master key returns Verified=true
  • All tests passing

Note

Medium Risk
New credential and encryption-key detection increases scan sensitivity; the Rails hex regex may false-positive on unrelated 32/64-char hex, and Basic Auth findings always surface decoded passwords as unverified secrets.

Overview
Adds two new secret detectors and wires them into the default engine and DetectorType enum (BasicAuth = 1057, RailsMasterKey = 1063).

HTTP Basic Auth matches Authorization / auth headers with a Basic base64 payload, decodes it, and requires a non-empty username:password. Findings are always unverified (no endpoint to validate against) and populate SecretParts plus decoded RawV2.

Rails Master Key matches 32- or 64-character lowercase hex strings (deduped), with optional verification via hex decode length (16 or 32 bytes) and a rotation guide in ExtraData when verified.

Unit tests cover both detectors; Rails also has pattern/verification tests and a detectors-tag integration test scaffold. Note: the Rails integration test still references Scanner{client: ...} while Scanner is an empty struct and verification is local-only—those cases may not compile or match runtime behavior until aligned.

Reviewed by Cursor Bugbot for commit 6a83451. Bugbot is set up for automated code reviews on this repo. Configure here.
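The Basic Auth detector described above is summarized only in prose, so here is an added example of the decode-and-split step, written for this page and not taken from the PR or from TruffleHog. The header regex, the lenient base64 handling and the sample chunk are all assumptions constructed for the example; the one rule worth checking is that the pair is split on the first colon only, since RFC 7617 forbids ':' in the user-id but not in the password.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Assumed header pattern (the PR's exact regex is not on the page): an
// Authorization-style header, the literal "Basic", then a base64-looking token.
var basicPat = regexp.MustCompile(`(?i)\bauthorization\s*[:=]\s*["']?basic\s+([A-Za-z0-9+/=_-]{4,})`)

// BasicCred is one decoded username:password pair.
type BasicCred struct{ Username, Password string }

func b64(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }

// Constructed sample chunk: the second header's password contains a colon and
// the third token has its padding stripped, two cases a naive decoder mishandles.
var basicChunk = strings.Join([]string{
	"Authorization: Basic " + b64("user:password"),
	"# authorization = 'basic " + b64("admin:p4ss:w0rd") + "'",
	"Authorization: Basic " + strings.TrimRight(b64("ops:no-pad"), "="),
	"Authorization: Basic " + b64(":nouser"),      // empty username -> dropped
	"Authorization: Basic " + b64("usernameonly"), // no colon -> dropped
	"Authorization: Basic !!!!notbase64",          // never matched by the pattern
}, "\n")

// decodePayload accepts the standard or URL-safe alphabet, padded or not,
// which covers the variants seen in config files and shell snippets.
func decodePayload(tok string) ([]byte, bool) {
	tok = strings.TrimRight(tok, "=")
	if b, err := base64.RawStdEncoding.DecodeString(tok); err == nil {
		return b, true
	}
	b, err := base64.RawURLEncoding.DecodeString(tok)
	return b, err == nil
}

// printable rejects decoded bytes containing control characters, a sign the
// token was binary rather than a user:password string.
func printable(b []byte) bool {
	for _, c := range b {
		if c < 0x20 || c == 0x7f {
			return false
		}
	}
	return true
}

// FindBasicAuth extracts username:password pairs, splitting on the FIRST colon,
// and drops decoded payloads with an empty username or no colon at all.
func FindBasicAuth(chunk string) []BasicCred {
	var out []BasicCred
	seen := map[string]bool{}
	for _, m := range basicPat.FindAllStringSubmatch(chunk, -1) {
		raw, ok := decodePayload(m[1])
		if !ok || !printable(raw) {
			continue
		}
		user, pass, found := strings.Cut(string(raw), ":")
		if !found || user == "" || seen[string(raw)] {
			continue
		}
		seen[string(raw)] = true
		out = append(out, BasicCred{user, pass})
	}
	return out
}

func main() {
	for _, c := range FindBasicAuth(basicChunk) {
		fmt.Printf("user=%q pass=%q\n", c.Username, c.Password)
	}
}
```

Findings from this decoder are still unverified, as the summary says: a Basic header names no endpoint to try the credential against, so the only honest status is "decoded, not verified".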

Deeraj CM and others added 2 commits June 24, 2026 10:12
Add detector for HTTP Basic Authentication tokens (BSCAU002).
Detects Authorization: Basic <base64> patterns and decodes them
to extract username:password credentials.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Implements detection and verification for Rails master keys used to encrypt
credentials in Ruby on Rails applications (version 5.2+).

- Pattern: 32 or 64 hexadecimal characters (16 or 32 bytes)
- Verification: Validates hex decoding to correct byte lengths
- Keywords: "master", "key", "rails", "secret", "credential"

Rails master keys are symmetric encryption keys (not API keys), so verification
checks structural validity rather than calling an external API.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@deerajcm deerajcm requested a review from a team June 24, 2026 05:14
@deerajcm deerajcm requested review from a team as code owners June 24, 2026 05:14
@CLAassistant


CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


Deeraj CM seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.



// Rails master keys are 16 bytes (32 hex) or 32 bytes (64 hex) when decoded
return len(decoded) == 16 || len(decoded) == 32
}


Tautological verification always returns true for matches

High Severity

verifyRailsMasterKey always returns true for any regex match, making Verified meaningless. The regex ([0-9a-f]{64}|[0-9a-f]{32}) already guarantees the match is exactly 32 or 64 lowercase hex characters, so the length check, hex.DecodeString, and decoded-length check in the function are all tautologically satisfied. Every other detector in the codebase performs actual external verification (e.g., HTTP API calls). Here, any hex string (MD5 hashes, SHA-256 hashes, etc.) near keywords like "key" or "secret" will be reported as a verified Rails master key.

Additional Locations (1)

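The tautology Bugbot flags can be shown directly and contrasted with a check that an arbitrary digest cannot pass. The following is an added example written for this page, not code from this PR or from TruffleHog: it assumes the quoted alternation with `\b` anchors, reconstructs the structural check from the review's description, and builds a constructed fixture in the `ciphertext--iv--tag` layout that ActiveSupport::MessageEncryptor writes for `credentials.yml.enc` under aes-128-gcm (the serialized payload inside is not parsed; only the GCM tag is checked). The scan chunk and the key are constructed sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// The alternation quoted in the review; the \b anchors are an assumption.
var keyPat = regexp.MustCompile(`\b([0-9a-f]{64}|[0-9a-f]{32})\b`)

// Constructed scan chunk: one Rails-style key plus the MD5 and SHA-256 digests
// of "hello", all next to the keywords the detector keys on ("key", "secret").
const railsChunk = `RAILS_MASTER_KEY=0123456789abcdef0123456789abcdef
# secret key checksum: 5d41402abc4b2a76b9719d911017c592
asset secret sha256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
`

// Matches returns the deduplicated candidates the pattern finds in a chunk.
func Matches(chunk string) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range keyPat.FindAllString(chunk, -1) {
		if !seen[m] {
			seen[m] = true
			out = append(out, m)
		}
	}
	return out
}

// StructuralVerify reconstructs the check the review describes (length gate,
// hex.DecodeString, decoded-length gate). Every regex match already satisfies
// all three, so the function cannot return false for a candidate.
func StructuralVerify(candidate string) bool {
	if len(candidate) != 32 && len(candidate) != 64 {
		return false
	}
	decoded, err := hex.DecodeString(candidate)
	if err != nil {
		return false
	}
	return len(decoded) == 16 || len(decoded) == 32
}

// RailsEncrypt builds a blob in the credentials.yml.enc layout, aes-128-gcm:
// base64(ciphertext)--base64(iv)--base64(auth_tag). It exists only to build
// the fixture; a scanner would read the real file from the repository.
func RailsEncrypt(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, iv, plaintext, nil) // Go appends the tag to the ciphertext
	split := len(sealed) - gcm.Overhead()
	e := base64.StdEncoding.EncodeToString
	return e(sealed[:split]) + "--" + e(iv) + "--" + e(sealed[split:]), nil
}

// CryptoVerify is a non-tautological check: the candidate is accepted only if
// it authenticates the encrypted blob. A digest that merely looks like a key
// fails the GCM tag check; a 64-hex value is the wrong size for aes-128-gcm.
func CryptoVerify(candidate, blob string) (bool, error) {
	key, err := hex.DecodeString(candidate)
	if err != nil || len(key) != 16 {
		return false, nil
	}
	parts := strings.Split(blob, "--")
	if len(parts) != 3 {
		return false, fmt.Errorf("blob is not ciphertext--iv--tag")
	}
	var raw [3][]byte
	for i, p := range parts {
		if raw[i], err = base64.StdEncoding.DecodeString(p); err != nil {
			return false, err
		}
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil || len(raw[1]) != gcm.NonceSize() {
		return false, err
	}
	_, err = gcm.Open(nil, raw[1], append(raw[0], raw[2]...), nil)
	return err == nil, nil
}

func main() {
	rawKey, _ := hex.DecodeString("0123456789abcdef0123456789abcdef")
	blob, err := RailsEncrypt(rawKey, []byte("secret_key_base: constructed\n"))
	if err != nil {
		panic(err)
	}
	for _, c := range Matches(railsChunk) {
		ok, _ := CryptoVerify(c, blob)
		fmt.Printf("%s... structural=%v crypto=%v\n", c[:8], StructuralVerify(c), ok)
	}
}
```

A detector only sees one chunk, so a check like CryptoVerify is possible only when the scanner can pair the candidate with the repository's encrypted credentials file; without that, reporting the match as unverified is the accurate status, which is what the summary says the Basic Auth detector already does.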



2 participants