mirror of
https://github.com/garrytan/gstack.git
synced 2026-06-17 15:20:11 +02:00
7f9a9a9dff
openai.key (HIGH/block) used /\b(sk-(?:proj-)?[A-Za-z0-9]{32,})\b/, which stops
at the first - or _ in the body. Modern OpenAI project/service-account/admin keys
use base64url bodies containing - and _, so they never reached the 32-char run and
produced ZERO findings — a HIGH credential failing open through /spec, /ship, /cso,
and /document-*.
Replace with explicit alternation, bare vs prefixed (not a globally-optional prefix,
which would match malformed sk--... or separator-less sk-projabc...):
sk-{proj,svcacct,admin}- + [A-Za-z0-9_-]{20,} | sk-[A-Za-z0-9]{32,} (legacy)
Tests: the three previously-missed shapes now block; FP guards pin that hyphenated
prose and malformed sk- strings do NOT match (HIGH tier blocks, so calibration matters).
Reported by @jbetala7.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
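The regex change described above, reproduced as an added example (this is not gstack's own scanner code). `OPENAI_KEY_OLD` and `OPENAI_KEY_NEW` are the before/after patterns quoted in the commit message; `OPENAI_KEY_LOOSE` is an assumed reconstruction of the rejected "globally-optional prefix" alternative so the two malformed shapes can be shown slipping through it. All key-shaped strings are synthetic, constructed only to follow the shapes the message describes, and the `findKeys`/`scan` helpers are hypothetical names for this example.

```javascript
// Added example, not gstack's own code. Before: optional "proj-" prefix and an
// alphanumeric-only body of 32+ chars. The run stops at the first '-' or '_'
// of a base64url body, so modern prefixed keys never reach 32 chars.
const OPENAI_KEY_OLD = /\b(sk-(?:proj-)?[A-Za-z0-9]{32,})\b/g;

// After: explicit alternation. Prefixed shapes must carry the separator and may
// use a base64url body; the bare legacy shape keeps the alphanumeric 32+ run.
const OPENAI_KEY_NEW =
  /\b(sk-(?:proj|svcacct|admin)-[A-Za-z0-9_-]{20,}|sk-[A-Za-z0-9]{32,})\b/g;

// Assumed reconstruction of the rejected alternative: one globally-optional
// prefix group in front of a base64url body. It accepts "sk--..." and the
// separator-less "sk-projabc..." because the body alone satisfies it.
const OPENAI_KEY_LOOSE =
  /\b(sk-(?:(?:proj|svcacct|admin)-)?[A-Za-z0-9_-]{20,})\b/g;

// Return every captured key in `text` for a given global pattern.
function findKeys(text, pattern) {
  pattern.lastIndex = 0; // patterns are global and reused across calls
  return [...text.matchAll(pattern)].map((m) => m[1]);
}

// Constructed samples: synthetic, key-shaped strings, not real credentials.
const SAMPLES = {
  legacy: 'sk-' + 'A1b2C3d4'.repeat(6),                 // 48 alphanumerics
  project: 'sk-proj-Ab_Cd-Ef_Gh-Ij_Kl-Mn_Op-Qr_St-Uv',  // body has - and _
  svcacct: 'sk-svcacct-Zy_Xw-Vu_Ts-Rq_Po-Nm_Lk-Ji_Hg',
  admin: 'sk-admin-Qq_Ww-Ee_Rr-Tt_Yy-Uu_Ii-Oo_Pp',
  prose: 'the task-based check and the risk-aware flag are fine',
  doubleDash: 'sk--AbCdEfGhIjKlMnOpQrStUvWxYz01',        // malformed sk--
  noSep: 'sk-projAbCdEfGhIjKlMnOpQrSt',                  // 24 alnum, no "-" after proj
};

// Map each sample name to whether `pattern` reports a finding in it.
function scan(pattern) {
  const hits = {};
  for (const [name, text] of Object.entries(SAMPLES)) {
    hits[name] = findKeys(text, pattern).length > 0;
  }
  return hits;
}

// Side-by-side calibration table for the three patterns.
function calibrationTable() {
  return {
    old: scan(OPENAI_KEY_OLD),
    new: scan(OPENAI_KEY_NEW),
    loose: scan(OPENAI_KEY_LOOSE),
  };
}

console.table(calibrationTable());
```

Run it and the table shows the three failure rows the commit fixes (`project`, `svcacct`, `admin` are `false` under `old`, `true` under `new`), the FP guards holding under `new` (`prose`, `doubleDash`, `noSep` all `false`), and why the optional-prefix variant was rejected (`doubleDash` and `noSep` both `true` under `loose`).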