[INS-243] Fix jdbc detector detecting incomplete connection string and fixed invalid… #4636
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… parsing of sql server string
kashifkhan0771
approved these changes
Jan 1, 2026
amanfcp
approved these changes
Jan 5, 2026
nabeelalam
approved these changes
Jan 7, 2026
Contributor
nabeelalam
left a comment
nabeelalam
left a comment
There was a problem hiding this comment.
Looks good @MuneebUllahKhan222. Could you update this branch?
MuneebUllahKhan222
force-pushed
the
jdbc-detector-regex-fix
branch
from
2a1bc2f to
86c8d22
Compare
* [INS-165] Fix Jdbc tests and updated the deprecated code * Remove commented-out typo from sqlserver test
MuneebUllahKhan222
force-pushed
the
jdbc-detector-regex-fix
branch
from
86c8d22 to
daa94b1
Compare
MuneebUllahKhan222
force-pushed
the
jdbc-detector-regex-fix
branch
from
f13722a to
30b4660
Compare
camgunz
approved these changes
Jan 15, 2026
Contributor
camgunz
left a comment
camgunz
left a comment
There was a problem hiding this comment.
Just a couple non-blocking Qs; feel free to merge 👍🏻
| var ( | ||
| keyPat = regexp.MustCompile(`(?i)jdbc:[\w]{3,10}:[^\s"'<>,(){}[\]&]{10,512}`) | ||
| // Matches typical JDBC connection strings amd ingores any special character at the end | ||
| keyPat = regexp.MustCompile(`(?i)jdbc:[\w]{3,10}:[^\s"'<>,{}[\]]{10,511}[A-Za-z0-9]`) |
Contributor
There was a problem hiding this comment.
question: This changed from "{10,512}" to "{10,511}". Should it be "{9,511}"?
Contributor
Author
There was a problem hiding this comment.
No it should be {10,511} as we don't want to change the minimum number of characters that can occur.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
Earlier, we found that the JDBC detector was missing certain valid connection strings, which led to unverified secrets in scans:
Connection strings with query parameters (e.g., ?user=...&password=...) were not matched by the regex.
JDBC URLs containing parentheses (e.g.,
jdbc:mysql://testuser:testpassword@tcp(localhost:1521)/testdb) were also not matched.The
ParseSqlServermethod failed to correctly extract host and port from strings with a driver prefix like//odbc:server=localhost;port=1433;database=testdb;password=testpassword.This PR fixes these issues by:
Updating the JDBC regex to allow query parameters and parentheses inside the connection string while still preventing trailing special characters.
Enhancing
ParseSqlServerto correctly handle connection strings with optional driver prefixes like odbc: and extract host and port reliably.Checklist:
make test-community)?make lintthis requires golangci-lint)?