
fix(detectors/azureappconfigconnectionstring): allow hyphen and colon in Id #4959

Open
ChrisJr404 wants to merge 1 commit into trufflesecurity:main from ChrisJr404:fix-azure-appconfig-detector-id-charclass

Conversation


ChrisJr404 commented May 12, 2026

Summary

The AzureAppConfigConnectionString detector misses real Azure-issued connection strings because the Id capture group only allows the base64 alphabet. Azure's documented connection-string format is

Endpoint=https://<store>.azconfig.io;Id=<prefix>:<base64>;Secret=<base64>

where <prefix> is a short identifier that can contain letters, digits, and hyphens, joined to the base64 portion with a colon. See Microsoft's docs on the connection-string shape and on rotating access keys, both of which show the prefix:base64 form for Id:

The current regex is

Endpoint=(https:\/\/[a-zA-Z0-9-]+\.azconfig\.io);Id=([a-zA-Z0-9+\/=]+);Secret=([a-zA-Z0-9+\/=]+)

The colon separator alone is enough to break the match, and any hyphen inside the prefix breaks it too. Both happen on every store created in the portal or via az appconfig credential list.

Fix

Add : and - to the Id character class. The Endpoint host class already permits hyphens, the Secret is unchanged, and no other detector calls were affected.

-Endpoint=(https:\/\/[a-zA-Z0-9-]+\.azconfig\.io);Id=([a-zA-Z0-9+\/=]+);Secret=([a-zA-Z0-9+\/=]+)
+Endpoint=(https:\/\/[a-zA-Z0-9-]+\.azconfig\.io);Id=([a-zA-Z0-9+\/=:-]+);Secret=([a-zA-Z0-9+\/=]+)

Test plan

  • Added a new subtest valid pattern - id with prefix and hyphen to azureappconfigconnectionstring_test.go that feeds a real-shape Id=abcd-l0:u+DeEXamPleIdValue== connection string.
  • go test ./pkg/detectors/azureappconfigconnectionstring/... passes all four subtests.
  • Manually verified that the new subtest fails before the regex change and passes after it, so the test exercises the bug.

Closes #4955
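As an added example (not code from this PR or from the trufflehog repository), both regexes quoted in the description compiled with Go's regexp and run over two constructed connection strings: one with the documented prefix:base64 Id shape and one with a bare base64 Id. The store name and secret are placeholders, not real credentials.

```go
package main

import (
	"fmt"
	"regexp"
)

// The detector regex as quoted in the PR, before and after the fix.
var (
	oldPat = regexp.MustCompile(`Endpoint=(https:\/\/[a-zA-Z0-9-]+\.azconfig\.io);Id=([a-zA-Z0-9+\/=]+);Secret=([a-zA-Z0-9+\/=]+)`)
	newPat = regexp.MustCompile(`Endpoint=(https:\/\/[a-zA-Z0-9-]+\.azconfig\.io);Id=([a-zA-Z0-9+\/=:-]+);Secret=([a-zA-Z0-9+\/=]+)`)
)

// Match holds the three capture groups of a matched connection string.
type Match struct {
	Endpoint, ID, Secret string
}

// extract runs pat over data and returns the captured groups; ok is false
// when the pattern finds no connection string at all.
func extract(pat *regexp.Regexp, data string) (m Match, ok bool) {
	sub := pat.FindStringSubmatch(data)
	if sub == nil {
		return Match{}, false
	}
	return Match{Endpoint: sub[1], ID: sub[2], Secret: sub[3]}, true
}

// Constructed samples (placeholder store name and secret, not real credentials):
// prefixedID uses the <prefix>:<base64> Id shape described in the PR,
// plainID uses a bare base64 Id that the old regex already accepted.
const (
	prefixedID = "Endpoint=https://example-store.azconfig.io;Id=abcd-l0:u+DeEXamPleIdValue==;Secret=Zm9vYmFyYmF6cXV4"
	plainID    = "Endpoint=https://example-store.azconfig.io;Id=u+DeEXamPleIdValue==;Secret=Zm9vYmFyYmF6cXV4"
)

func main() {
	pats := []struct {
		name string
		pat  *regexp.Regexp
	}{{"old", oldPat}, {"new", newPat}}
	for _, s := range []string{prefixedID, plainID} {
		for _, p := range pats {
			if m, ok := extract(p.pat, s); ok {
				fmt.Printf("%s pattern: Id=%q\n", p.name, m.ID)
			} else {
				fmt.Printf("%s pattern: no match\n", p.name)
			}
		}
	}
}
```

The old pattern stops at the first hyphen in the prefixed Id and never reaches `;Secret=`, so it reports no match, while both patterns still accept the bare base64 Id.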


Note

Low Risk: a small regex broadening plus a new unit test; behavior change is limited to matching more valid Azure App Config connection strings.

Overview
Improves AzureAppConfigConnectionString detection by widening the Id capture group in connectionStringPat to accept - and : (matching Azure’s prefix:base64 Id format).

Adds a new pattern test case covering an Id with a hyphenated prefix and colon separator to prevent regressions.

Reviewed by Cursor Bugbot for commit b7793ac. Bugbot is set up for automated code reviews on this repo.

… in Id

Real Azure-issued App Configuration connection strings have an Id of
the form <prefix>:<base64>, where the prefix can contain letters,
digits, and hyphens. The existing character class [a-zA-Z0-9+/=] only
covered the base64 alphabet, so the colon separator and any hyphen
caused legitimate connection strings to be skipped by the detector.

Expand the Id character class to also accept ':' and '-'. The Endpoint
and Secret groups are unchanged. A regression test using a prefixed
hyphen+colon Id is added.

Closes trufflesecurity#4955

Signed-off-by: ChrisJr404 <chris@hacknow.com>
ChrisJr404 requested a review from a team May 12, 2026 13:33
ChrisJr404 requested a review from a team as a code owner May 12, 2026 13:33

Development

Successfully merging this pull request may close these issues: Azure App Configuration not detected
