From: maximiliancw Date: Fri, 9 Jan 2026 16:10:15 +0000 (+0100) Subject: Refine bearer token and JWT token detection patterns to enforce minimum character... X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=f7e0b5fc74e5f14cdbad5020f969ce98c313121c;p=sgasser-llm-shield.git Refine bearer token and JWT token detection patterns to enforce minimum character requirements; Updated tests to reflect changes in bearer token format
---
diff --git a/src/secrets/detect.test.ts b/src/secrets/detect.test.ts
index 18ba9fc..8347123 100644
--- a/src/secrets/detect.test.ts
+++ b/src/secrets/detect.test.ts
@@ -319,7 +319,7 @@ describe("detectSecrets - Bearer Tokens", () => {
 });
 test("detects bearer token (lowercase)", () => {
- const text = "bearer abcdefghijklmnopqrstuvwxyz1234567890";
+ const text = "bearer abcdefghijklmnopqrstuvwxyz1234567890ABCD";
 const result = detectSecrets(text, bearerConfig);
 expect(result.detected).toBe(true);
 expect(result.matches[0].type).toBe("BEARER_TOKEN");
diff --git a/src/secrets/detect.ts b/src/secrets/detect.ts
index 73fdc8e..59c0390 100644
--- a/src/secrets/detect.ts
+++ b/src/secrets/detect.ts
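Review bot: The test change only lengthens the fixture to clear the raised 40-character floor; nothing in the suite asserts the new rejection behaviour, so a bearer token of 20–39 characters is neither pinned as ignored nor as detected and a later revert of the threshold would go unnoticed. Add a negative case next to this one, e.g. `test("ignores bearer tokens shorter than 40 chars", () => { expect(detectSecrets("Bearer abcdefghijklmnopqrstuvwxyz123", bearerConfig).detected).toBe(false); });`, and a positive JWT case built from a realistic three-segment token so the new per-segment `{20,}` floors are exercised too. The enclosing `describe("detectSecrets - Bearer Tokens")` block starts before this hunk.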
@@ -184,16 +184,16 @@ export function detectSecrets(
 }
 // JWT tokens: three base64url segments separated by dots
- // Header starts with eyJ (base64 for {"...)
+ // Header starts with eyJ (base64 for {"...), minimum 20 chars per segment
 if (entitiesToDetect.has("JWT_TOKEN")) {
- const jwtPattern = /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]+/g;
+ const jwtPattern = /eyJ[a-zA-Z0-9_-]{20,}\.eyJ[a-zA-Z0-9_-]{20,}\.[a-zA-Z0-9_-]{20,}/g;
 detectPattern(textToScan, jwtPattern, "JWT_TOKEN", matches, redactions);
 }
 // Bearer tokens in Authorization-style contexts
- // Matches "Bearer " followed by a token (at least 20 chars)
+ // Matches "Bearer " followed by a token (at least 40 chars to reduce placeholder matches)
 if (entitiesToDetect.has("BEARER_TOKEN")) {
- const bearerPattern = /Bearer\s+[a-zA-Z0-9._-]{20,}/gi;
+ const bearerPattern = /Bearer\s+[a-zA-Z0-9._-]{40,}/gi;
 detectPattern(textToScan, bearerPattern, "BEARER_TOKEN", matches, redactions);
 }
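Review bot: The `{20,}` floor on the JWT header segment in the new `jwtPattern` rejects real tokens whose header is minimal: `{"alg":"HS256"}` base64url-encodes to `eyJhbGciOiJIUzI1NiJ9`, leaving only 17 characters after the `eyJ` prefix, and `{"alg":"none"}` (`eyJhbGciOiJub25lIn0`) is shorter still, so exactly the tokens most relevant to an algorithm-confusion finding now pass the scanner unredacted. Keep the floor on the payload and signature segments and relax only the header to the shortest plausible encoding, e.g. `const jwtPattern = /eyJ[a-zA-Z0-9_-]{10,}\.eyJ[a-zA-Z0-9_-]{20,}\.[a-zA-Z0-9_-]{20,}/g;`. The bearer floor of 40 trades recall the same way — 32-character hex or opaque API tokens sent as `Bearer …` are no longer matched — so if the motivation is placeholder noise, a negative lookahead for obvious dummies, e.g. `const bearerPattern = /Bearer\s+(?![xX]{20,}\b)[a-zA-Z0-9._-]{20,}/gi;`, keeps the 20-character threshold; I can't see which placeholders prompted the change, so the exact exclusion list needs confirming against them. `detectSecrets` begins before this hunk.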