Description
Please review the Community Note before submitting
Note: This issue description contains example false positives. When scanned with TruffleHog 3.92.4, you will see a false positive detection for a URL slug pattern.
TruffleHog Version
3.92.4
Trace Output
Not applicable - this is a false positive issue, not a crash or error. The detector is working but producing incorrect results.
Expected Behavior
The Metabase detector should not flag URL slugs, path identifiers, or descriptive strings as potential session tokens. It should only detect actual Metabase session tokens, which are typically:
- Random alphanumeric strings (not descriptive words)
- Do not start with hyphens (hyphens are common in URL slugs)
- Have mixed case and/or digits (not just lowercase letters)
- Are not part of URL paths or query parameters
Actual Behavior
The Metabase detector flags any 36-character alphanumeric string (including hyphens) near the keyword "metabase" and a URL as a potential session token, including:
- URL slugs in Metabase query URLs (e.g., `-journal-deduplication-id-to-voucher` from `question/12345-journal-deduplication-id-to-voucher`)
- Path identifiers in URLs
- Descriptive strings that happen to be 36 characters
Example False Positive:

```json
{
  "description": "Jobs to populate voucher order numbers as reference IDs in payment gateway journal entries. The CSV files used were exported from this Metabase query - https://metabase.example.com/question/12345-journal-deduplication-id-to-voucher?partition_key=202501"
}
```

Detected: `-journal-deduplication-id-to-voucher` (36 chars). This is a URL slug/identifier, not a Metabase session token.
Note: The example above uses dummy data. Real Metabase session tokens are random alphanumeric strings, not descriptive URL slugs.
Steps to Reproduce
- Create a file `test_metabase_false_positive.json` with the following content:

```json
{
  "description": "Jobs to populate voucher order numbers as reference IDs in payment gateway journal entries. The CSV files used were exported from this Metabase query - https://metabase.example.com/question/12345-journal-deduplication-id-to-voucher?partition_key=202501"
}
```

- Run:

```shell
trufflehog filesystem --no-update test_metabase_false_positive.json
```

- Observe 1 false positive detection: `-journal-deduplication-id-to-voucher`

Expected Output: When scanned with TruffleHog 3.92.4, this file will trigger 1 false positive detection:
- ❌ `-journal-deduplication-id-to-voucher` - URL slug substring (should be filtered)
This issue description file itself will trigger the false positive detection when scanned, demonstrating the problem in real-time.
Environment
- OS: macOS
- Version: 3.92.4
Additional Context
The detector currently uses this pattern:
```go
keyPat = regexp.MustCompile(detectors.PrefixRegex([]string{"metabase"}) + `\b([a-zA-Z0-9-]{36})\b`)
```

This pattern is too broad and matches URL slugs, path identifiers, and descriptive strings that happen to be 36 characters and appear near "metabase" and a URL.
Proposed Solution:
Add false positive filters to exclude:
- URL slugs - Strings starting with hyphens that are part of URL paths
- Descriptive strings - Readable words (like "journal", "deduplication", "voucher") that appear in URL slugs but not in random tokens
- Slug patterns - Strings with many hyphens and only lowercase letters (descriptive slug pattern vs random token pattern)
Expected Outcome After Fix:
- ✅ `-journal-deduplication-id-to-voucher` → Filtered (URL slug pattern, descriptive string)
- ✅ Real Metabase session tokens with random alphanumeric strings → Still detected
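The following is an added, self-contained Go example (not TruffleHog's code and not a patch to it) that reproduces the over-broad match described under Additional Context and then applies the filters listed under Proposed Solution to it. `keywordPrefix` is an assumed stand-in for `detectors.PrefixRegex` (a case-insensitive keyword followed by at most 40 characters); `looksLikeSlug` implements the issue's two heuristics, leading hyphen and all-lowercase-letters-and-hyphens, as stated, not any fix the project has adopted. The description text and the 36-character token in `main` are constructed inputs.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleDescription is the constructed input from the issue: the slug
// "-journal-deduplication-id-to-voucher" sits within 40 characters of
// the word "metabase" in the URL host.
const sampleDescription = `{
  "description": "Jobs to populate voucher order numbers as reference IDs in payment gateway journal entries. The CSV files used were exported from this Metabase query - https://metabase.example.com/question/12345-journal-deduplication-id-to-voucher?partition_key=202501"
}`

// keywordPrefix stands in for detectors.PrefixRegex: a case-insensitive
// keyword followed lazily by at most 40 arbitrary characters. This is an
// assumption about the helper's shape, not a copy of the project's code.
func keywordPrefix(keywords []string) string {
	return `(?i:` + strings.Join(keywords, "|") + `)(?:.|[\n\r]){0,40}?`
}

// keyPat is the pattern quoted in the issue.
var keyPat = regexp.MustCompile(keywordPrefix([]string{"metabase"}) + `\b([a-zA-Z0-9-]{36})\b`)

// extractCandidates returns every capture the current pattern yields,
// before any false-positive filtering.
func extractCandidates(text string) []string {
	var out []string
	for _, m := range keyPat.FindAllStringSubmatch(text, -1) {
		out = append(out, m[1])
	}
	return out
}

// looksLikeSlug applies the two heuristics proposed in the issue:
//   - a candidate that starts with a hyphen is a fragment of a URL path;
//   - a candidate with no digit and no uppercase letter (only lowercase
//     letters and hyphens) reads as a descriptive slug, not a random token.
func looksLikeSlug(candidate string) bool {
	if strings.HasPrefix(candidate, "-") {
		return true
	}
	for _, r := range candidate {
		if (r >= '0' && r <= '9') || (r >= 'A' && r <= 'Z') {
			return false // has the digits/mixed case the issue expects of a real token
		}
	}
	return true
}

// detect runs the current pattern and drops candidates the slug filter
// rejects, returning only the values that would still be reported.
func detect(text string) []string {
	var kept []string
	for _, c := range extractCandidates(text) {
		if !looksLikeSlug(c) {
			kept = append(kept, c)
		}
	}
	return kept
}

func main() {
	fmt.Println("raw matches:     ", extractCandidates(sampleDescription))
	fmt.Println("after filtering: ", detect(sampleDescription))

	// Constructed 36-character value in the shape the regex accepts, with
	// digits mixed in; the filter must keep it.
	token := "d2f7c1a8-3b9e-4c6f-8a1d-5e2b7f9c0a3e"
	fmt.Println("token kept:      ", detect("X-Metabase-Session: "+token))
}
```

Running it shows the slug as the only raw match on the sample description, an empty result after filtering, and the constructed token surviving the filter. The filter encodes the heuristics exactly as the issue states them; any candidate containing a digit or an uppercase letter passes through unchanged.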
Impact:
- Creates noise in scan results
- Requires manual review and filtering
- Reduces trust in the detector's accuracy
- Wastes verification API calls
References
- None