Curl Username Password
Description
General
The curl_username_password detector catches curl CLI invocations that embed basic-auth credentials via -u/--user as username:password, such as:
curl -u admin:abc123 https://192.12.8.1:9200/_cluster/health
Because curl commands are very common in codebases and docs, this detector relies on a strict matcher (CLI option parsing) plus multiple post-validation layers to reduce false positives.
Specifications
This detector focuses on a single pattern:
- The command must be curl
- The credentials must be provided through -u or --user
- The option value must match username:password, where username is [a-zA-Z0-9._%+-]{4,150} and password is [a-zA-Z0-9!#$%&*+/?@=^_`~.>-]{4,128}
The two captured groups are referred to as username and password.
Revoke the secret
This detector catches generic credentials used with curl, so GitGuardian cannot infer which service they authenticate to. To revoke:
- Identify the target service from the URL and the context around the curl command.
- Rotate/revoke the impacted account credentials in that service.
- Update any scripts, CI variables, docs, or samples to use safer auth (tokens, vault-managed secrets, or interactive prompting).
Examples
Examples that WILL be caught
- text: |
    curl -k -v -u 'svc_application:AreO42JJ5JY5LFDSa5OU' --upload-file abc.tar.gz https://prd-nexus/repository/application-raw/abc.tar.gz
  username: svc_application
  password: AreO42JJ5JY5LFDSa5OU
- text: |
    curl -s -T index.html "ftp://f31-preview.eohost.com" --user "4689449_GASSANT:abc123"
  username: 4689449_GASSANT
  password: abc123
Examples that WILL NOT be caught
- Missing curl keyword or missing -u/--user
  http --auth admin:abc123 GET https://example.com
- Too-short values (username/password must be at least 4 chars)
  curl -u adm:abc https://example.com
- Values filtered by common/banlisted patterns (see PostValidators)
  curl -u user:[password] https://example.com
  curl -u default:env.pw https://example.com
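The matcher and validator chain described in the Specifications and Examples sections can be approximated in a few dozen lines. The following Python is an added example written for this page, not GitGuardian's detection engine or any part of its code base: it tokenizes each line with shlex, extracts the value passed to -u/--user (separate, attached and --user= forms), applies the page's option regex, and then runs a subset of the page's post-validators (a handful of the ValueBanlist patterns, the ContextWindowBanlist words over a 40-character left window, and the entropy threshold). The Common*Banlist and DictFilter validators are list-backed and are omitted; the assumption that banlist patterns are matched case-insensitively is inferred from the (?-i:...) inline flag on the page and is marked in the code. The sample text is constructed from the page's own examples plus two extra lines that exercise the context window and the --user= form.

```python
"""Simplified curl -u/--user credential detector (added example, not GitGuardian's engine)."""
import re
import shlex
from collections import Counter
from math import log2

# Option regex copied from the detector specification on the page.
OPTION_RE = re.compile(
    r"(?P<username>[a-zA-Z0-9._%+-]{4,150}):"
    r"(?P<password>[a-zA-Z0-9!#$%&*+/?@=^_`~.>-]{4,128})"
)

# A subset of the page's ValueBanlistPostValidator patterns. Assumption: the
# banlists are applied case-insensitively (suggested by the (?-i:...) flag on
# the page's password AssignmentBanlist pattern).
USERNAME_BANLIST = [re.compile(p, re.I) for p in (
    r"^none", r"1234", r"^null", r"^empty", r"^user", r"pass", r"^root",
    r"test", r"sample", r"dummy", r"^[_.-]", r"[_.-]$",
)]
PASSWORD_BANLIST = [re.compile(p, re.I) for p in (
    r"^\$[a-z]{3}", r"^(-{2,4})[a-zA-Z_-]+\1$", r"redacted", r"^none", r"^null",
    r"pass", r"test", r"1234", r"^#", r"^vault", r"^-*$", r"^[^a-z0-9]+$",
    r"^%.+%$", r"^env\.[A-Za-z_]*$",
)]
# ContextWindowBanlistPostValidator: words in the 40 chars to the left of the
# value that mark it as an error message or a default rather than a secret.
CONTEXT_BANLIST = {"username": ("default", "error", "invalid"),
                   "password": ("error", "invalid")}
WINDOW_WIDTH = 40
MIN_ENTROPY = 1.0  # EntropyPostValidator threshold from the page

# Constructed sample: the page's examples plus a context-window case and a --user= case.
SAMPLE_TEXT = "\n".join([
    "curl -k -v -u 'svc_application:AreO42JJ5JY5LFDSa5OU' --upload-file abc.tar.gz https://prd-nexus/repository/application-raw/abc.tar.gz",
    'curl -s -T index.html "ftp://f31-preview.eohost.com" --user "4689449_GASSANT:abc123"',
    "http --auth admin:abc123 GET https://example.com",        # no curl keyword
    "curl -u adm:abc https://example.com",                      # too short
    "curl -u user:[password] https://example.com",              # '[' not allowed by regex
    "curl -u default:env.pw https://example.com",               # password banlisted (^env\\.)
    "echo invalid; curl -u deploy_bot:Zx9qLm2pWv https://ci.example/health",  # 'invalid' in left window
    "curl --user=ops_admin:Kq7mT2vX https://internal.example/health",          # --user= form
])


def shannon_entropy(value: str) -> float:
    """Shannon entropy of the string in bits per character."""
    n = len(value)
    return -sum(c / n * log2(c / n) for c in Counter(value).values())


def option_values(tokens: list[str]) -> list[str]:
    """Return every value passed to -u/--user after the first 'curl' token."""
    if "curl" not in tokens:
        return []
    args = tokens[tokens.index("curl") + 1:]
    values, i = [], 0
    while i < len(args):
        tok = args[i]
        if tok in ("-u", "--user") and i + 1 < len(args):
            values.append(args[i + 1])
            i += 2
            continue
        if tok.startswith("--user="):
            values.append(tok[len("--user="):])
        elif tok.startswith("-u") and len(tok) > 2 and not tok.startswith("--"):
            values.append(tok[2:])  # attached form: -uUSER:PASS
        i += 1
    return values


def left_window_clean(line: str, end: int, words) -> bool:
    """True when none of `words` appears in the WINDOW_WIDTH chars before `end`."""
    window = line[max(0, end - WINDOW_WIDTH):end].lower()
    return not any(w in window for w in words)


def find_curl_credentials(text: str) -> list[tuple[str, str]]:
    """Return (username, password) pairs that survive matching and post-validation."""
    found = []
    for line in text.splitlines():
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = line.split()
        for value in option_values(tokens):
            m = OPTION_RE.fullmatch(value)
            if not m:
                continue
            user, pw = m.group("username"), m.group("password")
            if any(p.search(user) for p in USERNAME_BANLIST):
                continue
            if any(p.search(pw) for p in PASSWORD_BANLIST):
                continue
            if shannon_entropy(pw) < MIN_ENTROPY:
                continue
            start = line.find(user)  # offset of the username in the raw line
            if start >= 0:
                if not left_window_clean(line, start, CONTEXT_BANLIST["username"]):
                    continue
                if not left_window_clean(line, start + len(user) + 1, CONTEXT_BANLIST["password"]):
                    continue
            found.append((user, pw))
    return found


if __name__ == "__main__":
    for user, pw in find_curl_credentials(SAMPLE_TEXT):
        print(f"username={user} password={pw}")
```

Running the block prints only the three lines the page says will be caught (the two documented examples and the --user= line); the `http --auth`, too-short, bracketed, `env.pw` and "invalid"-prefixed lines are all dropped, each by a different stage of the chain.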
Details for Curl Username Password
- High Recall: False
- Validity Check: False
- Occurrences found for one million commits: 15.17
- Prefixed: False
- PreValidators
- type: ContentWhitelistPreValidator
case_sensitive: true
patterns:
- curl
- type: ContentWhitelistPreValidator
case_sensitive: true
patterns:
- "-u"
- "--user"
- Matcher
- type: CLIOptionMatcher
command_name: curl
short_option_flag: "-u"
long_option_flag: "--user"
option_regex: (?P<username>[a-zA-Z0-9._%+-]{4,150}):(?P<password>[a-zA-Z0-9!#$%&*+/?@=^_`~.>-]{4,128})
- PostValidators
username:
- type: ContextWindowBanlistPostValidator
patterns: ["default", "error", "invalid"]
window_width: 40
window_type: "left"
- type: AssignmentBanlistPostValidator
patterns:
- "missing"
- type: CommonValueBanlistPostValidator
- type: CommonUsernameBanlistPostValidator
- type: ValueBanlistPostValidator
patterns:
- "^none"
- "1234"
- ^null
- ^empty
- ^user
- pass
- ^root
- ^true
- ^false
- ^and
- ^self
- ^raw
- test
- sample
- dummy
- value
- name
- email
- ^form
- ^\.?request
- ^before
- ^string
- ^await$
- ^this
- ^int
- ^replace
- ^foo
- ^change
- ^disabled
- ^required
- \.string$
- ^django\.
- ^please
- ^validated
- "%s"
- ^cleaned
- ^table\.
- ^driver\.
- ^args\.
- ^bool(ean)?
- ^url
- credentialsId
- field
- ^open
- callback
- validator
- placeholder
- anonymous
- class
- ^get
- phone
- swift
- type
- label
- attribute
- ^html
- ^attr
- text
- nombre
- ^ask
- config
- input
- ^enter
- ^login
- ^token
- ^throw
- credential
- confirmer
- ^const
- ^new
- ^uid
- model$
- ^reg
- ^search
- nsstring
- candidate$
- form$
- expression
- ^share
- presence
- mysqli_real_escape
- onchange
- account
- base64
- email$
- create
- ^nil$
- removed
- mystring
- function
- ^local
- ^[_.-]
- "[_.-]$"
- ^void
- ^from
- ^char$
- ^usr$
- ^no-reply
- ^hash$
- ^%.+%$
- ^xpathFor
password:
- type: ContextWindowBanlistPostValidator
patterns: ["error", "invalid"]
window_width: 40
window_type: "left"
- type: AssignmentBanlistPostValidator
patterns:
- "hash"
- "salt"
- "missing"
- ^(?-i:[a-zA-Z0-9]{1,3}[A-Z0-9](Pwd|PWd|PwD|pWD|pWd|pwD))$
# Do not match AWS Secret manager recognized by passwordSecretName or passwordSecretKey
- "^passwordSecret(Name|Key)$"
- type: CommonValueBanlistPostValidator
- type: CommonPasswordBanlistPostValidator
- type: ValueBanlistPostValidator
patterns:
- ^\$[a-z]{3}
# avoid false positives like --fill_me--
- ^(-{2,4})[a-zA-Z_-]+\1$
- redacted
- ^local
- ^none
- ^null
- ^empty
- ^user
- pass
- ^root
- ^true
- ^false
- ^and
- ^prompt
- ^final$
- ^self
- ^email
- ^raw
- ^temp$
- ^undefined$
- ^auth_email$
- test
- ^req$
- "1234"
- ^#
- ^vault
- ^java
- ^ansible
- ^demo
- "123213123"
- ^guest
- ^visit$
- ^Coffee123$
- ^123bla456bla$
- value
- ^form
- ^request
- ^errors
- ^before
- ^wrong pass
- ^string
- ^await$
- ^foo
- ^change
- ^disabled
- ^required
- ^postgres
- ^django\.
- ^please
- ^validated
- "%s"
- ^cleaned
- \.string$
- ^wrong
- ^args\.
- ^bool(ean)?
- \/run\/
- ^url
- credentialsId
- field
- ^open
- callback
- validator
- placeholder
- anonymous
- class
- ^get
- phone
- swift
- type
- label
- attribute
- ^html
- ^attr
- text
- nombre
- ^ask
- config
- input
- ^enter
- ^login
- ^token
- ^throw
- credential
- confirmer
- ^const
- ^new
- ^uid
- model$
- ^reg
- ^search
- nsstring
- candidate$
- form$
- expression
- ^share
- presence
- mysqli_real_escape
- onchange
- account
- base64
- email$
- create
- ^nil$
- removed
- mystring
- function
- ^-*$
- sha256
- "^[0-9]{1,3}.[0-9]{1,3}s"
- encrypted
- bcrypt
- object
- secure
- ^salt$
- ^emit$
- ^[~^]?[0-9]+\.[0-9]+\.[0-9]+$
- ^[^a-z0-9]+$
- ^%.+%$
- ^env\.[A-Za-z_]*$
- ^xpathFor
- type: EntropyPostValidator
entropy: 1
- type: DictFilterPostValidator
threshold_words_pct_matched: 1.0