
Updating Klaviyo PK new format #5009

Open
breetan wants to merge 1 commit into trufflesecurity:main from breetan:main

Conversation

@breetan breetan commented Jun 2, 2026

Description:

Updating the Klaviyo Private Key pattern to the new format, which supports both new and old pk.

Checklist:

  • Tests passing (make test-community)?
  • Lint passing (make lint; this requires golangci-lint)?

Note

Low Risk
Single-regex change in the Klaviyo detector with no auth or verification logic changes; may miss old keys that used non-hex alphanumeric bodies.

Overview
Updates the Klaviyo private key detector regex so it recognizes both the legacy pk_ + 34 lowercase hex body and the newer pk_ + 6-character prefix + _ + 34 hex body.

The previous pattern accepted any 34 alphanumeric characters after pk_; the new one is stricter on the legacy path (hex only) and adds the prefixed variant. Verification and API behavior are unchanged.

Reviewed by Cursor Bugbot for commit 835a034. Bugbot is set up for automated code reviews on this repo. Configure here.

@breetan breetan requested a review from a team June 2, 2026 14:15
@breetan breetan requested a review from a team as a code owner June 2, 2026 14:15

CLAassistant commented Jun 2, 2026

CLA assistant check
All committers have signed the CLA.

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

defaultClient = common.SaneHttpClient()
// Make sure that your group is surrounded in boundary characters such as below to reduce false positives.
keyPat = regexp.MustCompile(`\b(pk_[[:alnum:]]{34})\b`)
keyPat = regexp.MustCompile(`\b(pk_([0-9a-f]{34}|[A-Za-z0-9]{6}_[0-9a-f]{34}))\b`)
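Review bot: the legacy alternative in the new keyPat line narrows the 34-character body from `[[:alnum:]]{34}` to `[0-9a-f]{34}`, so any old-format key whose body contains g-z or an uppercase letter stops matching, which contradicts the description's claim that both old and new pk are supported; the existing test's validPattern `pk_1234567890abcdefghijklmnopqrstuvwx` is exactly such a key. Either keep the legacy branch broad, e.g. `\b(pk_([[:alnum:]]{34}|[A-Za-z0-9]{6}_[0-9a-f]{34}))\b`, or update the fixture and state in the description that legacy matching is intentionally tightened to hex. The rewrite also introduces a second capture group (the body after `pk_`); confirm the caller still reads the full key from group 1, since group 2 now holds only the body. Note too that the prefix branch accepts uppercase while both bodies are lowercase hex only; if that asymmetry is deliberate it deserves a comment next to the pattern.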

Regex restricts old key format to hex-only characters

High Severity

The old-format key matching changed from [[:alnum:]]{34} (any alphanumeric) to [0-9a-f]{34} (lowercase hex only). This means old keys containing characters g-z or any uppercase letters will no longer be detected. The existing test's validPattern (pk_1234567890abcdefghijklmnopqrstuvwx) contains non-hex characters and would fail to match this new regex, confirming the regression.

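To make the behaviour described in the Bugbot summary and in the review comment above concrete, the following Go program (an example added here, not code from this PR or from trufflehog) runs the old and new keyPat from the diff, plus a third pattern of my own that keeps the legacy body on [[:alnum:]], over constructed sample lines. The sample keys are made up for this example and are not real credentials; candidatePat is an illustration of one way to avoid the regression, not a pattern the PR proposes, and it has not been checked against Klaviyo's actual key formats.

```go
package main

import (
	"fmt"
	"regexp"
)

// The two patterns as they appear in the PR diff: the pre-change detector
// pattern and the replacement proposed in commit 835a034.
var (
	oldPat = regexp.MustCompile(`\b(pk_[[:alnum:]]{34})\b`)
	newPat = regexp.MustCompile(`\b(pk_([0-9a-f]{34}|[A-Za-z0-9]{6}_[0-9a-f]{34}))\b`)

	// candidatePat is an assumption of this example: it keeps the legacy
	// 34-character body as [[:alnum:]] and makes the 6-character prefix
	// optional. It has not been validated against Klaviyo's real formats.
	candidatePat = regexp.MustCompile(`\b(pk_(?:[[:alnum:]]{6}_)?[[:alnum:]]{34})\b`)
)

// sample is constructed input for this example; none of these are real keys.
// Line 2 reuses the validPattern fixture quoted in the review comment.
const sample = `KLAVIYO_PRIVATE_KEY=pk_0123456789abcdef0123456789abcdef01
legacy_fixture=pk_1234567890abcdefghijklmnopqrstuvwx
new_style=pk_Ab12Cd_0123456789abcdef0123456789abcdef01
truncated=pk_0123456789abcdef
`

// Keys returns the distinct full-key captures (group 1) of re in data, in
// order of first appearance. Group 1 is the full key in all three patterns;
// newPat additionally has a group 2 holding only the body after "pk_".
func Keys(re *regexp.Regexp, data string) []string {
	seen := make(map[string]bool)
	var out []string
	for _, m := range re.FindAllStringSubmatch(data, -1) {
		if !seen[m[1]] {
			seen[m[1]] = true
			out = append(out, m[1])
		}
	}
	return out
}

// Regressions reports keys that `before` matches in data but `after` does not,
// i.e. detections that would be lost by switching patterns.
func Regressions(before, after *regexp.Regexp, data string) []string {
	afterSet := make(map[string]bool)
	for _, k := range Keys(after, data) {
		afterSet[k] = true
	}
	var lost []string
	for _, k := range Keys(before, data) {
		if !afterSet[k] {
			lost = append(lost, k)
		}
	}
	return lost
}

func main() {
	for _, p := range []struct {
		name string
		re   *regexp.Regexp
	}{{"old", oldPat}, {"new", newPat}, {"candidate", candidatePat}} {
		fmt.Printf("%-9s %v\n", p.name, Keys(p.re, sample))
	}
	fmt.Println("lost by old->new:      ", Regressions(oldPat, newPat, sample))
	fmt.Println("lost by old->candidate:", Regressions(oldPat, candidatePat, sample))
}
```

Running it shows the old pattern finding the two legacy keys and missing the prefixed one, the new pattern finding the hex legacy key and the prefixed key but dropping the alphanumeric fixture, and the candidate finding all three with nothing lost relative to the old pattern. Whether the broader legacy branch is acceptable depends on how many false positives it admits in practice, which this example cannot tell you; it only makes the trade-off visible before the regex is merged.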