| Email any `json:"email"` | ||
| Name any `json:"name"` | ||
| Email string `json:"email"` | ||
| Name string `json:"name"` |
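Review bot: narrowing Email and Name from any to string makes json.Unmarshal return an error for any non-string, non-null JSON value in those fields (a JSON null still decodes into a string field without error, leaving it empty); since the verification result is derived from that error, keep the any type and narrow with a type switch when populating the lwa.email / lwa.name metadata, so an unexpected value shape degrades the metadata rather than flipping a live key to indeterminate.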
Type narrowing may cause unmarshal failure for OpenAI
Medium Severity
Changing Email and Name from any to string in the response struct narrows the set of JSON values that json.Unmarshal can handle. The original any type was likely deliberate — if the OpenAI API ever returns a non-string, non-null value for these fields (e.g., for service accounts), the entire json.Unmarshal call will now fail. Since a parse failure returns false, extraData, err (indeterminate), a genuinely live key would no longer be reported as verified. With the old any type, the unmarshal would succeed and the key would correctly be marked as verified.
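The effect described in the comment above, as an added example that is not part of the PR or the detector's code: the same three constructed bodies are parsed into a struct with any fields and into one with string fields, and the verification outcome is derived from the parse error the way the comment describes. Struct and function names are assumptions; the asString helper shows the behaviour-preserving alternative of keeping any and narrowing after the parse.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed stand-ins for the two struct shapes the comment contrasts.
// Field and type names are assumptions, not the detector's own code.
type meResponseAny struct {
	Email any `json:"email"`
	Name  any `json:"name"`
}

type meResponseString struct {
	Email string `json:"email"`
	Name  string `json:"name"`
}

// outcome is the (verified, err) pair a detector derives from the parse:
// a parse error is indeterminate (false, err); success is verified.
type outcome struct {
	Verified bool
	Err      error
}

func verifyAny(body []byte) outcome {
	var r meResponseAny
	if err := json.Unmarshal(body, &r); err != nil {
		return outcome{false, err}
	}
	return outcome{true, nil}
}

func verifyString(body []byte) outcome {
	var r meResponseString
	if err := json.Unmarshal(body, &r); err != nil {
		return outcome{false, err}
	}
	return outcome{true, nil}
}

// asString narrows an `any` field after a successful parse, so an
// unexpected value shape degrades the metadata, not the verification result.
func asString(v any) string {
	switch t := v.(type) {
	case nil:
		return ""
	case string:
		return t
	default:
		return fmt.Sprint(t) // numbers, objects, arrays: keep something usable
	}
}

// metadataAny parses with the permissive struct and returns the narrowed fields.
func metadataAny(body []byte) (email, name string, err error) {
	var r meResponseAny
	if err := json.Unmarshal(body, &r); err != nil {
		return "", "", err
	}
	return asString(r.Email), asString(r.Name), nil
}

func main() {
	// Constructed sample bodies, not captured API responses.
	samples := [][]byte{
		[]byte(`{"email":"alice@example.com","name":"Alice"}`),
		[]byte(`{"email":null,"name":null}`),
		[]byte(`{"email":12345,"name":{"first":"Svc"}}`),
	}
	for _, b := range samples {
		a, s := verifyAny(b), verifyString(b)
		fmt.Printf("%s\n  any:    verified=%v err=%v\n  string: verified=%v err=%v\n",
			b, a.Verified, a.Err, s.Verified, s.Err)
	}
}
```

Only the third body differs between the two shapes: the any struct parses it and the key stays verified, while the string struct returns an UnmarshalTypeError and the same live key becomes indeterminate.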
| ctx.Logger().Error(err, "failed to close response body") | ||
| } | ||
| return resBody | ||
| } |
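Review bot: the function returns only resBody, so a caller cannot distinguish an io.ReadAll failure from an empty or non-JSON body; change the signature to return ([]byte, error), wrap the read error ("failed to read response body: %w") and let the caller return it, which keeps the descriptive error the previous verifyRefreshToken code produced. Logging the Close error rather than returning it is fine, since the read has already completed at that point.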
Swallowed read errors change error propagation behavior
Low Severity
CopyAndCloseResponseBody logs but silently swallows errors from io.ReadAll, returning nil or partial bytes instead. The old verifyRefreshToken code explicitly returned a descriptive error on read failure ("failed to read response body"). Now, a read failure is silently swallowed, and the subsequent json.Unmarshal on nil/partial bytes will fail with a misleading JSON parse error instead of the actual I/O error.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
There are 4 total unresolved issues (including 2 from previous reviews).
| extraData := make(map[string]string) | ||
|
|
||
| // lightweight analyze: unconditionally preserve the response body | ||
| resBody := lwa.CopyAndCloseResponseBody(ctx, res) |
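Review bot: resBody is read but nothing in this hunk records it, so the preserved body is dropped; add extraData[lwa.KeyResponse] = string(resBody) as the other detectors do. Since the body for a live key may carry account identifiers and the PR note already flags the increase in stored sensitive data, consider capping the length of what is stored rather than keeping the full response.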
ElevenLabs detectors missing response body preservation in extraData
High Severity
Both ElevenLabs v1 and v2 call lwa.CopyAndCloseResponseBody and comment says "unconditionally preserve the response body," but neither stores the result in extraData[lwa.KeyResponse]. Every other detector (OpenAI, both DigitalOcean functions) includes the line extraData[lwa.KeyResponse] = string(resBody) after reading the body. Without it, the lightweight analysis response data is silently lost.
| var errorResponse ErrorRes | ||
| if err = json.Unmarshal(resBody, &errorResponse); err != nil { | ||
| ctx.Logger().Error(err, "failed to parse response") | ||
| return false, extraData, err |
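Review bot: returning err here turns a definitive 400/401 rejection into an indeterminate result whenever the body is not JSON; log the parse error and return false, nil, nil so a malformed error body keeps the previous "not verified" outcome, and reserve the error return for transport failures and unexpected statuses.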
ElevenLabs 400/401 parse failure changes verification outcome
Medium Severity
When a 400/401 response body fails to parse as JSON, the new code returns an error (return false, extraData, err), making the result "indeterminate." Previously, all 400/401 responses cleanly returned "not verified" (false, nil, nil). Per the PR discussion guidance to preserve existing detector behavior, a JSON parse failure here changes the outcome from definitive "not verified" to ambiguous "indeterminate."
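Both the swallowed-read-error comment and the 400/401 comment above describe how a detector's (verified, extraData, err) triple should be derived from an HTTP response. The following is an added example, not the PR's or the detector's code: the body read returns its error to the caller, a 400/401 whose body is not JSON stays "not verified" instead of becoming indeterminate, and a missing_permissions rejection is treated as verified without metadata, as the PR summary states. The error body shape (detail.status), the 1 MiB cap on the stored body and the extraData key are assumptions; responses are constructed in memory so the example runs offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
	"testing/iotest"
)

// maxBody caps how much of a response is kept in extraData (assumed value).
const maxBody = 1 << 20

// readAndCloseBody returns the read error instead of logging and swallowing it,
// so a caller can tell an I/O failure from an empty or non-JSON body.
func readAndCloseBody(res *http.Response) ([]byte, error) {
	defer res.Body.Close()
	b, err := io.ReadAll(io.LimitReader(res.Body, maxBody))
	if err != nil {
		return nil, fmt.Errorf("failed to read response body: %w", err)
	}
	return b, nil
}

// errorRes is an assumed shape for the 400/401 error body.
type errorRes struct {
	Detail struct {
		Status string `json:"status"`
	} `json:"detail"`
}

// classify returns the (verified, extraData, err) triple the thread discusses.
// err is reserved for transport failures and unexpected statuses; a 400/401
// with a non-JSON body stays "not verified" rather than becoming indeterminate.
func classify(res *http.Response) (bool, map[string]string, error) {
	body, err := readAndCloseBody(res)
	if err != nil {
		return false, nil, err // indeterminate: the response could not be read
	}
	switch res.StatusCode {
	case http.StatusOK:
		extra := map[string]string{"response": string(body)}
		return true, extra, nil
	case http.StatusBadRequest, http.StatusUnauthorized:
		var e errorRes
		if err := json.Unmarshal(body, &e); err != nil {
			// A rejection is definitive even when the body is not JSON: the
			// parse error is worth logging but must not flip the result.
			return false, nil, nil
		}
		if e.Detail.Status == "missing_permissions" {
			// The key is live but under-scoped: verified, no metadata.
			return true, nil, nil
		}
		return false, nil, nil
	default:
		return false, nil, fmt.Errorf("unexpected HTTP status %d", res.StatusCode)
	}
}

// fakeResponse builds an in-memory response so the example runs offline.
func fakeResponse(status int, body string) *http.Response {
	return &http.Response{StatusCode: status, Body: io.NopCloser(strings.NewReader(body))}
}

// brokenResponse simulates a transport failure while reading the body.
func brokenResponse() *http.Response {
	return &http.Response{
		StatusCode: http.StatusOK,
		Body:       io.NopCloser(iotest.ErrReader(errors.New("connection reset"))),
	}
}

func main() {
	// Constructed responses, not captured API traffic.
	cases := []*http.Response{
		fakeResponse(200, `{"user_id":"u_1"}`),
		fakeResponse(401, `<html>Unauthorized</html>`),
		fakeResponse(401, `{"detail":{"status":"missing_permissions"}}`),
		brokenResponse(),
	}
	for _, r := range cases {
		v, extra, err := classify(r)
		fmt.Printf("status=%d verified=%v extra=%v err=%v\n", r.StatusCode, v, extra, err)
	}
}
```

The second case is the one the comment is about: an HTML 401 page yields (false, nil, nil) here, whereas returning the json.Unmarshal error would report the same definitive rejection as indeterminate. Only the fourth case, where the read itself fails, produces an error.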


This draft PR is a PoC for what "lightweight analysis" could look like.
Note
Medium Risk
Updates secret verification logic for several detectors to capture/parse HTTP responses and attach additional metadata, which could affect verification outcomes and increase stored sensitive data in ExtraData. Changes are localized but touch multiple detectors’ network/JSON handling paths.
Overview
Adds a new lightweight_analyze helper (CopyAndCloseResponseBody, AugmentExtraData, and lwa.* keys) to standardize capturing HTTP verification response bodies and annotating common identity fields.
Updates the OpenAI, DigitalOceanV2, and ElevenLabs (v1/v2) detectors to use the logger-aware context, always copy/close response bodies, store the raw response in ExtraData, and parse responses into typed structs to populate standardized lwa.id/lwa.name/lwa.email metadata (plus existing OpenAI fields).
Adjusts verification semantics for ElevenLabs to treat missing_permissions responses as verified (but without metadata), and tweaks DigitalOcean refresh-token verification to return the new access token alongside extra metadata.
Written by Cursor Bugbot for commit dcf72ee.