Stripe Payment Intent Detector

[shahzadhaider1]

Description:

This PR introduces support for detecting Stripe PaymentIntent client secrets with comprehensive key-based verification.

Summary of Changes:

• Added a new detector for identifying Stripe PaymentIntent client secrets (pi_*_secret_* format).
• Implemented pattern matching logic to accurately detect client secrets and associated Stripe keys.
• Added support for detecting live Stripe keys (secret keys: sk_live_/rk_live_ and publishable keys: pk_live_*).
• Implemented comprehensive verification logic that creates individual results for each client secret + key combination.
• Enhanced result structure to store client secrets in Raw field and client secret + key combinations in RawV2 field.

Key Implementation Details:

• Multiple Result Generation: Creates one result for each client secret paired with each detected key (N client secrets × M keys = N×M results).
• Conditional Processing: Only generates results when both client secrets AND keys are present in the data.
• Live Keys Only: Focuses on live Stripe keys for security purposes (test keys are ignored).
• Verification Logic: Each client secret + key combination is individually verified via Stripe API.

Verification Status:

• Verification of client secrets is fully implemented and optimized.
• When live Stripe keys are detected alongside client secrets, the detector attempts to verify each combination using the Stripe API.
• Each client secret is tested against all available keys (both secret and publishable) to determine valid combinations.
• Results are marked as verified only when the specific client secret + key combination is valid.
• If no keys are found, no results are generated (preventing noise from standalone client secrets).

Result Structure:

• Raw: Contains the client secret only
• RawV2: Contains the client secret + key combination
• Verified: Boolean indicating if this specific combination was verified via Stripe API

Testing:

• Comprehensive unit tests covering multiple scenarios:
  • Single client secret with single key
  • Multiple client secrets with multiple keys
  • Mixed valid/invalid combinations
  • Edge cases (no keys, no client secrets, invalid patterns)
• Integration tests with real Stripe API verification
• Pattern matching tests ensuring only live keys are detected

Example Scenarios:

• 2 client secrets + 3 keys = 6 individual results
• Only valid combinations will be marked as verified
• No results generated if keys are missing entirely

Checklist:

• Tests passing (make test-community)?
• Lint passing (make lint this requires golangci-lint)?

[CLAassistant]

All committers have signed the CLA.

[nabeelalam]

@shahzadhaider1 the keywords pi_ and _secret_, seem like they might occur quite frequently across many files and could result in a high number of false positives. The existing stripe detector only uses k_live_, I'm wondering if that would help make it more specific.

[rgmz]

The existing stripe detector only uses k_live_, I'm wondering if that would help make it more specific.

pi_ or _secret_ are the only ones relevant to this specific detector. 🤷‍♂️

[shahzadhaider1]

As Richard also mentioned, pi_ and _secret_ keywords are relevant to this detector, so it wouldn't make sense to get rid of these keywords. Please let us know what do you think?

[nabeelalam]

@rgmz @shahzadhaider1 since both substrings pi_ and _secret_ are part of the secret, I would suggest using only _secret_, since including both will theoretically yield more false matches, and pi_ looks like it may be more common out of the two, e.g. it would match inputs with that contain api_.

[shahzadhaider1]

Alright. We have only _secret_ keyword now

[kashifkhan0771]

If we pass verification as false, will the result only include client secrets without the secret key or publishable key? If so, the result would be largely meaningless in my opinion, since a client secret without either of those isn't useful on its own. We should create result only if we find either secret key or publishable key along with client secret. Than if verification fails we can mark it as unverified.

[shahzadhaider1]

If we pass verification as false, will the result only include client secrets without the secret key or publishable key?

The result will always include only client secrets as the requirement for this detector is to detect client secrets in the Stripe Payment Intent objects. For detecting Stripe secret keys, we have another detector in place.

We should create result only if we find either secret key or publishable key along with client secret. Than if verification fails we can mark it as unverified.

I understand that client secret without a key is not very useful but since the requirement is to detect the client secrets and doing this will mean that if a data source contains only client secrets and no keys, we will never be able to detect the client secrets. Are you sure we want that?

[kashifkhan0771]

I don't want to be a blocker here. Just leaving my thoughts as a comment. If others feel the same as you do, feel free to move forward with this.

[shahzadhaider1]

Thank you for your feedback. I really appreciate it.
Let's see what other teammates suggest.

[nabeelalam]

I agree with @kashifkhan0771 that a client secret on its own does not seem to be meaningful unless a secret or publishable key is also detected, as you cannot use it or verify it.

[shahzadhaider1]

@kashifkhan0771 @nabeelalam I have updated the implementation based on your suggestion. I have also updated the PR description with latest implementation details. Please re-review and let me know what you think.

[kashifkhan0771]

LGTM!

[kashifkhan0771]

Few non-blocking comments. The code looks clean to me!

[abmussani]

Since the response contains the valid client_secret of a requested payment intent. Verification should be based on comparison of what is detected and what client_secret is in response. Does it make sense ?

[shahzadhaider1]

Done - the implementation now reads the response body and verifies the detected client secret by comparing it with the value returned from the API, rather than relying solely on the API status code.

[abmussani]

can we copy input variables values here directly? this is to improve the code readability.

[shahzadhaider1]

done - I have removed all variables and used strings here directly.

[nabeelalam]

Thanks for making all the updates @shahzadhaider1 !