Fix corrupted regex patterns in secret key detection

[francose]

Several regex patterns in keys_extractor() have been non-functional since the initial commit. The curly brace quantifiers got mangled during copy-paste (likely from a rendered source like a PDF or webpage) — {32} became f32g, escaped dots \. became n., and escaped dollar signs \$ became n$.

This means Google YouTube OAuth IDs, Amazon MWS tokens, and PayPal/Braintree access tokens were never being detected by the key extractor, regardless of how many scans were run.

What was broken:

• [0-9]+-[0-9A-Za-z_]f32gn.appsn.googleusercontentn.com — matches nothing
• access_tokenn$productionn$[0-9a-z]f16gn$[0-9a-f]f32g — matches nothing
• amznn.mwsn.[0-9a-f]f8g-[0-9a-f]f4g-... — matches nothing

What it should be:

• [0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com
• amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}
• access_token\$production\$[0-9a-z]{16}\$[0-9a-f]{32}

Also fixed the label swap — "PayPal" was labeled on what is actually the Amazon MWS pattern (amzn.mws.UUID) and vice versa. Corrected "PayPal" to "PayPal Braintree" and "Amazon MWS" to match the actual token format. Fixed "Slack Webook" typo.

All patterns are now raw strings to prevent future escape issues.

Tested against known token formats — all six previously-broken patterns now correctly match real secrets.

[CLAassistant]

All committers have signed the CLA.

[Copilot]

Pull request overview

This PR updates keys_extractor() secret-detection regex patterns that were previously corrupted (e.g., mangled quantifiers and escaped characters), aiming to restore detection for several token formats (Google OAuth-related values, Amazon MWS tokens, and PayPal/Braintree access tokens) and correct a Slack webhook label typo.

Changes:

• Replaced corrupted Google OAuth/YouTube OAuth regex patterns with corrected patterns, using raw string literals for safer escaping.
• Fixed Amazon MWS and PayPal/Braintree token regex patterns and adjusted labels to match the actual formats.
• Corrected the "Slack Webook" label typo to "Slack Webhook".

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[francose]

Acknowledged — these patterns were completely non-functional before (corrupted quantifiers like f32g instead of {32}). This PR makes them syntactically correct. The remove_url_from_keys() stripping issue is pre-existing and orthogonal — will open a follow-up for that.

[francose]

Same as above — corrected the regex syntax. The dot/underscore stripping by the sanitizer is a separate pre-existing issue. Also converted this to a raw string for consistency in the follow-up commit.

[francose]

Converted to raw string in the follow-up commit for consistency. The slash stripping is part of the same sanitizer issue — will address in a separate PR.

[francose]

Re: Copilot's review about remove_url_from_keys() stripping ., _, / before keys_extractor() runs —

Valid point. The sanitizer does strip characters that some of these patterns depend on (dots in ya29., amzn.mws., googleusercontent.com, slashes in webhooks, underscores in access_token).

However, this is a pre-existing issue that's separate from the regex corruption. Before this fix, these patterns used mangled quantifiers like f32g instead of {32} and n. instead of \. — they matched literally nothing regardless of preprocessing. This PR makes the regex syntax correct so the patterns are at least valid.

The sanitizer stripping issue existed before and should be addressed separately — either by running keys_extractor() on the raw content (after URL/email removal but before special char stripping), or by splitting the special_chars list into "safe to strip for credential detection" vs "not safe."

Happy to open a follow-up issue for that if maintainers agree on the approach.

Also converting the Slack Webhook pattern to a raw string for consistency as suggested.