fix(privacy): redact env secret assignments
parent
4bd346b0fb
commit
bf7c850012
2 changed files with 7 additions and 1 deletions
|
|
@ -5,7 +5,8 @@ import { filterSafeSentryIntegrations, redactSentryEvent } from '../sentryConfig
|
|||
describe('sentryConfig privacy helpers', () => {
|
||||
it('redacts high-risk event data recursively', () => {
|
||||
const event = redactSentryEvent({
|
||||
message: 'token sk-secretsecretsecret at /Users/alice/work/private-repo',
|
||||
message:
|
||||
'token sk-secretsecretsecret ANTHROPIC_AUTH_TOKEN=lmstudio at /Users/alice/work/private-repo',
|
||||
user: {
|
||||
email: 'dev@example.com',
|
||||
},
|
||||
|
|
@ -17,6 +18,7 @@ describe('sentryConfig privacy helpers', () => {
|
|||
|
||||
const serialized = JSON.stringify(event);
|
||||
expect(serialized).not.toContain('sk-secretsecretsecret');
|
||||
expect(serialized).not.toContain('lmstudio');
|
||||
expect(serialized).not.toContain('/Users/alice');
|
||||
expect(serialized).not.toContain('private-repo');
|
||||
expect(serialized).not.toContain('dev@example.com');
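Review bot: The added case in the `message` fixture covers only an unquoted `NAME=value` assignment, so the quoted-value and spaced-`=` forms that the pattern added in this commit also accepts are left untested. Extending the message with a constructed sample such as `MY_SECRET = "two words"` and adding `expect(serialized).not.toContain('two words');` would pin the branch where a regression is most likely to leak part of a value. The `it` block starts and ends outside the two hunks shown, so further assertions may exist that are not visible here.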
|
||||
|
|
|
|||
|
|
@ -34,6 +34,10 @@ const SENSITIVE_STRING_PATTERNS: Array<[RegExp, string]> = [
|
|||
[/\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi, REDACTED],
|
||||
[/\b[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b/gi, REDACTED],
|
||||
[/\b(?:sk|pk|rk|ghp|gho|github_pat|xoxb|xoxp|ya29)[A-Za-z0-9_\-]{12,}\b/g, REDACTED],
|
||||
[
|
||||
/\b[A-Z0-9_]*(?:API_KEY|AUTH_TOKEN|TOKEN|SECRET|PASSWORD|AUTHORIZATION)[A-Z0-9_]*\s*=\s*("[^"]*"|'[^']*'|\S+)/gi,
|
||||
REDACTED,
|
||||
],
|
||||
[/\/Users\/[^/\s"'`]+(?:\/[^\s"'`]+)*/g, '/Users/[redacted]/[redacted-path]'],
|
||||
[/\/home\/[^/\s"'`]+(?:\/[^\s"'`]+)*/g, '/home/[redacted]/[redacted-path]'],
|
||||
[/([A-Za-z]:\\Users\\)[^\\\s"'`]+(?:\\[^\\\s"'`]+)*/g, '$1[redacted]\\[redacted-path]'],
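Review bot: The value alternative `\S+` in the added pattern stops at the first whitespace, so an unquoted value that carries a scheme word (constructed example: `AUTHORIZATION=Bearer <value>`) would have only `Bearer` replaced and the credential itself left in the event. Allowing an optional scheme before the value closes that gap: `\s*=\s*(?:(?:Bearer|Basic)\s+)?("[^"]*"|'[^']*'|\S+)`. The pattern also matches only `=`, so colon-separated forms such as an `Authorization:` header line would pass through unless another entry covers them; this is worth confirming, because the `SENSITIVE_STRING_PATTERNS` array starts and ends outside this hunk. A short comment above the entry, e.g. `// NAME=value assignments whose name contains a secret-like keyword; the whole assignment is replaced`, would also record that the capture group is unused and the variable name is dropped together with the value.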
|
||||
|
|
|
|||