fix(privacy): redact env secret assignments

777genius 2026-05-22 00:22:23 +03:00
parent 4bd346b0fb
commit bf7c850012
2 changed files with 7 additions and 1 deletions


@ -5,7 +5,8 @@ import { filterSafeSentryIntegrations, redactSentryEvent } from '../sentryConfig
describe('sentryConfig privacy helpers', () => {
it('redacts high-risk event data recursively', () => {
const event = redactSentryEvent({
message: 'token sk-secretsecretsecret at /Users/alice/work/private-repo',
message:
'token sk-secretsecretsecret ANTHROPIC_AUTH_TOKEN=lmstudio at /Users/alice/work/private-repo',
user: {
email: 'dev@example.com',
},
@ -17,6 +18,7 @@ describe('sentryConfig privacy helpers', () => {
const serialized = JSON.stringify(event);
expect(serialized).not.toContain('sk-secretsecretsecret');
expect(serialized).not.toContain('lmstudio');
expect(serialized).not.toContain('/Users/alice');
expect(serialized).not.toContain('private-repo');
expect(serialized).not.toContain('dev@example.com');
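Review bot: The added fixture exercises only the unquoted `NAME=value` form, so the quoted-value branches (`"[^"]*"` and `'[^']*'`) and the case-insensitive matching of the new pattern are untested. A quoted value containing a space is the case most likely to regress, because a fall-through to the `\S+` branch would leave the second word in the event. Consider appending a constructed sample such as `my_secret='quoted value'` to the message and asserting `expect(serialized).not.toContain('quoted value');`. The `it` block starts before the first hunk and appears to continue past the lines shown.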


@ -34,6 +34,10 @@ const SENSITIVE_STRING_PATTERNS: Array<[RegExp, string]> = [
[/\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi, REDACTED],
[/\b[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b/gi, REDACTED],
[/\b(?:sk|pk|rk|ghp|gho|github_pat|xoxb|xoxp|ya29)[A-Za-z0-9_\-]{12,}\b/g, REDACTED],
[
/\b[A-Z0-9_]*(?:API_KEY|AUTH_TOKEN|TOKEN|SECRET|PASSWORD|AUTHORIZATION)[A-Z0-9_]*\s*=\s*("[^"]*"|'[^']*'|\S+)/gi,
REDACTED,
],
[/\/Users\/[^/\s"'`]+(?:\/[^\s"'`]+)*/g, '/Users/[redacted]/[redacted-path]'],
[/\/home\/[^/\s"'`]+(?:\/[^\s"'`]+)*/g, '/home/[redacted]/[redacted-path]'],
[/([A-Za-z]:\\Users\\)[^\\\s"'`]+(?:\\[^\\\s"'`]+)*/g, '$1[redacted]\\[redacted-path]'],
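Review bot: The new pattern matches only when the name is followed by `=`, so colon-delimited secrets such as an HTTP `Authorization: Bearer <token>` line or a YAML-style `password: value` pass through unredacted even though `AUTHORIZATION` is in the alternation (unless an entry outside this hunk already covers them). The unquoted branch `\S+` also stops at the first space, so where a scheme word precedes the credential only `Bearer` is consumed and the token after it remains in the event. Consider `\s*[=:]\s*(?:(?:Bearer|Basic)\s+)?` in place of `\s*=\s*`, with a test case for the header form. Separately, `AUTH_TOKEN` is already covered by `TOKEN` together with the surrounding `[A-Z0-9_]*` and can be dropped from the alternation. The `SENSITIVE_STRING_PATTERNS` array starts and ends outside the hunk.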