fix(tess): harden redacted stream boundaries
This commit is contained in:
@@ -11,4 +11,15 @@ describe('redactSensitiveContent', (): void => {
|
||||
expect(result.content).not.toContain('+1 555 555 1212');
|
||||
expect(result.classifications).toEqual(['secret', 'pii']);
|
||||
});
|
||||
|
||||
it('redacts common provider credential formats', (): void => {
|
||||
const result = redactSensitiveContent(
|
||||
'Authorization: Bearer canary.bearer.token jwt eyJcanary.eyJpayload.eyJsignature aws AKIACANARY1234567890',
|
||||
);
|
||||
|
||||
expect(result.content).not.toContain('canary.bearer.token');
|
||||
expect(result.content).not.toContain('eyJcanary.eyJpayload.eyJsignature');
|
||||
expect(result.content).not.toContain('AKIACANARY1234567890');
|
||||
expect(result.classifications).toEqual(['secret']);
|
||||
});
|
||||
});
|
||||
|
||||
@@ -8,6 +8,11 @@ export interface RedactionResult {
|
||||
const SECRET_PATTERNS: RegExp[] = [
|
||||
/\b(?:sk|ghp|gitea)_[A-Za-z0-9_-]{8,}\b/g,
|
||||
/\b(?:api[_-]?key|token|password|secret)\s*[:=]\s*[^\s,;]+/gi,
|
||||
/\b(?:authorization\s*:\s*)?bearer\s+[A-Za-z0-9._~+/-]+=*/gi,
|
||||
/\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g,
|
||||
/\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g,
|
||||
/-----BEGIN(?: [A-Z]+)* PRIVATE KEY-----[\s\S]*?-----END(?: [A-Z]+)* PRIVATE KEY-----/g,
|
||||
/https?:\/\/[^\s?#]+[^\s]*[?&](?:token|key|secret|signature|sig)=[^\s&#]+/gi,
|
||||
];
|
||||
const PII_PATTERNS: RegExp[] = [
|
||||
/\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi,
|
||||
|
||||
Reference in New Issue
Block a user