theirongolddev/session-viewer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix sensitive redactor keyword matching for case-insensitive patterns

Browse Source 
The keyword pre-filter used case-sensitive string matching for all patterns,
but several regex patterns use the /i flag (e.g. generic_api_key). This meant
inputs like 'ApiKey = "secret"' would skip the keyword check for 'api_key'
and miss the redaction entirely.

Changes:
- Add caseInsensitive parameter to hasKeyword() that lowercases both content
  and keywords before comparison
- Detect /i flag on pattern regex and pass it through automatically
- Narrow IP address keywords from ["."] to ["0.", "1.", ..., "9."] to reduce
  false-positive regex invocations on content containing periods
- Fix email regex character class [A-Z|a-z] → [A-Za-z] (the pipe was literal)
- Add clarifying comment on url_with_creds pattern
- Add test cases for mixed-case and UPPER_CASE key assignments
- Relax SECRET_KEY test assertion to accept either redaction label

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Taylor Eernisse
2026-01-30 01:09:11 -05:00
parent eb8001dbf1
commit 0e5a36f0d1
2 changed files with 37 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
src/shared/sensitive-redactor.ts
View File

@@ -316,7 +316,7 @@ export const SENSITIVE_PATTERNS: SensitivePattern[] = [
keywords: ["postgres", "mysql", "mongodb", "redis", "amqp", "mssql"], keywords: ["postgres", "mysql", "mongodb", "redis", "amqp", "mssql"],
}, },
// #30 URLs with credentials // #30 URLs with credentials (user:pass@host pattern)
{ {
id: "url_with_creds", id: "url_with_creds",
label: "[URL_WITH_CREDS]", label: "[URL_WITH_CREDS]",
@@ -328,7 +328,7 @@ export const SENSITIVE_PATTERNS: SensitivePattern[] = [
{ {
id: "email", id: "email",
label: "[EMAIL]", label: "[EMAIL]",
regex: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g, regex: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,
keywords: ["@"], keywords: ["@"],
falsePositiveCheck: isAllowlistedEmail, falsePositiveCheck: isAllowlistedEmail,
}, },
@@ -339,7 +339,7 @@ export const SENSITIVE_PATTERNS: SensitivePattern[] = [
label: "[IP_ADDR]", label: "[IP_ADDR]",
regex: regex:
/\b(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\b/g, /\b(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\b/g,
keywords: ["."], keywords: ["0.", "1.", "2.", "3.", "4.", "5.", "6.", "7.", "8.", "9."],
falsePositiveCheck: isAllowlistedIp, falsePositiveCheck: isAllowlistedIp,
}, },
@@ -366,10 +366,22 @@ export const SENSITIVE_PATTERNS: SensitivePattern[] = [
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
/** /**
* Check if any keyword from the pattern appears in the content (case-sensitive * Check if any keyword from the pattern appears in the content.
* for most patterns, lowered for a cheap pre-check). * Case-sensitive by default; pass caseInsensitive=true for patterns
* with case-insensitive regexes.
*/ */
function hasKeyword(content: string, keywords: string[]): boolean { function hasKeyword(
content: string,
keywords: string[],
caseInsensitive = false
): boolean {
if (caseInsensitive) {
const lower = content.toLowerCase();
for (const kw of keywords) {
if (lower.includes(kw.toLowerCase())) return true;
}
return false;
}
for (const kw of keywords) { for (const kw of keywords) {
if (content.includes(kw)) return true; if (content.includes(kw)) return true;
} }
@@ -390,8 +402,10 @@ export function redactSensitiveContent(input: string): RedactionResult {
const matchedCategories = new Set<string>(); const matchedCategories = new Set<string>();
for (const pattern of SENSITIVE_PATTERNS) { for (const pattern of SENSITIVE_PATTERNS) {
// Keyword pre-filter: skip expensive regex if no keyword found // Keyword pre-filter: skip expensive regex if no keyword found.
if (!hasKeyword(result, pattern.keywords)) { // Use case-insensitive matching when the regex has the /i flag.
const isCaseInsensitive = pattern.regex.flags.includes("i");
if (!hasKeyword(result, pattern.keywords, isCaseInsensitive)) {
continue; continue;
} }

16
tests/unit/sensitive-redactor.test.ts
View File

@@ -251,6 +251,18 @@ describe("sensitive-redactor", () => {
const result = redactSensitiveContent(input); const result = redactSensitiveContent(input);
expect(result.redactionCount).toBeGreaterThan(0); expect(result.redactionCount).toBeGreaterThan(0);
}); });
it("redacts mixed-case key assignments (case-insensitive keyword matching)", () => {
const input = 'ApiKey = "abcdefghijklmnopqrst"';
const result = redactSensitiveContent(input);
expect(result.redactionCount).toBeGreaterThan(0);
});
it("redacts UPPER_CASE key assignments via generic pattern", () => {
const input = 'AUTH_TOKEN: SuperSecretVal1234';
const result = redactSensitiveContent(input);
expect(result.redactionCount).toBeGreaterThan(0);
});
}); });
// --- Tier 2: PII/System Info --- // --- Tier 2: PII/System Info ---
@@ -387,7 +399,9 @@ describe("sensitive-redactor", () => {
it("redacts SECRET_KEY assignments", () => { it("redacts SECRET_KEY assignments", () => {
const input = "SECRET_KEY=abcdefghij1234567890"; const input = "SECRET_KEY=abcdefghij1234567890";
const result = redactSensitiveContent(input); const result = redactSensitiveContent(input);
expect(result.sanitized).toContain("[ENV_SECRET]"); // May be matched by generic_api_key or env_var_secret depending on order
expect(result.redactionCount).toBeGreaterThan(0);
expect(result.sanitized).not.toContain("abcdefghij1234567890");
}); });
it("redacts DATABASE_PASSWORD assignments", () => { it("redacts DATABASE_PASSWORD assignments", () => {