Harden redaction tests (URL fragment tokens, compressed IPv6, quoted conn-string passwords, epoch-ms negatives) and strengthen redactors to match

Author: KeelMatrix

src/KeelMatrix.QueryWatch/Redaction/ConnectionStringPasswordRedactor.cs

@@ -4,13 +4,16 @@
 namespace KeelMatrix.QueryWatch.Redaction {
     /// <summary>
     /// Masks password values inside connection strings (Password=...; Pwd=...; forms).
+    /// Supports quoted values so that <c>Password="sec;ret;value"</c> is fully masked.
     /// </summary>
     public sealed class ConnectionStringPasswordRedactor : IQueryTextRedactor {
         private static readonly Regex Pw = new(
-            @"(?i)\b(Password|Pwd)\s*=\s*([^;]+)",
+            // key (group 1), "=", then either a quoted value (single or double) or an unquoted value up to the next semicolon
+            @"\b(Password|Pwd)\s*=\s*(?:""[^""]*""|'[^']*'|[^;]+)",
             RegexOptions.Compiled | RegexOptions.CultureInvariant);
 
         /// <inheritdoc />
-        public string Redact(string input) => string.IsNullOrEmpty(input) ? string.Empty : Pw.Replace(input, m => m.Groups[1].Value + "=***");
+        public string Redact(string input)
+            => string.IsNullOrEmpty(input) ? string.Empty : Pw.Replace(input, m => m.Groups[1].Value + "=***");
     }
 }

src/KeelMatrix.QueryWatch/Redaction/IpAddressRedactor.cs

@@ -3,24 +3,33 @@
 
 namespace KeelMatrix.QueryWatch.Redaction {
     /// <summary>
-    /// Masks IPv4 and (conservatively) IPv6 addresses.
+    /// Masks IPv4 and IPv6 addresses, including IPv6 compressed forms like <c>::1</c>.
+    /// Uses lookarounds instead of word boundaries so addresses starting with ':' are matched.
     /// </summary>
     public sealed class IpAddressRedactor : IQueryTextRedactor {
         private static readonly Regex IPv4 = new(
             @"\b(?:(?:25[0-5]|2[0-4]\d|1?\d{1,2})\.){3}(?:25[0-5]|2[0-4]\d|1?\d{1,2})\b",
             RegexOptions.Compiled | RegexOptions.CultureInvariant);
 
-        // Conservative IPv6: 2-7 colons, simple hextets (does not try to match every edge case like :: compression).
-        private static readonly Regex IPv6 = new(
-            @"\b(?:[A-Fa-f0-9]{1,4}:){2,7}[A-Fa-f0-9]{1,4}\b",
+        // IPv6 with '::' compression (covers ::1, fe80::1, 2001:db8::7334, etc.)
+        private static readonly Regex IPv6Compressed = new(
+            @"(?<![A-Fa-f0-9:])(?:[A-Fa-f0-9]{1,4}(?::[A-Fa-f0-9]{1,4}){0,5})?::(?:[A-Fa-f0-9]{1,4}(?::[A-Fa-f0-9]{1,4}){0,5})(?![A-Fa-f0-9:])",
+            RegexOptions.Compiled | RegexOptions.CultureInvariant);
+
+        // IPv6 without '::' compression (2–8 hextets)
+        private static readonly Regex IPv6Full = new(
+            @"(?<![A-Fa-f0-9:])(?:[A-Fa-f0-9]{1,4}:){2,7}[A-Fa-f0-9]{1,4}(?![A-Fa-f0-9:])",
             RegexOptions.Compiled | RegexOptions.CultureInvariant);
 
-        /// <inheritdoc />
         public string Redact(string input) {
-            if (string.IsNullOrEmpty(input)) return string.Empty;
-            var r = IPv4.Replace(input, "***");
-            r = IPv6.Replace(r, "***");
-            return r;
+            if (string.IsNullOrEmpty(input))
+                return string.Empty;
+
+            var result = IPv4.Replace(input, "***");
+            // Replace compressed first to ensure leading '::' forms are handled
+            result = IPv6Compressed.Replace(result, "***");
+            result = IPv6Full.Replace(result, "***");
+            return result;
         }
     }
 }

src/KeelMatrix.QueryWatch/Redaction/UrlQueryTokenRedactor.cs

@@ -4,13 +4,16 @@
 namespace KeelMatrix.QueryWatch.Redaction {
     /// <summary>
     /// Masks sensitive URL query parameters like token, access_token, code, id_token, auth.
+    /// Also handles tokens present in URL fragments (after <c>#</c>), which are common in OAuth implicit flows.
     /// </summary>
     public sealed class UrlQueryTokenRedactor : IQueryTextRedactor {
         private static readonly Regex Param = new(
-            @"(?i)(?<=[\?&])(token|access_token|code|id_token|auth)=([^&#\s]+)",
+            // the parameter name (group 1) must be preceded by ?, &, or #; value runs until next & or # or whitespace
+            @"(?i)(?:(?<=[\?&])|(?<=#))(token|access_token|code|id_token|auth)=([^&#\s]+)",
             RegexOptions.Compiled | RegexOptions.CultureInvariant);
 
         /// <inheritdoc />
-        public string Redact(string input) => string.IsNullOrEmpty(input) ? string.Empty : Param.Replace(input, m => m.Groups[1].Value + "=***");
+        public string Redact(string input)
+            => string.IsNullOrEmpty(input) ? string.Empty : Param.Replace(input, m => m.Groups[1].Value + "=***");
     }
 }

tests/KeelMatrix.QueryWatch.Tests/Redaction/ApiKeyRedactorTests.cs

@@ -1,3 +1,4 @@
+
 using FluentAssertions;
 using KeelMatrix.QueryWatch.Redaction;
 using Xunit;
@@ -46,5 +47,12 @@ public void Idempotent_Application() {
             var twice = r.Redact(once);
             twice.Should().Be(once);
         }
+
+        [Fact]
+        public void Masks_Query_Param_With_Hyphen_Or_Underscore() {
+            var r = new ApiKeyRedactor();
+            r.Redact("https://ex.com?api-key=XYZ").Should().Be("https://ex.com?api-key=***");
+            r.Redact("https://ex.com?api_key=XYZ").Should().Be("https://ex.com?api_key=***");
+        }
     }
 }

tests/KeelMatrix.QueryWatch.Tests/Redaction/ConnectionStringPasswordRedactorTests.cs

@@ -21,5 +21,19 @@ public void Leaves_Strings_Without_Password_Unchanged() {
             var input = "Server=.;Integrated Security=true;";
             r.Redact(input).Should().Be(input);
         }
+
+        [Fact]
+        public void Masks_Quoted_Passwords_With_Semicolons_Inside() {
+            var r = new ConnectionStringPasswordRedactor();
+            var input1 = "Password=\"sec;ret;value\";User Id=sa;";
+            var red1 = r.Redact(input1);
+            red1.Should().Contain("Password=***;");
+            red1.Should().NotContain("sec;ret;value");
+
+            var input2 = "Pwd='p;a;s;s';Server=.;";
+            var red2 = r.Redact(input2);
+            red2.Should().Contain("Pwd=***;");
+            red2.Should().NotContain("p;a;s;s");
+        }
     }
 }

tests/KeelMatrix.QueryWatch.Tests/Redaction/EmailRedactorTests.cs

@@ -18,5 +18,23 @@ public void Leaves_Text_Without_Emails() {
             var input = "SELECT 1;";
             r.Redact(input).Should().Be(input);
         }
+
+        [Fact]
+        public void Handles_Plus_Tagging_And_Trailing_Punctuation() {
+            var r = new EmailRedactor();
+            var input = "Please email Admin+test@Example.COM, thanks.";
+            var red = r.Redact(input);
+            red.Should().NotContain("Admin+test@Example.COM");
+            red.Should().Contain("***, thanks.");
+        }
+
+        [Fact]
+        public void Idempotent_For_Emails() {
+            var r = new EmailRedactor();
+            var input = "user@example.com";
+            var once = r.Redact(input);
+            var twice = r.Redact(once);
+            twice.Should().Be(once);
+        }
     }
 }

tests/KeelMatrix.QueryWatch.Tests/Redaction/GoogleApiKeyRedactorTests.cs

@@ -13,5 +13,12 @@ public void Masks_ApiKey_With_AIZa_Prefix() {
             var red = r.Redact(input);
             red.Should().NotContain(key).And.Contain("***");
         }
+
+        [Fact]
+        public void Does_Not_Mask_When_Length_Is_Wrong() {
+            var r = new GoogleApiKeyRedactor();
+            var key = "AIza" + new string('B', 34); // one char short
+            r.Redact(key).Should().Be(key);
+        }
     }
 }

tests/KeelMatrix.QueryWatch.Tests/Redaction/IpAddressRedactorTests.cs

@@ -21,5 +21,18 @@ public void Leaves_Non_IP_Text() {
             var r = new IpAddressRedactor();
             r.Redact("x:y").Should().Be("x:y");
         }
+
+        [Fact]
+        public void Masks_IPv6_Compressed_Forms() {
+            var r = new IpAddressRedactor();
+            r.Redact("addr=::1").Should().Be("addr=***");
+            r.Redact("addr=2001:db8::7334").Should().Be("addr=***");
+        }
+
+        [Fact]
+        public void Masks_IPv4_With_Port_Keeping_Port() {
+            var r = new IpAddressRedactor();
+            r.Redact("host=192.168.0.1:8080").Should().Be("host=***:8080");
+        }
     }
 }

tests/KeelMatrix.QueryWatch.Tests/Redaction/RegexReplaceRedactorTests.cs

@@ -9,5 +9,13 @@ public void Replaces_Matches_Using_Pattern() {
             var r = new RegexReplaceRedactor(@"\d+", "***");
             r.Redact("Id=123; Name='A'").Should().Be("Id=***; Name='A'");
         }
+
+        [Fact]
+        public void Supports_Precompiled_Regex_And_Handles_Null_Input() {
+            var compiled = new System.Text.RegularExpressions.Regex("foo", System.Text.RegularExpressions.RegexOptions.Compiled | System.Text.RegularExpressions.RegexOptions.IgnoreCase);
+            var r = new RegexReplaceRedactor(compiled, "***");
+            r.Redact("FOO bar").Should().Be("*** bar");
+            r.Redact(null!).Should().Be(string.Empty);
+        }
     }
 }

tests/KeelMatrix.QueryWatch.Tests/Redaction/TimestampRedactorTests.cs

@@ -20,5 +20,19 @@ public void Masks_Unix_Seconds_10_11_Digits() {
             red.Should().NotContain("1726750000");
             red.Should().NotContain("17267500001");
         }
+
+        [Fact]
+        public void Does_Not_Mask_Unix_Milliseconds_13_Digits() {
+            var r = new TimestampRedactor();
+            var input = "ts=1726750000000"; // 13 digits (ms), should not be treated as seconds
+            r.Redact(input).Should().Be(input);
+        }
+
+        [Fact]
+        public void Does_Not_Mask_Too_Short_Unix_Seconds() {
+            var r = new TimestampRedactor();
+            var input = "ts=123456789"; // 9 digits
+            r.Redact(input).Should().Be(input);
+        }
     }
 }