Change criteria for partial redaction
romain-gaillard committed Dec 31, 2024
1 parent d8070a9 commit c27fb75
Showing 3 changed files with 10 additions and 9 deletions.
Expand Up @@ -78,7 +78,7 @@ A secret will not be redacted if it matches any of the regular expressions. The

The `partial_mask` argument is the number of characters to show from the beginning of the secret before the redact string is added.
If set to `0`, the entire secret is redacted.
Secrets shorter than `partial_mask + 3` are redacted entirely.
If a secret is not at least 3 characters long and twice as long as the `partial_mask`, the entire secret is redacted.

## Blocks

2 changes: 1 addition & 1 deletion internal/component/loki/secretfilter/secretfilter.go
Expand Up @@ -244,7 +244,7 @@ func (c *Component) redactLine(line string, secret string, ruleName string) stri
}
if partialMask > 0 {
// Don't apply partial masking if the secret is too short
if len(secret) > partialMask*2 {
if len(secret) >= 3 && len(secret) >= partialMask*2 {
redactWith = secret[:partialMask] + redactWith
}
}
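Review bot: The relaxed bound in `if len(secret) >= 3 && len(secret) >= partialMask*2 {` now lets the revealed prefix be exactly half of the secret (an 8-byte secret with `partial_mask = 4` leaves only 4 bytes hidden in the log line), while the comment above it still only says "too short". Because `partialMask*2` is at least 4 whenever `partialMask >= 2`, the `len(secret) >= 3` clause decides the outcome only for `partialMask == 1`; the comment should state the invariant, e.g. `// Reveal the prefix only if it is at most half of the secret; the 3-byte floor only matters when partialMask is 1.` Both `len(secret)` and `secret[:partialMask]` count bytes, so for a secret containing multi-byte UTF-8 the slice can end inside a character, which is worth a guard or a note if such secrets can reach this function. redactLine starts and ends outside this hunk, so how `partialMask` is derived is not visible here.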
15 changes: 8 additions & 7 deletions internal/component/loki/secretfilter/secretfilter_test.go
Expand Up @@ -390,29 +390,30 @@ func TestPartialMasking(t *testing.T) {
// Start testing with common cases
component := &Component{}
component.args = Arguments{PartialMask: 4}

// Too short to be partially masked
redacted := component.redactLine("This is a short secret abc123 in a log line", "abc123", "test-rule")
require.Equal(t, "This is a short secret <REDACTED-SECRET:test-rule> in a log line", redacted)
redacted := component.redactLine("This is a very short secret ab in a log line", "ab", "test-rule")
require.Equal(t, "This is a very short secret <REDACTED-SECRET:test-rule> in a log line", redacted)

// Too short to be partially masked
redacted = component.redactLine("This is a longer secret abcd1234 in a log line", "abcd1234", "test-rule")
require.Equal(t, "This is a longer secret <REDACTED-SECRET:test-rule> in a log line", redacted)
redacted = component.redactLine("This is a short secret abc123 in a log line", "abc123", "test-rule")
require.Equal(t, "This is a short secret <REDACTED-SECRET:test-rule> in a log line", redacted)

// Will be partially masked
redacted = component.redactLine("This is a long enough secret abcd12345 in a log line", "abcd12345", "test-rule")
redacted = component.redactLine("This is a long enough secret abcd1234 in a log line", "abcd1234", "test-rule")
require.Equal(t, "This is a long enough secret abcd<REDACTED-SECRET:test-rule> in a log line", redacted)

// Will be partially masked
redacted = component.redactLine("This is the longest secret abcdef12345678 in a log line", "abcdef12345678", "test-rule")
require.Equal(t, "This is the longest secret abcd<REDACTED-SECRET:test-rule> in a log line", redacted)

// Test with different secret lengths and partial masking values
for _, partialMasking := range []int{1, 3, 4, 5, 9} {
for _, partialMasking := range []int{1, 2, 3, 4, 5, 9} {
for secretLength := range 30 {
if secretLength < 2 {
continue
}
expected := secretLength > partialMasking*2
expected := secretLength >= 3 && secretLength >= partialMasking*2
checkPartialMasking(t, partialMasking, secretLength, expected)
}
}
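Review bot: None of the literal cases isolates the new `len(secret) >= 3` floor: with `PartialMask: 4` the `"ab"` case is already rejected by `len(secret) >= partialMask*2`, and the loop computes `expected` with the same expression as the implementation, so a mistake shared by both would still pass. Two literal cases at `PartialMask: 1` (a two-character secret fully redacted, a three-character secret showing one character) would pin that boundary independently of the predicate. The expected strings below assume the same default redaction string as the cases above. TestPartialMasking starts before this hunk and may continue after it.

```go
// … unchanged: literal cases with PartialMask 4 …

// The 3-character floor decides the outcome only when PartialMask is 1
component.args = Arguments{PartialMask: 1}
redacted = component.redactLine("This is a two-char secret ab in a log line", "ab", "test-rule")
require.Equal(t, "This is a two-char secret <REDACTED-SECRET:test-rule> in a log line", redacted)
redacted = component.redactLine("This is a three-char secret abc in a log line", "abc", "test-rule")
require.Equal(t, "This is a three-char secret a<REDACTED-SECRET:test-rule> in a log line", redacted)
```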