SNOW-1631790-Transport-Layer: Masking Tokens for '%' signs and parame…

…ters describing token prefixing it fixed.
snowflakedb · Dec 5, 2024 · 6c27246 · 6c27246
1 parent 3271d0a
commit 6c27246
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 1 deletion.
diff --git a/lib/secret_detector.js b/lib/secret_detector.js
@@ -64,7 +64,9 @@ function SecretDetector(customPatterns, mock) {
     'gim');
   const PRIVATE_KEY_DATA_PATTERN = new RegExp(String.raw`"privateKeyData": "([a-z0-9/+=\\n]{10,})"`,
     'gim');
-  const CONNECTION_TOKEN_PATTERN = new RegExp(String.raw`(token|assertion content)([\'\"\s:=]+)([a-z0-9=/_\-\+]{8,})`,
+  // Colon in the group ([a-z0-9=/:_%-+]{8,}) was added to detect tokens that contain additional details before the actual token.
+  // Such as version or hint (token=ver:1-hint:1233-realToken...).
+  const CONNECTION_TOKEN_PATTERN = new RegExp(String.raw`(token|assertion content)([\'\"\s:=]+)([a-z0-9=/:_\%\-\+]{8,})`,
     'gi');
   const PASSWORD_PATTERN = new RegExp(
     String.raw`(password|pwd)([\'\"\s:=]+)([a-z0-9!\"#\$%&\\\'\(\)\*\+\,-\./:;<=>\?\@\[\]\^_` +

diff --git a/test/unit/secret_detector_test.js b/test/unit/secret_detector_test.js
@@ -329,4 +329,63 @@ describe('Secret Detector', function () {
     assert.strictEqual(result.maskedtxt, 'otac=****');
     assert.strictEqual(result.errstr, null);
   });
+
+  it('test - url token masking', async function () {
+    const TEST_TOKEN_VALUE = 'ETMsDgAAAZNi6aPlABRBRVMvQ0JDL1BLQ1M1UGFkZGluZwEAABAAEExQLlI3h9PIi9TcCRVdwlEAAABQLsgIQdJ0%2B8eQhDMjViFuY5v03Daxt235tNHYVLNoIqM70yLw4zyVdPlkEi208dS88lSqRvPdgQ/RACU7u%2Bn9gWLiTZ79dkZwl4zQactAKJgAFCUrvbxA2tnUP%2BsX6nPBNBzVWnK5';
+    const TEST_TOKEN_VERSION_PREFIX = 'ver:1';
+    const TEST_TOKEN_HINT_PREFIX = 'hint:1036';
+    const TEST_TOKEN_PREFIX = TEST_TOKEN_VERSION_PREFIX + '-' + TEST_TOKEN_HINT_PREFIX + '-';
+
+    const tokenWithVersionAndHint = 'token=' + TEST_TOKEN_PREFIX + TEST_TOKEN_VALUE;
+    let result = SecretDetector.maskSecrets(tokenWithVersionAndHint);
+    assert.strictEqual(result.masked, true);
+    assert.strictEqual(result.maskedtxt, 'token=' + '****');
+    assert.strictEqual(result.errstr, null);
+
+    const tokenWithVersionAndHintAndManyEqualsSigns = 'token=====' + TEST_TOKEN_PREFIX + TEST_TOKEN_VALUE;
+    result = SecretDetector.maskSecrets(tokenWithVersionAndHintAndManyEqualsSigns);
+    assert.strictEqual(result.masked, true);
+    assert.strictEqual(result.maskedtxt, 'token=====' + '****');
+    assert.strictEqual(result.errstr, null);
+
+    const tokenWithVersionAndHintAndColon = 'token:' + TEST_TOKEN_PREFIX + TEST_TOKEN_VALUE;
+    result = SecretDetector.maskSecrets(tokenWithVersionAndHintAndColon);
+    assert.strictEqual(result.masked, true);
+    assert.strictEqual(result.maskedtxt, 'token:' + '****');
+    assert.strictEqual(result.errstr, null);
+
+
+    const TEST_NEXT_PARAMETER_NOT_TO_BE_MASKED = 'jobID=123fdas4-2133212-12';
+    const tokenWithVersionAndHintAndAnotherParameterToIgnore = 'token=' + TEST_TOKEN_PREFIX + TEST_TOKEN_VALUE + '&' + TEST_NEXT_PARAMETER_NOT_TO_BE_MASKED;
+    result = SecretDetector.maskSecrets(tokenWithVersionAndHintAndAnotherParameterToIgnore);
+    assert.strictEqual(result.masked, true);
+    assert.strictEqual(result.maskedtxt, 'token=' + '****' + '&' + TEST_NEXT_PARAMETER_NOT_TO_BE_MASKED);
+    assert.strictEqual(result.errstr, null);
+
+
+    const tokenWithVersionAndHintAndManySpaces = 'token    =    ' + TEST_TOKEN_PREFIX + TEST_TOKEN_VALUE;
+    result = SecretDetector.maskSecrets(tokenWithVersionAndHintAndManySpaces);
+    assert.strictEqual(result.masked, true);
+    assert.strictEqual(result.maskedtxt, 'token    =    ' + '****');
+    assert.strictEqual(result.errstr, null);
+
+
+    const tokenWithVersion = 'token=' + TEST_TOKEN_VERSION_PREFIX + '-' + TEST_TOKEN_VALUE;
+    result = SecretDetector.maskSecrets(tokenWithVersion);
+    assert.strictEqual(result.masked, true);
+    assert.strictEqual(result.maskedtxt, 'token=' + '****');
+    assert.strictEqual(result.errstr, null);
+
+    const tokenWithHint = 'token=' + TEST_TOKEN_HINT_PREFIX + '-' + TEST_TOKEN_VALUE;
+    result = SecretDetector.maskSecrets(tokenWithHint);
+    assert.strictEqual(result.masked, true);
+    assert.strictEqual(result.maskedtxt, 'token=' + '****');
+    assert.strictEqual(result.errstr, null);
+
+    const longToken = 'token=' + TEST_TOKEN_VALUE;
+    result = SecretDetector.maskSecrets(longToken);
+    assert.strictEqual(result.masked, true);
+    assert.strictEqual(result.maskedtxt, 'token=****');
+    assert.strictEqual(result.errstr, null);
+  });
 });