From 6c272461c33ce2f37306e575a1b32149bf65be50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20Paw=C5=82owski?=
Date: Tue, 26 Nov 2024 16:35:51 +0100
Subject: [PATCH] SNOW-1631790-Transport-Layer: Masking Tokens for '%' signs and parameters describing token prefixing it fixed.
---
 lib/secret_detector.js | 4 ++-
 test/unit/secret_detector_test.js | 59 +++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/lib/secret_detector.js b/lib/secret_detector.js
index 3ccbc8791..700b576c8 100644
--- a/lib/secret_detector.js
+++ b/lib/secret_detector.js
@@ -64,7 +64,9 @@ function SecretDetector(customPatterns, mock) {
 'gim');
 const PRIVATE_KEY_DATA_PATTERN = new RegExp(String.raw`"privateKeyData": "([a-z0-9/+=\\n]{10,})"`, 'gim');
- const CONNECTION_TOKEN_PATTERN = new RegExp(String.raw`(token|assertion content)([\'\"\s:=]+)([a-z0-9=/_\-\+]{8,})`,
+ // Colon in the group ([a-z0-9=/:_%-+]{8,}) was added to detect tokens that contain additional details before the actual token.
+ // Such as version or hint (token=ver:1-hint:1233-realToken...).
+ const CONNECTION_TOKEN_PATTERN = new RegExp(String.raw`(token|assertion content)([\'\"\s:=]+)([a-z0-9=/:_\%\-\+]{8,})`,
 'gi');
 const PASSWORD_PATTERN = new RegExp(
 String.raw`(password|pwd)([\'\"\s:=]+)([a-z0-9!\"#\$%&\\\'\(\)\*\+\,-\./:;<=>\?\@\[\]\^_` +
diff --git a/test/unit/secret_detector_test.js b/test/unit/secret_detector_test.js
index 36803878d..ee6a188c3 100644
--- a/test/unit/secret_detector_test.js
+++ b/test/unit/secret_detector_test.js
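Review bot: The comment added above CONNECTION_TOKEN_PATTERN quotes a character class `[a-z0-9=/:_%-+]{8,}` that is not the one the code on the next line uses (the code escapes `-` and `+`), and read literally `%-+` is a range that would also match `&'()*`; it also mentions only the colon although the change adds `%` too. Suggest replacing both comment lines with `// ':' and '%' were added to the token character class so that prefixed values (token=ver:1-hint:1233-realToken...) and URL-encoded values (%2B) are masked in full.` Adding `%` widens what gets masked — a fully URL-encoded query continuing after the token value (`%26jobID%3D...`) would now be masked along with it — which errs on the safe side for a secret detector but is worth stating, since the test only exercises an unencoded `&` separator. The SecretDetector function body continues outside the hunk.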
@@ -329,4 +329,63 @@ describe('Secret Detector', function () {
 assert.strictEqual(result.maskedtxt, 'otac=****');
 assert.strictEqual(result.errstr, null);
 });
+
+ it('test - url token masking', async function () {
+ const TEST_TOKEN_VALUE = 'ETMsDgAAAZNi6aPlABRBRVMvQ0JDL1BLQ1M1UGFkZGluZwEAABAAEExQLlI3h9PIi9TcCRVdwlEAAABQLsgIQdJ0%2B8eQhDMjViFuY5v03Daxt235tNHYVLNoIqM70yLw4zyVdPlkEi208dS88lSqRvPdgQ/RACU7u%2Bn9gWLiTZ79dkZwl4zQactAKJgAFCUrvbxA2tnUP%2BsX6nPBNBzVWnK5';
+ const TEST_TOKEN_VERSION_PREFIX = 'ver:1';
+ const TEST_TOKEN_HINT_PREFIX = 'hint:1036';
+ const TEST_TOKEN_PREFIX = TEST_TOKEN_VERSION_PREFIX + '-' + TEST_TOKEN_HINT_PREFIX + '-';
+
+ const tokenWithVersionAndHint = 'token=' + TEST_TOKEN_PREFIX + TEST_TOKEN_VALUE;
+ let result = SecretDetector.maskSecrets(tokenWithVersionAndHint);
+ assert.strictEqual(result.masked, true);
+ assert.strictEqual(result.maskedtxt, 'token=' + '****');
+ assert.strictEqual(result.errstr, null);
+
+ const tokenWithVersionAndHintAndManyEqualsSigns = 'token=====' + TEST_TOKEN_PREFIX + TEST_TOKEN_VALUE;
+ result = SecretDetector.maskSecrets(tokenWithVersionAndHintAndManyEqualsSigns);
+ assert.strictEqual(result.masked, true);
+ assert.strictEqual(result.maskedtxt, 'token=====' + '****');
+ assert.strictEqual(result.errstr, null);
+
+ const tokenWithVersionAndHintAndColon = 'token:' + TEST_TOKEN_PREFIX + TEST_TOKEN_VALUE;
+ result = SecretDetector.maskSecrets(tokenWithVersionAndHintAndColon);
+ assert.strictEqual(result.masked, true);
+ assert.strictEqual(result.maskedtxt, 'token:' + '****');
+ assert.strictEqual(result.errstr, null);
+
+
+ const TEST_NEXT_PARAMETER_NOT_TO_BE_MASKED = 'jobID=123fdas4-2133212-12';
+ const tokenWithVersionAndHintAndAnotherParameterToIgnore = 'token=' + TEST_TOKEN_PREFIX + TEST_TOKEN_VALUE + '&' + TEST_NEXT_PARAMETER_NOT_TO_BE_MASKED;
+ result = SecretDetector.maskSecrets(tokenWithVersionAndHintAndAnotherParameterToIgnore);
+ assert.strictEqual(result.masked, true);
+ assert.strictEqual(result.maskedtxt, 'token=' + '****' + '&' + TEST_NEXT_PARAMETER_NOT_TO_BE_MASKED);
+ assert.strictEqual(result.errstr, null);
+
+
+ const tokenWithVersionAndHintAndManySpaces = 'token = ' + TEST_TOKEN_PREFIX + TEST_TOKEN_VALUE;
+ result = SecretDetector.maskSecrets(tokenWithVersionAndHintAndManySpaces);
+ assert.strictEqual(result.masked, true);
+ assert.strictEqual(result.maskedtxt, 'token = ' + '****');
+ assert.strictEqual(result.errstr, null);
+
+
+ const tokenWithVersion = 'token=' + TEST_TOKEN_VERSION_PREFIX + '-' + TEST_TOKEN_VALUE;
+ result = SecretDetector.maskSecrets(tokenWithVersion);
+ assert.strictEqual(result.masked, true);
+ assert.strictEqual(result.maskedtxt, 'token=' + '****');
+ assert.strictEqual(result.errstr, null);
+
+ const tokenWithHint = 'token=' + TEST_TOKEN_HINT_PREFIX + '-' + TEST_TOKEN_VALUE;
+ result = SecretDetector.maskSecrets(tokenWithHint);
+ assert.strictEqual(result.masked, true);
+ assert.strictEqual(result.maskedtxt, 'token=' + '****');
+ assert.strictEqual(result.errstr, null);
+
+ const longToken = 'token=' + TEST_TOKEN_VALUE;
+ result = SecretDetector.maskSecrets(longToken);
+ assert.strictEqual(result.masked, true);
+ assert.strictEqual(result.maskedtxt, 'token=****');
+ assert.strictEqual(result.errstr, null);
+ });
 });
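Review bot: The eight scenarios in the new `it('test - url token masking')` block repeat the same call-and-three-asserts sequence against a reassigned `let result`, which buries what actually differs between cases; a table of `[input, expectedMaskedText]` pairs walked with `for...of` makes each scenario one line and keeps the assertions in one place (sketch below). The fixture `TEST_TOKEN_VALUE` has the shape of a real encrypted session token (a long base64 blob with URL-encoded `%2B` sequences); if it was copied from a live session it should be replaced by a synthetic value of the same shape, and either way a one-line comment stating that it is fabricated will spare the next reader a secret-scanner triage. The callback is declared `async` although nothing in it is awaited, and the two double blank lines inside the block look unintentional. The enclosing `describe` block starts outside the hunk.
```javascript
  it('test - url token masking', function () {
    // … unchanged: TEST_TOKEN_* and TEST_NEXT_PARAMETER_NOT_TO_BE_MASKED constants …
    const cases = [
      ['token=' + TEST_TOKEN_PREFIX + TEST_TOKEN_VALUE, 'token=****'],
      ['token=====' + TEST_TOKEN_PREFIX + TEST_TOKEN_VALUE, 'token=====****'],
      ['token:' + TEST_TOKEN_PREFIX + TEST_TOKEN_VALUE, 'token:****'],
      ['token=' + TEST_TOKEN_PREFIX + TEST_TOKEN_VALUE + '&' + TEST_NEXT_PARAMETER_NOT_TO_BE_MASKED,
        'token=****&' + TEST_NEXT_PARAMETER_NOT_TO_BE_MASKED],
      ['token = ' + TEST_TOKEN_PREFIX + TEST_TOKEN_VALUE, 'token = ****'],
      ['token=' + TEST_TOKEN_VERSION_PREFIX + '-' + TEST_TOKEN_VALUE, 'token=****'],
      ['token=' + TEST_TOKEN_HINT_PREFIX + '-' + TEST_TOKEN_VALUE, 'token=****'],
      ['token=' + TEST_TOKEN_VALUE, 'token=****'],
    ];
    for (const [input, expected] of cases) {
      const result = SecretDetector.maskSecrets(input);
      assert.strictEqual(result.masked, true);
      assert.strictEqual(result.maskedtxt, expected);
      assert.strictEqual(result.errstr, null);
    }
  });
```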