feature: capture and mask explicit password mentions
feature: capture passwords in uris
mvelten committed Oct 17, 2023
1 parent aed8135 commit 4b8b17a
Showing 2 changed files with 24 additions and 5 deletions.
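--- a/src/lib/dataGuard.ts
+++ b/src/lib/dataGuard.ts
@@ -40,9 +40,15 @@ const sensitiveContentRegExp = {
 ssn: /\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b/g,
 url: /\b(?:https?|ftp):\/\/[a-z0-9-+&@#/%?=~_|!:,.;]*[a-z0-9-+&@#/%=~_|]\b/gi,
 ipv4: /\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b/g,
-email: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g,
-password: /(?=\S*\d)(?=\S*[A-Za-z])[\w!@#$%^&*()_+=\-,.]{6,}/gm,
-passwordFollowingText: /(?<=password:\s*)\S+/gi,
+email: /(?<=^|[\s'"-#+.><])[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g,
+password: /\b(?=\S*\d)(?=\S*[A-Za-z])[\w!@#$%^&*()_+=\-,.]{6,}\b/gm,
+passwordInUri: /(?<=:\/\/[^:]+:)[^@]+?(?=@)/,
+// passwordMention: /(?<=.*(password|passwd|pwd)[:\s*]?)[^\s:]+/gi,
+passwordMention: /(?<=.*(password|passwd|pwd)(?:\s*:\s*|\s+))\S+/gi,
+
+// passwordMentionWithColon: /(?<=.*(password|passwd|pwd):\s*)[^\s:]+/gi,
+// passwordMentionWithoutColon: /(?<=.*(password|passwd|pwd)\s+)[^\s:]+/gi,
+
 uuid: /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b/gi
 } as const;
 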
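Review bot: `passwordInUri` is the only pattern in `sensitiveContentRegExp` without the `g` flag, so if the masking code applies these patterns with `replace` (not visible in this hunk), only the first credential in a string would be masked and a second URI on the same log line would keep its password. Its lookbehind `[^:]+` is also unbounded, so it can run across whitespace and unrelated text between any `://` and a later `:`; I would confine both parts to the userinfo, e.g. `passwordInUri: /(?<=:\/\/[^:@\/\s]+:)[^@\s]+(?=@)/g,`. Separately, the leading `.*` inside the `passwordMention` lookbehind is redundant and makes every match attempt rescan the line, a cost worth avoiding on log text that outside parties can influence; `(?<=(password|passwd|pwd)(?:\s*:\s*|\s+))\S+` matches the same positions. The three commented-out alternatives could be dropped before merge, and note that the object literal begins above this hunk.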
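--- a/tests/masking.test.ts
+++ b/tests/masking.test.ts
@@ -133,7 +133,7 @@ describe('Test all possible masking', () => {
 'a dude once exposed his super secret A1vbcvc.De#3435?r password to the world but luckily we could help'
 )
 ).toBe(
-'a dude once exposed his super secret A1***********35?r password to the world but luckily we could help'
+'a dude once exposed his super secret A1***********35?r password ** the world but luckily we could help'
 );
 });
 
@@ -180,7 +180,7 @@ describe('Test all possible masking', () => {
 and my email john.doe@acme.com on the website, a friend recommended ... it can be found under https://www.acme.com/scam?user=john.doe&password=A1vbcvc.De#3435?r`;
 const result = maskString(fullText);
 expect(result).toBe(
-`I once entered my credit card number 12***************21 and my password A1***********35?r
+`I once entered my credit card number 12***************21 and my password A1*************?r
 and my email jo*************om on the website, a friend recommended ... it can be found under ht**************************************************************?r`
 );
 });
@@ -364,4 +364,17 @@ describe('Test all possible masking', () => {
 const maskedErrorX = maskData(sensitiveError);
 expect(maskedErrorX.message).toBe('Sensitive message containing user password: Su****************d!');
 });
+
+it('should mask any explicit password mentions', () => {
+expect(maskString('here is my password: test01!')).toBe('here is my password: te***1!');
+expect(maskString('here is my SecretPassword: test')).toBe('here is my SecretPassword: ****');
+expect(maskString('here is my passwd test')).toBe('here is my passwd ****');
+expect(maskString('here is my pwd test01!')).toBe('here is my pwd te***1!');
+});
+
+it('should capture any password in an uri-based string fragment', () => {
+expect(
+maskString('connection to postgres://dbuser:MySuperSecretPassword@myhost.com successfully established')
+).toBe('connection to postgres://dbuser:My*****************rd@myhost.com successfully established');
+});
 });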
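Review bot: The new cases in 'should capture any password in an uri-based string fragment' and 'should mask any explicit password mentions' each use a single well-formed secret per input, so a second credential left unmasked in the same string would go unnoticed. I would add a case that passes two credential-bearing URIs in one string and expects both passwords to be masked, plus one for a `password=value` form outside a URL, since the mention pattern only accepts a colon or whitespace as separator. The updated expectation in the first hunk (`password ** the world`) also pins masking of an ordinary word that happens to follow "password"; if that over-masking is accepted, say so next to the assertion, e.g. `// known over-masking: any token after "password" is treated as a secret`.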
