|
| 1 | +package sanitize |
| 2 | + |
| 3 | +import ( |
| 4 | + "encoding/json" |
| 5 | + "regexp" |
| 6 | + "strings" |
| 7 | +) |
| 8 | + |
| 9 | +// SecretPatterns contains regex patterns for detecting potential secrets |
| 10 | +var SecretPatterns = []*regexp.Regexp{ |
| 11 | + regexp.MustCompile(`(?i)(token|key|secret|password|auth)[=:]\s*[^\s]{8,}`), |
| 12 | + regexp.MustCompile(`ghp_[a-zA-Z0-9]{36,}`), // GitHub PATs |
| 13 | + regexp.MustCompile(`github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}`), // GitHub fine-grained PATs |
| 14 | + regexp.MustCompile(`(?i)bearer\s+[a-zA-Z0-9\-._~+/]+=*`), // Bearer tokens |
| 15 | + regexp.MustCompile(`(?i)authorization:\s*[a-zA-Z0-9\-._~+/]+=*`), // Auth headers |
| 16 | + regexp.MustCompile(`[a-f0-9]{32,}`), // Long hex strings (API keys) |
| 17 | + regexp.MustCompile(`(?i)(apikey|api_key|access_key)[=:]\s*[^\s]{8,}`), // API keys |
| 18 | + regexp.MustCompile(`(?i)(client_secret|client_id)[=:]\s*[^\s]{8,}`), // OAuth secrets |
| 19 | + regexp.MustCompile(`[a-zA-Z0-9_-]{20,}\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+`), // JWT tokens |
| 20 | + // JSON-specific patterns for field:value pairs |
| 21 | + regexp.MustCompile(`(?i)"(token|password|passwd|pwd|apikey|api_key|api-key|secret|client_secret|api_secret|authorization|auth|key|private_key|public_key|credentials|credential|access_token|refresh_token|bearer_token)"\s*:\s*"[^"]{1,}"`), |
| 22 | +} |
| 23 | + |
| 24 | +// SanitizeString replaces potential secrets in a string with [REDACTED] |
| 25 | +func SanitizeString(message string) string { |
| 26 | + result := message |
| 27 | + for _, pattern := range SecretPatterns { |
| 28 | + result = pattern.ReplaceAllStringFunc(result, func(match string) string { |
| 29 | + // Keep the prefix (key name) but redact the value |
| 30 | + if strings.Contains(match, "=") || strings.Contains(match, ":") { |
| 31 | + parts := regexp.MustCompile(`[=:]\s*`).Split(match, 2) |
| 32 | + if len(parts) == 2 { |
| 33 | + return parts[0] + "=[REDACTED]" |
| 34 | + } |
| 35 | + } |
| 36 | + // For tokens without key=value format, redact entirely |
| 37 | + return "[REDACTED]" |
| 38 | + }) |
| 39 | + } |
| 40 | + return result |
| 41 | +} |
| 42 | + |
| 43 | +// SanitizeJSON sanitizes a JSON payload by applying regex patterns to the entire string |
| 44 | +// It takes raw bytes, applies regex sanitization in one pass, and returns sanitized bytes |
| 45 | +func SanitizeJSON(payloadBytes []byte) json.RawMessage { |
| 46 | + // Apply regex sanitization to the entire string in one pass |
| 47 | + sanitized := SanitizeString(string(payloadBytes)) |
| 48 | + |
| 49 | + // Validate that the result is valid JSON for RawMessage |
| 50 | + // If not valid, wrap it in a JSON object |
| 51 | + if !json.Valid([]byte(sanitized)) { |
| 52 | + // Create a valid JSON object with the invalid content as a string |
| 53 | + wrapped := map[string]string{ |
| 54 | + "_error": "invalid JSON", |
| 55 | + "_raw": sanitized, |
| 56 | + } |
| 57 | + wrappedBytes, _ := json.Marshal(wrapped) |
| 58 | + return json.RawMessage(wrappedBytes) |
| 59 | + } |
| 60 | + |
| 61 | + // Marshal and unmarshal to ensure single-line JSON (removes newlines/whitespace) |
| 62 | + var tmp interface{} |
| 63 | + if err := json.Unmarshal([]byte(sanitized), &tmp); err != nil { |
| 64 | + // Should not happen since we validated above, but handle gracefully |
| 65 | + wrapped := map[string]string{ |
| 66 | + "_error": "failed to parse JSON", |
| 67 | + "_raw": sanitized, |
| 68 | + } |
| 69 | + wrappedBytes, _ := json.Marshal(wrapped) |
| 70 | + return json.RawMessage(wrappedBytes) |
| 71 | + } |
| 72 | + compactBytes, _ := json.Marshal(tmp) |
| 73 | + return json.RawMessage(compactBytes) |
| 74 | +} |
0 commit comments