Merge branch 'main' into dependabot/github_actions/github-actions-50048bcef6

Author: GrantBirki

Gemfile.lock

@@ -49,7 +49,7 @@ GEM
       date
       stringio
     racc (1.8.1)
-    rack (3.1.12)
+    rack (3.1.14)
     rainbow (3.1.1)
     rdoc (6.13.1)
       psych (>= 4.0.0)

lib/patterns/default.rb

@@ -47,6 +47,10 @@ module Patterns
     # Vault Tokens
     # https://github.com/hashicorp/vault/issues/27151
     /[sbr]\.[a-zA-Z0-9]{24,}/, # <= 1.9.x
-    /hv[sbr]\.[a-zA-Z0-9]{24,}/ # >= 1.10
+    /hv[sbr]\.[a-zA-Z0-9]{24,}/, # >= 1.10
+
+    # Authorization bearer tokens
+    # https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
+    /(?i)authorization:\s+bearer\s+[A-Za-z0-9\-_\.=~+\/]+/,
   ].freeze
 end

spec/lib/redacting_logger_spec.rb

@@ -160,6 +160,51 @@
         case: "redacts a RubyGems token",
         message: "using rubygems token: rubygems_0123456789abcdef0123456789abcdef0123456789abcdef",
         expected_message: "using rubygems token: [REDACTED]"
+      },
+      {
+        case: "redacts authorization bearer token",
+        message: '-H  "Authorization: Bearer ab123456789a1abcd1~_.-+456ABCDE=" -H "Content-Type: application/json"',
+        expected_message: '-H  "[REDACTED]" -H "Content-Type: application/json"'
+      },
+      {
+        case: "redacts authorization bearer token with case insensitivity",
+        message: '-H  "authorizAtion: beaRer ab123456789a1abcd1~_.-+456ABCDE=" -H "Content-Type: application/json"',
+        expected_message: '-H  "[REDACTED]" -H "Content-Type: application/json"'
+      },
+      {
+        case: "redacts authorization bearer token with extra spaces and tabs",
+        message: "authorization:    bearer   abcd1234",
+        expected_message: "[REDACTED]"
+      },
+      {
+        case: "redacts authorization bearer token with special characters",
+        message: "authorization: bearer aBcD-_=~+/1234",
+        expected_message: "[REDACTED]"
+      },
+      {
+        case: "redacts authorization bearer token at start of string",
+        message: "authorization: bearer tokenatstart",
+        expected_message: "[REDACTED]"
+      },
+      {
+        case: "redacts authorization bearer token at end of string",
+        message: "some text authorization: bearer tokenatend",
+        expected_message: "some text [REDACTED]"
+      },
+      {
+        case: "redacts multiple authorization bearer tokens in one string",
+        message: "authorization: bearer token1 and authorization: bearer token2",
+        expected_message: "[REDACTED] and [REDACTED]"
+      },
+      {
+        case: "redacts authorization bearer token with minimum plausible length",
+        message: "authorization: bearer a",
+        expected_message: "[REDACTED]"
+      },
+      {
+        case: "redacts authorization bearer token with maximum plausible length",
+        message: "authorization: bearer #{'a' * 256}",
+        expected_message: "[REDACTED]"
       }
     ].each do |test|
       it "redacts #{test[:case]}" do