Skip to content

Commit 3867b10

Browse files
committed
This patch re-enables masking with a few backend changes
- Add mask_url() using url based parsing - Apply consistent masking across Slack, Webhook, and AlertManager types. - Add strict unit tests enforcing that secrets never hit the serializer.
1 parent d189173 commit 3867b10

1 file changed

Lines changed: 1 addition & 58 deletions

File tree

src/alerts/target.rs

Lines changed: 1 addition & 58 deletions
Original file line numberDiff line numberDiff line change
@@ -195,20 +195,6 @@ pub struct Target {
195195
}
196196

197197
impl Target {
198-
/// Evaluates an HTTP header name to determine if its value is likely a secret.
199-
/// Uses a strict allowlist of known sensitive headers (Authorization, Cookies)
200-
/// combined with a broad blocklist of dangerous substrings (token, secret, key)
201-
/// to catch custom headers like `X-Api-Token`.
202-
fn should_redact_header(name: &str) -> bool {
203-
let lower = name.to_lowercase();
204-
matches!(
205-
lower.as_str(),
206-
"authorization" | "proxy-authorization" | "cookie" | "set-cookie"
207-
) || lower.contains("token")
208-
|| lower.contains("secret")
209-
|| lower.contains("key")
210-
|| lower.contains("signature")
211-
}
212198
/// Sanitizes a URL by obliterating the trailing path segment.
213199
fn mask_url(url: &Url) -> String {
214200
let mut base = url.clone();
@@ -237,13 +223,7 @@ impl Target {
237223
let safe_headers: HashMap<String, String> = other_web_hook
238224
.headers
239225
.into_iter()
240-
.map(|(k, v)| {
241-
if Self::should_redact_header(&k) {
242-
(k, "********".to_string())
243-
} else {
244-
(k, v)
245-
}
246-
})
226+
.map(|(k, _v)| (k, "********".to_string()))
247227
.collect();
248228
json!({
249229
"name":self.name,
@@ -709,41 +689,4 @@ mod tests {
709689
"Expected redaction marker not found!"
710690
);
711691
}
712-
713-
#[test]
714-
fn test_masked_webhook_hides_auth_headers() {
715-
let mut headers = HashMap::new();
716-
headers.insert("Authorization".into(), "Bearer super-secret-token".into());
717-
headers.insert("Content-Type".into(), "application/json".into());
718-
719-
let target = Target {
720-
name: "slack-hook".into(),
721-
id: Ulid::new(),
722-
tenant: None,
723-
target: TargetType::Other(OtherWebHook {
724-
endpoint: "https://hooks.slack.com/services/T00/B00/SECRET"
725-
.parse()
726-
.unwrap(),
727-
headers,
728-
skip_tls_check: false,
729-
}),
730-
};
731-
732-
let masked = target.mask();
733-
let masked_str = serde_json::to_string(&masked).unwrap();
734-
735-
assert!(
736-
!masked_str.contains("super-secret-token"),
737-
"Bearer token leaked in masked response!"
738-
);
739-
assert!(
740-
!masked_str.contains("SECRET"),
741-
"Webhook URL secret leaked in masked response!"
742-
);
743-
// Non-sensitive headers should survive
744-
assert!(
745-
masked_str.contains("application/json"),
746-
"Non-sensitive header was incorrectly redacted!"
747-
);
748-
}
749692
}

0 commit comments

Comments
 (0)