fix(fs-watcher): redact PEM private-key blocks and standalone JWTs in previews (#448) (#450)

rohitg00 · web-flow · commit 00df540c8735 · 2026-05-17T12:41:14.000+01:00
PR #332 covered KEY=value and Bearer-prefixed tokens. This extends the filesystem watcher's preview pipeline to also collapse multi-line and inline PEM private-key blocks (RSA / DSA / EC / OPENSSH / ENCRYPTED / generic) into a single REDACTED line bracketed by the BEGIN/END markers, and to redact standalone JWT-looking strings outside Bearer context. JWT redaction requires a three-segment dot pattern AND total length >= 100 chars to avoid matching incidental base64-shaped words. Closes #448
diff --git a/integrations/filesystem-watcher/watcher.mjs b/integrations/filesystem-watcher/watcher.mjs
@@ -29,6 +29,10 @@ const DEFAULT_IGNORE = [
 const MAX_PREVIEW_BYTES = 4096;
 const DEBOUNCE_MS = 500;
 const REDACTED = "[REDACTED]";
+const PEM_BEGIN_RE = /-----BEGIN [A-Z ]*PRIVATE KEY-----/;
+const PEM_END_RE = /-----END [A-Z ]*PRIVATE KEY-----/;
+const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g;
+const JWT_MIN_LEN = 100;
 
 function isDotEnvPath(path) {
   const name = basename(path).toLowerCase();
@@ -53,19 +57,63 @@ function isSensitiveKey(key) {
   ].some((needle) => normalized.includes(needle));
 }
 
+function redactJwtTokens(line) {
+  return line.replace(JWT_RE, (match) => (match.length >= JWT_MIN_LEN ? REDACTED : match));
+}
+
 function redactSensitiveLine(line) {
+  if (PEM_BEGIN_RE.test(line) || PEM_END_RE.test(line)) {
+    return line;
+  }
   const assignment = line.match(
     /^(\s*(?:export\s+)?["']?([A-Za-z_][A-Za-z0-9_.-]*)["']?\s*([=:])\s*)(.*)$/,
   );
   if (assignment && isSensitiveKey(assignment[2])) {
     const bearer = assignment[3] === ":" ? assignment[4].match(/^(Bearer\s+).+/i) : null;
     return `${assignment[1]}${bearer ? bearer[1] : ""}${REDACTED}`;
   }
-  return line.replace(/\b(Bearer\s+)[A-Za-z0-9._~+/=-]{8,}\b/gi, `$1${REDACTED}`);
+  const bearerRedacted = line.replace(
+    /\b(Bearer\s+)[A-Za-z0-9._~+/=-]{8,}\b/gi,
+    `$1${REDACTED}`,
+  );
+  return redactJwtTokens(bearerRedacted);
+}
+
+function redactPemBlocks(preview) {
+  const lines = preview.split("\n");
+  const out = [];
+  let inBlock = false;
+  for (const line of lines) {
+    if (!inBlock) {
+      const beginMatch = line.match(PEM_BEGIN_RE);
+      if (!beginMatch) {
+        out.push(line);
+        continue;
+      }
+      const beginIdx = beginMatch.index;
+      const endMatch = line.match(PEM_END_RE);
+      if (endMatch && endMatch.index > beginIdx) {
+        const before = line.slice(0, beginIdx);
+        const after = line.slice(endMatch.index + endMatch[0].length);
+        out.push(`${before}${beginMatch[0]}${REDACTED}${endMatch[0]}${after}`);
+      } else {
+        out.push(`${line.slice(0, beginIdx)}${beginMatch[0]}`);
+        out.push(REDACTED);
+        inBlock = true;
+      }
+    } else {
+      const endMatch = line.match(PEM_END_RE);
+      if (endMatch) {
+        out.push(`${endMatch[0]}${line.slice(endMatch.index + endMatch[0].length)}`);
+        inBlock = false;
+      }
+    }
+  }
+  return out.join("\n");
 }
 
 function redactSensitivePreview(preview) {
-  return preview.split("\n").map(redactSensitiveLine).join("\n");
+  return redactPemBlocks(preview).split("\n").map(redactSensitiveLine).join("\n");
 }
 
 export class FilesystemWatcher {
diff --git a/test/fs-watcher.test.ts b/test/fs-watcher.test.ts
@@ -212,6 +212,122 @@ describe("FilesystemWatcher", () => {
     expect(content).not.toContain("plaintext-token-value");
   });
 
+  it("collapses multi-line PEM private-key blocks while keeping BEGIN/END markers", async () => {
+    const dashes = "-".repeat(5);
+    const rsaBegin = `${dashes}BEGIN RSA PRIVATE KEY${dashes}`;
+    const rsaEnd = `${dashes}END RSA PRIVATE KEY${dashes}`;
+    const sshBegin = `${dashes}BEGIN OPENSSH PRIVATE KEY${dashes}`;
+    const sshEnd = `${dashes}END OPENSSH PRIVATE KEY${dashes}`;
+    writeFileSync(
+      join(root, "id_rsa.txt"),
+      [
+        rsaBegin,
+        "MIIEowIBAAKCAQEAuRFakeRsaBodyLine1ShouldNeverLeakToObservationPipeline",
+        "MoreFakeBase64BodyForRsaKeyMaterialThatMustStayRedacted",
+        "YetAnotherSecretLineOfBase64KeyContentNoOneShouldRead",
+        rsaEnd,
+        "",
+        sshBegin,
+        "b3BlbnNzaC1mYWtlLWtleS1ib2R5LWxpbmUtb25l",
+        "b3BlbnNzaC1mYWtlLWtleS1ib2R5LWxpbmUtdHdv",
+        sshEnd,
+        "",
+      ].join("\n"),
+    );
+    const w = new FilesystemWatcher({
+      roots: [root],
+      baseUrl: "http://localhost:3111",
+      logger: { info: vi.fn(), warn: vi.fn(), error: vi.fn() },
+    });
+
+    await w.flush(root, "id_rsa.txt");
+
+    expect(captured).toHaveLength(1);
+    const content = (captured[0].body as { data: { content: string } }).data.content;
+    expect(content).toContain(rsaBegin);
+    expect(content).toContain(rsaEnd);
+    expect(content).toContain(sshBegin);
+    expect(content).toContain(sshEnd);
+    expect(content).toContain("[REDACTED]");
+    expect(content).not.toContain("MIIEowIBAAKCAQEAuRFakeRsaBodyLine1");
+    expect(content).not.toContain("MoreFakeBase64BodyForRsaKeyMaterial");
+    expect(content).not.toContain("YetAnotherSecretLineOfBase64KeyContent");
+    expect(content).not.toContain("b3BlbnNzaC1mYWtlLWtleS1ib2R5LWxpbmUtb25l");
+    expect(content).not.toContain("b3BlbnNzaC1mYWtlLWtleS1ib2R5LWxpbmUtdHdv");
+  });
+
+  it("redacts inline PEM blocks embedded in single-line JSON values", async () => {
+    const dashes = "-".repeat(5);
+    const pemBegin = `${dashes}BEGIN PRIVATE KEY${dashes}`;
+    const pemEnd = `${dashes}END PRIVATE KEY${dashes}`;
+    const inlinePem = `${pemBegin}\\nMIIEvgIBADANBgkqhkiG9w0FakeServiceAccountBody\\n${pemEnd}`;
+    writeFileSync(
+      join(root, "service-account.json"),
+      `{\n  "type": "service_account",\n  "private_key": "${inlinePem}",\n  "client_email": "demo@example.com"\n}\n`,
+    );
+    const w = new FilesystemWatcher({
+      roots: [root],
+      baseUrl: "http://localhost:3111",
+      logger: { info: vi.fn(), warn: vi.fn(), error: vi.fn() },
+    });
+
+    await w.flush(root, "service-account.json");
+
+    expect(captured).toHaveLength(1);
+    const content = (captured[0].body as { data: { content: string } }).data.content;
+    expect(content).toContain(pemBegin);
+    expect(content).toContain(pemEnd);
+    expect(content).toContain("[REDACTED]");
+    expect(content).not.toContain("MIIEvgIBADANBgkqhkiG9w0FakeServiceAccountBody");
+    expect(content).toContain('"client_email": "demo@example.com"');
+  });
+
+  it("redacts standalone JWT-looking strings outside Bearer context", async () => {
+    const jwt =
+      "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";
+    writeFileSync(
+      join(root, "notes.txt"),
+      ["session token below:", jwt, "end of token"].join("\n"),
+    );
+    const w = new FilesystemWatcher({
+      roots: [root],
+      baseUrl: "http://localhost:3111",
+      logger: { info: vi.fn(), warn: vi.fn(), error: vi.fn() },
+    });
+
+    await w.flush(root, "notes.txt");
+
+    expect(captured).toHaveLength(1);
+    const content = (captured[0].body as { data: { content: string } }).data.content;
+    expect(content).toContain("[REDACTED]");
+    expect(content).not.toContain(jwt);
+    expect(content).toContain("end of token");
+  });
+
+  it("does not redact base64-looking words that are not three-segment JWTs of sufficient length", async () => {
+    const notJwt = "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    const shortThreeSegment = "eyJabc.def.ghi";
+    expect(notJwt.length).toBe(62);
+    expect(shortThreeSegment.length).toBeLessThan(100);
+    writeFileSync(
+      join(root, "fixture.txt"),
+      ["random base64-ish word:", notJwt, "tiny segmented thing:", shortThreeSegment].join("\n"),
+    );
+    const w = new FilesystemWatcher({
+      roots: [root],
+      baseUrl: "http://localhost:3111",
+      logger: { info: vi.fn(), warn: vi.fn(), error: vi.fn() },
+    });
+
+    await w.flush(root, "fixture.txt");
+
+    expect(captured).toHaveLength(1);
+    const content = (captured[0].body as { data: { content: string } }).data.content;
+    expect(content).toContain(notJwt);
+    expect(content).toContain(shortThreeSegment);
+    expect(content).not.toContain("[REDACTED]");
+  });
+
   it("debounces rapid writes to a single observation", async () => {
     const w = new FilesystemWatcher({
       roots: [root],
