npm - @anomira/node-sdk - Versions diffs - 0.1.4 → 0.1.6 - Mend

@anomira/node-sdk 0.1.4 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -195,18 +195,124 @@ async function checkGeoVelocity(userId, ip, tsMs, lookupUrl) {
 // src/sensitive.ts
 var PATTERNS = [
+  // ── Cryptographic keys and certificates ───────────────────────────────────
   {
-    // "password: abc123", "pwd=secret", or standalone "password123"
-    type: "password",
-    label: "Password / Secret",
-    regex: /\bpassword\w*|\b(?:passwd|pwd|pass|secret|credentials?)\s*[:=]\s*\S+/i
+    type: "private_key",
+    label: "Private Key",
+    regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/
   },
   {
-    // Nigerian BVN / NIN — exactly 11 digits, not a phone number (phones start with 0)
-    type: "bvn",
-    label: "BVN / NIN",
-    regex: /\b[1-9]\d{10}\b/
+    type: "certificate",
+    label: "Certificate / Public Key",
+    regex: /-----BEGIN CERTIFICATE-----/
+  },
+  // ── Cloud provider credentials ────────────────────────────────────────────
+  {
+    // AWS access key ID — highly specific, almost no false positives
+    type: "aws_key",
+    label: "AWS Access Key",
+    regex: /\bAKIA[0-9A-Z]{16}\b/
+  },
+  {
+    // AWS secret access key — 40-char base64 string after keyword
+    type: "aws_secret",
+    label: "AWS Secret Key",
+    regex: /\b(?:aws[_-]?secret|AWS_SECRET_ACCESS_KEY)\s*[:=]\s*[A-Za-z0-9+/]{40}\b/i
+  },
+  {
+    // Google API key
+    type: "google_key",
+    label: "Google API Key",
+    regex: /\bAIza[0-9A-Za-z\-_]{35}\b/
+  },
+  {
+    // Google OAuth client secret
+    type: "google_oauth",
+    label: "Google OAuth Secret",
+    regex: /\bGOCSP[A-Za-z0-9\-_]{28}\b/
+  },
+  {
+    // Firebase server key
+    type: "firebase_key",
+    label: "Firebase Server Key",
+    regex: /\bAAAA[A-Za-z0-9_-]{7}:[A-Za-z0-9_-]{140}\b/
+  },
+  {
+    // Azure storage/connection string
+    type: "azure_key",
+    label: "Azure Key",
+    regex: /\bDefaultEndpointsProtocol=https;AccountName=[^;]+;AccountKey=[A-Za-z0-9+/=]{88}/
+  },
+  // ── Source control & CI tokens ────────────────────────────────────────────
+  {
+    // GitHub personal access tokens (classic and fine-grained)
+    type: "github_token",
+    label: "GitHub Token",
+    regex: /\b(?:ghp|gho|ghu|ghs|ghr|github_pat)_[A-Za-z0-9_]{36,255}\b/
+  },
+  {
+    // GitLab personal/project/group tokens
+    type: "gitlab_token",
+    label: "GitLab Token",
+    regex: /\bglpat-[A-Za-z0-9\-_]{20}\b/
+  },
+  {
+    // NPM access tokens
+    type: "npm_token",
+    label: "NPM Token",
+    regex: /\bnpm_[A-Za-z0-9]{36}\b/
+  },
+  // ── Payment providers ─────────────────────────────────────────────────────
+  {
+    // Stripe — secret, restricted, webhook keys
+    type: "stripe_key",
+    label: "Stripe Key",
+    regex: /\b(?:sk|rk|whsec)_(?:live|test)_[A-Za-z0-9]{24,}\b/
+  },
+  {
+    // Paystack secret/public keys
+    type: "paystack_key",
+    label: "Paystack Key",
+    regex: /\b(?:sk|pk)_(?:live|test)_[A-Za-z0-9]{40,}\b/
   },
+  {
+    // Card PANs: Visa (4), Mastercard (51-55), Amex (34/37), Discover (6011/65)
+    type: "card_pan",
+    label: "Card PAN",
+    regex: /\b(?:4[0-9]{15}|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12})\b/
+  },
+  // ── Communication & messaging ─────────────────────────────────────────────
+  {
+    // Slack bot/user/app tokens
+    type: "slack_token",
+    label: "Slack Token",
+    regex: /\bxox[baprs]-[0-9A-Za-z]{10,48}\b/
+  },
+  {
+    // Slack webhook URL
+    type: "slack_webhook",
+    label: "Slack Webhook URL",
+    regex: /https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/
+  },
+  {
+    // Twilio account SID and auth token
+    type: "twilio",
+    label: "Twilio Credential",
+    regex: /\bAC[a-z0-9]{32}\b|\bSK[a-z0-9]{32}\b/
+  },
+  {
+    // SendGrid / Brevo / Mailgun API keys
+    type: "email_provider_key",
+    label: "Email Provider API Key",
+    regex: /\bSG\.[A-Za-z0-9._-]{66}\b|\bkey-[0-9a-zA-Z]{32}\b/
+  },
+  // ── Database connection strings with embedded credentials ─────────────────
+  {
+    type: "db_connection",
+    label: "Database Connection String",
+    regex: /(?:postgresql|postgres|mysql|mongodb(?:\+srv)?|redis|amqp(?:s)?):\/\/[^:]+:[^@\s]{3,}@/i
+  },
+  // ── Auth tokens ───────────────────────────────────────────────────────────
   {
     // JWT — three base64url segments separated by dots
     type: "jwt",
@@ -214,36 +320,52 @@ var PATTERNS = [
     regex: /eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/
   },
   {
-    // API keys: sk_live_*, pk_live_*, or key/token/bearer label with long value
+    // Generic API key / token — only flag QUOTED literals, not variable/env references.
+    // Skips: api_key = process.env.KEY, token = myVar
+    // Matches: api_key = "sk-abc123...", bearer: "eyJhb..."
     type: "api_key",
     label: "API Key / Token",
-    regex: /\b(?:sk|pk|rk)[-_](?:live|test|prod|secret)[-_][A-Za-z0-9]{16,}|\b(?:token|bearer|access_token|api_key)\s*[:=]\s*[A-Za-z0-9_./-]{20,}/i
+    regex: /\b(?:api[_-]?key|access[_-]?token|auth[_-]?token|bearer|client[_-]?secret)\s*[:=]\s*["'][A-Za-z0-9_.\/+\-]{20,}["']/i
   },
+  // ── Password fields ───────────────────────────────────────────────────────
   {
-    // Card PANs: Visa (4), Mastercard (51-55), Amex (34/37), Discover (6011/65)
-    type: "card_pan",
-    label: "Card PAN",
-    regex: /\b(?:4[0-9]{15}|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12})\b/
+    // Only flag QUOTED string literals after a password/secret keyword.
+    // Skips: process.env.*, variable references, undefined/null, template literals.
+    // Matches: password: "hunter2", secret: 'abc123def', pass="hardcoded!"
+    type: "password",
+    label: "Hardcoded Password",
+    regex: /\b(?:password|passwd|pwd|pass|secret|credentials?)\s*[:=]\s*["'][^"'$\s]{6,}["']/i
+  },
+  // ── Nigeria-specific PII ──────────────────────────────────────────────────
+  {
+    // BVN / NIN: 11 digits, first digit 1-9 (not a phone starting with 0)
+    // Require a non-digit boundary on both sides to reduce false positives
+    type: "bvn",
+    label: "BVN / NIN",
+    regex: /(?<!\d)[1-9]\d{10}(?!\d)/
   },
   {
     // Nigerian phone numbers: 080x, 081x, 070x, 090x, 091x — or with +234 prefix
     type: "ng_phone",
-    label: "Phone Number",
+    label: "Nigerian Phone Number",
     regex: /\b(?:\+?234|0)(?:7[0-9]|8[0-1]|9[0-1])\d{8}\b/
   },
+  // ── PII in credential context ─────────────────────────────────────────────
   {
-    // Email address appearing alongside other content — possible credential combo
-    // e.g. "john@test.com password123"
+    // Email only flagged when adjacent to a password/credential keyword
+    // Prevents false positives on normal email references in code
     type: "email_credential",
-    label: "Email in Log",
-    regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/
+    label: "Email + Password Combo",
+    regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\s+(?:password|passwd|pwd|secret|pass)\s*[:=]?\s*\S+/i
   }
 ];
 function scanForLeaks(message) {
+  const seen = /* @__PURE__ */ new Set();
   const found = [];
   for (const p of PATTERNS) {
     p.regex.lastIndex = 0;
-    if (p.regex.test(message)) {
+    if (p.regex.test(message) && !seen.has(p.type)) {
+      seen.add(p.type);
       found.push({ type: p.type, label: p.label });
     }
   }