@hackylabs/deep-redact 2.0.2 → 2.2.0

package/README.md

@@ -3,13 +3,15 @@
 [![npm version](https://badge.fury.io/js/@hackylabs%2Fdeep-redact.svg)](https://badge.fury.io/js/@hackylabs%2Fdeep-redact)
 [![GitHub license](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/hackylabs/deep-redact/blob/main/LICENSE)
 
-Faster than Fast Redact <sup>1</sup> as well as being safer and more configurable than many other redaction libraries,
+Faster than Fast Redact <sup>1</sup> as well as being safer and more configurable than many other redaction solutions,
 Deep Redact is a zero-dependency tool that redacts sensitive information from strings and objects. It is designed to be
 used in a production environment where sensitive information needs to be redacted from logs, error messages, files,
-and other outputs.
+and other outputs. Supporting both strings and objects or a mix of both, Deep Redact can be used to redact sensitive
+information from more data structures than any other redaction library. Even partially redacting sensitive information
+from strings is supported, by way of custom regex patterns and replacers.
 
 Circular references and other unsupported values are handled gracefully, and the library is designed to be as fast as
-possible while still being configurable.
+possible while still being easy to use and configure.
 
 Supporting both CommonJS and ESM, with named and default exports, Deep Redact is designed to be versatile and easy to
 use in any modern JavaScript or TypeScript project in Node or the browser.
@@ -31,9 +33,8 @@ library outside of your global logging/error-reporting libraries.</h4>
 // ./src/example.ts
 import {DeepRedact} from '@hackylabs/deep-redact'; // If you're using CommonJS, import with require('@hackylabs/deep-redact') instead. Both CommonJS and ESM support named and default imports.
 
-const redaction = new DeepRedact({
+const objRedaction = new DeepRedact({
   blacklistedKeys: ['sensitive', 'password', /name/i],
-  serialise: false,
 })
 
 const obj = {
@@ -46,7 +47,8 @@ const obj = {
   }
 }
 
-redaction.redact(obj)
+// Recursively redact sensitive information from an object
+objRedaction.redact(obj)
 // {
 //  keepThis: 'This is fine',
 //  sensitive: '[REDACTED]',
@@ -56,6 +58,19 @@ redaction.redact(obj)
 //    firstName: '[REDACTED]'
 //  }
 // }
+
+const strRedaction = new DeepRedact({
+  partialStringTests: [
+    {
+      pattern: /<(email|password)>([^<]+)<\/\1>/gi,
+      replacer: (value: string, pattern: RegExp) => value.replace(pattern, '<$1>[REDACTED]</$1>'),
+    },
+  ],
+})
+
+// Partially redact sensitive information from a string
+strRedaction.redact('<email>someone@somewhere.com</email><keepThis>This is fine</keepThis><password>secret</password>')
+// '<email>[REDACTED]</email><keepThis>This is fine</keepThis><password>[REDACTED]</password>'
 ```
 
 ## Configuration
@@ -65,7 +80,8 @@ redaction.redact(obj)
 | key | description | type | options | default | required |
 | --- | --- | --- | --- | --- | --- |
 | blacklistedKeys | Deeply compare names of these keys against the keys in your object. | array | Array<string￨RegExp￨BlacklistKeyConfig> | [] | N |
-| stringTests | Array of regular expressions to perform against string values, whether that value is a flat string or nested within an object. | array | RegExp[] | [] | N |
+| stringTests | Array of regular expressions to perform against string values, whether that value is a flat string or nested within an object. Will redact whole string values. If you want to redact only part of the string, use `partialStringTests` instead. If a replacer function is provided in the config for the associated test, it will be used to redact the value. | array | Array<RegExp￨StringTestConfig> | [] | N |
+| partialStringTests | Array of regular expressions to perform against string values, whether that value is a flat string or nested within an object. Will redact only the matched part of the string using the replacer function provided in the config for the associated test. | array | StringTestConfig[] | [] | N |
 | fuzzyKeyMatch | Loosely compare key names by checking if the key name of your unredacted object is included anywhere within the name of your blacklisted key. For example, is "pass" (your key) included in "password" (from config). | boolean |  | false | N |
 | caseSensitiveKeyMatch | Loosely compare key names by normalising the strings. This involves removing non-word characters and transforms the string to lowercase. This means you never have to worry having to list duplicate keys in different formats such as snake_case, camelCase, PascalCase or any other case. | boolean |  | true | N |
 | remove | Determines whether or not to remove the key from the object when it is redacted. | boolean |  | false | N |
@@ -86,6 +102,13 @@ redaction.redact(obj)
 | remove | boolean | Main options `remove` | N |
 | retainStructure | boolean | Main options `retainStructure` | N |
 
+### StringTestConfig
+
+| key | description | type | required |
+| --- | --- | --- | --- |
+| pattern | A regular expression to perform against a string value, whether that value is a flat string or nested within an object. | RegExp | Y |
+| replacer | A function that will be called with the value of the string that matched the pattern and the pattern itself. This function should return the new (redacted) value to replace the original value. | function | Y |
+
 ### Benchmark
 Comparisons are made against JSON.stringify, Regex.replace, Fast Redact &
 (one of my other creations, [@hackylabs/obglob](https://npmjs.com/package/@hackylabs/obglob)) as well as different
@@ -111,21 +134,23 @@ Redact and Obglob are slower and rely on dependencies.
 
 | scenario | ops / sec | op duration (ms) | margin of error | sample count |
 | --- | --- | --- | --- | --- |
-| JSON.stringify, large object | 161827.79 | 0.0061794083 | 0.00002 | 80914 |
-| DeepRedact, remove item, single object | 26010.46 | 0.0384460656 | 0.00016 | 13006 |
-| DeepRedact, custom replacer function, single object | 22412.54 | 0.0446178767 | 0.00031 | 11207 |
-| DeepRedact, replace string by length, single object | 22323.79 | 0.044795253 | 0.00024 | 11162 |
-| DeepRedact, default config, large object | 21932.77 | 0.0455938725 | 0.00025 | 10967 |
-| Regex replace, large object | 21919.75 | 0.0456209497 | 0.00027 | 10960 |
-| DeepRedact, retain structure, single object | 18417.65 | 0.0542957469 | 0.00024 | 9212 |
-| DeepRedact, fuzzy matching, single object | 17428.25 | 0.0573781129 | 0.00028 | 8715 |
-| DeepRedact, config per key, single object | 16975.98 | 0.0589067685 | 0.00033 | 8488 |
-| DeepRedact, default config, 1000 large objects | 7787.76 | 0.1284065968 | 0.00319 | 3894 |
-| fast redact, large object | 5847.55 | 0.1710116908 | 0.00143 | 2924 |
-| DeepRedact, case insensitive matching, single object | 5136.64 | 0.1946798809 | 0.00152 | 2569 |
-| ObGlob, large object | 5083.79 | 0.1967037628 | 0.01079 | 2542 |
-| DeepRedact, fuzzy and case insensitive matching, single object | 4819.04 | 0.2075101033 | 0.00142 | 2410 |
-| JSON.stringify, 1000 large objects | 226.71 | 4.4109355351 | 0.04147 | 114 |
-| ObGlob, 1000 large objects | 164.41 | 6.0825151928 | 0.15338 | 83 |
-| fast redact, 1000 large objects | 121.82 | 8.2088192787 | 0.09619 | 61 |
-| Regex replace, 1000 large objects | 94.57 | 10.5740055833 | 0.30159 | 48 |
+| DeepRedact, partial redaction | 178183.03 | 0.0056122067 | 0.00003 | 89092 |
+| JSON.stringify, large object | 161672.63 | 0.0061853388 | 0.00004 | 80837 |
+| DeepRedact, remove item, single object | 25085.95 | 0.039862959 | 0.00033 | 12543 |
+| DeepRedact, default config, large object | 23164.57 | 0.0431693713 | 0.00023 | 11583 |
+| Regex replace, large object | 22828.32 | 0.043805244 | 0.00031 | 11415 |
+| DeepRedact, custom replacer function, single object | 22520.52 | 0.0444039553 | 0.00039 | 11261 |
+| DeepRedact, replace string by length, single object | 22470.94 | 0.0445019191 | 0.00025 | 11236 |
+| DeepRedact, retain structure, single object | 18315.67 | 0.0545980591 | 0.00026 | 9158 |
+| DeepRedact, fuzzy matching, single object | 18077.45 | 0.0553175285 | 0.00035 | 9039 |
+| DeepRedact, config per key, single object | 16055.96 | 0.0622821745 | 0.00031 | 8028 |
+| DeepRedact, default config, 1000 large objects | 8077.4 | 0.1238022 | 0.00187 | 4039 |
+| fast redact, large object | 5918.61 | 0.1689584628 | 0.00151 | 2960 |
+| ObGlob, large object | 5193.29 | 0.1925563273 | 0.00972 | 2597 |
+| DeepRedact, case insensitive matching, single object | 3477.6 | 0.2875549482 | 0.00324 | 1739 |
+| DeepRedact, fuzzy and case insensitive matching, single object | 3437.73 | 0.2908896131 | 0.00239 | 1719 |
+| ObGlob, 1000 large objects | 237.69 | 4.2072005126 | 0.05005 | 119 |
+| JSON.stringify, 1000 large objects | 230.33 | 4.3416907672 | 0.04373 | 116 |
+| DeepRedact, partial redaction large string | 127.18 | 7.8628400156 | 0.4176 | 64 |
+| fast redact, 1000 large objects | 119.33 | 8.3803393 | 0.31943 | 60 |
+| Regex replace, 1000 large objects | 97.12 | 10.2963537755 | 0.29341 | 49 |

package/dist/cjs/index.js

@@ -53,7 +53,7 @@ class DeepRedact {
                 return {
                     __unsupported: {
                         type: 'bigint',
-                        value: value.toString(),
+                        value: value.toString(10),
                         radix: 10,
                     },
                 };
@@ -77,6 +77,24 @@ class DeepRedact {
                     },
                 };
             }
+            if (value instanceof Set) {
+                return {
+                    __unsupported: {
+                        type: 'set',
+                        values: Array.from(value),
+                    },
+                };
+            }
+            if (value instanceof Map) {
+                return {
+                    __unsupported: {
+                        type: 'map',
+                        entries: Object.fromEntries(value.entries()),
+                    },
+                };
+            }
+            if (value instanceof URL)
+                return value.toString();
             if (value instanceof Date)
                 return value.toISOString();
             return value;
@@ -130,7 +148,10 @@ class DeepRedact {
          */
         this.maybeSerialise = (value) => {
             this.circularReference = null;
-            return this.config.serialise ? JSON.stringify(value) : value;
+            const result = this.redactorUtils.partialStringRedact(value);
+            if (!this.config.serialise)
+                return result;
+            return typeof result === 'string' ? result : JSON.stringify(result);
         };
         /**
          * Redact the provided value. The value will be stripped of any circular references and other unsupported data types, before being redacted according to the configuration and finally serialised if required.

package/dist/cjs/utils/redactorUtils.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const defaultConfig = {
     stringTests: [],
     blacklistedKeys: [],
+    partialStringTests: [],
     blacklistedKeysTransformed: [],
     fuzzyKeyMatch: false,
     caseSensitiveKeyMatch: true,
@@ -14,7 +15,7 @@ const defaultConfig = {
 };
 class RedactorUtils {
     constructor(customConfig) {
-        var _a, _b, _c;
+        var _a, _b, _c, _d;
         /**
          * The configuration for the redaction.
          * @private
@@ -80,11 +81,32 @@ class RedactorUtils {
          * @param shouldRedact
          */
         this.redactString = (value, replacement, remove, shouldRedact) => {
-            if (!value)
+            if (!value || typeof value !== 'string')
                 return value;
             const { stringTests } = this.config;
-            if (!shouldRedact && !(stringTests === null || stringTests === void 0 ? void 0 : stringTests.some((pattern) => pattern.test(value))))
+            if (!shouldRedact) {
+                const result = stringTests === null || stringTests === void 0 ? void 0 : stringTests.map((test) => {
+                    if (test instanceof RegExp) {
+                        if (!test.test(value))
+                            return value;
+                        if (remove)
+                            return undefined;
+                        if (typeof replacement === 'function')
+                            return replacement(value);
+                        if (this.config.replaceStringByLength)
+                            return replacement.repeat(value.length);
+                        return replacement;
+                    }
+                    if (remove && test.pattern.test(value))
+                        return undefined;
+                    return test.replacer(value, test.pattern);
+                }).filter(Boolean)[0];
+                if (result)
+                    return result;
+                if (remove)
+                    return undefined;
                 return value;
+            }
             if (remove)
                 return undefined;
             if (typeof replacement === 'function')
@@ -139,6 +161,28 @@ class RedactorUtils {
                 return [prop, this.recurse(val, key !== null && key !== void 0 ? key : prop, shouldRedact)];
             }).filter(([prop]) => prop !== undefined));
         };
+        this.partialStringRedact = (value) => {
+            const { partialStringTests } = this.config;
+            if (partialStringTests.length === 0)
+                return value;
+            let result;
+            if (typeof value === 'string') {
+                result = value;
+            }
+            else {
+                try {
+                    result = JSON.stringify(value);
+                }
+                catch (error) {
+                    // It should never reach this point, but if it does, it will throw an error that must not contain sensitive data.
+                    throw new Error('Failed to stringify value for partialStringRedact. Did you replace the rewriteUnsupported method with something that returns non-serialisable data?');
+                }
+            }
+            partialStringTests.forEach((test) => {
+                result = test.replacer(result, test.pattern);
+            });
+            return typeof value === 'string' ? result : JSON.parse(result);
+        };
         /**
          * Redact a value. If the value is an object or array, the redaction will be performed recursively, otherwise the value will be redacted if it is a supported type using the `replace` method.
          * @private
@@ -164,7 +208,7 @@ class RedactorUtils {
                 return this.redactArray(value);
             return this.redactObject(value, key, parentShouldRedact);
         };
-        this.config = Object.assign(Object.assign(Object.assign({}, defaultConfig), customConfig), { blacklistedKeys: (_a = customConfig.blacklistedKeys) !== null && _a !== void 0 ? _a : [], blacklistedKeysTransformed: (_c = (_b = customConfig.blacklistedKeys) === null || _b === void 0 ? void 0 : _b.map((key) => {
+        this.config = Object.assign(Object.assign(Object.assign({}, defaultConfig), customConfig), { partialStringTests: (_a = customConfig.partialStringTests) !== null && _a !== void 0 ? _a : [], blacklistedKeys: (_b = customConfig.blacklistedKeys) !== null && _b !== void 0 ? _b : [], blacklistedKeysTransformed: (_d = (_c = customConfig.blacklistedKeys) === null || _c === void 0 ? void 0 : _c.map((key) => {
                 var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k;
                 const isObject = !(typeof key === 'string' || key instanceof RegExp);
                 const setKey = isObject ? key.key : key;
@@ -187,7 +231,7 @@ class RedactorUtils {
                     };
                 }
                 return fallback;
-            })) !== null && _c !== void 0 ? _c : [] });
+            })) !== null && _d !== void 0 ? _d : [] });
     }
 }
 /**
@@ -196,7 +240,7 @@ class RedactorUtils {
  * @param str The string to normalise.
  * @returns {string} The normalised string.
  */
-RedactorUtils.normaliseString = (str) => str.toLowerCase().replace(/\W/g, '');
+RedactorUtils.normaliseString = (str) => str.toLowerCase().replaceAll(/\W/g, '');
 /**
  * Determine if a key matches a given blacklistedKeyConfig. This will check the key against the blacklisted keys,
  * using the configuration option for the given key falling back to the default configuration.

package/dist/esm/index.mjs

@@ -48,7 +48,7 @@ class DeepRedact {
             return {
                 __unsupported: {
                     type: 'bigint',
-                    value: value.toString(),
+                    value: value.toString(10),
                     radix: 10,
                 },
             };
@@ -72,6 +72,24 @@ class DeepRedact {
                 },
             };
         }
+        if (value instanceof Set) {
+            return {
+                __unsupported: {
+                    type: 'set',
+                    values: Array.from(value),
+                },
+            };
+        }
+        if (value instanceof Map) {
+            return {
+                __unsupported: {
+                    type: 'map',
+                    entries: Object.fromEntries(value.entries()),
+                },
+            };
+        }
+        if (value instanceof URL)
+            return value.toString();
         if (value instanceof Date)
             return value.toISOString();
         return value;
@@ -123,7 +141,10 @@ class DeepRedact {
      */
     maybeSerialise = (value) => {
         this.circularReference = null;
-        return this.config.serialise ? JSON.stringify(value) : value;
+        const result = this.redactorUtils.partialStringRedact(value);
+        if (!this.config.serialise)
+            return result;
+        return typeof result === 'string' ? result : JSON.stringify(result);
     };
     /**
      * Redact the provided value. The value will be stripped of any circular references and other unsupported data types, before being redacted according to the configuration and finally serialised if required.

package/dist/esm/utils/redactorUtils.mjs

@@ -1,6 +1,7 @@
 const defaultConfig = {
     stringTests: [],
     blacklistedKeys: [],
+    partialStringTests: [],
     blacklistedKeysTransformed: [],
     fuzzyKeyMatch: false,
     caseSensitiveKeyMatch: true,
@@ -20,6 +21,7 @@ class RedactorUtils {
         this.config = {
             ...defaultConfig,
             ...customConfig,
+            partialStringTests: customConfig.partialStringTests ?? [],
             blacklistedKeys: customConfig.blacklistedKeys ?? [],
             blacklistedKeysTransformed: customConfig.blacklistedKeys?.map((key) => {
                 const isObject = !(typeof key === 'string' || key instanceof RegExp);
@@ -52,7 +54,7 @@ class RedactorUtils {
      * @param str The string to normalise.
      * @returns {string} The normalised string.
      */
-    static normaliseString = (str) => str.toLowerCase().replace(/\W/g, '');
+    static normaliseString = (str) => str.toLowerCase().replaceAll(/\W/g, '');
     /**
      * Determine if a key matches a given blacklistedKeyConfig. This will check the key against the blacklisted keys,
      * using the configuration option for the given key falling back to the default configuration.
@@ -131,11 +133,32 @@ class RedactorUtils {
      * @param shouldRedact
      */
     redactString = (value, replacement, remove, shouldRedact) => {
-        if (!value)
+        if (!value || typeof value !== 'string')
             return value;
         const { stringTests } = this.config;
-        if (!shouldRedact && !stringTests?.some((pattern) => pattern.test(value)))
+        if (!shouldRedact) {
+            const result = stringTests?.map((test) => {
+                if (test instanceof RegExp) {
+                    if (!test.test(value))
+                        return value;
+                    if (remove)
+                        return undefined;
+                    if (typeof replacement === 'function')
+                        return replacement(value);
+                    if (this.config.replaceStringByLength)
+                        return replacement.repeat(value.length);
+                    return replacement;
+                }
+                if (remove && test.pattern.test(value))
+                    return undefined;
+                return test.replacer(value, test.pattern);
+            }).filter(Boolean)[0];
+            if (result)
+                return result;
+            if (remove)
+                return undefined;
             return value;
+        }
         if (remove)
             return undefined;
         if (typeof replacement === 'function')
@@ -190,6 +213,28 @@ class RedactorUtils {
             return [prop, this.recurse(val, key ?? prop, shouldRedact)];
         }).filter(([prop]) => prop !== undefined));
     };
+    partialStringRedact = (value) => {
+        const { partialStringTests } = this.config;
+        if (partialStringTests.length === 0)
+            return value;
+        let result;
+        if (typeof value === 'string') {
+            result = value;
+        }
+        else {
+            try {
+                result = JSON.stringify(value);
+            }
+            catch (error) {
+                // It should never reach this point, but if it does, it will throw an error that must not contain sensitive data.
+                throw new Error('Failed to stringify value for partialStringRedact. Did you replace the rewriteUnsupported method with something that returns non-serialisable data?');
+            }
+        }
+        partialStringTests.forEach((test) => {
+            result = test.replacer(result, test.pattern);
+        });
+        return typeof value === 'string' ? result : JSON.parse(result);
+    };
     /**
      * Redact a value. If the value is an object or array, the redaction will be performed recursively, otherwise the value will be redacted if it is a supported type using the `replace` method.
      * @private

package/dist/types/types.d.ts

@@ -42,6 +42,10 @@ export interface BlacklistKeyConfig {
      */
     key: string | RegExp;
 }
+export interface ComplexStringTest {
+    pattern: RegExp;
+    replacer: (value: string, pattern: RegExp) => string;
+}
 export interface BaseDeepRedactConfig {
     /**
      * Keys that should be redacted. Can be a string, or an object with additional configuration options.
@@ -58,7 +62,8 @@ export interface BaseDeepRedactConfig {
      *   /^[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}$/,  // redact any string that looks like an IP address.
      * ]
      */
-    stringTests?: RegExp[];
+    stringTests?: Array<RegExp | ComplexStringTest>;
+    partialStringTests?: Array<ComplexStringTest>;
     /**
      * Perform a fuzzy match on the key. This will match any key that contains the string, rather than a case-sensitive match.
      * @default false
@@ -119,8 +124,20 @@ export interface BaseDeepRedactConfig {
     serialize?: boolean;
 }
 export type DeepRedactConfig = Partial<Omit<BaseDeepRedactConfig, 'blacklistedKeysTransformed' | 'blacklistedKeys' | 'stringTests'>> & ({
+    partialStringTests: BaseDeepRedactConfig['partialStringTests'];
     blacklistedKeys: BaseDeepRedactConfig['blacklistedKeys'];
     stringTests: BaseDeepRedactConfig['stringTests'];
+} | {
+    partialStringTests: BaseDeepRedactConfig['partialStringTests'];
+    blacklistedKeys: BaseDeepRedactConfig['blacklistedKeys'];
+} | {
+    blacklistedKeys: BaseDeepRedactConfig['blacklistedKeys'];
+    stringTests: BaseDeepRedactConfig['stringTests'];
+} | {
+    partialStringTests: BaseDeepRedactConfig['partialStringTests'];
+    stringTests: BaseDeepRedactConfig['stringTests'];
+} | {
+    partialStringTests: BaseDeepRedactConfig['partialStringTests'];
 } | {
     blacklistedKeys: BaseDeepRedactConfig['blacklistedKeys'];
 } | {

package/dist/types/utils/redactorUtils.d.ts

@@ -77,6 +77,7 @@ declare class RedactorUtils {
      * @param {boolean} parentShouldRedact Whether the item should be redacted based on the key within the parent object.
      */
     private redactObject;
+    partialStringRedact: (value: unknown) => unknown;
     /**
      * Redact a value. If the value is an object or array, the redaction will be performed recursively, otherwise the value will be redacted if it is a supported type using the `replace` method.
      * @private

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hackylabs/deep-redact",
-  "version": "2.0.2",
+  "version": "2.2.0",
   "description": "A fast, safe and configurable zero-dependency library for redacting strings or deeply redacting arrays and objects.",
   "private": false,
   "license": "MIT",
@@ -25,6 +25,10 @@
     "dist"
   ],
   "keywords": [
+    "json",
+    "xml",
+    "document",
+    "fast",
     "redact",
     "redaction",
     "redactor",