@mnemonik/shared 5.135.4 → 5.137.0
package/dist/secretPatterns.d.ts
CHANGED
|
@@ -25,12 +25,5 @@
|
|
|
25
25
|
*/
|
|
26
26
|
export declare const SECRET_REDACTION_PLACEHOLDER = "[REDACTED]";
|
|
27
27
|
export declare const SECRET_PATTERNS: ReadonlyArray<RegExp>;
|
|
28
|
-
/**
|
|
29
|
-
* Replace recognized secret shapes in `text` with the redaction
|
|
30
|
-
* placeholder. Returns the input unchanged when no patterns match.
|
|
31
|
-
*
|
|
32
|
-
* Idempotent: scrubbing already-scrubbed text returns the same text
|
|
33
|
-
* (the placeholder itself doesn't match any pattern).
|
|
34
|
-
*/
|
|
35
28
|
export declare function scrubSecrets(text: string): string;
|
|
36
29
|
//# sourceMappingURL=secretPatterns.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"secretPatterns.d.ts","sourceRoot":"","sources":["../src/secretPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,eAAO,MAAM,4BAA4B,eAAe,CAAC;
|
|
1
|
+
{"version":3,"file":"secretPatterns.d.ts","sourceRoot":"","sources":["../src/secretPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,eAAO,MAAM,4BAA4B,eAAe,CAAC;AAGzD,eAAO,MAAM,eAAe,EAAE,aAAa,CAAC,MAAM,CAYjD,CAAC;AAkBF,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CASjD"}
|
package/dist/secretPatterns.js
CHANGED
|
@@ -24,6 +24,7 @@
|
|
|
24
24
|
* while catching the common credential leak vectors.
|
|
25
25
|
*/
|
|
26
26
|
export const SECRET_REDACTION_PLACEHOLDER = '[REDACTED]';
|
|
27
|
+
// Shared by the scanner daemon and server-side scrub paths.
|
|
27
28
|
export const SECRET_PATTERNS = [
|
|
28
29
|
/(?:api[_-]?key|secret|token|password|credential|auth)\s*[:=]\s*\S+/gi,
|
|
29
30
|
// Stripe-shape: (sk|pk)_(live|test)_<24+ alphanumerics>. Catches modern
|
|
@@ -44,12 +45,20 @@ export const SECRET_PATTERNS = [
|
|
|
44
45
|
* Idempotent: scrubbing already-scrubbed text returns the same text
|
|
45
46
|
* (the placeholder itself doesn't match any pattern).
|
|
46
47
|
*/
|
|
48
|
+
/**
|
|
49
|
+
* A key=value match whose value side is a code REFERENCE to an env read
|
|
50
|
+
* (`process.env.X`, `process.env['X']`, `import.meta.env.X`) contains no
|
|
51
|
+
* literal secret — redacting it destroys information (it blinded the
|
|
52
|
+
* doc-truth env_vars authority to every secret-named variable) without
|
|
53
|
+
* protecting anything.
|
|
54
|
+
*/
|
|
55
|
+
const ENV_READ_VALUE_RE = /[:=]\s*(?:await\s+)?(?:process\.env[.[]|import\.meta\.env[.[])/;
|
|
47
56
|
export function scrubSecrets(text) {
|
|
48
57
|
if (!text)
|
|
49
58
|
return text;
|
|
50
59
|
let result = text;
|
|
51
60
|
for (const pattern of SECRET_PATTERNS) {
|
|
52
|
-
result = result.replace(pattern, SECRET_REDACTION_PLACEHOLDER);
|
|
61
|
+
result = result.replace(pattern, (match) => ENV_READ_VALUE_RE.test(match) ? match : SECRET_REDACTION_PLACEHOLDER);
|
|
53
62
|
}
|
|
54
63
|
return result;
|
|
55
64
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"secretPatterns.js","sourceRoot":"","sources":["../src/secretPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,MAAM,CAAC,MAAM,4BAA4B,GAAG,YAAY,CAAC;AAEzD,MAAM,CAAC,MAAM,eAAe,GAA0B;IACpD,sEAAsE;IACtE,wEAAwE;IACxE,oEAAoE;IACpE,qEAAqE;IACrE,kEAAkE;IAClE,2CAA2C;IAC3C,2CAA2C;IAC3C,gCAAgC;IAChC,sBAAsB;IACtB,0BAA0B;IAC1B,yDAAyD;CAC1D,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,MAAM,GAAG,IAAI,CAAC;IAClB,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"secretPatterns.js","sourceRoot":"","sources":["../src/secretPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,MAAM,CAAC,MAAM,4BAA4B,GAAG,YAAY,CAAC;AAEzD,4DAA4D;AAC5D,MAAM,CAAC,MAAM,eAAe,GAA0B;IACpD,sEAAsE;IACtE,wEAAwE;IACxE,oEAAoE;IACpE,qEAAqE;IACrE,kEAAkE;IAClE,2CAA2C;IAC3C,2CAA2C;IAC3C,gCAAgC;IAChC,sBAAsB;IACtB,0BAA0B;IAC1B,yDAAyD;CAC1D,CAAC;AAEF;;;;;;GAMG;AACH;;;;;;GAMG;AACH,MAAM,iBAAiB,GAAG,gEAAgE,CAAC;AAE3F,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,MAAM,GAAG,IAAI,CAAC;IAClB,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE,CACzC,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,4BAA4B,CACrE,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}
|
package/package.json
CHANGED
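--- a/package/src/secretPatterns.ts
+++ b/package/src/secretPatterns.ts
@@ -26,6 +26,7 @@
 
 export const SECRET_REDACTION_PLACEHOLDER = '[REDACTED]';
 
+// Shared by the scanner daemon and server-side scrub paths.
 export const SECRET_PATTERNS: ReadonlyArray<RegExp> = [
 /(?:api[_-]?key|secret|token|password|credential|auth)\s*[:=]\s*\S+/gi,
 // Stripe-shape: (sk|pk)_(live|test)_<24+ alphanumerics>. Catches modern
@@ -47,11 +48,22 @@ export const SECRET_PATTERNS: ReadonlyArray<RegExp> = [
 * Idempotent: scrubbing already-scrubbed text returns the same text
 * (the placeholder itself doesn't match any pattern).
 */
+/**
+* A key=value match whose value side is a code REFERENCE to an env read
+* (`process.env.X`, `process.env['X']`, `import.meta.env.X`) contains no
+* literal secret — redacting it destroys information (it blinded the
+* doc-truth env_vars authority to every secret-named variable) without
+* protecting anything.
+*/
+const ENV_READ_VALUE_RE = /[:=]\s*(?:await\s+)?(?:process\.env[.[]|import\.meta\.env[.[])/;
+
 export function scrubSecrets(text: string): string {
 if (!text) return text;
 let result = text;
 for (const pattern of SECRET_PATTERNS) {
-result = result.replace(pattern,
+result = result.replace(pattern, (match) =>
+ENV_READ_VALUE_RE.test(match) ? match : SECRET_REDACTION_PLACEHOLDER
+);
 }
 return result;
 }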
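Review bot: The exemption added to `scrubSecrets` is unanchored: `ENV_READ_VALUE_RE.test(match)` succeeds when an env-read shape appears anywhere in the matched text, and the callback applies it to every pattern in the loop rather than only the key=value one. Because the key=value pattern ends in `\S+`, a match whose value begins with a literal and only later contains `=process.env.`, or an env read followed without whitespace by a literal fallback, is now returned unredacted. Requiring the whole value side to be the reference would close this, for example `const ENV_READ_VALUE_RE = /^[^:=]*[:=]\s*(?:await\s+)?(?:process|import\.meta)\.env(?:\.[A-Za-z_$][\w$]*|\[['"][^'"\]]+['"]\])[;,)]*$/;`, backed by a test that feeds a mixed literal-and-reference line and expects `[REDACTED]`. Separately, the new constant and its comment sit between the existing TSDoc block and `export function scrubSecrets`, which detaches that documentation from the function (the `.d.ts` hunk on this page shows it dropped from the declaration); moving the constant above the TSDoc restores it. The remaining `SECRET_PATTERNS` entries lie outside the hunks shown, so whether other patterns can also carry such a shape cannot be confirmed from here.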