@zapier/secret-scrubber 1.0.6 → 1.0.8

package/CHANGELOG.md

@@ -1,8 +1,20 @@
+## 1.0.8
+
+_released `2023-10-25`_
+
+- fix issue where the order of replacements in `scrub` matters in the sense that we can end up with partially scrubbed sensitive data. Now, we sort the sensitive bank values by larger keys first ([!11](https://gitlab.com/zapier/team-developer-platform/secret-scrubber-js/-/merge_requests/11))
+
+## 1.0.7
+
+_released `2022-04-28`_
+
+- add simple checks when checking if input is a url ([!7](https://gitlab.com/zapier/team-developer-platform/secret-scrubber-js/-/merge_requests/7))
+
 ## 1.0.6
 
 _released `2022-04-06`_
 
-- tweak `findSensitiveValues` to no longer return _any_ url with a querystring. It's always tried to extract secrets from a url, but now doesn't fall back to censoring the whole url.
+- tweak `findSensitiveValues` to no longer return _any_ url with a querystring. It's always tried to extract secrets from a url, but now doesn't fall back to censoring the whole url ([!6](https://gitlab.com/zapier/team-developer-platform/secret-scrubber-js/-/merge_requests/6))
 
 Calling `findSensitiveValues` with a structure containing urls:
 
@@ -16,13 +28,13 @@ Calling `findSensitiveValues` with a structure containing urls:
 
 _released `2021-10-25`_
 
-- Reduce `scrub` memory usage
+- Reduce `scrub` memory usage ([!5](https://gitlab.com/zapier/team-developer-platform/secret-scrubber-js/-/merge_requests/5))
 
 ## 1.0.4
 
 _released `2021-10-04`_
 
-- add `api-key` to sensitive substrings [!4](https://gitlab.com/zapier/team-developer-platform/secret-scrubber-js/-/merge_requests/4)
+- add `api-key` to sensitive substrings ([!4](https://gitlab.com/zapier/team-developer-platform/secret-scrubber-js/-/merge_requests/4))
 
 ## 1.0.3
 

package/lib/convenience.js

@@ -23,6 +23,14 @@ exports.SENSITIVE_SUBSTRINGS = [
  * * has potentially secret information, such as a password or querystring
  */
 const isUrlWithSecrets = (val) => {
+    // creating a URL object is a little expensive; perform a couple of quick checks first
+    if (typeof val !== 'string') {
+        return false;
+    }
+    // if this doesn't start with http(s), it's probably not a url we care about
+    if (!val.startsWith('http')) {
+        return false;
+    }
     let url;
     try {
         url = new url_1.URL(val);

package/lib/index.js

@@ -10,11 +10,17 @@ const utils_1 = require("./utils");
  */
 const scrub = (input, secretValues) => {
     const sensitiveBank = (0, utils_1.makeSensitiveBank)(secretValues);
+    // Sort by string length first and then by letters.
+    // Otherwise, a sensitive bank {"abcdefg": "aa", "abcdefgh": "bb"} would censor {"api_key": "abcdefgh"}
+    // into {"api_key": "aah"} while the desired output is {"api_key": "bb"}.
+    const sortedKeys = Object.keys(sensitiveBank).sort((x, y) => x.length - y.length === 0 ? y.localeCompare(x) : y.length - x.length);
+    const sensitiveBankEntries = sortedKeys
+        .map((key) => [key, sensitiveBank[key]]);
     const replacer = (val) => {
         if (typeof val === 'string') {
             let copiedVal = val;
             // have to look for substrings in the value instead of looking for the value in the map
-            Object.entries(sensitiveBank).forEach(([transformed, censored]) => {
+            sensitiveBankEntries.forEach(([transformed, censored]) => {
                 copiedVal = (0, utils_1.replaceAll)(copiedVal, transformed, censored);
             });
             return copiedVal;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zapier/secret-scrubber",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "description": "Confidently remove secrets and sensitive values from unstructured objects.",
   "main": "lib/index.js",
   "typings": "lib/index.d.ts",