@zapier/secret-scrubber 1.0.7 → 1.0.8

package/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.0.8
+
+_released `2023-10-25`_
+
+- fix issue where the order of replacements in `scrub` matters in the sense that we can end up with partially scrubbed sensitive data. Now, we sort the sensitive bank values by larger keys first ([!11](https://gitlab.com/zapier/team-developer-platform/secret-scrubber-js/-/merge_requests/11))
+
 ## 1.0.7
 
 _released `2022-04-28`_

package/lib/index.js

@@ -10,11 +10,17 @@ const utils_1 = require("./utils");
  */
 const scrub = (input, secretValues) => {
     const sensitiveBank = (0, utils_1.makeSensitiveBank)(secretValues);
+    // Sort by string length first and then by letters.
+    // Otherwise, a sensitive bank {"abcdefg": "aa", "abcdefgh": "bb"} would censor {"api_key": "abcdefgh"}
+    // into {"api_key": "aah"} while the desired output is {"api_key": "bb"}.
+    const sortedKeys = Object.keys(sensitiveBank).sort((x, y) => x.length - y.length === 0 ? y.localeCompare(x) : y.length - x.length);
+    const sensitiveBankEntries = sortedKeys
+        .map((key) => [key, sensitiveBank[key]]);
     const replacer = (val) => {
         if (typeof val === 'string') {
             let copiedVal = val;
             // have to look for substrings in the value instead of looking for the value in the map
-            Object.entries(sensitiveBank).forEach(([transformed, censored]) => {
+            sensitiveBankEntries.forEach(([transformed, censored]) => {
                 copiedVal = (0, utils_1.replaceAll)(copiedVal, transformed, censored);
             });
             return copiedVal;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zapier/secret-scrubber",
-  "version": "1.0.7",
+  "version": "1.0.8",
   "description": "Confidently remove secrets and sensitive values from unstructured objects.",
   "main": "lib/index.js",
   "typings": "lib/index.d.ts",