npm - dd-trace - Versions diffs - 2.33.0 → 2.35.0 - Mend

dd-trace 2.33.0 → 2.35.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (120) hide show

package/packages/dd-trace/src/appsec/iast/analyzers/ssrf-analyzer.js ADDED Viewed

@@ -0,0 +1,26 @@
+'use strict'
+const InjectionAnalyzer = require('./injection-analyzer')
+const { SSRF } = require('../vulnerabilities')
+class SSRFAnalyzer extends InjectionAnalyzer {
+  constructor () {
+    super(SSRF)
+    this.addSub('apm:http:client:request:start', ({ args }) => {
+      if (typeof args.originalUrl === 'string') {
+        this.analyze(args.originalUrl)
+      } else if (args.options && args.options.host) {
+        this.analyze(args.options.host)
+      }
+    })
+    this.addSub('apm:http2:client:connect:start', ({ authority }) => {
+      if (authority && typeof authority === 'string') {
+        this.analyze(authority)
+      }
+    })
+  }
+}
+module.exports = new SSRFAnalyzer()

package/packages/dd-trace/src/appsec/iast/analyzers/vulnerability-analyzer.js CHANGED Viewed

@@ -4,7 +4,7 @@ const Plugin = require('../../../../src/plugins/plugin')
 const { storage } = require('../../../../../datadog-core')
 const iastLog = require('../iast-log')
 const { getFirstNonDDPathAndLine } = require('../path-line')
-const { createVulnerability, addVulnerability } = require('../vulnerability-reporter')
+const { addVulnerability } = require('../vulnerability-reporter')
 const { getIastContext } = require('../iast-context')
 const overheadController = require('../overhead-controller')
@@ -41,7 +41,7 @@ class Analyzer extends Plugin {
     const location = this._getLocation()
     if (!this._isExcluded(location)) {
       const spanId = context && context.rootSpan && context.rootSpan.context().toSpanId()
-      const vulnerability = createVulnerability(this._type, evidence, spanId, location)
+      const vulnerability = this._createVulnerability(this._type, evidence, spanId, location)
       addVulnerability(context, vulnerability)
     }
   }
@@ -59,9 +59,11 @@ class Analyzer extends Plugin {
   }
   _getLocation () {
-    return getFirstNonDDPathAndLine()
+    return getFirstNonDDPathAndLine(this._getExcludedPaths())
   }
+  _getExcludedPaths () {}
   analyze (value) {
     const store = storage.getStore()
     const iastContext = getIastContext(store)
@@ -87,6 +89,36 @@ class Analyzer extends Plugin {
   _checkOCE (context) {
     return overheadController.hasQuota(overheadController.OPERATIONS.REPORT_VULNERABILITY, context)
   }
+  _createVulnerability (type, evidence, spanId, location) {
+    if (type && evidence) {
+      const _spanId = spanId || 0
+      return {
+        type,
+        evidence,
+        location: {
+          spanId: _spanId,
+          ...location
+        },
+        hash: this._createHash(this._createHashSource(type, evidence, location))
+      }
+    }
+    return null
+  }
+  _createHashSource (type, evidence, location) {
+    return location ? `${type}:${location.path}:${location.line}` : type
+  }
+  _createHash (hashSource) {
+    let hash = 0
+    let offset = 0
+    const size = hashSource.length
+    for (let i = 0; i < size; i++) {
+      hash = ((hash << 5) - hash) + hashSource.charCodeAt(offset++)
+    }
+    return hash
+  }
 }
 module.exports = Analyzer

package/packages/dd-trace/src/appsec/iast/analyzers/weak-cipher-analyzer.js CHANGED Viewed

@@ -1,5 +1,6 @@
 'use strict'
 const Analyzer = require('./vulnerability-analyzer')
+const { WEAK_CIPHER } = require('../vulnerabilities')
 const INSECURE_CIPHERS = new Set([
   'des', 'des-cbc', 'des-cfb', 'des-cfb1', 'des-cfb8', 'des-ecb', 'des-ede', 'des-ede-cbc', 'des-ede-cfb',
@@ -12,7 +13,7 @@ const INSECURE_CIPHERS = new Set([
 class WeakCipherAnalyzer extends Analyzer {
   constructor () {
-    super('WEAK_CIPHER')
+    super(WEAK_CIPHER)
     this.addSub('datadog:crypto:cipher:start', ({ algorithm }) => this.analyze(algorithm))
   }

package/packages/dd-trace/src/appsec/iast/analyzers/weak-hash-analyzer.js CHANGED Viewed

@@ -1,5 +1,6 @@
 'use strict'
 const Analyzer = require('./vulnerability-analyzer')
+const { WEAK_HASH } = require('../vulnerabilities')
 const INSECURE_HASH_ALGORITHMS = new Set([
   'md4', 'md4WithRSAEncryption', 'RSA-MD4',
@@ -9,7 +10,7 @@ const INSECURE_HASH_ALGORITHMS = new Set([
 class WeakHashAnalyzer extends Analyzer {
   constructor () {
-    super('WEAK_HASH')
+    super(WEAK_HASH)
     this.addSub('datadog:crypto:hashing:start', ({ algorithm }) => this.analyze(algorithm))
   }

package/packages/dd-trace/src/appsec/iast/index.js CHANGED Viewed

@@ -51,7 +51,7 @@ function onIncomingHttpRequestStart (data) {
         }
         if (rootSpan.addTags) {
           rootSpan.addTags({
-            [IAST_ENABLED_TAG_KEY]: isRequestAcquired ? '1' : '0'
+            [IAST_ENABLED_TAG_KEY]: isRequestAcquired ? 1 : 0
           })
         }
       }

package/packages/dd-trace/src/appsec/iast/path-line.js CHANGED Viewed

@@ -37,15 +37,16 @@ function getCallSiteInfo () {
   return callsiteList
 }
-function getFirstNonDDPathAndLineFromCallsites (callsites) {
+function getFirstNonDDPathAndLineFromCallsites (callsites, externallyExcludedPaths) {
   if (callsites) {
     for (let i = 0; i < callsites.length; i++) {
       const callsite = callsites[i]
       const filepath = callsite.getFileName()
-      if (!isExcluded(callsite) && filepath.indexOf(pathLine.ddBasePath) === -1) {
+      if (!isExcluded(callsite, externallyExcludedPaths) && filepath.indexOf(pathLine.ddBasePath) === -1) {
         return {
           path: path.relative(process.cwd(), filepath),
-          line: callsite.getLineNumber()
+          line: callsite.getLineNumber(),
+          isInternal: !path.isAbsolute(filepath)
         }
       }
     }
@@ -53,26 +54,33 @@ function getFirstNonDDPathAndLineFromCallsites (callsites) {
   return null
 }
-function isExcluded (callsite) {
+function isExcluded (callsite, externallyExcludedPaths) {
   if (callsite.isNative()) return true
   const filename = callsite.getFileName()
   if (!filename) {
     return true
   }
-  for (let i = 0; i < EXCLUDED_PATHS.length; i++) {
-    if (filename.indexOf(EXCLUDED_PATHS[i]) > -1) {
+  let excludedPaths = EXCLUDED_PATHS
+  if (externallyExcludedPaths) {
+    excludedPaths = [...excludedPaths, ...externallyExcludedPaths]
+  }
+  for (let i = 0; i < excludedPaths.length; i++) {
+    if (filename.indexOf(excludedPaths[i]) > -1) {
       return true
     }
   }
   for (let i = 0; i < EXCLUDED_PATH_PREFIXES.length; i++) {
     if (filename.indexOf(EXCLUDED_PATH_PREFIXES[i]) === 0) {
       return true
     }
   }
   return false
 }
-function getFirstNonDDPathAndLine () {
-  return getFirstNonDDPathAndLineFromCallsites(getCallSiteInfo())
+function getFirstNonDDPathAndLine (externallyExcludedPaths) {
+  return getFirstNonDDPathAndLineFromCallsites(getCallSiteInfo(), externallyExcludedPaths)
 }
 module.exports = pathLine

package/packages/dd-trace/src/appsec/iast/taint-tracking/plugin.js CHANGED Viewed

@@ -12,17 +12,32 @@ class TaintTrackingPlugin extends Plugin {
     this._type = 'taint-tracking'
     this.addSub(
       'datadog:body-parser:read:finish',
-      ({ req }) => this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body')
+      ({ req }) => {
+        const iastContext = getIastContext(storage.getStore())
+        if (iastContext && iastContext['body'] !== req.body) {
+          this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
+          iastContext['body'] = req.body
+        }
+      }
     )
     this.addSub(
       'datadog:qs:parse:finish',
       ({ qs }) => this._taintTrackingHandler(HTTP_REQUEST_PARAMETER, qs))
+    this.addSub('apm:express:middleware:next', ({ req }) => {
+      if (req && req.body && typeof req.body === 'object') {
+        const iastContext = getIastContext(storage.getStore())
+        if (iastContext && iastContext['body'] !== req.body) {
+          this._taintTrackingHandler(HTTP_REQUEST_BODY, req, 'body', iastContext)
+          iastContext['body'] = req.body
+        }
+      }
+    })
   }
-  _taintTrackingHandler (type, target, property) {
-    const iastContext = getIastContext(storage.getStore())
+  _taintTrackingHandler (type, target, property, iastContext = getIastContext(storage.getStore())) {
     if (!property) {
-      target = taintObject(iastContext, target, type)
+      taintObject(iastContext, target, type)
     } else {
       target[property] = taintObject(iastContext, target[property], type)
     }

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/range-utils.js ADDED Viewed

@@ -0,0 +1,37 @@
+'use strict'
+function contains (rangeContainer, rangeContained) {
+  if (rangeContainer.start > rangeContained.start) {
+    return false
+  }
+  return rangeContainer.end >= rangeContained.end
+}
+function intersects (rangeA, rangeB) {
+  return rangeB.start < rangeA.end && rangeB.end > rangeA.start
+}
+function remove (range, rangeToRemove) {
+  if (!intersects(range, rangeToRemove)) {
+    return [range]
+  } else if (contains(rangeToRemove, range)) {
+    return []
+  } else {
+    const result = []
+    if (rangeToRemove.start > range.start) {
+      const offset = rangeToRemove.start - range.start
+      result.push({ start: range.start, end: range.start + offset })
+    }
+    if (rangeToRemove.end < range.end) {
+      const offset = range.end - rangeToRemove.end
+      result.push({ start: rangeToRemove.end, end: rangeToRemove.end + offset })
+    }
+    return result
+  }
+}
+module.exports = {
+  contains,
+  intersects,
+  remove
+}

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/command-sensitive-analyzer.js ADDED Viewed

@@ -0,0 +1,29 @@
+'use strict'
+const iastLog = require('../../../iast-log')
+const COMMAND_PATTERN = '^(?:\\s*(?:sudo|doas)\\s+)?\\b\\S+\\b\\s(.*)'
+class CommandSensitiveAnalyzer {
+  constructor () {
+    this._pattern = new RegExp(COMMAND_PATTERN, 'gmi')
+  }
+  extractSensitiveRanges (evidence) {
+    try {
+      this._pattern.lastIndex = 0
+      const regexResult = this._pattern.exec(evidence.value)
+      if (regexResult && regexResult.length > 1) {
+        const start = regexResult.index + (regexResult[0].length - regexResult[1].length)
+        const end = start + regexResult[1].length
+        return [{ start, end }]
+      }
+    } catch (e) {
+      iastLog.debug(e)
+    }
+    return []
+  }
+}
+module.exports = CommandSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/ldap-sensitive-analyzer.js ADDED Viewed

@@ -0,0 +1,35 @@
+'use strict'
+const iastLog = require('../../../iast-log')
+const LDAP_PATTERN = '\\(.*?(?:~=|=|<=|>=)(?<LITERAL>[^)]+)\\)'
+class LdapSensitiveAnalyzer {
+  constructor () {
+    this._pattern = new RegExp(LDAP_PATTERN, 'gmi')
+  }
+  extractSensitiveRanges (evidence) {
+    try {
+      this._pattern.lastIndex = 0
+      const tokens = []
+      let regexResult = this._pattern.exec(evidence.value)
+      while (regexResult != null) {
+        if (!regexResult.groups.LITERAL) continue
+        // Computing indices manually since NodeJs 12 does not support d flag on regular expressions
+        // TODO Get indices from group by adding d flag in regular expression
+        const start = regexResult.index + (regexResult[0].length - regexResult.groups.LITERAL.length - 1)
+        const end = start + regexResult.groups.LITERAL.length
+        tokens.push({ start, end })
+        regexResult = this._pattern.exec(evidence.value)
+      }
+      return tokens
+    } catch (e) {
+      iastLog.debug(e)
+    }
+    return []
+  }
+}
+module.exports = LdapSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/sql-sensitive-analyzer.js ADDED Viewed

@@ -0,0 +1,118 @@
+'use strict'
+const iastLog = require('../../../iast-log')
+const STRING_LITERAL = '\'(?:\'\'|[^\'])*\''
+const POSTGRESQL_ESCAPED_LITERAL = '\\$([^$]*)\\$.*?\\$\\1\\$'
+const MYSQL_STRING_LITERAL = '"(?:\\\\"|[^"])*"|\'(?:\\\\\'|[^\'])*\''
+const LINE_COMMENT = '--.*$'
+const BLOCK_COMMENT = '/\\*[\\s\\S]*\\*/'
+const EXPONENT = '(?:E[-+]?\\d+[fd]?)?'
+const INTEGER_NUMBER = '(?<!\\w)\\d+'
+const DECIMAL_NUMBER = '\\d*\\.\\d+'
+const HEX_NUMBER = 'x\'[0-9a-f]+\'|0x[0-9a-f]+'
+const BIN_NUMBER = 'b\'[0-9a-f]+\'|0b[0-9a-f]+'
+const NUMERIC_LITERAL =
+  `[-+]?(?:${
+    [
+      HEX_NUMBER,
+      BIN_NUMBER,
+      DECIMAL_NUMBER + EXPONENT,
+      INTEGER_NUMBER + EXPONENT
+    ].join('|')
+  })`
+const ORACLE_ESCAPED_LITERAL = 'q\'<.*?>\'|q\'\\(.*?\\)\'|q\'\\{.*?\\}\'|q\'\\[.*?\\]\'|q\'(?<ESCAPE>.).*?\\k<ESCAPE>\''
+class SqlSensitiveAnalyzer {
+  constructor () {
+    this._patterns = {
+      ANSI: new RegExp( // Default
+        [
+          NUMERIC_LITERAL,
+          STRING_LITERAL,
+          LINE_COMMENT,
+          BLOCK_COMMENT
+        ].join('|'),
+        'gmi'
+      ),
+      MYSQL: new RegExp(
+        [
+          NUMERIC_LITERAL,
+          MYSQL_STRING_LITERAL,
+          LINE_COMMENT,
+          BLOCK_COMMENT
+        ].join('|'),
+        'gmi'
+      ),
+      POSTGRES: new RegExp(
+        [
+          NUMERIC_LITERAL,
+          POSTGRESQL_ESCAPED_LITERAL,
+          STRING_LITERAL,
+          LINE_COMMENT,
+          BLOCK_COMMENT
+        ].join('|'),
+        'gmi'
+      ),
+      ORACLE: new RegExp([
+        NUMERIC_LITERAL,
+        ORACLE_ESCAPED_LITERAL,
+        STRING_LITERAL,
+        LINE_COMMENT,
+        BLOCK_COMMENT
+      ].join('|'),
+      'gmi')
+    }
+    this._patterns.SQLITE = this._patterns.MYSQL
+    this._patterns.MARIADB = this._patterns.MYSQL
+  }
+  extractSensitiveRanges (evidence) {
+    try {
+      let pattern = this._patterns[evidence.dialect]
+      if (!pattern) {
+        pattern = this._patterns['ANSI']
+      }
+      pattern.lastIndex = 0
+      const tokens = []
+      let regexResult = pattern.exec(evidence.value)
+      while (regexResult != null) {
+        let start = regexResult.index
+        let end = regexResult.index + regexResult[0].length
+        const startChar = evidence.value.charAt(start)
+        if (startChar === '\'' || startChar === '"') {
+          start++
+          end--
+        } else if (end > start + 1) {
+          const nextChar = evidence.value.charAt(start + 1)
+          if (startChar === '/' && nextChar === '*') {
+            start += 2
+            end -= 2
+          } else if (startChar === '-' && startChar === nextChar) {
+            start += 2
+          } else if (startChar.toLowerCase() === 'q' && nextChar === '\'') {
+            start += 3
+            end -= 2
+          } else if (startChar === '$') {
+            const match = regexResult[0]
+            const size = match.indexOf('$', 1) + 1
+            if (size > 1) {
+              start += size
+              end -= size
+            }
+          }
+        }
+        tokens.push({ start, end })
+        regexResult = pattern.exec(evidence.value)
+      }
+      return tokens
+    } catch (e) {
+      iastLog.debug(e)
+    }
+    return []
+  }
+}
+module.exports = SqlSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-analyzers/url-sensitive-analyzer.js ADDED Viewed

@@ -0,0 +1,49 @@
+'use strict'
+const iastLog = require('../../../iast-log')
+const AUTHORITY = '^(?:[^:]+:)?//([^@]+)@'
+const QUERY_FRAGMENT = '[?#&]([^=&;]+)=([^?#&]+)'
+class UrlSensitiveAnalyzer {
+  constructor () {
+    this._pattern = new RegExp([AUTHORITY, QUERY_FRAGMENT].join('|'), 'gmi')
+  }
+  extractSensitiveRanges (evidence) {
+    try {
+      const pattern = this._pattern
+      const ranges = []
+      let regexResult = pattern.exec(evidence.value)
+      while (regexResult != null) {
+        if (typeof regexResult[1] === 'string') {
+          // AUTHORITY regex match always ends by group + @
+          // it means that the match last chars - 1 are always the group
+          const end = regexResult.index + (regexResult[0].length - 1)
+          const start = end - regexResult[1].length
+          ranges.push({ start, end })
+        }
+        if (typeof regexResult[3] === 'string') {
+          // QUERY_FRAGMENT regex always ends with the group
+          // it means that the match last chars are always the group
+          const end = regexResult.index + regexResult[0].length
+          const start = end - regexResult[3].length
+          ranges.push({ start, end })
+        }
+        regexResult = pattern.exec(evidence.value)
+      }
+      return ranges
+    } catch (e) {
+      iastLog.debug(e)
+    }
+    return []
+  }
+}
+module.exports = UrlSensitiveAnalyzer

package/packages/dd-trace/src/appsec/iast/vulnerabilities-formatter/evidence-redaction/sensitive-handler.js ADDED Viewed

@@ -0,0 +1,146 @@
+'use strict'
+const vulnerabilities = require('../../vulnerabilities')
+const { contains, intersects, remove } = require('./range-utils')
+const CommandSensitiveAnalyzer = require('./sensitive-analyzers/command-sensitive-analyzer')
+const LdapSensitiveAnalyzer = require('./sensitive-analyzers/ldap-sensitive-analyzer')
+const SqlSensitiveAnalyzer = require('./sensitive-analyzers/sql-sensitive-analyzer')
+const UrlSensitiveAnalyzer = require('./sensitive-analyzers/url-sensitive-analyzer')
+// eslint-disable-next-line max-len
+const DEFAULT_IAST_REDACTION_NAME_PATTERN = '(?:p(?:ass)?w(?:or)?d|pass(?:_?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)'
+// eslint-disable-next-line max-len
+const DEFAULT_IAST_REDACTION_VALUE_PATTERN = '(?:bearer\\s+[a-z0-9\\._\\-]+|glpat-[\\w\\-]{20}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L][\\w=\\-]+\\.ey[I-L][\\w=\\-]+(?:\\.[\\w.+/=\\-]+)?|(?:[\\-]{5}BEGIN[a-z\\s]+PRIVATE\\sKEY[\\-]{5}[^\\-]+[\\-]{5}END[a-z\\s]+PRIVATE\\sKEY[\\-]{5}|ssh-rsa\\s*[a-z0-9/\\.+]{100,}))'
+class SensitiveHandler {
+  constructor () {
+    this._namePattern = new RegExp(DEFAULT_IAST_REDACTION_NAME_PATTERN, 'gmi')
+    this._valuePattern = new RegExp(DEFAULT_IAST_REDACTION_VALUE_PATTERN, 'gmi')
+    this._sensitiveAnalyzers = new Map()
+    this._sensitiveAnalyzers.set(vulnerabilities.COMMAND_INJECTION, new CommandSensitiveAnalyzer())
+    this._sensitiveAnalyzers.set(vulnerabilities.LDAP_INJECTION, new LdapSensitiveAnalyzer())
+    this._sensitiveAnalyzers.set(vulnerabilities.SQL_INJECTION, new SqlSensitiveAnalyzer())
+    this._sensitiveAnalyzers.set(vulnerabilities.SSRF, new UrlSensitiveAnalyzer())
+  }
+  isSensibleName (name) {
+    this._namePattern.lastIndex = 0
+    return this._namePattern.test(name)
+  }
+  isSensibleValue (value) {
+    this._valuePattern.lastIndex = 0
+    return this._valuePattern.test(value)
+  }
+  isSensibleSource (source) {
+    return source != null && (this.isSensibleName(source.name) || this.isSensibleValue(source.value))
+  }
+  scrubEvidence (vulnerabilityType, evidence, sourcesIndexes, sources) {
+    const sensitiveAnalyzer = this._sensitiveAnalyzers.get(vulnerabilityType)
+    if (sensitiveAnalyzer) {
+      const sensitiveRanges = sensitiveAnalyzer.extractSensitiveRanges(evidence)
+      return this.toRedactedJson(evidence, sensitiveRanges, sourcesIndexes, sources)
+    }
+    return null
+  }
+  toRedactedJson (evidence, sensitive, sourcesIndexes, sources) {
+    const valueParts = []
+    const redactedSources = []
+    const { value, ranges } = evidence
+    let start = 0
+    let nextTaintedIndex = 0
+    let sourceIndex
+    let nextTainted = ranges.shift()
+    let nextSensitive = sensitive.shift()
+    for (let i = 0; i < value.length; i++) {
+      if (nextTainted != null && nextTainted.start === i) {
+        this.writeValuePart(valueParts, value.substring(start, i), sourceIndex)
+        sourceIndex = sourcesIndexes[nextTaintedIndex]
+        while (nextSensitive != null && contains(nextTainted, nextSensitive)) {
+          sourceIndex != null && redactedSources.push(sourceIndex)
+          nextSensitive = sensitive.shift()
+        }
+        if (nextSensitive != null && intersects(nextSensitive, nextTainted)) {
+          sourceIndex != null && redactedSources.push(sourceIndex)
+          const entries = remove(nextSensitive, nextTainted)
+          nextSensitive = entries.length > 0 ? entries[0] : null
+        }
+        this.isSensibleSource(sources[sourceIndex]) && redactedSources.push(sourceIndex)
+        if (redactedSources.indexOf(sourceIndex) > -1) {
+          this.writeRedactedValuePart(valueParts, sourceIndex)
+        } else {
+          const substringEnd = Math.min(nextTainted.end, value.length)
+          this.writeValuePart(valueParts, value.substring(nextTainted.start, substringEnd), sourceIndex)
+        }
+        start = i + (nextTainted.end - nextTainted.start)
+        i = start - 1
+        nextTainted = ranges.shift()
+        nextTaintedIndex++
+        sourceIndex = null
+      } else if (nextSensitive != null && nextSensitive.start === i) {
+        this.writeValuePart(valueParts, value.substring(start, i), sourceIndex)
+        if (nextTainted != null && intersects(nextSensitive, nextTainted)) {
+          sourceIndex = sourcesIndexes[nextTaintedIndex]
+          sourceIndex != null && redactedSources.push(sourceIndex)
+          for (const entry of remove(nextSensitive, nextTainted)) {
+            if (entry.start === i) {
+              nextSensitive = entry
+            } else {
+              sensitive.unshift(entry)
+            }
+          }
+        }
+        this.writeRedactedValuePart(valueParts)
+        start = i + (nextSensitive.end - nextSensitive.start)
+        i = start - 1
+        nextSensitive = sensitive.shift()
+      }
+    }
+    if (start < value.length) {
+      this.writeValuePart(valueParts, value.substring(start))
+    }
+    return { redactedValueParts: valueParts, redactedSources }
+  }
+  writeValuePart (valueParts, value, source) {
+    if (value.length > 0) {
+      if (source != null) {
+        valueParts.push({ value, source })
+      } else {
+        valueParts.push({ value })
+      }
+    }
+  }
+  writeRedactedValuePart (valueParts, source) {
+    if (source != null) {
+      valueParts.push({ redacted: true, source })
+    } else {
+      valueParts.push({ redacted: true })
+    }
+  }
+}
+module.exports = new SensitiveHandler()