fix(logging): redact URL query secrets

Peter Steinberger
2026-04-27 10:56:39 +01:00
parent 1b581b4c71
commit a0023f4978
3 changed files with 22 additions and 1 deletions


@@ -556,7 +556,7 @@ describe("diagnostic support export", () => {
const cases = [
[
"connect wss://support-user:support-password@gateway.example/ws?token=short-token&ok=1",
"connect wss://<redacted>:<redacted>@gateway.example/ws?token=<redacted>",
"connect wss://<redacted>:<redacted>@gateway.example/ws?token=<redacted>&ok=1",
],
[
"connect https://gateway.example/ws?access-token=short-token",


@@ -134,6 +134,24 @@ describe("redactSensitiveText", () => {
expect(output).toBe(input);
});
it("masks sensitive URL query params while preserving non-sensitive params", () => {
const input = "GET /_matrix/client/v3/sync?access_token=abcdef1234567890ghij&since=123";
const output = redactSensitiveText(input, {
mode: "tools",
patterns: defaults,
});
expect(output).toBe("GET /_matrix/client/v3/sync?access_token=abcdef…ghij&since=123");
});
it("treats sensitive URL query param names case-insensitively", () => {
const input = "connect https://gateway.example/ws?Access-Token=short-token&ok=1";
const output = redactSensitiveText(input, {
mode: "tools",
patterns: defaults,
});
expect(output).toBe("connect https://gateway.example/ws?Access-Token=***&ok=1");
});
it("redacts private key blocks", () => {
const input = [
"-----BEGIN PRIVATE KEY-----",
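Review bot: The expectation in the `access_token` test leaves ten of the twenty characters of the token visible (`abcdef…ghij`), which discloses half the secret in tool output, while the `Access-Token` case expects a full `***` mask; nothing in the hunk states what decides between the two, and neither test name says so. If the partial mask is a deliberate correlation aid for long values, name the test for it, e.g. `it("keeps a short prefix/suffix of long sensitive URL query values for correlation", …)`, and add an assertion for a value at the length boundary that must still be fully masked, so a regression that widens the visible window is caught. The masker that produces `abcdef…ghij` is outside this hunk, so the threshold it applies cannot be confirmed from here. The enclosing `describe("redactSensitiveText", …)` block starts before and continues past this hunk.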


@@ -14,6 +14,9 @@ const DEFAULT_REDACT_PATTERNS: string[] = [
// ENV-style assignments. Keep this case-sensitive so diagnostics like
// `Unrecognized key: "llm"` do not lose the actual config key.
String.raw`/\b[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD)\b\s*[=:]\s*(["']?)([^\s"'\\]+)\1/g`,
// URL query parameters. Keep this separate from ENV-style assignments so
// lower-case URL secrets stay redacted without hiding config-key diagnostics.
String.raw`/[?&](?:access[-_]?token|auth[-_]?token|hook[-_]?token|refresh[-_]?token|api[-_]?key|client[-_]?secret|token|key|secret|password|pass|passwd|auth|signature)=([^&\s"'<>]+)/gi`,
// JSON fields.
String.raw`"(?:apiKey|token|secret|password|passwd|accessToken|refreshToken)"\s*:\s*"([^"]+)"`,
// CLI flags.
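Review bot: The leading delimiter `[?&]` on the new URL pattern misses OAuth implicit-flow responses, where the token travels in the fragment (`#access_token=…`), and the fixed alternation misses prefixed spellings that are common in real URLs — `id_token`, `secret_key`, `private_key`, `X-Amz-Signature`, `sig` — because each name must sit directly between the delimiter and `=`. Allowing `#` as a delimiter plus an optional `word-`/`word_` prefix closes both gaps while `&` still terminates the value, so neighbouring params survive as the updated tests expect: `/[?&#](?:[a-z0-9]+[-_.])*(?:access[-_]?token|auth[-_]?token|hook[-_]?token|refresh[-_]?token|api[-_]?key|client[-_]?secret|token|key|secret|password|pass|passwd|auth|signature|sig)=([^&\s"'<>]+)/gi` (still wrapped in `String.raw` as on the original line). The prefix does over-match names such as `sort_key`, which only hides a non-secret value; since this list feeds log redaction, erring toward redaction is the safer failure mode, but that trade-off deserves a comment next to the pattern, e.g. `// Prefixed names (id_token, X-Amz-Signature) and #fragment tokens are matched; over-redaction of e.g. sort_key is accepted.`. `DEFAULT_REDACT_PATTERNS` begins before and continues past this hunk.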