mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-12 18:30:44 +00:00
47 lines
1.3 KiB
TypeScript
47 lines
1.3 KiB
TypeScript
import { normalizeLowercaseStringOrEmpty } from "../shared/string-coerce.js";
|
|
|
|
/**
|
|
* Non-sensitive field names that happen to match sensitive patterns.
|
|
* These are explicitly excluded from redaction (plugin config) and
|
|
* warnings about not being marked sensitive (base config).
|
|
*/
|
|
const SENSITIVE_KEY_WHITELIST_SUFFIXES = [
|
|
"maxtokens",
|
|
"maxoutputtokens",
|
|
"maxinputtokens",
|
|
"maxcompletiontokens",
|
|
"contexttokens",
|
|
"totaltokens",
|
|
"tokencount",
|
|
"tokenlimit",
|
|
"tokenbudget",
|
|
"passwordFile",
|
|
] as const;
|
|
|
|
const NORMALIZED_SENSITIVE_KEY_WHITELIST_SUFFIXES = SENSITIVE_KEY_WHITELIST_SUFFIXES.map((suffix) =>
|
|
normalizeLowercaseStringOrEmpty(suffix),
|
|
);
|
|
|
|
const SENSITIVE_PATTERNS = [
|
|
/token$/i,
|
|
/password/i,
|
|
/secret/i,
|
|
/api.?key/i,
|
|
/encrypt.?key/i,
|
|
/private.?key/i,
|
|
/serviceaccount(?:ref)?$/i,
|
|
];
|
|
|
|
function isWhitelistedSensitivePath(path: string): boolean {
|
|
const lowerPath = normalizeLowercaseStringOrEmpty(path);
|
|
return NORMALIZED_SENSITIVE_KEY_WHITELIST_SUFFIXES.some((suffix) => lowerPath.endsWith(suffix));
|
|
}
|
|
|
|
function matchesSensitivePattern(path: string): boolean {
|
|
return SENSITIVE_PATTERNS.some((pattern) => pattern.test(path));
|
|
}
|
|
|
|
export function isSensitiveConfigPath(path: string): boolean {
|
|
return !isWhitelistedSensitivePath(path) && matchesSensitivePattern(path);
|
|
}
|