From 524fdc5e8294fd5259b9dd164ceab0e8b33fef4d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?El=C3=A9onore=20Carpentier?=
Date: Wed, 15 Nov 2023 17:05:39 -0500
Subject: [PATCH 1/7] Update default rules to add JWT and private keys

---
 lib/patterns/default.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/patterns/default.rb b/lib/patterns/default.rb
index 31ad926..e3cf6f6 100644
--- a/lib/patterns/default.rb
+++ b/lib/patterns/default.rb
@@ -5,6 +5,8 @@ module Patterns
   DEFAULT = [
     /ghp_[A-Za-z0-9]{36,}|[0-9A-Fa-f]{40,}/, # GitHub Personal Access Token
     /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/, # GitHub Personal Access Token (fine-grained)
-    /ghs_[a-zA-Z0-9]{36}/ # Temporary GitHub Actions Tokens
+    /ghs_[a-zA-Z0-9]{36}/, # Temporary GitHub Actions Tokens
+    /\b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9\/\\_-]{17,}\.(?:[a-zA-Z0-9\/\\_-]{10,}={0,2})?)(?:['|\"|\n|\r|\s|\x60|;]|$)/, # JWT tokens
+    /(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\s\S-]*KEY( BLOCK)?----/ # private keys
   ].freeze
 end

From c7b0bed3a3a5784a53d3ad0d344628afdfa02c6c Mon Sep 17 00:00:00 2001
From: GrantBirki
Date: Wed, 15 Nov 2023 15:15:27 -0700
Subject: [PATCH 2/7] add JWT test

---
 spec/lib/redacting_logger_spec.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/spec/lib/redacting_logger_spec.rb b/spec/lib/redacting_logger_spec.rb
index 94f820c..2fc074c 100644
--- a/spec/lib/redacting_logger_spec.rb
+++ b/spec/lib/redacting_logger_spec.rb
@@ -132,5 +132,17 @@
       expect(log_output).to match(/Custom token: token_ABCD/)
     end
+
+    it "redacts a JWT token" do
+      # this is a dummy JWT token, but it is the correct length and format
+      token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
+
+      logger.info("JWT token: #{token}")
+
+      logdev.rewind
+      log_output = logdev.read
+
+      expect(log_output).to match(/JWT token: \[REDACTED\]/)
+    end
   end
 end
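Review bot: The JWT pattern added here only allows `[a-zA-Z0-9]` inside the header and payload segments, so a token whose base64url header or payload contains `-` or `_` (both legal base64url characters, which can occur whenever the JSON claims contain characters such as `?`, `~` or non-ASCII text) is left in the log unredacted; widening those two classes to match the signature segment, `ey[A-Za-z0-9_-]{17,}\.ey[A-Za-z0-9_-]{17,}`, closes that gap. The trailing `(?:['|\"|\n|\r|\s|\x60|;]|$)` group is part of the overall match, so unless the caller substitutes only capture group 1 (not visible in this hunk) the quote or whitespace following the token is swallowed by the redaction; a lookahead such as `(?=["'\s\x60;]|$)` keeps the delimiter, and the `|` characters inside that class are literal pipes rather than alternation. In the private-key pattern `[\s\S-]*` already matches any character (the `-` is redundant), and because it is greedy a single message containing two keys is redacted as one span up to the last `KEY----`; that is acceptable for a redactor but deserves a comment, as does the fact that the closing `----` leaves the fifth dash of `-----END ... KEY-----` in the output.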
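Review bot: The assertion `expect(log_output).to match(/JWT token: \[REDACTED\]/)` only checks that the placeholder appears after the prefix; it would still pass if part of the token survived after `[REDACTED]` (for instance if the pattern matched only a prefix of the token), which is exactly the failure mode a redaction test exists to catch. Add a negative assertion on the secret itself, `expect(log_output).not_to include(token)`; the same applies to the RSA example added in PATCH 4/7, where `expect(log_output).not_to include(fake_private_key)` would confirm the whole PEM body was removed. The enclosing `describe` block starts outside the hunk.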
From 03bab6e60e7e5626c791aa91f518be48569b84a0 Mon Sep 17 00:00:00 2001
From: GrantBirki
Date: Wed, 15 Nov 2023 15:23:36 -0700
Subject: [PATCH 3/7] add a fake RSA key

---
 spec/fixtures/fake.private_key | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 spec/fixtures/fake.private_key

diff --git a/spec/fixtures/fake.private_key b/spec/fixtures/fake.private_key
new file mode 100644
index 0000000..d81b50c
--- /dev/null
+++ b/spec/fixtures/fake.private_key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWgIBAAKBgGoYIuq9HddnNIqkdZODTLvo/XACp39SprGGpG3DdozcKr9f3Zyg
+AOrF898TvUaxjIPp7roLpNKH6uyK/mHGwESiM1hVT/KK2YUb0Urwc2hNSCoN9nn4
+hN5tSXRh1P0PCjYC8oJhHfvrgEUrAvBnLx1RKJ6cG0OSbBk+y16lEZSbAgMBAAEC
+gYBovuu6Vnzf7kUxnK14tmlMHPwbWoOEcVWicAxnUlP5PmX2C/AAcvh00nu0Awkc
+gq74jj3j8RsJwKdwYspEPrYTx6Qi+mtTfDAwXkJNWFQCKI3RtGF51fbvj3GL/tcZ
+mdMdhSMqZFgOgPcaYxpRIx+q2NDj8wBdSnEsmlidcH/2AQJBAKUpFqGI2oG4y9Ed
+hw1V9XyLna1wNZq96Ua9k+YW/Y6MO/pEzEgUxNgF5/tSIVoAgHqw41Y7mWwt1yP/
+jkTC+c0CQQCkcmmW2sokdeF+6ssgAf8cIZqMYZ8ND9yQQlYJZ01MZ/s0OpBWz4jD
+8kePMoBP1nBNPgLq03IlbSNrjQya78AHAkAdRBujghmeFP3gz0eoIExAxoipPBHz
+mqVkiKFVi0tg4A6cuWYte6ip0toZmaMZTK93jjKqjCMSnUjbMySloJsdAkBWu9mh
+LUiMrnf+vsvf1+274qVnAV4oP4Nvuu0yDIAimn1N8M2MW+2gm7rOdi5i7ZFRzDEx
+tdBwmP2jjkNlvKolAkBa/x6jUiLhPMlypTpJvwJdYd7E/w8zEctSSXq6xbrZjUfT
+who52YgHVfGnCNkgrjnCSAswsFbJ8d5vLijGFcXM
+-----END RSA PRIVATE KEY-----

From 2a6f92fd91063145a372015e1f9d3a4c92af3fca Mon Sep 17 00:00:00 2001
From: GrantBirki
Date: Wed, 15 Nov 2023 15:23:48 -0700
Subject: [PATCH 4/7] add tests against fake RSA key

---
 spec/lib/redacting_logger_spec.rb | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/spec/lib/redacting_logger_spec.rb b/spec/lib/redacting_logger_spec.rb
index 2fc074c..440fa68 100644
--- a/spec/lib/redacting_logger_spec.rb
+++ b/spec/lib/redacting_logger_spec.rb
@@ -144,5 +144,15 @@
       expect(log_output).to match(/JWT token: \[REDACTED\]/)
     end
+
+    it "redacts a RSA private key" do
+      fake_private_key = File.read("spec/fixtures/fake.private_key")
+
+      logger.info("RSA private key: #{fake_private_key}")
+
+      logdev.rewind
+      log_output = logdev.read
+      expect(log_output).to match(/RSA private key: \[REDACTED\]/)
+    end
   end
 end

From bd9a1abafe0b8557f8db89c89cda60394119f6f0 Mon Sep 17 00:00:00 2001
From: GrantBirki
Date: Wed, 15 Nov 2023 15:24:15 -0700
Subject: [PATCH 5/7] update docs

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 3c26610..b27143b 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,7 @@ A few examples of these patterns are:
 - GitHub Personal Access Tokens
 - GitHub Temporary Actions Tokens
+- RSA Private Keys
 You can disable these default patterns with:

From b4b917c308b99b19207616397e8f2054e178c1bf Mon Sep 17 00:00:00 2001
From: GrantBirki
Date: Wed, 15 Nov 2023 15:24:36 -0700
Subject: [PATCH 6/7] add JWT Tokens to the docs

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index b27143b..c96d91c 100644
--- a/README.md
+++ b/README.md
@@ -77,6 +77,7 @@ A few examples of these patterns are:
 - GitHub Personal Access Tokens
 - GitHub Temporary Actions Tokens
 - RSA Private Keys
+- JWT Tokens
 You can disable these default patterns with:

From 12d20deef71da8af5d25224109f1c3dbc7ebaa4f Mon Sep 17 00:00:00 2001
From: GrantBirki
Date: Wed, 15 Nov 2023 15:25:15 -0700
Subject: [PATCH 7/7] =?UTF-8?q?v1.0.0=20ready!=20=F0=9F=9A=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 lib/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/version.rb b/lib/version.rb
index 538f9ae..8ca01ee 100644
--- a/lib/version.rb
+++ b/lib/version.rb
@@ -2,6 +2,6 @@
 module RedactingLogger
   module Version
-    VERSION = "0.3.0"
+    VERSION = "1.0.0"
   end
 end
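Review bot: `File.read("spec/fixtures/fake.private_key")` resolves against the process working directory, so this example fails with `Errno::ENOENT` whenever the suite is run from anywhere other than the repository root. Anchoring the path on the spec file's own location, `fake_private_key = File.read(File.expand_path("../fixtures/fake.private_key", __dir__))`, removes that dependency. The enclosing `describe` block begins outside the hunk.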