Merge pull request #48 from github/more-patterns

GrantBirki · web-flow · commit 770cf01001ff · 2024-05-20T16:39:43.000-07:00
Enhanced Secrets Redaction Support - More Patterns 🔑
diff --git a/lib/patterns/default.rb b/lib/patterns/default.rb
@@ -6,7 +6,13 @@ module Patterns
     /ghp_[A-Za-z0-9]{36,}|[0-9A-Fa-f]{40,}/, # GitHub Personal Access Token
     /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/, # GitHub Personal Access Token (fine-grained)
     /ghs_[a-zA-Z0-9]{36}/, # Temporary GitHub Actions Tokens
-    /\b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9\/\\_-]{17,}\.(?:[a-zA-Z0-9\/\\_-]{10,}={0,2})?)(?:['|\"|\n|\r|\s|\x60|;]|$)/, # JWT tokens
-    /(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\s\S-]*KEY( BLOCK)?----/ # private keys
+    %r{\b(ey[a-zA-Z0-9]{17,}\.ey[a-zA-Z0-9/\\_-]{17,}\.(?:[a-zA-Z0-9/\\_-]{10,}={0,2})?)(?:['|"|\n|\r|\s|\x60|;]|$)}, # JWT tokens
+    /(?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY( BLOCK)?-----[\s\S-]*KEY( BLOCK)?----/, # private keys
+    %r{https://hooks\.slack\.com/services/[a-zA-Z0-9]{9,}/[a-zA-Z0-9]{9,}/[a-zA-Z0-9]{24}}, # Slack webhook
+    %r{https://hooks\.slack\.com/workflows/[a-zA-Z0-9]{9,}/[a-zA-Z0-9]{9,}/[0-9]+?/[a-zA-Z0-9]{24}}, # Slack workflow
+    /xoxp-(?:[0-9]{7,})-(?:[0-9]{7,})-(?:[0-9]{7,})-(?:[0-9a-f]{6,})|xoxb-(?:[0-9]{7,})-(?:[A-Za-z0-9]{14,})|xoxs-(?:[0-9]{7,})-(?:[0-9]{7,})-(?:[0-9]{7,})-(?:[0-9a-f]{7,})|xoxa-(?:[0-9]{7,})-(?:[0-9]{7,})-(?:[0-9]{7,})-(?:[0-9a-f]{7,})|xoxo-(?:[0-9]{7,})-(?:[A-Za-z0-9]{14,})|xoxa-2-(?:[0-9]{7,})-(?:[0-9]{7,})-(?:[0-9]{7,})-(?:[0-9a-f]{7,})|xoxr-(?:[0-9]{7,})-(?:[0-9]{7,})-(?:[0-9]{7,})-(?:[0-9a-f]{7,})|xoxb-(?:[0-9]{7,})-(?:[0-9]{7,})-(?:[A-Za-z0-9]{14,})/, # Slack tokens
+    /[sbr]\.[a-zA-Z0-9]{24,}/, # vault token for 1.9.x or earlier
+    /hv[sbr]\.[a-zA-Z0-9]{24,}/, # vault token for 1.10 and later
+    /rubygems_[0-9a-f]{48}/ # RubyGems token
   ].freeze
 end
diff --git a/lib/version.rb b/lib/version.rb
@@ -2,6 +2,6 @@
 
 module RedactingLogger
   module Version
-    VERSION = "1.2.1"
+    VERSION = "1.3.0"
   end
 end
diff --git a/spec/lib/redacting_logger_spec.rb b/spec/lib/redacting_logger_spec.rb
@@ -130,6 +130,31 @@
         case: "redacts from a Numeric match with extra numbers",
         message: 123_999_999_999_123,
         expected_message: "123[REDACTED]123"
+      },
+      {
+        case: "redacts a Slack webhook",
+        message: "posting slack message to: https://hooks.slack.com/services/T1BAAA111/B0111AAA111/MMMAAA333CCC222bbbAAA111",
+        expected_message: "posting slack message to: [REDACTED]"
+      },
+      {
+        case: "redacts a Slack workflow webhook",
+        message: "workflow: https://hooks.slack.com/workflows/abc123XYZ/def456UVW/123456789/abcdefghijklmnopqrstuvwx",
+        expected_message: "workflow: [REDACTED]"
+      },
+      {
+        case: "redacts a Slack token",
+        message: "using slack token: xoxb-2444333222111-2444333222111-123456789AbCdEfGHi123456",
+        expected_message: "using slack token: [REDACTED]"
+      },
+      {
+        case: "redacts a vault token",
+        message: "logging into vault with token: s.FakeToken1234567890123456",
+        expected_message: "logging into vault with token: [REDACTED]"
+      },
+      {
+        case: "redacts a RubyGems token",
+        message: "using rubygems token: rubygems_0123456789abcdef0123456789abcdef0123456789abcdef",
+        expected_message: "using rubygems token: rubygems_[REDACTED]"
       }
     ].each do |test|
       it "redacts #{test[:case]}" do
