fix: redact URL query credentials in diagnostics · openclaw/openclaw@e7432ae
steipete
·
2026-04-27
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
@@ -20,7 +20,8 @@ const COOKIE_HEADER_RE = /\b(Cookie|Set-Cookie)\s*:\s*[^\r\n]+/giu;
|
20 | 20 | const AWS_ACCESS_KEY_ID_RE = /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/gu; |
21 | 21 | const JWT_RE = /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/gu; |
22 | 22 | const URL_USERINFO_RE = /\b([a-z][a-z0-9+.-]*:\/\/)([^/@\s:?#]+)(?::([^/@\s?#]+))?@/giu; |
23 | | -const URL_PARAM_RE = /([?&])([^=&\s]+)=([^&#\s]+)/giu; |
| 23 | +const URL_SENSITIVE_PARAM_RE = |
| 24 | +/([?&])(api[-_]?key|apikey|access[-_]?token|auth[-_]?token|client[-_]?secret|hook[-_]?token|refresh[-_]?token|token|key|secret|password|pass|passwd|auth|signature)=([^&#\s)"'<>]+)(?:&[^#\s)"'<>]*)?/giu; |
24 | 25 | const EMAIL_RE = /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/giu; |
25 | 26 | const MATRIX_USER_ID_RE = /@[A-Za-z0-9._=-]+:[A-Za-z0-9.-]+/gu; |
26 | 27 | const MATRIX_ROOM_ID_RE = /![A-Za-z0-9._=-]+:[A-Za-z0-9.-]+/gu; |
@@ -306,7 +307,7 @@ function redactUrlSecretsForSupport(value: string): string {
|
306 | 307 | .replace(URL_USERINFO_RE, (_match, scheme: string, _username: string, password?: string) => |
307 | 308 | password ? `${scheme}<redacted>:<redacted>@` : `${scheme}<redacted>@`, |
308 | 309 | ) |
309 | | -.replace(URL_PARAM_RE, (match, prefix: string, key: string) => |
| 310 | +.replace(URL_SENSITIVE_PARAM_RE, (match, prefix: string, key: string) => |
310 | 311 | isSensitiveUrlQueryParamName(key) ? `${prefix}${key}=<redacted>` : match, |
311 | 312 | ); |
312 | 313 | } |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。