fix(logging): redact URL query secrets · openclaw/openclaw@a0023f4
steipete
·
2026-04-27
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
@@ -556,7 +556,7 @@ describe("diagnostic support export", () => {
|
556 | 556 | const cases = [ |
557 | 557 | [ |
558 | 558 | "connect wss://support-user:support-password@gateway.example/ws?token=short-token&ok=1", |
559 | | -"connect wss://<redacted>:<redacted>@gateway.example/ws?token=<redacted>", |
| 559 | +"connect wss://<redacted>:<redacted>@gateway.example/ws?token=<redacted>&ok=1", |
560 | 560 | ], |
561 | 561 | [ |
562 | 562 | "connect https://gateway.example/ws?access-token=short-token", |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -134,6 +134,24 @@ describe("redactSensitiveText", () => {
|
134 | 134 | expect(output).toBe(input); |
135 | 135 | }); |
136 | 136 | |
| 137 | +it("masks sensitive URL query params while preserving non-sensitive params", () => { |
| 138 | +const input = "GET /_matrix/client/v3/sync?access_token=abcdef1234567890ghij&since=123"; |
| 139 | +const output = redactSensitiveText(input, { |
| 140 | +mode: "tools", |
| 141 | +patterns: defaults, |
| 142 | +}); |
| 143 | +expect(output).toBe("GET /_matrix/client/v3/sync?access_token=abcdef…ghij&since=123"); |
| 144 | +}); |
| 145 | + |
| 146 | +it("treats sensitive URL query param names case-insensitively", () => { |
| 147 | +const input = "connect https://gateway.example/ws?Access-Token=short-token&ok=1"; |
| 148 | +const output = redactSensitiveText(input, { |
| 149 | +mode: "tools", |
| 150 | +patterns: defaults, |
| 151 | +}); |
| 152 | +expect(output).toBe("connect https://gateway.example/ws?Access-Token=***&ok=1"); |
| 153 | +}); |
| 154 | + |
137 | 155 | it("redacts private key blocks", () => { |
138 | 156 | const input = [ |
139 | 157 | "-----BEGIN PRIVATE KEY-----", |
|
| Original file line number | Diff line number | Diff line change |
|---|
@@ -14,6 +14,9 @@ const DEFAULT_REDACT_PATTERNS: string[] = [
|
14 | 14 | // ENV-style assignments. Keep this case-sensitive so diagnostics like |
15 | 15 | // `Unrecognized key: "llm"` do not lose the actual config key. |
16 | 16 | String.raw`/\b[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD)\b\s*[=:]\s*(["']?)([^\s"'\\]+)\1/g`, |
| 17 | +// URL query parameters. Keep this separate from ENV-style assignments so |
| 18 | +// lower-case URL secrets stay redacted without hiding config-key diagnostics. |
| 19 | +String.raw`/[?&](?:access[-_]?token|auth[-_]?token|hook[-_]?token|refresh[-_]?token|api[-_]?key|client[-_]?secret|token|key|secret|password|pass|passwd|auth|signature)=([^&\s"'<>]+)/gi`, |
17 | 20 | // JSON fields. |
18 | 21 | String.raw`"(?:apiKey|token|secret|password|passwd|accessToken|refreshToken)"\s*:\s*"([^"]+)"`, |
19 | 22 | // CLI flags. |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。