Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Credscan #871

Closed
wants to merge 3 commits into from
Closed

Credscan #871

wants to merge 3 commits into from

Conversation

pelikhan
Copy link
Member

@pelikhan pelikhan commented Nov 18, 2024
edited by github-actions bot
Loading

  • 🔒 Enhanced Security: Introduced a hideSecrets function to mask sensitive information such as API keys and tokens within message content.
  • 🛡️ Secret Protection: Applied hideSecrets to user, assistant, and system messages to prevent accidental leakage of secrets in output or logs.
  • 🔧 Trace Safety: Integrated hideSecrets in the MarkdownTrace class to secure content tracing by ensuring sensitive data doesn't appear in trace logs.
  • 📦 New Module: Added a secrets.ts file with predefined regular expressions to identify various secret patterns like GitHub tokens, API keys, and more.
  • 📜 Log Verbosity: Added verbose logging to indicate when and what kind of potential secret is being masked, enhancing monitoring and debugging efforts.

generated by pr-describe

@github-actions GitHub Actions
Copy link

The changes made in the pull request focus on enhancing security by implementing a mechanism to hide secrets in user, assistant, and system messages, as well as in trace logs. This is done by introducing a new hideSecrets function, which identifies and obfuscates a wide range of sensitive patterns, such as API keys, tokens, and other credentials.

Key Changes:

  • New Security Feature: A new file secrets.ts is added that contains a hideSecrets function. This function uses regular expressions to match potential secret patterns and replaces them with "***".
  • Integration of Security Feature: The hideSecrets function is integrated into functions handling user, assistant, and system messages (appendUserMessage, appendAssistantMessage, appendSystemMessage) and trace management (MarkdownTrace).
  • Logging and Tracing: The hideSecrets function logs instances where potential secrets are found and obfuscated.

Concerns:

  • The regular expressions used for matching secrets are broad and comprehensive. However, care should be taken to ensure that they do not lead to excessive obfuscation of legitimate non-secret data.
  • There are placeholders for "Private SSH Key" and "PEM Certificate" patterns in the secretPatterns. These should be properly defined or removed to avoid incomplete functionality.

Suggested Improvement:

Define patterns for "Private SSH Key" and "PEM Certificate" or remove them if not needed. Here's a possible placeholder fix:

+    "Private SSH Key": /-----BEGIN (?:RSA|DSA|EC|OPENSSH) PRIVATE KEY-----[\s\S]+?-----END (?:RSA|DSA|EC|OPENSSH) PRIVATE KEY-----/g,
+    "PEM Certificate": /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g,

Overall, the changes significantly improve the security aspect by ensuring sensitive information is not logged or exposed inadvertently.

LGTM 🚀

generated by pr-review

github-actions[bot]
github-actions bot reviewed Nov 18, 2024
View reviewed changes
packages/core/src/secrets.ts
result = result.replace(pattern[1], "***")
if (prev !== result) {
logVerbose(`secrets: hidding potential ${pattern[0]} secret`)
process.stderr.write(pattern[1].exec(prev) + "\n")
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using process.stderr.write to log potential secrets can inadvertently expose sensitive information. Consider using a more secure logging mechanism that redacts or anonymizes the data.

generated by pr-review-commit potential_security_risk

github-actions[bot]
github-actions bot reviewed Nov 18, 2024
View reviewed changes
packages/core/src/secrets.ts
let prev = result
result = result.replace(pattern[1], "***")
if (prev !== result) {
logVerbose(`secrets: hidding potential ${pattern[0]} secret`)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a typo in the log message: "hidding" should be "hiding". This can lead to confusion when reading logs.

generated by pr-review-commit typo

github-actions[bot]
github-actions bot reviewed Nov 18, 2024
View reviewed changes
packages/core/src/secrets.ts
"Shopify Access Token": /shpat_[0-9a-fA-F]{32}/g,
"GitHub Personal Access Token": /ghp_[0-9a-zA-Z]{36}/g,
"Generic API Key": /(?<![a-zA-Z0-9])[a-zA-Z0-9]{32,128}(?![a-zA-Z0-9])/g,
"JWT Token": /^[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.[A-Za-z0-9-_.+/=]*$/g,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The regular expression for "JWT Token" is too permissive and may match unintended strings. Consider refining the pattern to ensure it only matches valid JWT tokens.

generated by pr-review-commit regex_incorrect

@pelikhan pelikhan closed this Nov 21, 2024
@pelikhan pelikhan deleted the credscan branch December 5, 2024 02:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@pelikhan