Lines 1-41javascript
2 * Sanitizer module for JavaScript/Node.js code.
4 * This module provides functions to:
5 * 1. Sanitize sensitive data (API keys, passwords, tokens) from JavaScript source code
6 * 2. Check if patches are safe to apply (don't overwrite redacted sensitive data)
8 * Used by the file content endpoint and AI service to protect sensitive information.
11// Patterns that span multiple lines and must run on the whole content BEFORE
12// the per-line loop. Same fix as connectors/python/sanitizer.py (1.46.0):
13// pasted PEM blocks were never redacted before because the loop only saw one
14// line at a time. Line count is preserved by padding the replacement with the
15// same number of newlines as the original match.
17// 1.47.0 (V3): added the canonical OpenSSH "ssh-rsa AAAA…" blob shape so that
18// `~/.ssh/id_rsa.pub` dumps printed into a log/error trace get redacted in
19// one whole-content sweep.
20const MULTILINE_SENSITIVE_PATTERNS = [
21 // `[A-Z ]*` (not `+`) so PKCS#8 unencrypted keys (`-----BEGIN PRIVATE KEY-----`
CriticalCritical Secret
Package contains a critical-looking secret pattern.
sanitizer.jsView on unpkg · L21 22 // with no algorithm prefix — the format `openssl pkcs8` exports for modern
23 // Ed25519/RSA/EC keys) get redacted alongside OPENSSH / RSA / DSA / EC /
24 // ENCRYPTED PRIVATE KEY blocks.
25 { pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g, replacement: 'PRIVATE_KEY_REDACTED' },
26 { pattern: /(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(?:256|384|521))\s+AAAA[A-Za-z0-9+/=\s]{40,}(?:\s+[^\s\n]+)?/g, replacement: 'SSH_PUBLIC_KEY_REDACTED' },
29// Common patterns for sensitive data in JavaScript.
31// Notes for 1.47.0 (V3, "high-signal vendor tokens"):
32// * The vendor-token regexes below are anchored on canonical vendor
33// PREFIXES (AKIA / ASIA / ghp_ / ghs_ / xoxb- / sk_live_ / whsec_ / …)
34// so they fire on log/trace text, not just on `name = "value"` source.
35// * Each replacement is a fixed placeholder, NEVER a back-reference into
36// the matched value, so the operator's secret cannot leak through the
38const SENSITIVE_PATTERNS = [
39 // API keys and tokens
40 { pattern: /['"]([A-Za-z0-9_-]{32,})['"]/, replacement: 'CREDENTIAL_REDACTED' },
41 { pattern: /api[_-]?key\s*[=:]\s*['"]([^'"]+)['"]/i, replacement: 'CREDENTIAL_REDACTED' },