47 // Skip implausibly large blocks (>12KB is not a real key)
48 if (blockLen > 12000) {
49 offset = beginIdx + 1;
53 result = result.slice(0, beginIdx) + replacement + result.slice(blockEnd);
54 // Don't advance offset — replacement is shorter, recheck from same position
60// @ghost-verified: false positive -- the `variants` array below holds only PEM
61// armor begin/end marker strings (no key material). PRIVATE_KEY_REPLACEMENT and
62// CERTIFICATE_REPLACEMENT are named constants defined separately and are never
63// used as search patterns. Reviewed 2026-06-29.
64function parsePrivateKeyBlocks(content) {
65 // Handle all variants: RSA PRIVATE KEY, EC PRIVATE KEY, PRIVATE KEY, etc.
67 { begin: '-----BEGIN RSA PRIVATE KEY-----', end: '-----END RSA PRIVATE KEY-----' },
68 { begin: '-----BEGIN EC PRIVATE KEY-----', end: '-----END EC PRIVATE KEY-----' },
69 { begin: '-----BEGIN DSA PRIVATE KEY-----', end: '-----END DSA PRIVATE KEY-----' },
70 { begin: '-----BEGIN PRIVATE KEY-----', end: '-----END PRIVATE KEY-----' },
71 { begin: '-----BEGIN ENCRYPTED PRIVATE KEY-----', end: '-----END ENCRYPTED PRIVATE KEY-----' },
72 { begin: '-----BEGIN OPENSSH PRIVATE KEY-----', end: '-----END OPENSSH PRIVATE KEY-----' },
75 for (const { begin, end } of variants) {
76 result = parseKeyBlocks(result, begin, end, PRIVATE_KEY_REPLACEMENT);
81function parseCertificateBlocks(content) {
82 return parseKeyBlocks(content, '-----BEGIN CERTIFICATE-----', '-----END CERTIFICATE-----', CERTIFICATE_REPLACEMENT);
85// ── Regex timeout wrapper (Finding 15 - ReDoS protection). NOTE(review): the SIZE_GUARD_BYTES check below is a length cap, not a timeout — it bounds worst-case work, but inputs under the cap still run the regex unchanged, and its result is reported as timedOut: true even though no timer fired ──
86function safeRegexReplace(content, regex, replacement, timeoutMs = 500) {
87 // Simple length-based guard — skip regex on extremely large inputs
88 // This prevents catastrophic backtracking on malformed files
89 if (content.length > SIZE_GUARD_BYTES) {
90 return { result: content, timedOut: true };