fix: avoid vsce secret scanner false positive on regex patterns (#6247)

* fix: avoid vsce secret scanner false positive on regex patterns

Use character class `[b]` instead of literal `b` in Slack token regex
patterns to prevent vsce's secret scanner from detecting `xoxb-` as a
real Slack bot token during VSIX packaging.

The regex semantics are unchanged — `[b]` is equivalent to `b` in a
character class, but the built string no longer contains the continuous
`xoxb-` substring that triggers the scanner.

Fixes #6199

* fix: document vsce scanner regex workaround

* docs: clarify Slack regex workaround

* test(acp-bridge): cover Slack user token redaction
This commit is contained in:
易良 2026-07-03 20:03:49 +08:00 committed by GitHub
parent 081c46c5bc
commit 6accb8ee12
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 12 additions and 5 deletions

View file

@ -89,6 +89,11 @@ describe('redactLogCredentials', () => {
expect(redactLogCredentials(token)).toBe(R);
});
it('redacts Slack user access tokens', () => {
const token = 'xoxp-' + '1'.repeat(20);
expect(redactLogCredentials(token)).toBe(R);
});
it('redacts real-format Slack tokens with hyphens', () => {
const token = 'xoxb-fake-' + 'a'.repeat(30);
expect(redactLogCredentials(token)).toBe(R);

View file

@ -41,9 +41,11 @@ const CREDENTIAL_PATTERNS: Array<{ pattern: RegExp; replacement: string }> = [
},
// GitHub / GitLab / Slack tokens.
// Includes github_pat_ (fine-grained PATs) and ghu_ (app user tokens).
// Slack tokens use hyphens as separators: xoxb-NNN-NNN-alphanum.
// Slack tokens use hyphens as separators.
// The [b]/[p] classes avoid embedding Slack token prefixes that vsce flags.
{
pattern: /(?:ghp_|gho_|ghs_|ghu_|github_pat_|glpat-|xoxb-|xoxp-)[a-zA-Z0-9_-]{20,}/g,
pattern:
/(?:ghp_|gho_|ghs_|ghu_|github_pat_|glpat-|xox[b]-|xox[p]-)[a-zA-Z0-9_-]{20,}/g,
replacement: REDACTED,
},
// AWS access key IDs (permanent AKIA + temporary STS ASIA)
@ -53,8 +55,7 @@ const CREDENTIAL_PATTERNS: Array<{ pattern: RegExp; replacement: string }> = [
},
// Key=value assignments for simple secret names (token=, secret=, etc.)
{
pattern:
/((?:api[_-]?key|token|secret|password|pwd)[_-]?[=:]\s*)\S{10,}/gi,
pattern: /((?:api[_-]?key|token|secret|password|pwd)[_-]?[=:]\s*)\S{10,}/gi,
replacement: `$1${REDACTED}`,
},
// Compound env-var keys ending in _KEY, _TOKEN, _SECRET, or _PASSWORD

View file

@ -92,7 +92,8 @@ const SECRET_RULES: readonly SecretRule[] = [
// Communication
{
id: 'slack-bot-token',
source: 'xoxb-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*',
// The [b] class avoids embedding a Slack token prefix that vsce flags.
source: 'xox[b]-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*',
},
{
id: 'slack-app-token',