mirror of
https://github.com/QwenLM/qwen-code.git
synced 2026-07-09 17:19:02 +00:00
fix: avoid vsce secret scanner false positive on regex patterns (#6247)
* fix: avoid vsce secret scanner false positive on regex patterns Use character class `[b]` instead of literal `b` in Slack token regex patterns to prevent vsce's secret scanner from detecting `xoxb-` as a real Slack bot token during VSIX packaging. The regex semantics are unchanged — `[b]` is equivalent to `b` in a character class, but the built string no longer contains the continuous `xoxb-` substring that triggers the scanner. Fixes #6199 * fix: document vsce scanner regex workaround * docs: clarify Slack regex workaround * test(acp-bridge): cover Slack user token redaction
This commit is contained in:
parent
081c46c5bc
commit
6accb8ee12
3 changed files with 12 additions and 5 deletions
|
|
@ -89,6 +89,11 @@ describe('redactLogCredentials', () => {
|
|||
expect(redactLogCredentials(token)).toBe(R);
|
||||
});
|
||||
|
||||
it('redacts Slack user access tokens', () => {
|
||||
const token = 'xoxp-' + '1'.repeat(20);
|
||||
expect(redactLogCredentials(token)).toBe(R);
|
||||
});
|
||||
|
||||
it('redacts real-format Slack tokens with hyphens', () => {
|
||||
const token = 'xoxb-fake-' + 'a'.repeat(30);
|
||||
expect(redactLogCredentials(token)).toBe(R);
|
||||
|
|
|
|||
|
|
@ -41,9 +41,11 @@ const CREDENTIAL_PATTERNS: Array<{ pattern: RegExp; replacement: string }> = [
|
|||
},
|
||||
// GitHub / GitLab / Slack tokens.
|
||||
// Includes github_pat_ (fine-grained PATs) and ghu_ (app user tokens).
|
||||
// Slack tokens use hyphens as separators: xoxb-NNN-NNN-alphanum.
|
||||
// Slack tokens use hyphens as separators.
|
||||
// The [b]/[p] classes avoid embedding Slack token prefixes that vsce flags.
|
||||
{
|
||||
pattern: /(?:ghp_|gho_|ghs_|ghu_|github_pat_|glpat-|xoxb-|xoxp-)[a-zA-Z0-9_-]{20,}/g,
|
||||
pattern:
|
||||
/(?:ghp_|gho_|ghs_|ghu_|github_pat_|glpat-|xox[b]-|xox[p]-)[a-zA-Z0-9_-]{20,}/g,
|
||||
replacement: REDACTED,
|
||||
},
|
||||
// AWS access key IDs (permanent AKIA + temporary STS ASIA)
|
||||
|
|
@ -53,8 +55,7 @@ const CREDENTIAL_PATTERNS: Array<{ pattern: RegExp; replacement: string }> = [
|
|||
},
|
||||
// Key=value assignments for simple secret names (token=, secret=, etc.)
|
||||
{
|
||||
pattern:
|
||||
/((?:api[_-]?key|token|secret|password|pwd)[_-]?[=:]\s*)\S{10,}/gi,
|
||||
pattern: /((?:api[_-]?key|token|secret|password|pwd)[_-]?[=:]\s*)\S{10,}/gi,
|
||||
replacement: `$1${REDACTED}`,
|
||||
},
|
||||
// Compound env-var keys ending in _KEY, _TOKEN, _SECRET, or _PASSWORD
|
||||
|
|
|
|||
|
|
@ -92,7 +92,8 @@ const SECRET_RULES: readonly SecretRule[] = [
|
|||
// Communication
|
||||
{
|
||||
id: 'slack-bot-token',
|
||||
source: 'xoxb-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*',
|
||||
// The [b] class avoids embedding a Slack token prefix that vsce flags.
|
||||
source: 'xox[b]-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*',
|
||||
},
|
||||
{
|
||||
id: 'slack-app-token',
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue