From 6accb8ee124976f14cc9dfbda8ca0399ecb5314f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=98=93=E8=89=AF?= <1204183885@qq.com> Date: Fri, 3 Jul 2026 20:03:49 +0800 Subject: [PATCH] fix: avoid vsce secret scanner false positive on regex patterns (#6247) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: avoid vsce secret scanner false positive on regex patterns Use character class `[b]` instead of literal `b` in Slack token regex patterns to prevent vsce's secret scanner from detecting `xoxb-` as a real Slack bot token during VSIX packaging. The regex semantics are unchanged — `[b]` is equivalent to `b` in a character class, but the built string no longer contains the continuous `xoxb-` substring that triggers the scanner. Fixes #6199 * fix: document vsce scanner regex workaround * docs: clarify Slack regex workaround * test(acp-bridge): cover Slack user token redaction --- packages/acp-bridge/src/logRedaction.test.ts | 5 +++++ packages/acp-bridge/src/logRedaction.ts | 9 +++++---- packages/core/src/memory/secret-scanner.ts | 3 ++- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/packages/acp-bridge/src/logRedaction.test.ts b/packages/acp-bridge/src/logRedaction.test.ts index e1b0a3fe9e..d35f8be898 100644 --- a/packages/acp-bridge/src/logRedaction.test.ts +++ b/packages/acp-bridge/src/logRedaction.test.ts @@ -89,6 +89,11 @@ describe('redactLogCredentials', () => { expect(redactLogCredentials(token)).toBe(R); }); + it('redacts Slack user access tokens', () => { + const token = 'xoxp-' + '1'.repeat(20); + expect(redactLogCredentials(token)).toBe(R); + }); + it('redacts real-format Slack tokens with hyphens', () => { const token = 'xoxb-fake-' + 'a'.repeat(30); expect(redactLogCredentials(token)).toBe(R); diff --git a/packages/acp-bridge/src/logRedaction.ts b/packages/acp-bridge/src/logRedaction.ts index 8ab5c79d83..5cc13aa3e6 100644 --- a/packages/acp-bridge/src/logRedaction.ts +++ b/packages/acp-bridge/src/logRedaction.ts @@ -41,9 +41,11 @@ const CREDENTIAL_PATTERNS: Array<{ pattern: RegExp; replacement: string }> = [ }, // GitHub / GitLab / Slack tokens. // Includes github_pat_ (fine-grained PATs) and ghu_ (app user tokens). - // Slack tokens use hyphens as separators: xoxb-NNN-NNN-alphanum. + // Slack tokens use hyphens as separators. + // The [b]/[p] classes avoid embedding Slack token prefixes that vsce flags. { - pattern: /(?:ghp_|gho_|ghs_|ghu_|github_pat_|glpat-|xoxb-|xoxp-)[a-zA-Z0-9_-]{20,}/g, + pattern: + /(?:ghp_|gho_|ghs_|ghu_|github_pat_|glpat-|xox[b]-|xox[p]-)[a-zA-Z0-9_-]{20,}/g, replacement: REDACTED, }, // AWS access key IDs (permanent AKIA + temporary STS ASIA) @@ -53,8 +55,7 @@ const CREDENTIAL_PATTERNS: Array<{ pattern: RegExp; replacement: string }> = [ }, // Key=value assignments for simple secret names (token=, secret=, etc.) { - pattern: - /((?:api[_-]?key|token|secret|password|pwd)[_-]?[=:]\s*)\S{10,}/gi, + pattern: /((?:api[_-]?key|token|secret|password|pwd)[_-]?[=:]\s*)\S{10,}/gi, replacement: `$1${REDACTED}`, }, // Compound env-var keys ending in _KEY, _TOKEN, _SECRET, or _PASSWORD diff --git a/packages/core/src/memory/secret-scanner.ts b/packages/core/src/memory/secret-scanner.ts index 3ed2dff217..b7ec67cebf 100644 --- a/packages/core/src/memory/secret-scanner.ts +++ b/packages/core/src/memory/secret-scanner.ts @@ -92,7 +92,8 @@ const SECRET_RULES: readonly SecretRule[] = [ // Communication { id: 'slack-bot-token', - source: 'xoxb-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*', + // The [b] class avoids embedding a Slack token prefix that vsce flags. + source: 'xox[b]-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*', }, { id: 'slack-app-token',