security(agent): redact Slack App-Level (xapp-) tokens
The xapp-<num>-<hash> format used by Slack App-Level / Socket Mode tokens was missing from both agent/redact.py prefix patterns and gateway/run.py gateway secret patterns, so SLACK_APP_TOKEN values could leak through to chat users even with security.redact_secrets enabled. Adds an anchored xapp-\d+- pattern to both redaction paths.
This commit is contained in:
parent
cc7d20d683
commit
fdb9620ac4
2 changed files with 3 additions and 1 deletions
@ -76,7 +76,8 @@ _PREFIX_PATTERNS = [
|
|||
r"ghu_[A-Za-z0-9]{10,}", # GitHub user-to-server token
|
||||
r"ghs_[A-Za-z0-9]{10,}", # GitHub server-to-server token
|
||||
r"ghr_[A-Za-z0-9]{10,}", # GitHub refresh token
|
||||
r"xox[baprs]-[A-Za-z0-9-]{10,}", # Slack tokens
|
||||
r"xapp-\d+-[A-Za-z0-9-]{10,}", # Slack app-Level token
|
||||
r"xox[baprs]-[A-Za-z0-9-]{10,}", # Slack bot/app/user tokens
|
||||
r"AIza[A-Za-z0-9_-]{30,}", # Google API keys
|
||||
r"pplx-[A-Za-z0-9]{10,}", # Perplexity
|
||||
r"fal_[A-Za-z0-9_-]{10,}", # Fal.ai
|
||||
|
|
|
|||
|
|
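Review bot: The new `xapp-\d+-[A-Za-z0-9-]{10,}` entry is covered by no test in this commit, and the reason SLACK_APP_TOKEN leaked in the first place is that this list and `_GATEWAY_SECRET_PATTERNS` in gateway/run.py are maintained by hand in two places, so a regression test that feeds one constructed sample through both redaction paths is what stops the next prefix from being missed in one of them; something like `assert "xapp-" not in <redact entry point>("xapp-1-A0000000000-0000000000000-" + "a" * 64)` (constructed sample, name the module's real entry point) and the same against the gateway path. The comment on the added line reads `# Slack app-Level token`, which mixes case mid-word; `# Slack App-Level (Socket Mode) token` matches Slack's own naming and the capitalisation of the neighbouring comments. Note the two copies also differ in minimum tail length (`{10,}` here, `{20,}` in the gateway tuple), so the shared test input should satisfy the stricter one. `_PREFIX_PATTERNS` opens before and closes after the hunk.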
@ -147,6 +147,7 @@ _GATEWAY_RATE_LIMIT_RE = re.compile(
|
|||
_GATEWAY_SECRET_PATTERNS = (
|
||||
re.compile(r"\bsk-[A-Za-z0-9][A-Za-z0-9_\-]{12,}\b"),
|
||||
re.compile(r"\bgh[pousr]_[A-Za-z0-9_]{20,}\b"),
|
||||
re.compile(r"\bxapp-\d+-[A-Za-z0-9\-]{20,}\b"),
|
||||
re.compile(r"\bxox[baprs]-[A-Za-z0-9\-]{20,}\b"),
|
||||
re.compile(r"\bhf_[A-Za-z0-9]{20,}\b"),
|
||||
re.compile(r"\bglpat-[A-Za-z0-9_\-]{20,}\b"),
|
||||
|
|
|
|||
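Review bot: The added `re.compile(r"\bxapp-\d+-[A-Za-z0-9\-]{20,}\b")` carries no comment, unlike the matching entry in agent/redact.py, so a reader of this tuple cannot tell which Slack token family it is for or why it sits apart from the `xox[baprs]` line below it; a trailing `# Slack App-Level (Socket Mode) token` keeps the two lists readable side by side. The `{20,}` floor and the `\b` anchors follow the neighbouring gateway patterns rather than the `{10,}` unanchored form in redact.py, which appears to be a pre-existing divergence between the two paths, but it is worth a one-line comment on the tuple stating that the gateway deliberately uses word boundaries and a longer tail, or the two will keep drifting. `_GATEWAY_SECRET_PATTERNS` closes after the hunk.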