Module: Browserctl::Recording::Redactor
- Defined in:
- lib/browserctl/recording/redactor.rb
Overview
Secret-aware redaction helpers used while a recording is being captured. Two responsibilities:
-
Inferring whether a ‘fill` selector is targeting a secret-shaped field, so the generated workflow can wire a `secret_ref:` param.
-
Stripping sensitive query-string values out of recorded URLs so they never reach disk.
Constant Summary collapse
- SENSITIVE_PARAM_PATTERN =
Query-string parameter names whose values are scrubbed when a navigate/page_open URL is recorded.
/\A(token|key|secret|auth|code|access_token|api_key|client_secret|state)\z/ix- SECRET_FIELD_PATTERN =
Selector tokens that signal a fill is targeting a secret-shaped field. The captured group is used as the inferred field name; that name later drives the generated ‘secret_ref:` placeholder.
Regexp.new( '\b(password|passwd|api[_-]?key|token|secret|otp|pin|client[_-]?secret|access[_-]?token)\b', Regexp::IGNORECASE )
Class Method Summary collapse
-
.infer_secret_field(selector) ⇒ Object
Returns a normalised secret-field name (e.g. “api_key”) inferred from the selector, or nil when the selector is missing or does not match the secret-field pattern.
-
.redact_url(url) ⇒ Object
Returns ‘url` with any sensitive query parameter values replaced by `[REDACTED]`.
Class Method Details
.infer_secret_field(selector) ⇒ Object
Returns a normalised secret-field name (e.g. “api_key”) inferred from the selector, or nil when the selector is missing or does not match the secret-field pattern.
32 33 34 35 36 37 38 39 |
# File 'lib/browserctl/recording/redactor.rb', line 32 def infer_secret_field(selector) return nil unless selector match = selector.match(SECRET_FIELD_PATTERN) return nil unless match match[1].downcase.gsub(/[^a-z0-9]/, "_") end |
.redact_url(url) ⇒ Object
Returns ‘url` with any sensitive query parameter values replaced by `[REDACTED]`. URLs that fail to parse are returned unchanged.
43 44 45 46 47 48 49 50 51 52 53 54 55 |
# File 'lib/browserctl/recording/redactor.rb', line 43 def redact_url(url) uri = URI.parse(url) return url if uri.query.nil? uri.query = uri.query.gsub(/([^&=]+)=([^&]*)/) do |full_match| raw_key = ::Regexp.last_match(1) key = URI.decode_www_form_component(raw_key) key =~ SENSITIVE_PARAM_PATTERN ? "#{raw_key}=[REDACTED]" : full_match end uri.to_s rescue URI::InvalidURIError url end |