MaskerLogger icon indicating copy to clipboard operation
MaskerLogger copied to clipboard
verified publisher icon oxsecurity

fix: Catch multiple leak occurrences in same string

Open diogosilva30 opened this issue 10 months ago • 3 comments

Main change

  • Allows to catch more than 1 leak in same string. Before only the first instance was being catch, and tests were also looking at this case. Tests were updated to cover these more complex cases.

Example:

from maskerlogger import mask_string
my_str="This is some confidential line, and the user password: mysuperSecretPassword and btw the user apiKey=AIzaSyabcdefghijklmnopqrstuvwxyz1234567"
# Output:
# This is some confidential line, and the user password: ********************* and btw the user apiKey=***************************************
# Before this change only the password would have been masked and not the ApiKey :(
  • Removes the main masking logic from AbstractMaskedLogger and instead logic is placed into a independent function mask_string. This allow + flexible usage of the codebase. For example, in my use case I want to have access to this function to cleanup a string outside of logging context, but since logic is currently hidden inside AbstractMaskedLogger._mask_sensitive_data and the argument is a LogRecord we cannot use this logic for more generic cases. By abstracting away the logic to an independent mask_string method we can use this code base into other use-cases. Retro-compatibility is ensured by calling mask_string inside AbstractMaskedLogger._mask_sensitive_data.

Example use case:

from maskerlogger import mask_string
my_str= "Here I have a generic string with a potential leak. Password: mypasswordoops"
masked_my_str=mask_string(my_str)
# Done! My str was cleaned into a context that is not related to logging at all. Awesome library :)

Additional

  • Performs general code cleanup (more pythonic code, better type hints, code formatting, etc)
  • Changes the rule generic-api-key to allow common chars that are used in passwords/api keys, and reduce minimum length to 8 instead of 10, as it's very common for passwords to have 8 as required minimum chars

diogosilva30 avatar Mar 26 '25 01:03 diogosilva30

@nvuillam @tamar-ox @oxnick Please let me know if you find these changes useful and if something should be changed

diogosilva30 avatar Mar 26 '25 01:03 diogosilva30

Hi @diogosilva30, thanks a lot for contributing, and apologies for the delayed response. this repository hasn’t been actively maintained for a while.

I'm currently working on formalizing the repo to streamline reviewing and merging future PRs. Since this PR includes a lot of refactoring and style changes, it’s a bit difficult to review and merge as is at the moment.

I suggest one of the following options:

  • Wait until https://github.com/oxsecurity/MaskerLogger/pull/7 is merged, and then rebase/open a new PR on top of it
  • Alternatively, I can incorporate your changes myself once the repo update is done

Let me know which option you’d prefer, and thanks again for your patience and contribution!

aviadlevy avatar Nov 05 '25 13:11 aviadlevy

@aviadlevy This has been a while, but I can give it a go at rebasing this MR against 1.0.0 release

diogosilva30 avatar Nov 10 '25 16:11 diogosilva30