authorKeith Cirkel <keithamus@users.noreply.github.com>2025-10-03 02:03:04 +0100
committerGitHub <noreply@github.com>2025-10-02 21:03:04 -0400
commit2fc262db80522b35aff87f34502abe073c78d52a (patch)
tree6989532d818e47ebd5e7a7ee0f8000bb34967c5a /crates
parentfeat: add various acceptance keys (#2928) (diff)
downloadatuin-2fc262db80522b35aff87f34502abe073c78d52a.zip
feat: more accurately filter secret tokens (#2932)
Diffstat (limited to 'crates')
-rw-r--r--crates/atuin-client/src/secrets.rs28
1 files changed, 22 insertions, 6 deletions
diff --git a/crates/atuin-client/src/secrets.rs b/crates/atuin-client/src/secrets.rs
index 25e8db9a..100bcc50 100644
--- a/crates/atuin-client/src/secrets.rs
+++ b/crates/atuin-client/src/secrets.rs
@@ -17,18 +17,29 @@ pub static SECRET_PATTERNS: &[(&str, &str, TestValue)] = &[
),
(
"AWS Secret Access Key env var",
- "AWS_SECRET_ACCESS_KEY",
- TestValue::Single("AWS_SECRET_ACCESS_KEY=KEYDATA"),
+ "(?:[^A-Za-z0-9/+=])?([A-Za-z0-9/+=]{40})(?:[^A-Za-z0-9/+=])?",
+ TestValue::Multiple(&[
+ "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", // https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
+ "ABDRzve0QGx/U32PU9GrkNbmGiu+bz8jheThio/Y", // Found via github then tweaked
+ "lnKjhsGOXPK/MPFoW2tfi8BuD9AF5imhanhQ83EO", // Found via github then tweaked
+ ]),
),
(
"AWS Session Token env var",
- "AWS_SESSION_TOKEN",
- TestValue::Single("AWS_SESSION_TOKEN=KEYDATA"),
+ "[A-Za-z0-9/+=]{16,}\\.[A-Za-z0-9/+=]+\\.?[A-Za-z0-9/+=]*",
+ TestValue::Multiple(&[
+ "AAAAAAAAAAAAAAAA.BBBBBBBBBBBBBBB",
+ "AAAAAAAAAAAAAAAA.BBBBBBBBBBBBBBB.CCCCCCCCCCC",
+ ]),
),
(
"Microsoft Azure secret access key env var",
- "AZURE_.*_KEY",
- TestValue::Single("export AZURE_STORAGE_ACCOUNT_KEY=KEYDATA"),
+ "(?:sk-[A-Za-z0-9]{48,}|[A-Za-z0-9+/]{86}={2}|[A-Za-z0-9+/]{87}=|[A-Za-z0-9+/]{88})",
+ TestValue::Multiple(&[
+ "sk-123abc456def789ghi012jkl345mno678pqr901stu234vwx567yz890",
+ "fVdIqqLbQxOBxnfuNoV5DToz+tNLdcJ1jksmkv6Lc3wcCppaXBe25kZY/akpAPgd66zPvhA9Jey1SV6qiMY8bA==",
+ "Eby9vdM03xNOcqFlqUwJPLlmEtlCDXJ2OUzFT49uSRZ7IFsuFq1UVErCz5I5tq/K2SZFPTOtr/KBHBeksoGMGw==",
+ ]),
),
(
"Google cloud platform key env var",
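Review bot: In the new "AWS Secret Access Key env var" pattern the leading and trailing `(?:[^A-Za-z0-9/+=])?` groups are optional, so they constrain nothing: any run of 40 or more base64-alphabet characters matches, including a 40-hex commit id or a long slash-separated path, and the session-token pattern likewise matches a 16-character path followed by `.ext`. If a boundary is intended it has to be required, e.g. `(?:^|[^A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?:[^A-Za-z0-9/+=]|$)`, though a bare commit id still fits even then, and filters this broad tend to get switched off by users. The three entries also stop matching the variable names (`AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AZURE_.*_KEY`) while keeping their "env var" labels, so an assignment whose value does not fit these shapes is no longer caught. The session-token pattern requires a `.`, which AWS session tokens do not appear to contain (worth confirming), and the `sk-` alternative sits under the Azure label without a comment saying which key format it targets. Keeping the name-based entries alongside the value-based ones would preserve the old coverage; the `SECRET_PATTERNS` array starts before and continues after this hunk.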
@@ -129,6 +140,11 @@ pub static SECRET_PATTERNS: &[(&str, &str, TestValue)] = &[
"pul-[0-9a-f]{40}",
TestValue::Single("pul-683c2770662c51d960d72ec27613be7653c5cb26"),
),
+ (
+ "Private keys",
+ "-----BEGIN PRIVATE KEY-----[A-Za-z0-9\\s+/=\\n-]+-----END PRIVATE KEY-----",
+ TestValue::Single("-----BEGIN PRIVATE KEY-----AAA-----END PRIVATE KEY-----"),
+ ),
];
/// The `regex` expressions from [`SECRET_PATTERNS`] compiled into a `RegexSet`.
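Review bot: The new "Private keys" entry matches only the literal `-----BEGIN PRIVATE KEY-----` header, and only when the matching END line is also present. PEM blocks labelled `RSA PRIVATE KEY`, `EC PRIVATE KEY`, `OPENSSH PRIVATE KEY` or `ENCRYPTED PRIVATE KEY` are therefore not filtered, nor is a command that carries only the start of a key. The header alone is enough to flag a command, e.g. `"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----"`, with a `TestValue::Multiple` covering the other labels. In the current character class `\\n` is redundant next to `\\s`. The `SECRET_PATTERNS` array starts outside this hunk.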