From 2fc262db80522b35aff87f34502abe073c78d52a Mon Sep 17 00:00:00 2001
From: Keith Cirkel
Date: Fri, 3 Oct 2025 02:03:04 +0100
Subject: feat: more accurately filter secret tokens (#2932)

---
 crates/atuin-client/src/secrets.rs | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)
(limited to 'crates/atuin-client/src')

diff --git a/crates/atuin-client/src/secrets.rs b/crates/atuin-client/src/secrets.rs
index 25e8db9a..100bcc50 100644
--- a/crates/atuin-client/src/secrets.rs
+++ b/crates/atuin-client/src/secrets.rs
@@ -17,18 +17,29 @@ pub static SECRET_PATTERNS: &[(&str, &str, TestValue)] = &[
     ),
     (
         "AWS Secret Access Key env var",
-        "AWS_SECRET_ACCESS_KEY",
-        TestValue::Single("AWS_SECRET_ACCESS_KEY=KEYDATA"),
+        "(?:[^A-Za-z0-9/+=])?([A-Za-z0-9/+=]{40})(?:[^A-Za-z0-9/+=])?",
+        TestValue::Multiple(&[
+            "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", // https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
+            "ABDRzve0QGx/U32PU9GrkNbmGiu+bz8jheThio/Y", // Found via github then tweaked
+            "lnKjhsGOXPK/MPFoW2tfi8BuD9AF5imhanhQ83EO", // Found via github then tweaked
+        ]),
     ),
     (
         "AWS Session Token env var",
-        "AWS_SESSION_TOKEN",
-        TestValue::Single("AWS_SESSION_TOKEN=KEYDATA"),
+        "[A-Za-z0-9/+=]{16,}\\.[A-Za-z0-9/+=]+\\.?[A-Za-z0-9/+=]*",
+        TestValue::Multiple(&[
+            "AAAAAAAAAAAAAAAA.BBBBBBBBBBBBBBB",
+            "AAAAAAAAAAAAAAAA.BBBBBBBBBBBBBBB.CCCCCCCCCCC",
+        ]),
     ),
     (
         "Microsoft Azure secret access key env var",
-        "AZURE_.*_KEY",
-        TestValue::Single("export AZURE_STORAGE_ACCOUNT_KEY=KEYDATA"),
+        "(?:sk-[A-Za-z0-9]{48,}|[A-Za-z0-9+/]{86}={2}|[A-Za-z0-9+/]{87}=|[A-Za-z0-9+/]{88})",
+        TestValue::Multiple(&[
+            "sk-123abc456def789ghi012jkl345mno678pqr901stu234vwx567yz890",
+            "fVdIqqLbQxOBxnfuNoV5DToz+tNLdcJ1jksmkv6Lc3wcCppaXBe25kZY/akpAPgd66zPvhA9Jey1SV6qiMY8bA==",
+            "Eby9vdM03xNOcqFlqUwJPLlmEtlCDXJ2OUzFT49uSRZ7IFsuFq1UVErCz5I5tq/K2SZFPTOtr/KBHBeksoGMGw==",
+        ]),
     ),
     (
         "Google cloud platform key env var",
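Review bot: The new AWS Secret Access Key regex does not actually enforce a token boundary: both `(?:[^A-Za-z0-9/+=])?` groups are optional, so the pattern is equivalent to a bare `[A-Za-z0-9/+=]{40}` substring match, and any 40-character run from that class matches — including a full git commit hash, since hex is a subset of the class, so `git checkout 2fc262db80522b35aff87f34502abe073c78d52a` would be classified as a secret. Make the boundaries real with line-start/end alternation, `(?:^|[^A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?:[^A-Za-z0-9/+=]|$)`, and consider rejecting all-hex captures in the matching code, since the `regex` crate has no lookaround (how matches are consumed is outside this hunk). The AWS Session Token pattern is over-broad for the same reason because `/` is in its character class: `/usr/local/share/foo.txt` satisfies `[A-Za-z0-9/+=]{16,}\.[A-Za-z0-9/+=]+`, so ordinary path arguments would match. The three labels still say "env var" although the patterns now match token values rather than variable names; renaming them, e.g. `"AWS Secret Access Key"`, would keep the table honest. `SECRET_PATTERNS` starts before and ends after this hunk.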
@@ -129,6 +140,11 @@ pub static SECRET_PATTERNS: &[(&str, &str, TestValue)] = &[
         "pul-[0-9a-f]{40}",
         TestValue::Single("pul-683c2770662c51d960d72ec27613be7653c5cb26"),
     ),
+    (
+        "Private keys",
+        "-----BEGIN PRIVATE KEY-----[A-Za-z0-9\\s+/=\\n-]+-----END PRIVATE KEY-----",
+        TestValue::Single("-----BEGIN PRIVATE KEY-----AAA-----END PRIVATE KEY-----"),
+    ),
 ];
 
 /// The `regex` expressions from [`SECRET_PATTERNS`] compiled into a `RegexSet`.
-- 
cgit v1.3.1
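Review bot: The new `Private keys` pattern only recognises the unencrypted PKCS#8 header, so `-----BEGIN RSA PRIVATE KEY-----`, `-----BEGIN EC PRIVATE KEY-----`, `-----BEGIN OPENSSH PRIVATE KEY-----` and `-----BEGIN ENCRYPTED PRIVATE KEY-----` — the forms most often pasted into a shell — are not filtered at all. Widening the header with an optional algorithm word covers them: `"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----[A-Za-z0-9\\s+/=-]+-----END (?:[A-Z]+ )*PRIVATE KEY-----"` (the `\\n` in the class is already implied by `\\s`). Requiring the END marker also means that if a recorded command carries only the start of a key — e.g. a truncated or split paste — it is still saved; matching the BEGIN header alone is arguably enough to treat a command as sensitive. The test value should gain at least one of the additional header forms so the broader match is exercised. `SECRET_PATTERNS` begins before this hunk.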