SanitizeErrorMessage removes potential secret key names from error messages to prevent information disclosure via logs. This prevents exposing details about an organization's security infrastructure by redacting secret key names that might appear in error messages.
(message string)
| 172 | // information disclosure via logs. This prevents exposing details about an organization's |
| 173 | // security infrastructure by redacting secret key names that might appear in error messages. |
| 174 | func SanitizeErrorMessage(message string) string { |
| 175 | if message == "" { |
| 176 | return message |
| 177 | } |
| 178 | |
| 179 | sanitizeLog.Printf("Sanitizing error message: length=%d", len(message)) |
| 180 | |
| 181 | // Redact uppercase snake_case patterns (e.g., MY_SECRET_KEY, API_TOKEN) |
| 182 | sanitized := secretNamePattern.ReplaceAllStringFunc(message, func(match string) string { |
| 183 | // Don't redact common workflow keywords |
| 184 | if _, ok := commonWorkflowKeywords[match]; ok { |
| 185 | return match |
| 186 | } |
| 187 | // Don't redact gh-aw public configuration variables (e.g., GH_AW_SKIP_NPX_VALIDATION) |
| 188 | if strings.HasPrefix(match, "GH_AW_") { |
| 189 | return match |
| 190 | } |
| 191 | sanitizeLog.Printf("Redacted snake_case secret pattern: %s", match) |
| 192 | return "[REDACTED]" |
| 193 | }) |
| 194 | |
| 195 | // Redact PascalCase patterns ending with security suffixes (e.g., GitHubToken, ApiKey) |
| 196 | sanitized = pascalCaseSecretPattern.ReplaceAllString(sanitized, "[REDACTED]") |
| 197 | |
| 198 | if sanitized != message { |
| 199 | sanitizeLog.Print("Error message sanitization applied redactions") |
| 200 | } |
| 201 | |
| 202 | return sanitized |
| 203 | } |
| 204 | |
| 205 | // SanitizeIdentifierName sanitizes a name for use as a programming-language identifier |
| 206 | // by replacing disallowed characters with underscores. |