MCPcopy Index your code
hub / github.com/github/gh-aw / SanitizeErrorMessage

Function SanitizeErrorMessage

pkg/stringutil/sanitize.go:174–203  ·  view source on GitHub ↗

SanitizeErrorMessage removes potential secret key names from error messages to prevent information disclosure via logs. This prevents exposing details about an organization's security infrastructure by redacting secret key names that might appear in error messages.

(message string)

Source from the content-addressed store, hash-verified

172// information disclosure via logs. This prevents exposing details about an organization's
173// security infrastructure by redacting secret key names that might appear in error messages.
174func SanitizeErrorMessage(message string) string {
175 if message == "" {
176 return message
177 }
178
179 sanitizeLog.Printf("Sanitizing error message: length=%d", len(message))
180
181 // Redact uppercase snake_case patterns (e.g., MY_SECRET_KEY, API_TOKEN)
182 sanitized := secretNamePattern.ReplaceAllStringFunc(message, func(match string) string {
183 // Don't redact common workflow keywords
184 if _, ok := commonWorkflowKeywords[match]; ok {
185 return match
186 }
187 // Don't redact gh-aw public configuration variables (e.g., GH_AW_SKIP_NPX_VALIDATION)
188 if strings.HasPrefix(match, "GH_AW_") {
189 return match
190 }
191 sanitizeLog.Printf("Redacted snake_case secret pattern: %s", match)
192 return "[REDACTED]"
193 })
194
195 // Redact PascalCase patterns ending with security suffixes (e.g., GitHubToken, ApiKey)
196 sanitized = pascalCaseSecretPattern.ReplaceAllString(sanitized, "[REDACTED]")
197
198 if sanitized != message {
199 sanitizeLog.Print("Error message sanitization applied redactions")
200 }
201
202 return sanitized
203}
204
205// SanitizeIdentifierName sanitizes a name for use as a programming-language identifier
206// by replacing disallowed characters with underscores.

Calls 2

PrintMethod · 0.80
PrintfMethod · 0.45