Class: Sqreen::SensitiveDataRedactor

Inherits:
Object
  • Object
Defined in:
lib/sqreen/sensitive_data_redactor.rb

Overview

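Redacts sensitive data so that it is not sent to our servers. A value is masked when its hash key is in the sensitive-key list, or when a string value matches the configured pattern as a whole.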

Constant Summary

# Hash keys whose values are always masked. #redact lower-cases String keys
# before comparing them with this list, so the match is case-insensitive for
# strings. Keys passed to the constructor replace this list, they do not
# extend it.
DEFAULT_SENSITIVE_KEYS = Set.new(
  %w[
    password password2 password_confirmation secret passwd
    authorization api_key apikey token access_token jwt_token
    cvv cvv2
  ]
).freeze

# Whole-string pattern (anchored with \A and \z): 13 to 16 digits, each
# optionally followed by spaces or hyphens, i.e. strings shaped like a payment
# card number. Because of the anchors, a number embedded in longer text
# ("card: 4111...") is NOT matched and is left unredacted.
DEFAULT_REGEX = /\A(?:\d[ -]*?){13,16}\z/

# Replacement written in place of every redacted value.
MASK = '<Redacted by Sqreen>'.freeze

Class Method Summary

Instance Method Summary

Constructor Details

#initialize(params = {}) ⇒ SensitiveDataRedactor

Returns a new instance of SensitiveDataRedactor.



# File 'lib/sqreen/sensitive_data_redactor.rb', line 37

# Builds a redactor from an options hash.
#
# @param params [Hash] optional settings:
#   :keys  - enumerable of key names whose values must always be masked;
#            when given it REPLACES DEFAULT_SENSITIVE_KEYS (it is not merged
#            with it), so a custom list has to repeat any defaults it still
#            wants covered
#   :regex - pattern tested against string values; falls back to
#            DEFAULT_REGEX when absent or nil
def initialize(params = {})
  key_source = params[:keys] || DEFAULT_SENSITIVE_KEYS
  # Stored lower-cased so lookups can be done against a lower-cased hash key.
  @keys = key_source.map { |key| key.downcase }
  @regex = params[:regex] || DEFAULT_REGEX
end

Class Method Details

.all_strings(v) ⇒ Object



# File 'lib/sqreen/sensitive_data_redactor.rb', line 78

# Collects strings from +v+ into a fresh array and returns that array.
#
# The traversal itself lives in all_strings_impl (not shown on this page),
# which receives the array as an accumulator and is expected to append to it.
#
# @param v [Object] value to inspect
# @return [Array] the accumulator after all_strings_impl has run
def all_strings(v)
  [].tap { |collected| all_strings_impl(v, collected) }
end

.from_config ⇒ Object



# File 'lib/sqreen/sensitive_data_redactor.rb', line 18

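# Builds a redactor from the agent configuration.
#
# Reads two settings through Sqreen.config_get:
#   :strip_sensitive_keys  - comma-separated list of key names
#   :strip_sensitive_regex - source of the pattern applied to string values
#
# Entries of the key list are stripped of surrounding whitespace and empty
# entries are dropped, so "password, secret" yields "secret" rather than
# " secret" (which would never match a hash key and would silently leave that
# value unredacted).
#
# NOTE(review): a configured key list replaces the defaults in #initialize,
# and a list that ends up empty is passed through as [] - which turns
# key-based redaction off entirely. Confirm that this is the intended meaning
# of an empty setting.
#
# An invalid pattern is logged and ignored; the constructor then falls back to
# its default pattern. A non-String regex setting is ignored as well.
#
# @return [SensitiveDataRedactor]
def self.from_config
  keys = Sqreen.config_get(:strip_sensitive_keys)
  keys = keys.split(',').map(&:strip).reject(&:empty?) if keys.is_a?(String)

  pattern = Sqreen.config_get(:strip_sensitive_regex)
  regex = nil
  if pattern.is_a?(String)
    begin
      regex = Regexp.compile(pattern)
    rescue RegexpError
      Sqreen.log.warn("Invalid regular expression given in strip_sensitive_regex: #{pattern}")
    end
  end

  new(keys: keys, regex: regex)
end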

Instance Method Details

#redact(obj) ⇒ Object



# File 'lib/sqreen/sensitive_data_redactor.rb', line 42

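# Returns a redacted copy of +obj+ together with the values that were hidden.
#
# * String: replaced by MASK when it matches @regex.
# * Array:  rebuilt element by element, recursing into each one.
# * Hash:   rebuilt entry by entry. When the key is sensitive the whole value
#           is replaced by MASK; otherwise the value is redacted recursively.
# * Anything else is returned unchanged and is never tested against @regex
#   (so, for instance, a card number held as an Integer is not masked).
#
# Key matching: String and Symbol keys are compared lower-cased against @keys.
# The default key list holds strings only, so without the Symbol branch a
# symbol-keyed hash such as { password: "..." } would pass through with the
# secret intact. The raw key is also checked so that a redactor built with
# Symbol entries in :keys keeps matching as before.
#
# @param obj [Object] structure to sanitise; it is not modified
# @return [Array] two elements: the redacted structure, and an array of the
#   original values that were masked (for sensitive keys, whatever
#   SensitiveDataRedactor.all_strings returns for the hidden value)
def redact(obj)
  result = obj
  redacted = []

  case obj
  when String
    if obj =~ @regex
      result = MASK
      redacted << obj
    end
  when Array
    result = []
    obj.each do |e|
      e, r = redact(e)
      result << e
      redacted.concat(r)
    end
  when Hash
    result = {}
    obj.each do |k, v|
      ck = case k
           when String then k.downcase
           when Symbol then k.to_s.downcase
           else k
           end
      if @keys.include?(ck) || @keys.include?(k)
        redacted.concat(SensitiveDataRedactor.all_strings(v))
        v = MASK
      else
        v, r = redact(v)
        redacted.concat(r)
      end
      # The original key object is kept, only the value changes.
      result[k] = v
    end
  end

  [result, redacted]
end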