Update child_process redaction pattern (#4509)

DataDog · Jul 12, 2024 · 36da286 · 36da286
1 parent bed4b20
commit 36da286
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/packages/datadog-plugin-child_process/src/scrub-cmd-params.js b/packages/datadog-plugin-child_process/src/scrub-cmd-params.js
@@ -7,10 +7,10 @@ const PROCESS_DENYLIST = ['md5']
 
 const VARNAMES_REGEX = /\$([\w\d_]*)(?:[^\w\d_]|$)/gmi
 // eslint-disable-next-line max-len
-const PARAM_PATTERN = '^-{0,2}(?:p(?:ass(?:w(?:or)?d)?)?|api_?key|secret|a(?:ccess|uth)_token|mysql_pwd|credentials|(?:stripe)?token)$'
+const PARAM_PATTERN = '^-{0,2}(?:p(?:ass(?:w(?:or)?d)?)?|address|api[-_]?key|e?mail|secret(?:[-_]?key)?|a(?:ccess|uth)[-_]?token|mysql_pwd|credentials|(?:stripe)?token)$'
 const regexParam = new RegExp(PARAM_PATTERN, 'i')
 const ENV_PATTERN = '^(\\w+=\\w+;)*\\w+=\\w+;?$'
-const envvarRegex = new RegExp(ENV_PATTERN)
+const envVarRegex = new RegExp(ENV_PATTERN)
 const REDACTED = '?'
 
 function extractVarNames (expression) {
@@ -70,7 +70,7 @@ function scrubChildProcessCmd (expression) {
           result.push(`#${token.comment}`)
         }
       } else if (!foundBinary) {
-        if (envvarRegex.test(token)) {
+        if (envVarRegex.test(token)) {
           const envSplit = token.split('=')
 
           if (!ALLOWED_ENV_VARIABLES.includes(envSplit[0])) {

diff --git a/packages/datadog-plugin-child_process/test/scrub-cmd-params.spec.js b/packages/datadog-plugin-child_process/test/scrub-cmd-params.spec.js
@@ -39,6 +39,9 @@ describe('scrub cmds', () => {
 
     expect(scrubCmdParams('test -password very_secret -api_key 1234'))
       .to.be.deep.equal(['test', '-password', '?', '-api_key', '?'])
+
+    expect(scrubCmdParams('test --address https://some.address.com --email testing@to.es --api-key 1234'))
+      .to.be.deep.equal(['test', '--address', '?', '--email', '?', '--api-key', '?'])
   })
 
   it('Should scrub md5 commands', () => {