@@ -31,6 +31,7 @@ const SECRET_QUERY_PARAMETER_NAMES = new Set([
3131 'sig' ,
3232 'subscription-key' ,
3333] ) ;
34+ const BEARER_TOKEN_PATTERN = / ^ ( \s * B e a r e r ) ( \s + ) ( .* ?) ( \s * ) $ / i;
3435
3536export interface PolicySecretFinding {
3637 location : string ;
@@ -91,6 +92,29 @@ function shouldRedactLiteral(value: string): boolean {
9192 return ! isApimNamedValueReference ( trimmed ) ;
9293}
9394
95+ function redactAuthorizationHeaderValue (
96+ value : string
97+ ) : { redactedValue : string ; wasRedacted : boolean } {
98+ const bearerMatch = BEARER_TOKEN_PATTERN . exec ( value ) ;
99+ if ( bearerMatch ) {
100+ const [ , scheme , spacing , tokenValue , suffix ] = bearerMatch ;
101+ if ( ! shouldRedactLiteral ( tokenValue ) ) {
102+ return { redactedValue : value , wasRedacted : false } ;
103+ }
104+
105+ return {
106+ redactedValue : `${ scheme } ${ spacing } ${ REDACTION_MARKER } ${ suffix } ` ,
107+ wasRedacted : true ,
108+ } ;
109+ }
110+
111+ if ( ! shouldRedactLiteral ( value ) ) {
112+ return { redactedValue : value , wasRedacted : false } ;
113+ }
114+
115+ return { redactedValue : REDACTION_MARKER , wasRedacted : true } ;
116+ }
117+
94118/**
95119 * Redact inline literal secrets in policy XML content.
96120 */
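Review bot: `redactAuthorizationHeaderValue` (lines 95-116) has no TSDoc, and its contract is the kind that needs stating: only a value matching `BEARER_TOKEN_PATTERN` keeps its scheme and surrounding whitespace, every other Authorization value (`Basic …`, SAS or bare tokens) is replaced wholesale by the fallback at lines 111-115, and a Bearer credential that `shouldRedactLiteral` rejects (a named-value reference such as `{{token}}`, per line 92) is returned untouched. I would add a comment above the function saying that the scheme is preserved so a redacted policy still reads as a Bearer header while the credential itself is never echoed, and that the whole-value fallback is deliberately conservative rather than an omission. That fallback duplicates the generic `shouldRedactLiteral ? REDACTION_MARKER : value` branch the later hunk inlines in `redactPolicySecrets`; hoisting it into a small `redactHeaderValue` helper used by both call sites keeps the two paths from drifting. Note also that the regex accepts an empty token group for `Bearer ` followed only by whitespace, so whether that case is redacted or passed through is decided by `shouldRedactLiteral('')`, whose head is outside this hunk — worth pinning with a test.
```typescript
/** Generic header-value redaction: replace any literal that is not a named-value reference. */
function redactHeaderValue(value: string): { redactedValue: string; wasRedacted: boolean } {
  const wasRedacted = shouldRedactLiteral(value);
  return { redactedValue: wasRedacted ? REDACTION_MARKER : value, wasRedacted };
}

function redactAuthorizationHeaderValue(value: string): { redactedValue: string; wasRedacted: boolean } {
  // … unchanged: Bearer branch …
  return redactHeaderValue(value);
}
```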
@@ -114,12 +138,19 @@ export function redactPolicySecrets(
114138 return setHeaderBlock . replace (
115139 / ( < v a l u e \b [ ^ > ] * > ) ( [ \s \S ] * ?) ( < \/ v a l u e > ) / gi,
116140 ( _full , openTag : string , value : string , closeTag : string ) => {
117- if ( ! shouldRedactLiteral ( value ) ) {
141+ const shouldRedactHeaderValue = shouldRedactLiteral ( value ) ;
142+ const { redactedValue, wasRedacted } = headerName === 'authorization'
143+ ? redactAuthorizationHeaderValue ( value )
144+ : {
145+ redactedValue : shouldRedactHeaderValue ? REDACTION_MARKER : value ,
146+ wasRedacted : shouldRedactHeaderValue ,
147+ } ;
148+ if ( ! wasRedacted ) {
118149 return `${ openTag } ${ value } ${ closeTag } ` ;
119150 }
120151
121152 addFinding ( `set-header[${ headerName } ]` ) ;
122- return `${ openTag } ${ REDACTION_MARKER } ${ closeTag } ` ;
153+ return `${ openTag } ${ redactedValue } ${ closeTag } ` ;
123154 }
124155 ) ;
125156 } ) ;