fix: add AKIA and 0x private key redaction, preserve scan diagnostics
- redact_secrets now covers AWS AKIA keys and 0x-prefixed private keys, matching all patterns that scan_for_secrets detects
- file-action-issue.sh no longer suppresses stderr from scan_for_secrets, so blocked-issue diagnostics reach the caller's log

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
2cc538d4fc
commit
1c8c6a8caf
2 changed files with 7 additions and 1 deletions
@ -17,7 +17,7 @@ file_action_issue() {
|
|||
FILED_ISSUE_NUM=""
|
||||
|
||||
# Secret scan: reject issue bodies containing embedded secrets
|
||||
if ! scan_for_secrets "$body" 2>/dev/null; then
|
||||
if ! scan_for_secrets "$body"; then
|
||||
echo "file-action-issue: BLOCKED — issue body for '${formula_name}' contains potential secrets. Use env var references instead." >&2
|
||||
return 4
|
||||
fi
|
||||
|
|
|
|||
|
|
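Review bot: Dropping `2>/dev/null` from the `scan_for_secrets "$body"` call means whatever that function writes to stderr now lands in the caller's log, and if its diagnostics echo the matched text rather than only the pattern name or line number, the very secret that caused the block is copied into the log. scan_for_secrets lives in the other file of this commit and its output format is not visible here, so confirm it reports only which pattern matched, or route its stderr through redact_secrets (e.g. `2> >(redact_secrets >&2)`, assuming redact_secrets emits the scrubbed text on stdout) before it reaches the log. The BLOCKED message itself is safe as written since it interpolates only `${formula_name}`, never the body. file_action_issue starts before and continues after this hunk.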
@ -79,6 +79,12 @@ scan_for_secrets() {
|
|||
redact_secrets() {
|
||||
local text="${1:-$(cat)}"
|
||||
|
||||
# Replace AWS AKIA keys
|
||||
text=$(printf '%s' "$text" | sed -E 's/AKIA[0-9A-Z]{16}/[REDACTED]/g')
|
||||
|
||||
# Replace Ethereum private keys (0x + 64 hex chars)
|
||||
text=$(printf '%s' "$text" | sed -E 's/0x[0-9a-fA-F]{64}/[REDACTED]/g')
|
||||
|
||||
# Replace long hex strings (32+ chars) not preceded by $ (env var refs)
|
||||
text=$(printf '%s' "$text" | sed -E 's/([^$]|^)([0-9a-fA-F]{32,})/\1[REDACTED]/g')
|
||||
|
||||
|
|
|
|||
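Review bot: The AKIA and 0x regexes added on the two new `sed -E` lines are second copies of whatever scan_for_secrets (defined earlier in this same file, per the hunk header) matches, so the two functions will drift the next time one is touched; defining each pattern once as a readonly constant and referencing it from both the scan and the redaction would make the commit's "matching all patterns that scan_for_secrets detects" property structural rather than by convention (e.g. `readonly RE_AWS_KEY='AKIA[0-9A-Z]{16}'`, name constructed). The three sequential `text=$(printf '%s' "$text" | sed …)` assignments can also collapse into one sed invocation with three `-e` expressions, which for line-oriented sed is behaviourally identical and saves two pipelines per call; keep the 0x rule ahead of the generic 32+ hex rule so the `0x` prefix is consumed rather than left as `0x[REDACTED]`. The patterns stay single-quoted constants, so no untrusted text ever enters the sed script. redact_secrets's body continues past the end of this hunk.
```shell
# Shared patterns (names constructed) — referenced by both scan_for_secrets and redact_secrets.
readonly RE_AWS_KEY='AKIA[0-9A-Z]{16}'
readonly RE_ETH_PRIVKEY='0x[0-9a-fA-F]{64}'
readonly RE_LONG_HEX='([^$]|^)([0-9a-fA-F]{32,})'

redact_secrets() {
  local text="${1:-$(cat)}"

  # Single pass; order matters: the 0x rule must claim the prefix before the generic hex rule runs.
  text=$(printf '%s' "$text" | sed -E \
    -e "s/${RE_AWS_KEY}/[REDACTED]/g" \
    -e "s/${RE_ETH_PRIVKEY}/[REDACTED]/g" \
    -e "s/${RE_LONG_HEX}/\1[REDACTED]/g")
  # … unchanged: remainder of redact_secrets …
```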