Salastil/odysseus
1
0
Fork 0
mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-15 17:25:26 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix(settings): scrub camelCase secret keys (#3707)

Browse Source
This commit is contained in:
cyq
2026-06-11 18:53:33 +08:00
committed by GitHub
parent d5603ee575
commit c01034f9cb
2 changed files with 30 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/settings_scrub.py
+11 -1
View File
@@ -12,6 +12,8 @@ tunnel / reverse proxy. Scrubbing is deep (recurses nested dicts/lists) and keye
on secret-shaped names.
"""
import re
_SECRET_KEY_PATTERNS = (
"_api_key", "_apikey", "_password", "_passwd", "_pass", "_pwd",
"_secret", "_client_secret", "_token", "_access_token", "_refresh_token",
@@ -26,8 +28,16 @@ _SENSITIVE_KEY_EXACT = (
)
def _canonical_key_name(name: str) -> str:
"""Normalize common JS-style key names so secret matching is style-agnostic."""
n = (name or "").replace("-", "_")
n = re.sub(r"(.)([A-Z][a-z]+)", r"\1_\2", n)
n = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", n)
return n.lower()
def is_secret_key(name: str) -> bool:
n = (name or "").lower()
n = _canonical_key_name(name)
if n in _SECRET_KEY_ALLOW:
return False
if n in _SENSITIVE_KEY_EXACT:
tests/test_settings_scrub.py
+19 -1
View File
@@ -40,7 +40,8 @@ def test_secret_in_list_of_dicts_blanked():
def test_non_secret_keys_preserved():
s = {"keybinds": {"send": "Enter"}, "theme": "dark", "image_model": "x",
"default_endpoint_id": "ep1", "search_result_count": 5, "tts_enabled": True}
"default_endpoint_id": "ep1", "search_result_count": 5, "tts_enabled": True,
"tokenId": "public-id", "keyId": "public-key-id"}
assert scrub_settings(s) == s # untouched
@@ -71,6 +72,23 @@ def test_exact_name_matches():
assert all(v == "" for v in out.values()), out
def test_camel_case_secret_keys_blanked():
out = scrub_settings({
"apiKey": "api-secret",
"accessToken": "access-secret",
"refreshToken": "refresh-secret",
"clientSecret": "client-secret",
"hfToken": "hf-secret",
"nested": {"privateKey": "private-secret"},
})
assert out["apiKey"] == ""
assert out["accessToken"] == ""
assert out["refreshToken"] == ""
assert out["clientSecret"] == ""
assert out["hfToken"] == ""
assert out["nested"]["privateKey"] == ""
def test_non_object_settings_return_empty_mapping():
assert scrub_settings(["not", "settings"]) == {}
assert scrub_settings("not settings") == {}