fix(redaction): scope long_hex_secret to credential context (#136)#159
Open
tcconnally wants to merge 3 commits into
The pre-1.0.6 default rule `\b[a-fA-F0-9]{40,}\b` silently destroyed git
commit hashes (40 hex chars), SHA-256 sums (64 hex chars), Docker digests,
and Atlassian content hashes in any rendered output that crossed the trust
boundary. `@query "git log --oneline"` produced `[REDACTED:long_hex_secret]`
for every commit hash, with no recovery path.
The rule now requires an explicit credential anchor before matching:

```
(?i)(?:secret|token|key|password|passwd|api[_-]?key|auth(?:orization)?)\s*[:=]\s*["']?([a-fA-F0-9]{40,})["']?
```

Real secrets in credential context are still caught; bare hashes pass through.
Internals:
- New `_anchor_group` field on rule dicts identifies which capture group
holds the secret payload. _sub() in redact_text() replaces only that span
while preserving surrounding context verbatim.
- Legacy prefix-preserve behavior (group(1) is a prefix) is retained for
bearer_header and other existing rules — controlled by absence of
_anchor_group.
Tests (tests/test_redaction.py):
- test_bare_git_sha1_is_not_redacted_by_defaults
- test_bare_sha256_checksum_is_not_redacted_by_defaults
- test_credential_anchored_hex_IS_redacted
- test_credential_anchored_hex_preserves_surrounding_context
- test_bearer_header_prefix_still_preserved
- test_at_query_git_log_output_survives_redaction
All 27 redaction tests pass. test_edge_cases.py parity vs main confirmed
(0 net new failures).
Closes #136
Refs milestone v1.0.6
This was referenced Jun 3, 2026
tcconnally added a commit that referenced this pull request, Jun 4, 2026:
Comprehensive handoff for the v1.0.6 security + correctness hotfix cycle (2026-06-03):
- Summarizes all 10 open PRs (#159-#164, #170-#173) with closes-issue, severity, suggested merge order, and known conflicts.
- Documents the 7 residual issues NOT yet PR'd (#138, #140, #167, #130, #135, #141, #142) with size estimates.
- Captures architectural notes: the _provenance pattern, build-artifact drift trap, @Perseus header requirement, git stash + built artifact hazard.
- Lists 97/97 new regression tests and pre-existing failure baseline for parity-checking.
- Provides release mechanics: tagging, smoke testing, security advisory recommendations with CVSS estimates.
- Lists mistakes I made this session (5 of them) and open questions for the maintainer (5 of them).
- Appendix A: side-by-side diff of my review's findings vs Codex's findings — shows Codex caught 5 Criticals my review missed, all of which now have PRs.
Lives at HANDOFF-v1.0.6.md (existing HANDOFF.md is the Phase 24 extensibility-spec handoff from 2026-05-24 and is preserved).
Co-authored-by: Thomas Connally <tconnally@atlassian.com>
Summary

Closes #136 — first item in the v1.0.6 hotfix bundle.

The pre-1.0.6 default redaction rule `\b[a-fA-F0-9]{40,}\b` silently destroyed every git commit hash (40 hex chars), SHA-256 sum (64 hex), Docker digest, and Atlassian content hash in any rendered output that crossed the trust boundary. `@query "git log --oneline"` produced `[REDACTED:long_hex_secret]` for every commit, with no recovery path.

Fix

The rule now requires an explicit credential anchor before matching:

```
(?i)(?:secret|token|key|password|passwd|api[_-]?key|auth(?:orization)?)\s*[:=]\s*["']?([a-fA-F0-9]{40,})["']?
```

Real secrets in credential context are still caught; bare hashes pass through verbatim.

Internals

- `_anchor_group` identifies which capture group holds the secret payload.
- `_sub()` in `redact_text()` extended to support three modes:
  - `anchor_group=N` — replace only that span, preserve everything else
  - `group(1)` is a prefix to preserve (used by `bearer_header`)

Tests

6 new regression tests in `tests/test_redaction.py`:
- test_bare_git_sha1_is_not_redacted_by_defaults
- test_bare_sha256_checksum_is_not_redacted_by_defaults
- test_credential_anchored_hex_IS_redacted (5 cases)
- test_credential_anchored_hex_preserves_surrounding_context
- test_bearer_header_prefix_still_preserved (sanity)
- test_at_query_git_log_output_survives_redaction (integration)

Test results

- test_redaction.py: 27/27 pass (21 existing + 6 new)
- test_edge_cases.py: parity with `main` confirmed (12 pass / 21 fail, identical sorted diff) — 0 net new failures introduced

CHANGELOG

New `[1.0.6] — UNRELEASED` section added with full migration notes.

Migration

No config breaking changes. If a user had relied on `long_hex_secret` redacting bare hex output (unlikely), they need to add an explicit user rule under `redaction.patterns`.

First of 12 PRs in the v1.0.6 milestone. Suggested next: #129 (trust profile override) or #137 (audit log secret leak).
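The following is an added illustration of the `_anchor_group` and legacy prefix-preserve modes described in both the commit message and the Summary above; it is not the project's code. The rule-dict shape, the bodies of `_sub()` and `redact_text()`, and the `bearer_header` pattern are assumptions; the two `long_hex_secret` regexes are the ones quoted in the PR.

```python
import re

# Rule set modelled on the PR description. The rule-dict shape, the _sub() and
# redact_text() bodies and the bearer_header pattern are assumptions for this
# example, not the project's own code.
RULES = [
    {
        "name": "long_hex_secret",
        # Scoped rule from the PR: a credential anchor must precede the hex blob.
        "pattern": re.compile(
            r'(?i)(?:secret|token|key|password|passwd|api[_-]?key|auth(?:orization)?)'
            r'\s*[:=]\s*["\']?([a-fA-F0-9]{40,})["\']?'
        ),
        "_anchor_group": 1,  # only this capture group is replaced
    },
    {
        "name": "bearer_header",
        # Legacy mode (no _anchor_group): group(1) is a prefix to keep verbatim.
        "pattern": re.compile(r"(Bearer\s+)[A-Za-z0-9._~+/=-]{20,}"),
    },
]

# Pre-1.0.6 rule, kept here only to reproduce the regression the PR fixes.
PRE_1_0_6_RULES = [
    {"name": "long_hex_secret", "pattern": re.compile(r"\b[a-fA-F0-9]{40,}\b")},
]


def _sub(rule: dict, m: re.Match) -> str:
    """Build the replacement for one match according to the rule's mode."""
    marker = f"[REDACTED:{rule['name']}]"
    anchor = rule.get("_anchor_group")
    if anchor is not None:
        # Anchored mode: splice the marker over the payload span, keep the rest.
        start, end = m.span(anchor)
        whole = m.group(0)
        return whole[: start - m.start()] + marker + whole[end - m.start():]
    if m.lastindex:
        # Legacy prefix-preserve mode: group(1) survives, the rest is redacted.
        return m.group(1) + marker
    return marker  # no capture groups: redact the whole match


def redact_text(text: str, rules=RULES) -> str:
    """Apply every rule in order; each rule's _sub() decides what survives."""
    for rule in rules:
        text = rule["pattern"].sub(lambda m, r=rule: _sub(r, m), text)
    return text
```

Running the same constructed `git log` line through `PRE_1_0_6_RULES` and `RULES` shows the hash being destroyed before and surviving after, while an `api_key = "..."` assignment still loses only the hex payload.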