From 5320a0fd4d71867686f88af46bd89355d8fc619e Mon Sep 17 00:00:00 2001
From: Benjamin Stefan <145866889+Benjamin-Stefan@users.noreply.github.com>
Date: Fri, 27 Sep 2024 23:44:32 +0200
Subject: [PATCH 1/4] Fix code scanning alert no. 1: Clear-text logging of sensitive information
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/utils/ssh.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/utils/ssh.ts b/src/utils/ssh.ts
index 40139f4..e02aa82 100644
--- a/src/utils/ssh.ts
+++ b/src/utils/ssh.ts
@@ -9,7 +9,9 @@ import { SSHOptions } from "../types";
 */
 function logDebug(message: string, debug?: boolean) {
 if (debug) {
- console.log(`[DEBUG] ${message}`);
+ // Sanitize the message to remove sensitive information
+ const sanitizedMessage = message.replace(/--password=\S+/g, '--password=****');
+ console.log(`[DEBUG] ${sanitizedMessage}`);
 }
 }
From 4cae3a2789b9aa513641c7acae302841aeebddd5 Mon Sep 17 00:00:00 2001
From: Benjamin Stefan <145866889+Benjamin-Stefan@users.noreply.github.com>
Date: Fri, 27 Sep 2024 23:46:33 +0200
Subject: [PATCH 2/4] Fix code scanning alert no. 31: Clear-text logging of sensitive information
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/utils/ssh.ts | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/utils/ssh.ts b/src/utils/ssh.ts
index e02aa82..e14c5cf 100644
--- a/src/utils/ssh.ts
+++ b/src/utils/ssh.ts
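Review bot: The new `message.replace(/--password=\S+/g, '--password=****')` masks only the `--password=value` spelling, so a space-separated `--password value` is logged unchanged and a quoted value with internal whitespace (`--password="a b"`) leaves everything after the first space in clear; the mask also runs only at the sink, after the caller has already interpolated the secret into `message`. A one-line widening, `message.replace(/--password(?:=|\s+)\S+/g, '--password=****')`, closes the space-separated form, but the durable fix is for callers to build the debug line from a copy of the options with the credential fields omitted rather than scrubbing a finished string. If scrubbing stays, the comment above it should say so plainly, e.g. `// Best-effort mask of the --password=<value> spelling only; callers must not rely on it to keep secrets out of the log`.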
@@ -10,11 +10,23 @@ import { SSHOptions } from "../types";
 function logDebug(message: string, debug?: boolean) {
 if (debug) {
 // Sanitize the message to remove sensitive information
- const sanitizedMessage = message.replace(/--password=\S+/g, '--password=****');
+ const sanitizedMessage = sanitizeSensitiveData(message);
 console.log(`[DEBUG] ${sanitizedMessage}`);
 }
 }
+/**
+ * Sanitizes a message to remove sensitive information such as passwords, usernames, and other credentials.
+ * @param {string} message - The message to sanitize.
+ * @returns {string} The sanitized message.
+ */
+function sanitizeSensitiveData(message: string): string {
+ return message
+ .replace(/--password=\S+/g, '--password=****')
+ .replace(/--username=\S+/g, '--username=****')
+ .replace(/--apn=\S+/g, '--apn=****');
+}
+
 /**
 * Creates an SSH connection using the provided options.
 * @param {SSHOptions} options - The SSH connection options.
From 25d0cfeba0570dd8de12805f45ae4ecab241d525 Mon Sep 17 00:00:00 2001
From: Benjamin Stefan <145866889+Benjamin-Stefan@users.noreply.github.com>
Date: Fri, 27 Sep 2024 23:50:18 +0200
Subject: [PATCH 3/4] Fix code scanning alert no. 32: Clear-text logging of sensitive information
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/utils/ssh.ts | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/utils/ssh.ts b/src/utils/ssh.ts
index e14c5cf..9114017 100644
--- a/src/utils/ssh.ts
+++ b/src/utils/ssh.ts
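Review bot: `sanitizeSensitiveData` is a denylist of three exact `--flag=` spellings, so anything outside it — another option name, a space-separated argument, a quoted value containing whitespace — reaches `console.log` in clear, and nothing in the new TSDoc tells callers that. Please add a line such as `@remarks Best-effort masking of the listed --flag=value spellings only; other flags and space-separated or quoted arguments are not covered, so credentials must be kept out of message at the call site.` The pattern list presumably has to track whatever builds the command line elsewhere in the file, so keeping the masked flag names in one `const` array and deriving the three regexes from it would stop the two from drifting apart. The `{string}` JSDoc types are redundant in TypeScript but match the file's existing `@param {SSHOptions}` style.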
@@ -11,7 +11,11 @@ function logDebug(message: string, debug?: boolean) {
 if (debug) {
 // Sanitize the message to remove sensitive information
 const sanitizedMessage = sanitizeSensitiveData(message);
- console.log(`[DEBUG] ${sanitizedMessage}`);
+ if (!sanitizedMessage.includes("password") && !sanitizedMessage.includes("username") && !sanitizedMessage.includes("apn")) {
+ console.log(`[DEBUG] ${sanitizedMessage}`);
+ } else {
+ console.log(`[DEBUG] Sensitive information omitted`);
+ }
 }
 }
@@ -24,7 +28,9 @@ function sanitizeSensitiveData(message: string): string {
 return message
 .replace(/--password=\S+/g, '--password=****')
 .replace(/--username=\S+/g, '--username=****')
- .replace(/--apn=\S+/g, '--apn=****');
+ .replace(/--apn=\S+/g, '--apn=****')
+ .replace(/--auth-type=\S+/g, '--auth-type=****')
+ .replace(/--ip-family=\S+/g, '--ip-family=****');
 }
 /**
From b48c38cd67bb4a76688274535ce0a58905d644c0 Mon Sep 17 00:00:00 2001
From: Benjamin Stefan <145866889+Benjamin-Stefan@users.noreply.github.com>
Date: Fri, 27 Sep 2024 23:54:02 +0200
Subject: [PATCH 4/4] Fix code scanning alert no. 33: Clear-text logging of sensitive information
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/utils/ssh.ts | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/utils/ssh.ts b/src/utils/ssh.ts
index 9114017..309429a 100644
--- a/src/utils/ssh.ts
+++ b/src/utils/ssh.ts
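Review bot: The new `includes("password")` / `includes("username")` / `includes("apn")` test in `logDebug` inspects the text after masking, and because every mask keeps the flag name (`--password=****`), any message that was masked is replaced by the constant `Sensitive information omitted` anyway, so the masked output never reaches the log; messages that merely mention one of those words with no secret in them are dropped too. The check is substring-based and case-sensitive, so it both over- and under-matches. If the intent is to suppress rather than mask, key it on whether a pattern fired, `if (sanitizedMessage !== message) {`, and say so in the comment; if the intent is to mask, log `sanitizedMessage` unconditionally. `logDebug`'s signature is outside the hunk, visible only in the `@@` context.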
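Review bot: The two masks added to `sanitizeSensitiveData`, `--auth-type` and `--ip-family`, cover values that by their names are configuration choices rather than credentials; masking them removes detail that is useful when a connection fails without reducing exposure, unless this project treats them as secret, which the function's TSDoc should state either way. If they were added only because the scanner tracks taint from the whole options object into the log call, the better fix is to stop passing the raw option string to `logDebug` and log a summary built from the non-sensitive fields instead. The function's signature is outside the hunk, shown only in the `@@` context line.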
@@ -11,10 +11,10 @@ function logDebug(message: string, debug?: boolean) {
 if (debug) {
 // Sanitize the message to remove sensitive information
 const sanitizedMessage = sanitizeSensitiveData(message);
- if (!sanitizedMessage.includes("password") && !sanitizedMessage.includes("username") && !sanitizedMessage.includes("apn")) {
- console.log(`[DEBUG] ${sanitizedMessage}`);
- } else {
+ if (sanitizedMessage.includes("****")) {
 console.log(`[DEBUG] Sensitive information omitted`);
+ } else {
+ console.log(`[DEBUG] ${sanitizedMessage}`);
 }
 }
@@ -30,7 +30,11 @@ function sanitizeSensitiveData(message: string): string {
 .replace(/--username=\S+/g, '--username=****')
 .replace(/--apn=\S+/g, '--apn=****')
 .replace(/--auth-type=\S+/g, '--auth-type=****')
- .replace(/--ip-family=\S+/g, '--ip-family=****');
+ .replace(/--ip-family=\S+/g, '--ip-family=****')
+ .replace(/--device=\S+/g, '--device=****')
+ .replace(/--set-client-id \S+/g, '--set-client-id ****')
+ .replace(/--get-client-id \S+/g, '--get-client-id ****')
+ .replace(/--sync/g, '--sync ****');
 }
 /**
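Review bot: With `if (sanitizedMessage.includes("****"))` every message in which a mask fired is replaced by the constant string, so the `--flag=****` rewrites produced by `sanitizeSensitiveData` never reach the log, and a message that legitimately contains `****` (a separator, a value already masked by another tool) is silently dropped as well. Keying on a sentinel substring is fragile; if suppression is the intent, compare against the input, `if (sanitizedMessage !== message) {`, and if masking is the intent, log `sanitizedMessage` unconditionally and remove the branch. A one-line comment should record which of the two is wanted, since the last three commits alternate between them. `logDebug`'s signature lies outside the hunk.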
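Review bot: `.replace(/--sync/g, '--sync ****')` is not a mask: the pattern captures no value, so the replacement inserts ` ****` after every `--sync` occurrence (including any longer flag that starts with `--sync`), which then trips the `includes("****")` check in `logDebug` and drops the whole line. If `--sync` takes a value it should follow its neighbours, `.replace(/--sync \S+/g, '--sync ****')`; if it is a bare switch the line should be removed. The `--set-client-id \S+` and `--get-client-id \S+` forms accept only the space separator, so if the tool also accepts `--flag=value` those spellings pass through unmasked; a pattern such as `/--set-client-id(?:=|\s+)\S+/g` covers both. The function starts outside the hunk, shown only in the `@@` context line.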