From 55957b15f6550dadfd52bb701eb11c6899984187 Mon Sep 17 00:00:00 2001
From: Alejandro Ponce
Date: Mon, 13 Jan 2025 11:53:33 +0200
Subject: [PATCH] fix: Notify to secrets to DB on complete redacted text

Closes: #563. See the issue for full context.

With this PR we wait until all the secrets have been redacted (we have a full protected text) to report the secrets to DB. It will prevent from contigous secrets to get stored in DB as plain text.
---
 src/codegate/pipeline/secrets/secrets.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/codegate/pipeline/secrets/secrets.py b/src/codegate/pipeline/secrets/secrets.py
index 0845c0f6..d8f2e705 100644
--- a/src/codegate/pipeline/secrets/secrets.py
+++ b/src/codegate/pipeline/secrets/secrets.py
@@ -135,15 +135,13 @@ def obfuscate(self, text: str) -> tuple[str, int]:
         # Store matches for logging
         found_secrets = 0
 
-        # Replace each match with its encrypted value
+        # First pass. Replace each match with its encrypted value
         logger.info("\nFound secrets:")
         for start, end, match in absolute_matches:
             hidden_secret = self._hide_secret(match)
 
             # Replace the secret in the text
             protected_text[start:end] = hidden_secret
-
-            self._notify_secret(match, protected_text)
             found_secrets += 1
             # Log the findings
             logger.info(
@@ -153,6 +151,10 @@ def obfuscate(self, text: str) -> tuple[str, int]:
                 f"\nEncrypted: {hidden_secret}"
             )
 
+        # Second pass. Notify the secrets in DB over the complete protected text.
+        for _, _, match in absolute_matches:
+            self._notify_secret(match, protected_text)
+
         # Convert back to string
         protected_string = "".join(protected_text)
         print(f"\nProtected text:\n{protected_string}")
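Review bot: The per-match `logger.info(` opened on the last line of this hunk is the remaining call in the first pass that consumes match data before redaction is complete, and its argument list lies outside the hunk, so I cannot confirm which fields it emits. If any of them is the raw matched value rather than `hidden_secret`, the plaintext secret reaches the log sink at INFO level — the same exposure this PR closes for the DB by deferring `_notify_secret`. Worth checking that it logs only `hidden_secret` and the match metadata, and lowering both it and `logger.info("\nFound secrets:")` to `logger.debug`. obfuscate's body begins before this hunk.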
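Review bot: The second pass hands `_notify_secret` the still-unjoined `protected_text` list, while `protected_string = "".join(protected_text)` is built only afterwards, so the value persisted for each match is assembled separately from the string returned to the caller. If `_notify_secret` accepts a str, moving the join above the new loop and passing `protected_string` does the join once and guarantees the DB and the caller see byte-identical redacted text: `protected_string = "".join(protected_text)` before the loop, then `self._notify_secret(match, protected_string)`. The `print(f"\nProtected text:\n{protected_string}")` on the hunk's last line writes the whole redacted document to stdout unconditionally; `logger.debug` would keep it out of captured stdout in deployments. obfuscate's body continues past this hunk.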