ci/security/test: automated audit fixes for QuantPlatformKit #164
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| """Small helpers for keeping notification errors safe to log.""" | ||
|
|
||
| from __future__ import annotations | ||
|
|
||
| import re | ||
|
|
||
|
|
||
| _REDACTED = "<redacted>" | ||
| _TELEGRAM_BOT_PATH_RE = re.compile(r"(?i)(/bot)([^/\s]+)") | ||
|
This helper only masks Telegram-style
||
| _SENSITIVE_QUERY_RE = re.compile( | ||
| r"(?i)([?&](?:access[_-]?token|api[_-]?key|auth[_-]?token|key|password|secret|signature|token)=)([^&\s]+)" | ||
| ) | ||
| _AUTH_HEADER_RE = re.compile(r"(?i)\b(Bearer|Basic)\s+([A-Za-z0-9._~+/=-]{8,})") | ||
| _ASSIGNMENT_RE = re.compile( | ||
| r"(?i)\b(api[_-]?key|auth[_-]?token|credential|password|private[_-]?key|secret|token)\s*[:=]\s*([\"']?)([^\"'\s,;]{8,})([\"']?)" | ||
| ) | ||
|
|
||
|
|
||
| def redact_sensitive_text(value: object) -> str: | ||
| """Return text suitable for logs without exposing common secret shapes.""" | ||
|
|
||
| text = str(value) | ||
| text = _TELEGRAM_BOT_PATH_RE.sub(r"\1" + _REDACTED, text) | ||
| text = _SENSITIVE_QUERY_RE.sub(r"\1" + _REDACTED, text) | ||
| text = _AUTH_HEADER_RE.sub(r"\1 " + _REDACTED, text) | ||
| return _ASSIGNMENT_RE.sub(lambda match: f"{match.group(1)}={_REDACTED}", text) | ||
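Review bot: `_ASSIGNMENT_RE` requires the `[:=]` separator to follow the key name directly (`\b(api[_-]?key|...|token)\s*[:=]\s*(["']?)`), so JSON-style quoted keys such as `"password": "hunter2hunter2"` are never redacted: the closing `"` after `password` sits between the key and the `:` and the match fails there. Error bodies returned by notification HTTP APIs are usually JSON, so this is the shape most likely to reach the logger. Allow an optional closing quote before the separator (for example `(["']?)\s*([:=])\s*`) and have the replacement lambda emit the captured separator and quotes around `_REDACTED` instead of the hard-coded `=`, so the masked output stays structurally valid. Two smaller points on the same hunk: the `{8,}` minimum in `_ASSIGNMENT_RE` and `_AUTH_HEADER_RE` leaves shorter values (a 7-character password) unmasked, and `(/bot)([^/\s]+)` in `_TELEGRAM_BOT_PATH_RE` also rewrites any path segment that merely starts with `bot` (`/bottles/12` becomes `/bot<redacted>/12`), so anchoring it to the `<id>:<secret>` token shape would avoid false positives. The hunk also adds no tests for `redact_sensitive_text`; a table-driven test with one sample per pattern plus a JSON body would pin down the intended coverage.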
For the generated `auto/qpk-pin-update` PRs, `${{ github.token }}` is the repository `GITHUB_TOKEN`; the `create-pull-request` action docs note that PRs created with the default token do not trigger `on: pull_request` or `on: push` workflows. I checked this repo's PR validation workflows (`.github/workflows/ci.yml` and `.github/workflows/codex_review_gate.yml`) and they are `pull_request`-triggered, so these automated pin PRs will be opened without the normal CI/gate checks unless someone manually retriggers them. Use a policy-approved PAT/GitHub App token or add an explicit follow-up trigger for validation.
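Added illustration of the token swap the comment asks for; this is not the repository's workflow, and it assumes the pin-update job uses the `peter-evans/create-pull-request` action and that the approved PAT or App token is stored as a repository secret named `PIN_UPDATE_TOKEN` (both assumed names).

```yaml
# Constructed example, not the repository's own workflow file.
# Assumes peter-evans/create-pull-request and a secret named PIN_UPDATE_TOKEN.
jobs:
  pin-update:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      # the steps that refresh the QuantPlatformKit pins run here (not shown)

      - uses: peter-evans/create-pull-request@v7
        with:
          # Weak: the default GITHUB_TOKEN opens the PR, but GitHub suppresses
          # pull_request / push workflows for events created with it, so
          # ci.yml and codex_review_gate.yml never run on this branch.
          # token: ${{ github.token }}

          # Corrected: a PAT or GitHub App token is a distinct identity, so the
          # opened PR fires the normal pull_request-triggered validation.
          token: ${{ secrets.PIN_UPDATE_TOKEN }}
          branch: auto/qpk-pin-update
          title: "chore: refresh QuantPlatformKit pins"
```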