Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
@alwaysmeticulous/redaction
Advanced tools
Utilities for implementing common redaction logic for the [Meticulous Recorder Middleware API](https://github.com/alwaysmeticulous/meticulous-sdk/blob/main/packages/sdk-bundles-api/src/record/middleware.ts).
Utilities for implementing common redaction logic for the Meticulous Recorder Middleware API.
import { dropRequestHeader, transformJsonResponse, redactRecursively, asterixOut } from "@alwaysmeticulous/redaction";
const middleware = [
dropRequestHeader("Authorization"),
transformJsonResponse({
urlRegExp: /https:\/\/api\.example\.com\/.*/,
transform: (data) => {
return { ...data, ...(data.sensitive ? { sensitive: asterixOut(data.sensitive) } : {}) };
},
}),
transformJsonResponse({
urlRegExp: /https:\/\/api\.example\.com\/sensitive.*/,
transform: (data) => redactRecursively(data, {
redactString: (str, path) => path[path.length - 1] === "uuid" ? str : asterixOut(str),
}),
}),
];
To make it easier to redact large complex javascript types we provide a number of helpers.
This ensures the redacted text is the same length and has the same whitespace as the original text, thereby allowing you to test the same layout cases.
import { asterixOut } from "@alwaysmeticulous/redaction";
const redacted = asterixOut("some sensitive text"); // returns "**** ********* ****"
Redact string intelligently redacts the string by checking for common data formats. This reduces the risk of your app error'ing during the replay of Meticulous tests due to it failing to operate on the redacted data (e.g. "*******" is not a valid URL):
import { redactString } from "@alwaysmeticulous/redaction";
const redacted = redactString("some sensitive text"); // returns "**** ********* ****"
const redacted2 = redactString("test@example.com"); // returns "----@-------.com"
// etc.
See redactString.spec.ts for more examples.
NestedFieldsRedactor allows you to specify a redaction policy for each distinct field name (for example 'ssn' or 'email'). It'll then recursively apply this redaction policy across all nested fields inside an object. Type safety ensures that compile time errors will be produced if you provide an object that has a field name (nested at any level inside the object) that you have not specified a redaction policy for.
import { transformJsonResponse, NestedFieldsRedactor, redactString } from "@alwaysmeticulous/redaction";
interface MyComplexApiType {
details: {
ssn: string;
phoneNumbers: Array<{ mobile?: string; home?: string }>;
};
// By default we do not require redacting boolean fields.
isUSBased: boolean;
}
// Important: include your API type explictly in the call to createRedactor (`createRedactor<MyComplexApiType>`)
const complexApiTypeRedactor = NestedFieldsRedactor.builder().createRedactor<MyComplexApiType>({
strings: {
ssn: redactString,
mobile: redactString,
home: redactString,
},
});
const middleware = [
transformJsonResponse({
urlRegExp: /https:\/\/api\.example\.com\/.*/,
transform: (data: MyComplexApiType) => {
return complexApiTypeRedactor(data);
},
}),
];
If you update MyComplexApiType to add a new name
string field:
interface MyComplexApiType {
name: string; // <<< ADDED
details: {
ssn: string;
phoneNumbers: Array<{ mobile?: string; home?: string }>;
};
isUSBased: boolean;
}
But don't add a corresponding redaction policy for the new name
field to the 'createRedactor' call, then your
code will fail to compile. This ensures that the redaction is exhaustive.
createRedactor
will force you to redact all non-enum string fields, but it won't force exhaustive redaction of
other types of fields (dates, booleans, numbers, etc.). See createRedactorStrict
if you need to enforce exhaustive
redaction at compile time of additional data types.
We recommend however using NestedFieldsRedactor.builderWithDefaults()
, which will provide default redactors
for most common field names. If there are any string fields not covered by those defaults then the compiler will
force you to specify a redaction policy for them:
const complexApiTypeRedactor = NestedFieldsRedactor.builderWithDefaults().createRedactor<MyComplexApiType>({
strings: {
// Don't need to specify a redaction policy for `ssn` as it's covered by the defaults,
// but we do need to specify a redaction policy for `mobile` and `home` as they're not covered by the defaults.
mobile: redactString,
home: redactString,
},
});
You can also specify redactors that match field names that end with a given postfix, while preserving compile-time type safety. See common-redactors.ts and redact-nested-fields.ts for some examples.
Recursively iterates through a JSON object applying the provided redaction function. See redact-recursively.spec.ts for more details.
This can be combined with NestedFieldsRedactor
to provide extra safety. For example:
const complexApiTypeRedactor = NestedFieldsRedactor.builder().createRedactor<MyComplexApiType>({
strings: {
ssn: redactString,
mobile: redactString,
home: redactString,
},
});
const redactAnythingThatLooksLikeAnSSN = <T>(data: T) => redactRecursively(
data,
{
redactString: (str) => looksLikeAnSSN(str) ? asterixOut(str) : str,
}
);
const middleware = [
transformJsonResponse({
urlRegExp: /https:\/\/api\.example\.com\/.*/,
transform: (data: MyComplexApiType) => {
return redactAnythingThatLooksLikeAnSSN(complexApiTypeRedactor(data));
},
}),
];
FAQs
Utilities for implementing common redaction logic for the [Meticulous Recorder Middleware API](https://github.com/alwaysmeticulous/meticulous-sdk/blob/main/packages/sdk-bundles-api/src/record/middleware.ts).
The npm package @alwaysmeticulous/redaction receives a total of 136 weekly downloads. As such, @alwaysmeticulous/redaction popularity was classified as not popular.
We found that @alwaysmeticulous/redaction demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.