
Fix allowlist bypass when log arguments span multiple params#23

Merged: SynthLuvr merged 5 commits into main from copilot/fix-redaction-bypass-issue on Feb 27, 2026

Copilot AI commented Feb 26, 2026

Allowlist context rules failed when the keyword and the secret appeared in separate console.debug arguments — each argument was redacted independently, so the context window never included the preceding keyword.

Changes

  • src/format.ts: Replaced per-item redaction with a join-then-redact approach. All arguments are serialized to strings first, joined with a space, then redacted once on the full string — giving context rules a complete view of the message.
  • tests/index.test.ts: Added a test covering the multi-argument allowlist case.

Example

setupLogging({ hex: { allow: [{ re: /\b(transfer)\b/i }] } });

// Before: hex was redacted because "transfer" was in a separate arg
console.debug("transfer", "538845bf2f418e0c7f3798d6bcb632273d46633545a5e261feceb7d378ed0761");
// ✗ transfer [REDACTED]

// After: full joined string is evaluated, allowlist matches correctly
// ✓ transfer 538845bf2f418e0c7f3798d6bcb632273d46633545a5e261feceb7d378ed0761

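A simplified model of the before and after behaviour described in this PR, as an added example that is not the code in src/format.ts. The function names, the 64-character hex pattern and the 40-character context window are assumptions made for illustration; only the allow rule and the sample value come from the PR description.

```typescript
// Simplified model of the two strategies; NOT the project's src/format.ts.
type AllowRule = { re: RegExp };

const HEX = /\b[0-9a-f]{64}\b/gi; // assumed secret pattern: 32-byte hex string
const CONTEXT_CHARS = 40;         // assumed size of the look-behind window

// Redact hex strings unless an allow rule matches the text just before them.
function redact(text: string, allow: AllowRule[]): string {
  return text.replace(HEX, (match: string, offset: number) => {
    const context = text.slice(Math.max(0, offset - CONTEXT_CHARS), offset);
    // search() ignores lastIndex, so rules carrying a /g flag stay stateless.
    const allowed = allow.some((rule) => context.search(rule.re) >= 0);
    return allowed ? match : "[REDACTED]";
  });
}

// Turn one log argument into text (hypothetical serializer).
function serialize(arg: unknown): string {
  return typeof arg === "string" ? arg : String(JSON.stringify(arg));
}

// Pre-fix behaviour: every argument is redacted on its own, so the
// context window of a later argument never contains an earlier keyword.
function formatPerArgument(args: unknown[], allow: AllowRule[]): string {
  return args.map((a) => redact(serialize(a), allow)).join(" ");
}

// Post-fix behaviour: serialize all arguments, join with a space,
// then redact once over the whole message.
function formatJoined(args: unknown[], allow: AllowRule[]): string {
  return redact(args.map(serialize).join(" "), allow);
}

// Allow rule and sample value as given in the PR description.
const allow: AllowRule[] = [{ re: /\b(transfer)\b/i }];
const txid =
  "538845bf2f418e0c7f3798d6bcb632273d46633545a5e261feceb7d378ed0761";

console.log(formatPerArgument(["transfer", txid], allow)); // keyword not seen
console.log(formatJoined(["transfer", txid], allow));      // allow rule applies
console.log(formatJoined(["login", txid], allow));         // still redacted
// Constructed case: keyword further back than the assumed window.
console.log(formatJoined(["transfer", "x".repeat(60), txid], allow));
```

In this model a keyword only exempts a value that falls inside the context window, so a multi-argument test suite should also cover the case where the keyword sits in an earlier argument but outside the window.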

Copilot AI and others added 2 commits February 26, 2026 22:25
…thods

Co-authored-by: SynthLuvr <131367121+SynthLuvr@users.noreply.github.com>
Co-authored-by: SynthLuvr <131367121+SynthLuvr@users.noreply.github.com>
Comment thread src/format.ts
Comment thread tests/index.test.ts Outdated
Copilot AI changed the title [WIP] Fix bypassing redaction in log messages with multiple arguments Fix allowlist bypass when log arguments span multiple params Feb 26, 2026
@SynthLuvr SynthLuvr marked this pull request as ready for review February 27, 2026 19:35
@SynthLuvr SynthLuvr merged commit 7c1c99d into main Feb 27, 2026
3 checks passed
@SynthLuvr SynthLuvr deleted the copilot/fix-redaction-bypass-issue branch February 27, 2026 19:37