fix: string masking and redaction#477
Open
arunmish-visa wants to merge 7 commits into
Open
Conversation
…w body logging Critical fixes for AISAST-10703: 1. Log.php - addDelimiterFwdSlash(): Add 's' (dotall) flag so sensitive values spanning newlines are matched by XML regex patterns. 2. Log.php - NEW maskSensitiveJsonString(): Add JSON-key-aware masking that handles the actual wire format (json_encode) used by ApiOperationBase. Masks cardNumber, cardCode, transactionKey, expirationDate, accountNumber, and nameOnAccount in JSON payloads using key-value regex patterns. 3. Log.php - getMasked(): Chain maskSensitiveJsonString() after XML masking so both formats are covered before credit card regex runs. 4. HttpClient.php line 77: Remove raw request body logging; log only payload length (payloadLength=N). 5. HttpClient.php line 96: Remove raw response body logging; log only HTTP status code and response length. 6. Add comprehensive PHPUnit tests (LogMaskingTest.php) covering: - JSON key masking for all sensitive fields - Multiple occurrences of same sensitive tag - Multi-line XML values (dotall coverage) - Credit card regex in freetext - Combined JSON + freetext scenarios - Edge cases (empty string, non-sensitive preservation) Addresses: PCI A3.2.6, KC 7.10.9, security-logging-dsr 11.2
…atterns - Remove user-controlled CWD-relative config file path; only load the SDK-bundled config via absolute path (dirname(__FILE__) prefix) - Validate all regex patterns from config with preg_match before use; discard invalid patterns to prevent ReDoS - Validate sensitiveStringRegexes array entries the same way
…PCRE null-check, fix backreference - AuthorizedNetSensitiveTagsConfig.json: Add password, sessionToken, fingerPrint, clientKey, accessToken, mobileDeviceId to sensitiveTags so they are masked on the object-reflection log path at ApiOperationBase.php:115 - Log.php maskCreditCards(): Add PCRE null-check (fail-closed) for consistency with XML and JSON maskers - Log.php maskSensitiveJsonString(): Remove dangling $2 backreference; JSON masker always uses static 'xxxx' replacement (the config replacement 'xxxx-$2' is XML-specific with 2 capture groups) - LogMaskingTest.php: Add 10 object-reflection masking tests covering all 6 new credential fields, nested objects, and non-sensitive field preservation
AISAST-b84e1cc7: Insecure default HTTP endpoint allows cleartext credential transmission. - ANetEnvironment.php: Change CUSTOM constant from http:// to https:// (was 'http://wwww.myendpoint.com', now 'https://custom.endpoint.example') - HttpClient.php _sendRequest(): Add HTTPS scheme enforcement — rejects any non-TLS URL before opening connection (PCI DSS 4.1) - HttpClient.php _sendRequest(): Explicitly set CURLOPT_SSL_VERIFYPEER=true rather than relying on libcurl default which may vary by build
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.