feat: mask potentially secret fields from response (#2164)

DmitryAnansky · web-flow · commit 0bacc809de9e · 2025-07-09T17:00:27.000+03:00
diff --git a/.changeset/warm-suns-try.md b/.changeset/warm-suns-try.md
@@ -0,0 +1,6 @@
+---
+"@redocly/respect-core": minor
+"@redocly/cli": minor
+---
+
+Implemented automatic masking of sensitive fields (such as tokens and passwords) in response bodies to enhance security and prevent accidental exposure of secrets in logs and outputs.
diff --git a/packages/respect-core/src/modules/__tests__/cli-putputs/mask-secrets.test.ts b/packages/respect-core/src/modules/__tests__/cli-putputs/mask-secrets.test.ts
@@ -0,0 +1,98 @@
+import {
+  findPotentiallySecretObjectFields,
+  containsSecret,
+  maskSecrets,
+} from '../../cli-output/mask-secrets';
+
+describe('findPotentiallySecretObjectFields', () => {
+  it('should find potentially secret object fields', () => {
+    const obj = {
+      token: 'token123456',
+      accessToken: 'accessToken789',
+      idToken: 'idToken012',
+      password: 'password345',
+      access_token: 'access_token678',
+      id_token: 'id_token901',
+      accessToken2: 'accessToken234',
+      idToken2: 'idToken567',
+      client_secret: 'some_client_secret',
+      access_token2: 'access_token123',
+      id_token2: 'id_token456',
+      name: 'John Doe',
+      age: 30,
+      isAdmin: true,
+      address: {
+        street: '123 Main St',
+        city: 'Anytown',
+        zip: '12345',
+        personal: {
+          favoritePassword: 'favoritePassword123',
+          password: 'password123',
+          color: 'red',
+        },
+      },
+    };
+
+    const result = findPotentiallySecretObjectFields(obj);
+    expect(result).toEqual([
+      'token123456',
+      'password345',
+      'access_token678',
+      'id_token901',
+      'some_client_secret',
+      'password123',
+    ]);
+  });
+});
+
+describe('containsSecret', () => {
+  it('should return true if the value contains a secret', () => {
+    const result = containsSecret('token123456', new Set(['token123456']));
+    expect(result).toBe(true);
+  });
+
+  it('should return false if the value does not contain a secret', () => {
+    const result = containsSecret('token123456', new Set(['token123456']));
+    expect(result).toBe(true);
+  });
+
+  it('should return true if the value contains a secret in different casing', () => {
+    const result = containsSecret('token123456', new Set(['token123456']));
+    expect(result).toBe(true);
+  });
+});
+
+describe('maskSecrets', () => {
+  it('should mask secrets', () => {
+    const result = maskSecrets('token123456', new Set(['token123456']));
+    expect(result).toEqual('********');
+  });
+
+  it('should mask secrets in different casing', () => {
+    const result = maskSecrets('token123456', new Set(['token123456']));
+    expect(result).toEqual('********');
+  });
+
+  it('should mask secrets in nested object', () => {
+    const result = maskSecrets(
+      { token: 'token123456', nested: { password: 'password123456' } },
+      new Set(['token123456'])
+    );
+    expect(result).toEqual({
+      nested: {
+        password: 'password123456',
+      },
+      token: '********',
+    });
+  });
+
+  it('should mask secrets in array', () => {
+    const result = maskSecrets(['token123456', 'password123456'], new Set(['token123456']));
+    expect(result).toEqual(['********', 'password123456']);
+  });
+
+  it('should mask secrets in string', () => {
+    const result = maskSecrets('Bearer token123456', new Set(['token123456']));
+    expect(result).toEqual('Bearer ********');
+  });
+});
diff --git a/packages/respect-core/src/modules/cli-output/mask-secrets.ts b/packages/respect-core/src/modules/cli-output/mask-secrets.ts
@@ -1,3 +1,11 @@
+export const POTENTIALLY_SECRET_FIELDS = [
+  'token',
+  'access_token',
+  'id_token',
+  'password',
+  'client_secret',
+];
+
 export function maskSecrets<T extends { [x: string]: any } | string>(
   target: T,
   secretValues: Set<string>
@@ -9,7 +17,7 @@ export function maskSecrets<T extends { [x: string]: any } | string>(
   if (typeof target === 'string') {
     let maskedString = target as string;
     secretValues.forEach((secret) => {
-      maskedString = maskedString.split(secret).join('*'.repeat(secret.length));
+      maskedString = maskedString.split(secret).join('*'.repeat(8));
     });
     return maskedString as T;
   }
@@ -44,3 +52,45 @@ export function maskSecrets<T extends { [x: string]: any } | string>(
 export function containsSecret(value: string, secretValues: Set<string>): boolean {
   return Array.from(secretValues).some((secret) => value.includes(secret));
 }
+
+export function findPotentiallySecretObjectFields(
+  obj: any,
+  tokenKeys: string[] = POTENTIALLY_SECRET_FIELDS
+): string[] {
+  const foundTokens: string[] = [];
+
+  if (!obj || typeof obj !== 'object') {
+    return foundTokens;
+  }
+
+  const searchInObject = (currentObj: any) => {
+    if (!currentObj || typeof currentObj !== 'object') {
+      return;
+    }
+
+    if (Array.isArray(currentObj)) {
+      for (const item of currentObj) {
+        searchInObject(item);
+      }
+      return;
+    }
+
+    for (const key in currentObj) {
+      const value = currentObj[key];
+
+      // Check if the key matches any of the token keys (case-insensitive)
+      if (tokenKeys.some((tokenKey) => tokenKey.toLowerCase() === key.toLowerCase())) {
+        if (typeof value === 'string' && value.trim()) {
+          foundTokens.push(value);
+        }
+      }
+
+      if (value && typeof value === 'object') {
+        searchInObject(value);
+      }
+    }
+  };
+
+  searchInObject(obj);
+  return foundTokens;
+}
diff --git a/packages/respect-core/src/utils/api-fetcher.ts b/packages/respect-core/src/utils/api-fetcher.ts
@@ -13,7 +13,11 @@ import {
 import { withHar } from '../utils/har-logs/index.js';
 import { isEmpty } from './is-empty.js';
 import { resolvePath } from '../modules/context-parser/index.js';
-import { getVerboseLogs, maskSecrets } from '../modules/cli-output/index.js';
+import {
+  getVerboseLogs,
+  maskSecrets,
+  findPotentiallySecretObjectFields,
+} from '../modules/cli-output/index.js';
 import { getResponseSchema } from '../modules/description-parser/index.js';
 import { collectSecretFields } from '../modules/flow-runner/index.js';
 import { createMtlsClient } from './mtls/create-mtls-client.js';
@@ -374,6 +378,11 @@ export class ApiFetcher implements IFetcher {
 
     collectSecretFields(ctx, responseSchema, transformedBody);
 
+    const foundResponseBodySecrets = findPotentiallySecretObjectFields(transformedBody);
+    for (const secretItem of foundResponseBodySecrets) {
+      ctx.secretFields.add(secretItem);
+    }
+
     const maskedResponseBody = isJsonContentType(responseContentType)
       ? maskSecrets(transformedBody, ctx.secretFields || new Set())
       : transformedBody;
