Improvements to e-mail masking

sandermvanvliet · sandermvanvliet · commit 6ea87ff377ed · 2020-03-03T08:33:11.000+01:00
diff --git a/src/Serilog.Enrichers.Sensitive/EmailAddressMaskingOperator.cs b/src/Serilog.Enrichers.Sensitive/EmailAddressMaskingOperator.cs
@@ -4,15 +4,30 @@ namespace Serilog.Enrichers.Sensitive
 {
     public class EmailAddressMaskingOperator : IMaskingOperator
     {
-        private static readonly Regex EmailReplaceRegex = new Regex("(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|\"(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21\\x23-\\x5b\\x5d-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])*\")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21-\\x5a\\x53-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])+)\\])");
+        private static readonly Regex EmailReplaceRegex = new Regex(
+            "(?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|\"(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21\\x23-\\x5b\\x5d-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])*\")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21-\\x5a\\x53-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])+)\\])",
+            RegexOptions.IgnoreCase);
 
         public MaskingResult Mask(string input, string mask)
         {
+            // Naive approach to deal with URL encoded values
+            // most likely this should properly URL decode once it
+            // finds this marker in the input string
+            if (input.Contains("%40"))
+            {
+                input = input.Replace("%40", "@");
+            }
+
+            // Early exit so we avoid the regex.
+            // Probably needs a benchmark to see
+            // if this actually helps.
             if (!input.Contains("@"))
             {
                 return MaskingResult.NoMatch;
             }
 
+            // Note that if we get here we _always_ assume
+            // a successful replacement.
             return new MaskingResult
             {
                 Result = EmailReplaceRegex.Replace(input, mask),
diff --git a/src/Serilog.Enrichers.Sensitive/Serilog.Enrichers.Sensitive.csproj b/src/Serilog.Enrichers.Sensitive/Serilog.Enrichers.Sensitive.csproj
@@ -8,7 +8,7 @@
 
   <PropertyGroup>
     <IsPackable>true</IsPackable>
-    <Version>0.1.1</Version>
+    <Version>0.1.2</Version>
     <Title>Serilog enricher to mask sensitive data</Title>
     <Description>An enricher to be used for masking sensitive (PII) data using Serilog</Description>
     <Copyright>2020 Sander van Vliet</Copyright>
diff --git a/test/Serilog.Enrichers.Sensitive.Tests.Unit/WhenMaskingEmailAddresses.cs b/test/Serilog.Enrichers.Sensitive.Tests.Unit/WhenMaskingEmailAddresses.cs
@@ -0,0 +1,67 @@
+﻿using FluentAssertions;
+using Xunit;
+
+namespace Serilog.Enrichers.Sensitive.Tests.Unit
+{
+    public class WhenMaskingEmailAddresses
+    {
+        [Fact]
+        public void GivenSimpleMailAddress_AddressIsMasked()
+        {
+            TheMaskedResultOf("simple@email.com")
+                .Should()
+                .Be(Mask);
+        }
+
+        [Fact]
+        public void GivenSimpleMailAddressButUppercase_AddressIsMasked()
+        {
+            TheMaskedResultOf("SIMPLE@email.com")
+                .Should()
+                .Be(Mask);
+        }
+
+        [Fact]
+        public void GivenEmailAddressWithBoxQualifier_AddressIsMasked()
+        {
+            TheMaskedResultOf("test+spamfolder@email.com")
+                .Should()
+                .Be(Mask);
+        }
+
+        [Fact]
+        public void GivenEmailAddressWithSubdomains_AddressIsMasked()
+        {
+            TheMaskedResultOf("test@sub.sub.sub.email.com")
+                .Should()
+                .Be(Mask);
+        }
+
+        [Fact]
+        public void GivenEmailAddressInUrl_EntireStringIsMasked()
+        {
+            TheMaskedResultOf("https://foo.com/api/1/some/endpoint?email=test@sub.sub.sub.email.com")
+                .Should()
+                .Be("https:" + Mask); // I don't even regex
+        }
+
+        [Fact]
+        public void GivenEmailAddressUrlEncoded_AddressIsMasked()
+        {
+            TheMaskedResultOf("test%40email.com")
+                .Should()
+                .Be(Mask); // I don't even regex
+        }
+
+        private const string Mask = "***MASK***";
+
+        private static string TheMaskedResultOf(string input)
+        {
+            var maskingResult = new EmailAddressMaskingOperator().Mask(input, Mask);
+
+            return maskingResult.Match 
+                ? maskingResult.Result 
+                : input;
+        }
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -4,15 +4,30 @@ namespace Serilog.Enrichers.Sensitive`
`4`	`4`	`{`
`5`	`5`	`public class EmailAddressMaskingOperator : IMaskingOperator`
`6`	`6`	`{`
`7`		- private static readonly Regex EmailReplaceRegex = new Regex("(?:[a-z0-9!#$%&'+/=?^_`{\|}~-]+(?:\\.[a-z0-9!#$%&'+/=?^_`{\|}~-]+)\|\"(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21\\x23-\\x5b\\x5d-\\x7f]\|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])\")@(?:(?:[a-z0-9](?:[a-z0-9-][a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-][a-z0-9])?\|\\[(?:(?:25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?\|[a-z0-9-]*[a-z0-9]:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21-\\x5a\\x53-\\x7f]\|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])+)\\])");
	`7`	`+ private static readonly Regex EmailReplaceRegex = new Regex(`
	`8`	+ "(?:[a-z0-9!#$%&'+/=?^_`{\|}~-]+(?:\\.[a-z0-9!#$%&'+/=?^_`{\|}~-]+)\|\"(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21\\x23-\\x5b\\x5d-\\x7f]\|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])\")@(?:(?:[a-z0-9](?:[a-z0-9-][a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-][a-z0-9])?\|\\[(?:(?:25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?\|[a-z0-9-]*[a-z0-9]:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21-\\x5a\\x53-\\x7f]\|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])+)\\])",
	`9`	`+ RegexOptions.IgnoreCase);`
`8`	`10`
`9`	`11`	`public MaskingResult Mask(string input, string mask)`
`10`	`12`	`{`
	`13`	`+ // Naive approach to deal with URL encoded values`
	`14`	`+ // most likely this should properly URL decode once it`
	`15`	`+ // finds this marker in the input string`
	`16`	`+ if (input.Contains("%40"))`
	`17`	`+ {`
	`18`	`+ input = input.Replace("%40", "@");`
	`19`	`+ }`
	`20`	`+`
	`21`	`+ // Early exit so we avoid the regex.`
	`22`	`+ // Probably needs a benchmark to see`
	`23`	`+ // if this actually helps.`
`11`	`24`	`if (!input.Contains("@"))`
`12`	`25`	`{`
`13`	`26`	`return MaskingResult.NoMatch;`
`14`	`27`	`}`
`15`	`28`
	`29`	`+ // Note that if we get here we _always_ assume`
	`30`	`+ // a successful replacement.`
`16`	`31`	`return new MaskingResult`
`17`	`32`	`{`
`18`	`33`	`Result = EmailReplaceRegex.Replace(input, mask),`