github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-07 13:51:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): redact Telegram bot tokens in errors

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-16 03:30:39 +01:00
parent 09566b1693
commit cf69907015
4 changed files with 31 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/logging/redact.test.ts
View File

@@ -49,6 +49,16 @@ describe("redactSensitiveText", () => {
expect(output).toBe("123456…cdef");
});
it("masks Telegram Bot API URL tokens", () => {
const input =
"GET https://api.telegram.org/bot123456:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef/getMe HTTP/1.1";
const output = redactSensitiveText(input, {
mode: "tools",
patterns: defaults,
});
expect(output).toBe("GET https://api.telegram.org/bot123456…cdef/getMe HTTP/1.1");
});
it("redacts short tokens fully", () => {
const input = "TOKEN=shortvalue";
const output = redactSensitiveText(input, {

2
src/logging/redact.ts
View File

@@ -32,6 +32,8 @@ const DEFAULT_REDACT_PATTERNS: string[] = [
String.raw`\b(AIza[0-9A-Za-z\-_]{20,})\b`,
String.raw`\b(pplx-[A-Za-z0-9_-]{10,})\b`,
String.raw`\b(npm_[A-Za-z0-9]{10,})\b`,
// Telegram Bot API URLs embed the token as `/bot<token>/...` (no word-boundary before digits).
String.raw`\bbot(\d{6,}:[A-Za-z0-9_-]{20,})\b`,
String.raw`\b(\d{6,}:[A-Za-z0-9_-]{20,})\b`,
];