


Needle Engine is a web-based runtime for 3D apps. It runs on your machine for development with great integrations into editors like Unity or Blender - and can be deployed onto any device! It is flexible and extensible, and networking and XR are built in.

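// @ts-check

/**
 * Ordered redaction rules applied by {@link sanitizeSecrets}.
 *
 * Order matters: PEM blocks go first because they span lines, and the
 * scheme-specific rules (Bearer/Basic) run before the generic Authorization
 * header rule so the header value is already scrubbed when the generic rule
 * sees it. Every regex carries the `g` flag; `String.prototype.replace`
 * resets `lastIndex` to 0 for global regexes, so no manual reset is needed.
 *
 * Redaction is deliberately greedy: a false positive costs a few masked
 * characters, a false negative leaks a credential.
 *
 * @type {Array<{regex: RegExp, label: string, replacement: string}>}
 */
const SECRET_PATTERNS = [
  // Private keys (PEM blocks) — match first since they're multi-line
  {
    regex: /-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+|OPENSSH\s+|ENCRYPTED\s+)?PRIVATE KEY-----[\s\S]*?-----END\s+(?:RSA\s+|EC\s+|DSA\s+|OPENSSH\s+|ENCRYPTED\s+)?PRIVATE KEY-----/g,
    label: "private-key",
    replacement: "***PRIVATE_KEY_REDACTED***",
  },
  // Bearer / Basic auth tokens
  { regex: /(Bearer\s+)\S+/gi, label: "bearer-token", replacement: "$1***REDACTED***" },
  { regex: /(Basic\s+)[A-Za-z0-9+/=]+/gi, label: "basic-auth", replacement: "$1***REDACTED***" },
  // Authorization header value. The whole remaining value is redacted (up to a
  // line break or quote) rather than only the first whitespace-delimited word,
  // so schemes other than Bearer/Basic (e.g. `Token x`, `Digest …`) cannot leak
  // their credential, and a JSON-quoted header name (`"Authorization":"…"`)
  // is matched as well.
  {
    regex: /(Authorization["']?\s*:\s*["']?)([^\r\n"']+)/gi,
    label: "auth-header",
    replacement: "$1***REDACTED***",
  },
  // AWS access key IDs (always start with AKIA/ASIA)
  { regex: /\b(A[SK]IA[0-9A-Z]{16})\b/g, label: "aws-key", replacement: "***AWS_KEY_REDACTED***" },
  // GitHub / GitLab / npm tokens
  { regex: /\b(gh[psotr]_[a-zA-Z0-9]{36,})\b/g, label: "github-token", replacement: "***GITHUB_TOKEN_REDACTED***" },
  { regex: /\b(glpat-[a-zA-Z0-9\-_]{20,})\b/g, label: "gitlab-token", replacement: "***GITLAB_TOKEN_REDACTED***" },
  { regex: /\b(npm_[a-zA-Z0-9]{36,})\b/g, label: "npm-token", replacement: "***NPM_TOKEN_REDACTED***" },
  // OpenAI / Anthropic / common AI service keys. The class includes `-` and `_`
  // because current key formats carry hyphenated prefixes (e.g. `sk-proj-…`,
  // `sk-ant-…`); an alphanumeric-only class would stop at the first hyphen
  // and never reach the 20-character minimum.
  { regex: /\b(sk-[a-zA-Z0-9_-]{20,})\b/g, label: "api-key-sk", replacement: "***API_KEY_REDACTED***" },
  // JWT tokens (header.payload.signature, each segment is base64url)
  {
    regex: /\beyJ[a-zA-Z0-9_-]{10,}\.eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}\b/g,
    label: "jwt",
    replacement: "***JWT_REDACTED***",
  },
  // Passwords embedded in URLs (scheme://user:password@host)
  { regex: /:\/\/([^/:@\s]+):([^@\s]+)@/g, label: "url-credential", replacement: "://$1:***REDACTED***@" },
  // Key-value pairs where the key looks secret-like (in query strings, env vars,
  // config, JSON). An optional quote is allowed both after the key (JSON/YAML
  // `"password": "x"`) and before the value (single- or double-quoted values);
  // without it a JSON-quoted key never reaches the `[=:]` separator and a
  // single-quoted value is never redacted.
  {
    regex: /((?:password|passwd|pwd|secret|token|api_?key|apikey|access_?key|private_?key|client_?secret|auth_?token|refresh_?token|session_?id|session_?token|database_?url|connection_?string)\s*["']?\s*[=:]\s*["']?)([^\s"',}{)\]]+)/gi,
    label: "secret-value",
    replacement: "$1***REDACTED***",
  },
  // Generic long hex strings that look like secrets (40+ chars)
  // Only match if preceded by a secret-like context word to avoid false positives
  {
    regex: /((?:key|token|secret|password|credential|auth)[^a-zA-Z0-9]{0,5})([a-f0-9]{40,})\b/gi,
    label: "hex-secret",
    replacement: "$1***REDACTED***",
  },
];

/**
 * Scrubs potential secrets from a string before it is written to disk or sent
 * over the wire.
 *
 * Rules are applied in {@link SECRET_PATTERNS} order; each rule operates on the
 * output of the previous one, so a value may be masked more than once.
 *
 * @param {string} str - text that may contain credentials
 * @returns {string} the text with every recognised secret replaced by a `***…REDACTED***` marker
 * @throws {TypeError} if `str` does not have a `.replace` method (e.g. `null` or `undefined`)
 */
export function sanitizeSecrets(str) {
  return SECRET_PATTERNS.reduce(
    (text, { regex, replacement }) => text.replace(regex, replacement),
    str,
  );
}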