
package scrub

import ""

Package scrub offers data scrubbing options for protecting sensitive data.


Package Files

buffer.go command.go entropy.go password.go pem.go scrub.go


const (
    // DefaultWhitespace is used to split the given input string into tokens that get scrubbed individually.
    DefaultWhitespace = " \t\r\n="

    // DefaultEntropyThreshold is chosen to not match most UNIX shell commands, but it does match
    // passwords with sufficient complexity; use with care!
    DefaultEntropyThreshold = 3.75

    // IdealEntropyCorrection is used to calculate how much of ideal entropy should be in the string to be considered for scrubbing.
    IdealEntropyCorrection = 0.75
)

Defaults for the Entropy scrubber.


var (
    // PEMDHParameters scrubs a PEM DH PARAMETERS block retaining its original length.
    PEMDHParameters = regexpScrubber{
        // contains filtered or unexported fields
    }

    // PEMPrivateKey scrubs a PEM PRIVATE KEY block retaining its original length.
    PEMPrivateKey = regexpScrubber{
        // contains filtered or unexported fields
    }
)

var (
    // Replacement string.
    Replacement = `*redacted*`

    // ReplaceChar is used for equal length replacement.
    ReplaceChar = '*'
)

var All = Scrubbers{
        Whitespace: []rune(DefaultWhitespace),
        Threshold:  DefaultEntropyThreshold,

All registered scrubbers in safe evaluation order.

var Command = CommandScrubber{
    "mysql":     {re(`-p(\s?\S+)`), re(`--password(?:[= ])(\S+)`)},
    "mysqldump": {re(`-p(\s?\S+)`), re(`--password(?:[= ])(\S+)`)},
}

Command scrubber for well-known (shell) commands.

func Entropy

func Entropy(s string) string

Entropy scrubs all high-entropy strings from s based on the ideal entropy for a string of len(s).

func EntropyWithThreshold

func EntropyWithThreshold(s string, threshold float64) string

EntropyWithThreshold is like Entropy with a custom threshold.

type Buffer

type Buffer struct {
    Scrubber Scrubber
    // contains filtered or unexported fields
}

Buffer can be written to and will scrub. By default the Buffer scrubs before each Read invocation.

func NewBuffer

func NewBuffer(scrubber Scrubber) *Buffer

NewBuffer returns a Buffer with the selected Scrubber.

func (*Buffer) Read

func (b *Buffer) Read(p []byte) (n int, err error)

Read data from the buffer. If no data has been written yet, this will block until a write occurs.

func (*Buffer) Reset

func (b *Buffer) Reset()

Reset cancels any remaining flushers and empties the buffer.

func (*Buffer) ScrubAfter

func (b *Buffer) ScrubAfter(timeout time.Duration) CancelFunc

ScrubAfter scrubs the contents of the internal buffer after no Write has happened for timeout. This is useful to make sure no unscrubbed secrets remain in memory, or if you want to scrub after a burst of writes followed by a pause, such as when scrubbing the output of a terminal session. If timeout <= 0 then the Buffer will be scrubbed for each write.

func (*Buffer) ScrubSize

func (b *Buffer) ScrubSize(size int)

ScrubSize scrubs the contents of the buffer if it is larger than size. If size is equal to or less than 0, the buffer will be scrubbed immediately.

func (*Buffer) Write

func (b *Buffer) Write(p []byte) (int, error)

Write data to the buffer.

func (*Buffer) WriteString

func (b *Buffer) WriteString(s string) (n int, err error)

type CancelFunc

type CancelFunc func()

CancelFunc cancels a Buffer flusher.

type CommandScrubber

type CommandScrubber map[string][]*regexp.Regexp

CommandScrubber can scrub arguments for commands that contain password flags.

func (CommandScrubber) Scrub

func (cs CommandScrubber) Scrub(s string) string

type EntropyScrubber

type EntropyScrubber struct {
    // Whitespace runes.
    Whitespace []rune

    // Threshold for scrubbing. If not set the ideal entropy is calculated based on the length of the input string.
    Threshold float64

    // Correction threshold matching based on the ideal entropy if the Threshold is empty. If not set, the
    // correction is set to the IdealEntropyCorrection.
    Correction float64
}

EntropyScrubber splits the input by Whitespace and matches each part's entropy with the configured threshold.

func (EntropyScrubber) Scrub

func (es EntropyScrubber) Scrub(s string) string

Scrub string s by first splitting the input based on Whitespace and then analyzing the entropy of each field.
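
The split-then-threshold behaviour described for EntropyScrubber, as an added example that is not the package's own code. It assumes Shannon entropy over bytes, a `>=` comparison and equal-length `*` masking; `shannon`, `mask`, `scrubTokens` and `minScrubbableLen` are hypothetical names, and the sample lines are constructed.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

const whitespace, threshold = " \t\r\n=", 3.75 // DefaultWhitespace, DefaultEntropyThreshold

// shannon returns bits per byte; assumed measure, the docs only say "entropy".
func shannon(tok string) (h float64) {
	n := float64(len(tok))
	for i := 0; i < len(tok); i++ { // each occurrence adds -log2(p)/n
		p := float64(strings.Count(tok, tok[i:i+1])) / n
		h -= math.Log2(p) / n
	}
	return h
}

// mask replaces a token at or above limit with '*' of equal length (assumed rule).
func mask(tok string, limit float64) string {
	if shannon(tok) >= limit {
		return strings.Repeat("*", len(tok))
	}
	return tok
}

// scrubTokens splits s on the separator set, keeps the separators, masks tokens.
func scrubTokens(s string, limit float64) string {
	out, start := &strings.Builder{}, 0
	for i, r := range s {
		if strings.ContainsRune(whitespace, r) {
			out.WriteString(mask(s[start:i], limit))
			out.WriteRune(r)
			start = i + 1 // every separator is one byte wide
		}
	}
	out.WriteString(mask(s[start:], limit))
	return out.String()
}

// minScrubbableLen: a token of n bytes carries at most log2(n) bits per byte.
func minScrubbableLen(limit float64) int { return int(math.Ceil(math.Exp2(limit))) }

func main() { // constructed sample lines, not real credentials
	fmt.Println(scrubTokens("export API_TOKEN=9fK2xQ7vLm3ZpR8sTb1WcY6d", threshold))
	fmt.Println(scrubTokens("mysql -u root -phunter2!", threshold))
}
```

Under these assumptions no token shorter than 14 bytes can reach 3.75, so the short `-p` password in the second line passes through the entropy check untouched; that class of secret depends on the Command scrubber's patterns instead.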

type Scrubber

type Scrubber interface {
    // Scrub a string.
    Scrub(string) string
}

Scrubber redacts sensitive data.

var (
    // CryptHash can scrub hashes in common crypt formats, such as Apache and IANA crypt hashes.
    CryptHash Scrubber = regexpScrubber{
        // contains filtered or unexported fields
    }
)

type Scrubbers

type Scrubbers []Scrubber

Scrubbers is zero or more Scrubber values that act as a single scrubber.

func (Scrubbers) Scrub

func (scrubbers Scrubbers) Scrub(s string) string

Scrub with all scrubbers; the first scrubber to alter the input returns the scrubbed output.

Package scrub imports 9 packages. Updated 2020-03-23.