Documentation
Overview
Package scrub offers data scrubbing options for protecting sensitive data.
Constants
const (
	// DefaultWhitespace is used to split the given input string into tokens that get scrubbed individually.
	DefaultWhitespace = " \t\r\n="

	// DefaultEntropyThreshold is chosen to not match most UNIX shell commands, but it does match
	// passwords with sufficient complexity; use with care!
	DefaultEntropyThreshold = 3.75

	// IdealEntropyCorrection is used to calculate how much of ideal entropy should be in the string to be considered for scrubbing.
	IdealEntropyCorrection = 0.75
)
Defaults for the Entropy scrubber.
Variables
var (
	// PEMDHParameters scrubs a PEM DH PARAMETERS block retaining its original length.
	PEMDHParameters = regexpScrubber{
		// contains filtered or unexported fields
	}

	// PEMPrivateKey scrubs a PEM PRIVATE KEY block retaining its original length.
	PEMPrivateKey = regexpScrubber{
		// contains filtered or unexported fields
	}
)
var (
	// Replacement string.
	Replacement = `*redacted*`

	// ReplaceChar is used for equal length replacement.
	ReplaceChar = '*'
)
var All = Scrubbers{
	Command,
	CryptHash,
	PEMDHParameters,
	PEMPrivateKey,
	EntropyScrubber{
		Whitespace: []rune(DefaultWhitespace),
		Threshold:  DefaultEntropyThreshold,
	},
}
All registered scrubbers in safe evaluation order.
var Command = CommandScrubber{
	"mysql":     {re(`-p(\s?\S+)`), re(`--password(?:[= ])(\S+)`)},
	"mysqldump": {re(`-p(\s?\S+)`), re(`--password(?:[= ])(\S+)`)},
}
Command scrubber for well-known (shell) commands.
Functions
func Entropy
Entropy scrubs all high-entropy strings from s based on the ideal entropy for a string of len(s).
Types
type Buffer
type Buffer struct {
	Scrubber Scrubber
	// contains filtered or unexported fields
}
Buffer can be written to and will scrub. By default the Buffer scrubs before each Read invocation.
func NewBuffer
NewBuffer returns a Buffer with the selected Scrubber.
func (*Buffer) Read
Read data from the buffer. If no data has been written yet, this will block until a write occurs.
func (*Buffer) Reset
func (b *Buffer) Reset()
Reset cancels any remaining flushers and empties the buffer.
func (*Buffer) ScrubAfter
func (b *Buffer) ScrubAfter(timeout time.Duration) CancelFunc
ScrubAfter scrubs the contents of the internal buffer after no Write has happened for timeout. This is useful to make sure no unscrubbed secrets remain in memory, or to scrub once a burst of writes is followed by a pause, such as when scrubbing the output of a terminal session. If timeout <= 0 then the Buffer will be scrubbed for each write.
func (*Buffer) ScrubSize
ScrubSize scrubs the contents of the buffer if it is larger than size. If size is equal to or less than 0, the buffer will be scrubbed immediately.
type CommandScrubber
CommandScrubber can scrub arguments for commands that contain password flags.
func (CommandScrubber) Scrub
func (cs CommandScrubber) Scrub(s string) string
type EntropyScrubber
type EntropyScrubber struct {
	// Whitespace runes.
	Whitespace []rune

	// Threshold for scrubbing. If not set the ideal entropy is calculated based on the length of the input string.
	Threshold float64

	// Correction threshold matching based on the ideal entropy if the Threshold is empty. If not set, the
	// correction is set to the IdealEntropyCorrection.
	Correction float64
}
EntropyScrubber splits the input by Whitespace and matches each part's entropy with the configured threshold.
func (EntropyScrubber) Scrub
func (es EntropyScrubber) Scrub(s string) string
Scrub string s by first splitting the input based on Whitespace and then analyzing the entropy of each field.
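The split-then-score behaviour described for EntropyScrubber, as an added example that is not the package's own code. It assumes Shannon entropy in bits per character and a strict ">" comparison; the names shannon, scrubEntropy and minScrubLen are hypothetical. It also goes one step beyond the text by computing the shortest token a fixed threshold can ever match.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Values copied from the constants and variables documented on this page.
const whitespace, threshold, replacement = " \t\r\n=", 3.75, "*redacted*"

// shannon returns the entropy of tok in bits per character (assumed metric).
func shannon(tok string) float64 {
	counts, n, h := map[rune]int{}, 0.0, 0.0
	for _, r := range tok {
		counts[r]++
		n++
	}
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// scrubEntropy keeps separators and replaces tokens scoring above limit (strict ">" assumed).
func scrubEntropy(s string, limit float64) string {
	var out strings.Builder
	start := 0
	for i, r := range s + " " { // sentinel separator flushes the final token
		if !strings.ContainsRune(whitespace, r) {
			continue
		}
		tok := s[start:i]
		if shannon(tok) > limit {
			tok = replacement
		}
		out.WriteString(tok + string(r))
		start = i + 1
	}
	return strings.TrimSuffix(out.String(), " ")
}

// minScrubLen: n distinct characters yield at most log2(n) bits, so shorter tokens never match.
func minScrubLen(limit float64) int { return int(math.Floor(math.Exp2(limit))) + 1 }

func main() { // constructed sample inputs
	fmt.Println(scrubEntropy("export DB_PASSWORD=Xk9#mQ2$vL7!pR4z", threshold))
	fmt.Println(scrubEntropy("export DB_PASSWORD=hunter2", threshold), minScrubLen(threshold))
}
```

Under these assumptions a threshold of 3.75 cannot match any token shorter than 14 characters, so short secrets pass through unless another scrubber (such as Command) catches them.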