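# Bruno — token patterns in body content, scripts, and header/param arrays
#
# These patterns cover the streaming pass for content the structured profile
# cannot reach: body:json / http.body.data blocks, runtime scripts, and
# high-entropy values in header/parameter {name, value} arrays.
#
# All regexes run against raw text, so each one has to tolerate the syntax
# around the secret (JSON quotes, JS string literals, `key: value` in .bru).
# Patterns are written in single-quoted YAML scalars so backslashes reach the
# regex engine untouched; a literal single quote inside them is written `''`.
#
# Known gap (intentional, no rule below): login bodies such as
# `"password": "..."` are not matched here — their values are often shorter
# than the 16-char minimum used for tokens and need a dedicated, lower
# threshold rule if the scanner offers a password/credential category.

# Bearer token in an Authorization header value or a script assignment.
# The trailing \b stops the capture at the last word character, so base64
# padding (`=`) and a trailing `/` or `-` are left outside the match — harmless
# for redaction, but the captured value is not always the full token.
- kind: regex
  pattern: '(?i)\bBearer\s+([A-Za-z0-9\-._~+/]{16,})\b'
  category: auth_token
  label: bruno_bearer_token

# JWT in body or script context (header.payload.signature, base64url).
# A signature segment of 20+ chars is required, so unsigned `alg: none`
# tokens (empty third segment) are deliberately not matched by this rule.
- kind: regex
  pattern: '\b(eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,})\b'
  category: jwt
  label: bruno_jwt

# AWS access key ID. AKIA = long-term user key, ASIA = temporary (STS) key,
# AROA = IAM role unique ID. Note that AROA values identify a role and are not
# a credential on their own; the sensitive half (the 40-char secret access
# key) has no fixed prefix and is left to the setVar rule and the entropy
# signal below.
- kind: regex
  pattern: '\b((?:AKIA|ASIA|AROA)[A-Z0-9]{16})\b'
  category: auth_token
  label: bruno_aws_access_key

# bru.setVar() / bru.setCollectionVar() / bru.setEnvVar() /
# bru.setGlobalEnvVar() called with a literal credential value
# (variable name in the first argument, value in the second).
# Only quoted string literals match: assignments from `res.body.token` or
# `bru.getEnvVar(...)` carry no secret in the file and are skipped.
# NOTE(review): there is no entropy gate on this rule, so any quoted word of
# 8+ chars (e.g. "production") is reported — tune by label if that is noisy.
- kind: regex
  pattern: '(?i)bru\.set(?:Var|CollectionVar|EnvVar|GlobalEnvVar)\s*\(\s*["\x27][^"''\s]+["\x27]\s*,\s*["\x27]([A-Za-z0-9\-._~+/=]{8,})["\x27]'
  category: auth_token
  label: bruno_script_setvar

# OAuth2 / API token in a body:json or http.body.data response paste.
# Keys are matched case-insensitively in both snake_case and camelCase
# (access_token / accessToken, client_secret / clientSecret, api_key / apiKey).
# `=` is part of the value class: the closing quote must follow the value
# directly, so without it a base64-padded token (`"...=="`) would never match.
# Form-encoded bodies (`client_secret=...&`) are not covered by this rule.
- kind: regex
  pattern: '(?i)"(?:access_?token|refresh_?token|id_?token|token|client_?secret|api_?key)"\s*:\s*"([A-Za-z0-9\-._~+/=]{16,})"'
  category: auth_token
  label: bruno_oauth_token_body

# field-name signal: high-entropy `value` fields in http.headers and http.params
# arrays (and auth:apikey `value` in .bru files not caught by explicit rules).
# threshold 4.0 skips template refs ({{token}}), enum values (json, header), etc.
# NOTE(review): 4.0 bits/char is the Shannon-entropy ceiling of a 16-symbol
# alphabet, so purely hexadecimal values (MD5/SHA-style keys, many session IDs)
# can at best reach the threshold and — depending on whether the comparison is
# strict — will not trip this rule. Such values rely on the explicit rules above.
- kind: field-name
  pattern: "^value$"
  category: auth_token
  label: bruno_value_signal
  threshold: 4.0

# Values that are never redacted, whichever rule matched them.
# Every entry is quoted on purpose: unquoted `true`, `false`, `null`, `0`, `1`
# would be typed by the YAML parser and no longer compare equal to the string
# the scanner sees. `{{*}}` and `${*}` are glob entries (the `*` wildcard is
# interpreted by the allow matcher, not by YAML). Both `Bearer` and `bearer`
# are listed, which suggests allow matching is case-sensitive — keep both.
- kind: allow
  values:
  # Template variable references — never redact these
  - "{{*}}"
  - "${*}"
  # Auth type names
  - "Bearer"
  - "Basic"
  - "inherit"
  - "bearer"
  - "basic"
  - "apikey"
  - "digest"
  - "oauth1"
  - "oauth2"
  - "awsv4"
  - "ntlm"
  - "wsse"
  # HTTP methods / placement values
  - "GET"
  - "POST"
  - "PUT"
  - "PATCH"
  - "DELETE"
  - "HEAD"
  - "OPTIONS"
  - "header"
  - "query"
  - "path"
  # MIME types / body modes
  - "application/json"
  - "application/x-www-form-urlencoded"
  - "multipart/form-data"
  - "text/plain"
  - "text/html"
  - "json"
  - "text"
  - "xml"
  - "graphql"
  # Standard scalars, local hosts and obvious placeholders
  - "true"
  - "false"
  - "null"
  - "none"
  - "0"
  - "1"
  - "localhost"
  - "127.0.0.1"
  - "0.0.0.0"
  - "::1"
  - "changeme"
  - "example"
  - "sample"
  - "placeholder"
  - "example.com"
  - "example.org"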