ggwhite / go-masker

Simple utility of creating a mask for sensitive information
https://godoc.org/github.com/ggwhite/go-masker
MIT License

Email masker is too easy to reverse #26

Closed thallard closed 8 months ago

thallard commented 9 months ago

Hello,

I'm working with your library and I found a potential bug with the email masking: it looks like it's just masking 4 characters and not checking the email length. Here is an example:

```go
func TestEmailMasker(t *testing.T) {
    emailMasker := masker.New()

    assert.Equal(t, "pot****@vegetables.com", emailMasker.Email("pota@vegetables.com")) // -> good

    assert.Equal(t, "pot***********@vegetables.com", emailMasker.Email("potato.eggplant@vegetables.com"))
    // -> return assertion failed: assertion failed: pot***********@vegetables.com (string) != pot****eggplant@vegetables.com (string)
}
```

On the first assert, there is only 1 character after the first 3 letters and it's adding 4 *, but it's not an issue IMO.

But in the second case, the mask is adding 4 * and not hiding the next characters. I think it's not the wanted behavior; we can easily find the real email behind a mask like this one.

Thanks!

ggwhite commented 8 months ago

@thallard you can try v2 and customize the email masker:


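```go
package main

import (
    "log"

    masker "github.com/ggwhite/go-masker/v2"
)

// MyEmailMasker replaces the default email masking logic.
type MyEmailMasker struct{}

// Marshal returns the masked form of the input.
func (m *MyEmailMasker) Marshal(s, i string) string {
    return "myemailmasker"
}

func main() {
    m := masker.NewMaskerMarshaler()

    // Register custom masker and override default masker
    m.Register(masker.MaskerTypeEmail, &MyEmailMasker{})

    log.Println(m.Marshal(masker.MaskerTypeEmail, "email")) // myemailmasker <nil>
}
```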
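An added example, not part of the thread and not go-masker's code: a stand-alone masker with the `Marshal(s, i string) string` method shape shown above that masks the whole remainder of the local part, next to a constructed reproduction of the output reported in the issue. `reportedMask`, `LocalPartMasker`, `Keep` and `MinMask` are hypothetical names, and it is an assumption that `s` is the mask symbol and `i` the input.

```go
package main

import (
	"fmt"
	"strings"
)

// reportedMask reproduces the output quoted in the issue: keep 3 runes,
// write 4 mask symbols, leave the rest. Constructed; not go-masker's source.
func reportedMask(s, i string) string {
	local, domain, found := strings.Cut(i, "@")
	r := []rune(local)
	if !found || len(r) < 3 {
		return i // shape not covered by the issue, returned unchanged here
	}
	tail := ""
	if len(r) > 7 {
		tail = string(r[7:]) // everything past the 7th rune stays readable
	}
	return string(r[:3]) + strings.Repeat(s, 4) + tail + "@" + domain
}

// LocalPartMasker is hypothetical. Assumption: in Marshal(s, i string),
// s is the mask symbol and i is the value to mask.
type LocalPartMasker struct {
	Keep    int // leading runes left readable
	MinMask int // lower bound on mask symbols, pads short local parts
}

func (m *LocalPartMasker) Marshal(s, i string) string {
	at := strings.LastIndex(i, "@")
	if at <= 0 { // not an address: hide every rune
		return strings.Repeat(s, len([]rune(i)))
	}
	local := []rune(i[:at])
	keep := m.Keep
	if keep < 0 || keep >= len(local) {
		keep = 0 // local part too short to keep a prefix: reveal nothing
	}
	masked := len(local) - keep
	if masked < m.MinMask {
		masked = m.MinMask
	}
	return string(local[:keep]) + strings.Repeat(s, masked) + i[at:]
}

func main() {
	e := "potato.eggplant@vegetables.com" // sample address from the issue
	fmt.Println(reportedMask("*", e), "->", (&LocalPartMasker{Keep: 3, MinMask: 4}).Marshal("*", e))
}
```

For local parts longer than `Keep + MinMask` the output still reveals the local part's length; returning a fixed number of mask symbols instead hides that as well.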