Closed pelikhan closed 1 week ago
The changes made in the pull request focus on enhancing security by implementing a mechanism to hide secrets in user, assistant, and system messages, as well as in trace logs. This is done by introducing a new `hideSecrets` function, which identifies and obfuscates a wide range of sensitive patterns, such as API keys, tokens, and other credentials.

- `secrets.ts` is added that contains a `hideSecrets` function. This function uses regular expressions to match potential secret patterns and replaces them with "***".
- The `hideSecrets` function is integrated into functions handling user, assistant, and system messages (`appendUserMessage`, `appendAssistantMessage`, `appendSystemMessage`) and trace management (`MarkdownTrace`).
- The `hideSecrets` function logs instances where potential secrets are found and obfuscated.

`secretPatterns`. These should be properly defined or removed to avoid incomplete functionality. Define patterns for "Private SSH Key" and "PEM Certificate" or remove them if not needed. Here's a possible placeholder fix:
+ "Private SSH Key": /-----BEGIN (?:RSA|DSA|EC|OPENSSH) PRIVATE KEY-----[\s\S]+?-----END (?:RSA|DSA|EC|OPENSSH) PRIVATE KEY-----/g,
+ "PEM Certificate": /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g,
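Review bot: the suggested "Private SSH Key" pattern requires one of `RSA|DSA|EC|OPENSSH` in both the BEGIN and END lines, so a PKCS#8 key whose armor reads `-----BEGIN PRIVATE KEY-----` (or `-----BEGIN ENCRYPTED PRIVATE KEY-----`) is not masked at all; making the type prefix optional, e.g. `-----BEGIN (?:(?:RSA|DSA|EC|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----`, covers those forms. Both patterns also require the END marker to be present: a key or certificate that was truncated before its END line (a common shape in a clipped log entry) leaves the first part of the secret visible, so consider a fallback that masks from a BEGIN marker to the end of the string when no matching END is found.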
Overall, the changes significantly improve the security aspect by ensuring sensitive information is not logged or exposed inadvertently.
LGTM 🚀
generated by pr-review
- 🔒 **Enhanced Security**: Introduced a `hideSecrets` function to mask sensitive information such as API keys and tokens within message content.
- 🛡️ **Secret Protection**: Applied `hideSecrets` to user, assistant, and system messages to prevent accidental leakage of secrets in output or logs.
- 🔧 **Trace Safety**: Integrated `hideSecrets` in the `MarkdownTrace` class to secure content tracing by ensuring sensitive data doesn't appear in trace logs.
- 📦 **New Module**: Added a `secrets.ts` file with predefined regular expressions to identify various secret patterns like GitHub tokens, API keys, and more.
- 📜 **Log Verbosity**: Added verbose logging to indicate when and what kind of potential secret is being masked, enhancing monitoring and debugging efforts.

> generated by [pr-describe](https://github.com/microsoft/genaiscript/actions/runs/11895798334)
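The review and the summary above describe `hideSecrets` as a regex-driven masker that replaces matches with `***` and logs which kind of secret was masked. The following is an added example in that shape; it is not the genaiscript project's own `secrets.ts`. The two PEM/SSH patterns are the ones suggested in the review, the `ghp_` GitHub token pattern is an assumed illustration of the "GitHub tokens" the summary mentions, and the sample message is constructed filler, not real key material. The logging callback reports only the pattern name and count, never the matched text, since a log line that echoed the match would itself leak the secret. A second constructed sample shows the limitation of the suggested SSH alternation: a PKCS#8 `-----BEGIN PRIVATE KEY-----` block passes through unmasked.

```typescript
// Added example, not the project's secrets.ts. Pattern names and regexes
// are assumptions: the first two mirror the review's suggestion, the third
// is an assumed classic GitHub personal access token shape.
export const secretPatterns: Record<string, RegExp> = {
    "Private SSH Key":
        /-----BEGIN (?:RSA|DSA|EC|OPENSSH) PRIVATE KEY-----[\s\S]+?-----END (?:RSA|DSA|EC|OPENSSH) PRIVATE KEY-----/g,
    "PEM Certificate":
        /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g,
    // assumed shape: "ghp_" followed by 36 alphanumerics
    "GitHub Token": /\bghp_[A-Za-z0-9]{36}\b/g,
};

export interface HideSecretsResult {
    text: string;
    /** pattern name -> number of masked occurrences; never the values themselves */
    found: Record<string, number>;
}

export function hideSecrets(
    text: string,
    log: (msg: string) => void = () => {}
): HideSecretsResult {
    let out = text;
    const found: Record<string, number> = {};
    for (const [name, pattern] of Object.entries(secretPatterns)) {
        let count = 0;
        // String.replace with a /g regex scans the whole string and resets
        // lastIndex itself, so sharing the RegExp objects across calls is safe.
        out = out.replace(pattern, () => {
            count++;
            return "***";
        });
        if (count > 0) {
            found[name] = count;
            // report the kind of secret and how many, not the matched text
            log(`hideSecrets: masked ${count} potential ${name}`);
        }
    }
    return { text: out, found };
}

// Constructed sample message; the key body is filler, not real key material.
export const SAMPLE_MESSAGE = [
    "deploy config:",
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    "AAAAconstructedFillerNotARealKey",
    "-----END OPENSSH PRIVATE KEY-----",
    `token=ghp_${"a".repeat(36)}`,
].join("\n");

// Constructed PKCS#8-style block: no key-type prefix in the armor, so the
// suggested "Private SSH Key" alternation does not match it.
export const PKCS8_SAMPLE =
    "-----BEGIN PRIVATE KEY-----\nconstructedFiller\n-----END PRIVATE KEY-----";

const masked = hideSecrets(SAMPLE_MESSAGE, console.log);
console.log(masked.text);
```

Running the block logs one line per pattern kind that matched and prints the masked message with the key block and the token each collapsed to `***`; `hideSecrets(PKCS8_SAMPLE)` returns its input unchanged with an empty `found` map, which is the gap a broader key pattern would close.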