Redact bearer tokens in error messages #88
…rMessage function
Pull Request Overview
This PR implements a new function, Set-RedactedString, to prevent exposure of sensitive Bearer tokens in error messages and logs. Key changes include:
- Introducing Set-RedactedString to redact sensitive information.
- Integrating Set-RedactedString with Export-Entra’s error and debug output.
- Updating the module manifest to export the new function.
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/internal/Set-RedactedString.ps1 | New function for redacting sensitive strings in error messages. |
| src/Export-Entra.ps1 | Updated error and debug outputs to use Set-RedactedString. |
| src/EntraExporter.psd1 | Added Set-RedactedString to the export list. |
Pull Request Overview
This pull request implements security enhancements by introducing a new function, Set-RedactedString, to redact sensitive information from error messages and logs, and integrates it within the Export-Entra function.
- Adds the Set-RedactedString function to process strings containing Bearer tokens and other secrets.
- Updates Export-Entra to pipe error and debug messages through the redaction function.
- Exports the new function via the module manifest to make it available to users.
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/internal/Set-RedactedString.ps1 | Implements the new function to redact sensitive strings. |
| src/Export-Entra.ps1 | Updates error and debug outputs to use Set-RedactedString. |
| src/EntraExporter.psd1 | Adds Set-RedactedString to the export list for module access. |
Comments suppressed due to low confidence (1)
src/internal/Set-RedactedString.ps1:36
- [nitpick] Although PowerShell variables are case-insensitive, using '$pattern' instead of the previously defined '$Pattern' may lead to confusion. Consider using consistent casing for clarity.
$RedactedString = [regex]::Replace($InputString, $pattern, '${1}[REDACTED]')
Co-authored-by: Copilot <[email protected]>
Pull Request Overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
It has been a while. Is this fixhancement still needed for #74 after the last PR was merged?
This pull request introduces a new function, Set-RedactedString, to enhance security by redacting sensitive information in error messages and logs. It also integrates this functionality into existing code to ensure sensitive data is not exposed in debug or error output. This provides a potential fix for #74.
Security Enhancements:
- Set-RedactedString function to redact sensitive information such as Bearer tokens from strings. This function replaces sensitive data with [REDACTED] and supports both direct input and pipeline input. (src/internal/Set-RedactedString.ps1, src/internal/Set-RedactedString.ps1R1-R43)
- Export-Entra function to use Set-RedactedString for redacting sensitive information in debug and error messages. (src/Export-Entra.ps1, src/Export-Entra.ps1L148-R150)
Module Updates:
- Set-RedactedString to the FunctionsToExport list in the module manifest to make it accessible as part of the module. (src/EntraExporter.psd1, src/EntraExporter.psd1R82)
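
The redaction technique described above (replace the token with [REDACTED], accept direct and pipeline input), as an added example that is not the PR's Set-RedactedString code. The function name Hide-BearerToken, the token pattern, the example.invalid URL and the sample lines are assumptions constructed for illustration.

```powershell
# Added illustration, not the project's Set-RedactedString.ps1.
# Hide-BearerToken and the pattern below are hypothetical.
function Hide-BearerToken {
    [CmdletBinding()]
    [OutputType([string])]
    param(
        # AllowEmptyString lets blank log lines pass through the pipeline.
        [Parameter(Mandatory, ValueFromPipeline, Position = 0)]
        [AllowEmptyString()]
        [string] $InputString
    )
    begin {
        # Group 1 keeps the scheme ("Bearer ") so the message still shows that
        # a credential was present; the credential itself is dropped.
        # The character class covers the token68 alphabet (RFC 7235), which
        # includes JWTs (base64url segments joined by dots).
        $pattern = '(?i)(\bBearer\s+)[A-Za-z0-9\-._~+/]+=*'
    }
    process {
        # Single quotes keep ${1} literal for the regex engine instead of
        # letting PowerShell expand it as a variable.
        [regex]::Replace($InputString, $pattern, '${1}[REDACTED]')
    }
}

# Constructed sample input: the tokens below are made up.
$samples = @(
    'GET https://example.invalid/v1.0/users failed. Authorization: Bearer eyJhbGciOi.eyJzdWIiOiIx.c2lnbmF0dXJl'
    'headers={"authorization":"bearer abc123DEF456=="} status=401'
    'No credential on this line'
)

# Pipeline input: each line is redacted independently.
$redacted = $samples | Hide-BearerToken
$redacted

# Direct input works the same way.
Hide-BearerToken -InputString $samples[0]

# Fail loudly if any token material survived redaction.
if ($redacted -match 'eyJ|abc123') { throw 'token leaked' }
```

The final check is the kind of regression test worth keeping next to such a function, since a pattern that is too narrow fails silently and the token simply reappears in the log.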