feat: Add --redact-body-fields option to prevent credentials in tapes #655
+359
−17
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add support for redacting sensitive JSON fields in request and response bodies during tape recording. This prevents credentials like passwords, tokens, and API keys from being written to tape files. ## Changes ### CLI (src/cli.ts) - Added `--redact-body-fields <fields>` option accepting comma-separated list - Passes field names to RecordReplayServer ### Server (src/server.ts) - Added `redactBodyFields` parameter to constructor options - Passes field names to Persistence layer ### Persistence (src/persistence.ts) - Updated constructor to accept `redactBodyFields` parameter - Added `redactBodyFields()` function to redact both request/response bodies - Added `redactBufferFields()` to parse JSON and redact field values - Added `redactObjectFields()` for recursive redaction of nested objects/arrays - Case-insensitive field matching - Gracefully handles non-JSON bodies (returns unchanged) ### Tests (src/persistence.spec.ts) - Added 9 comprehensive tests for body field redaction: - Simple JSON field redaction - Case-insensitive matching - Nested object redaction - Array handling - Response body redaction - Non-JSON body handling - Binary body handling - Empty body handling - No-op when no fields specified ## Usage ```bash # Record with body field redaction proxay --mode record --host https://api.example.com \ --tapes-dir ./tapes \ --redact-body-fields password,access_token,refresh_token,api_key # Redact specific fields PROXAY_REDACT_BODY_FIELDS=password,token proxay --mode record ... ``` ## Example Before redaction: ```json {"email": "user@example.com", "password": "secret123"} ``` After redaction: ```json {"email": "user@example.com", "password": "XXXX"} ``` ## Compatibility - Works alongside existing `--redact-headers` option - Only affects utf8-encoded JSON bodies - Binary bodies and non-JSON bodies are unchanged - Matches existing "XXXX" redaction pattern from header redaction Related: Phase 2 of security alert remediation (GitHub secret scanning)
|
|
timdawborn
reviewed
Dec 1, 2025
Contributor
timdawborn
left a comment
timdawborn
left a comment
There was a problem hiding this comment.
LGTM apart from the linting issues.
- Fix prettier formatting in src/persistence.ts and src/server.ts - Rename redactBodyFields function to redactRecordBodyFields to avoid shadowing the class property of the same name 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
jordanbinskin
approved these changes
Jan 7, 2026
Camcan
approved these changes
Jan 7, 2026
Camcan
left a comment
Camcan
left a comment
There was a problem hiding this comment.
Nicely done @NikoRoberts
I assume we've considered redacting fields by default and have arrived here through some deliberation? I'd have imagined there are very few instances where we'd not want to be redacting *_key & *_token values in logs.
Contributor
Author
|
@Camcan the main reasoning is that it isn't the default today and it would then mean that all tapes need re-recording. If we want to change that default I would suggest we do a major version change |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Add
--redact-body-fieldsCLI option to redact sensitive JSON fields in request and response bodies during tape recording. This prevents credentials like passwords, tokens, and API keys from being written to disk.What was done
Implemented body field redaction in Proxay core:
1. CLI Option
2. Implementation Details
src/persistence.ts(redaction before serialization)XXXX(matches existing--redact-headerspattern)3. Example
Before redaction:
{"email": "user@example.com", "password": "secret123"}After redaction:
{"email": "user@example.com", "password": "XXXX"}Changes
Core Files
src/cli.ts- Added--redact-body-fieldsoptionsrc/server.ts- Wired option to Persistence layersrc/persistence.ts- Implemented redaction logicredactBodyFields()- Main entry pointredactBufferFields()- JSON parsing and Buffer conversionredactObjectFields()- Recursive field redactionTests Added (9 comprehensive tests)