
Commit 7db3fea

fix: match body redaction keys case-insensitively
Make redact_body match sensitive keys like "password" regardless of casing (e.g. "Password", "PASSWORD") to match how redact_headers already works for header names. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 27bb35b commit 7db3fea

2 files changed

Lines changed: 15 additions & 2 deletions


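--- a/src/flameconnect/_http_logging.py
+++ b/src/flameconnect/_http_logging.py
@@ -39,9 +39,17 @@ def redact_headers(headers: Mapping[str, str]) -> dict[str, str]:
 return result
 
 
+_SENSITIVE_BODY_KEYS: frozenset[str] = frozenset({"password"})
+
+
 def redact_body(data: Mapping[str, Any]) -> dict[str, Any]:
-"""Return a copy of *data* with the ``password`` key redacted to ``"***"``."""
-return {k: ("***" if k == "password" else v) for k, v in data.items()}
+"""Return a copy of *data* with sensitive keys redacted to ``"***"``.
+
+Keys are matched case-insensitively against :data:`_SENSITIVE_BODY_KEYS`.
+"""
+return {
+k: ("***" if k.lower() in _SENSITIVE_BODY_KEYS else v) for k, v in data.items()
+}
 
 
 def log_request(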
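Review bot: `_SENSITIVE_BODY_KEYS` has to contain only lowercase entries for the `k.lower() in _SENSITIVE_BODY_KEYS` test in `redact_body` to match, but nothing on the constant states that invariant; a mixed-case entry added later would never match and its value would reach the log unredacted. I would put a comment above the constant, `# Entries must be lowercase: redact_body compares k.lower() against this set.`, or lowercase the entries once where the set is built. Separately, the comprehension looks at top-level keys only, so a `password` field nested inside another mapping or a list in the body would still be logged in clear. If request bodies can be nested, that needs a recursive walk, or at least a caveat in the docstring.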

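--- a/tests/test_http_logging.py
+++ b/tests/test_http_logging.py
@@ -74,6 +74,11 @@ def test_password_redacted(self) -> None:
 "user": "bob",
 }
 
+def test_password_case_insensitive(self) -> None:
+for key in ("Password", "PASSWORD", "password"):
+result = redact_body({key: "s3cret"})
+assert result[key] == "***"
+
 def test_other_keys_unchanged(self) -> None:
 assert redact_body({"email": "a@b.com"}) == {"email": "a@b.com"}
 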